Re: why LDAP and LDAPS was opened contemporary

To: Indexer <indexer@internode.on.net>

Subject: Re: why LDAP and LDAPS was opened contemporary

From: owen nirvana <freeespeech@gmail.com>

Date: Fri, 2 Jul 2010 12:47:53 +0800

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=5EIN3Wv/ZcHx0AQPlk73xxpWxVwdjT/NiQu22e4njSs=; b=HpNkMNAfHzeYCoAmadO1dTJqeBJI2HNkWws9I+8j3w1xj+fpoMxnZIysd9uIFFMLLN Q1nyXtHfc9THDqswKUimbzKrSYPsNoy/An1K5D4sw5YrCMQkYgyrl37QKH9m8Lvg+fao EJSQc+3xzsxMnz4g8n42k4eHiKFHJWcKynXGc=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=FDlPIOnQjSoAjOz3DWXnYdNCAfERBqLUz83GhuvcNYoq2xBaIUnyOTGPq4eRFtl817 CY/ZyygAp5+Jx4DWDvSE3MixYrsRJK3BJyaSot7UKDPcFRVofYTAI6XIR5K/x0iITRxx Fa08XB1gwEr+xBNBncXvn15MbdQZ+CwN43tNg=

In-reply-to: <233481E0-3F55-4189-AD9E-F95F55E687E8@internode.on.net>

References: <AANLkTikLWp9B_Kg12FxOw9_BN8-XSovM_LJHk-Xq6Ifl@mail.gmail.com> <233481E0-3F55-4189-AD9E-F95F55E687E8@internode.on.net>

gtalk:freeespeech@gmail.com

On Fri, Jul 2, 2010 at 11:24 AM, Indexer <indexer@internode.on.net> wrote:

On 02/07/2010, at 12:49 PM, owen nirvana wrote:

> I set tls options to use ldaps.

When using TLS you dont need LDAPS, you want to set your systems to ldap://ldap.server

>
> question 1:
> port 389 is opened yet when I scan the LDAP Server by nmap, but I could not
> connect it with Apache Directory Studio v1.5.3.
>
> question 2:
> Nmap tell me "server still supports SSLv2", but I set TLSCipherSuite is
> HIGH:MEDIUM:-SSLv2
>
> question 3:
> I try to import some data with ldapmodify
>
> ldapmodify -a -H ldap://mydomain.org:636 -D "cn=admin,dc=mydomain,dc=org" -x
> -w whatever -f init.ldif

Try adding the -Z flag to turn on encryption. Your servers CN on the certificate must also match the hostname of the server.

>
> the following is error report:
>
> ldap_start_tls : Can't Contact LDAP Server(-1)
> addition info: error: 14000092: SSL Routine: SSL3_GET_CERTFICATE:
> certificate verify failed
>
> ldap_sasl_bind(Simple): Can't Contact LDAP Server(-1)
>
>

> gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech@gmail.com>