First off, thanks for the reply...
> Re: ldap-browser - it's SSL.
> SSL talks on port 636. TLS talks on port 389. TLS "upgrades" an existing
> LDAP connection to encrypt the traffic - hence the start_tls following the
> constructor.
Aah, so that's why you don't need a new connect.
Well, I *know* the server is listening on 636 and that it works with
ldap-browser so I guess that is where I will start...
> It looks like the server is listening on ports 389 and 636. Try verifying
> that your certificates are correct -
> openssl s_client -connect <server:636> -CApath <path to CA dir>
>
Here is the output of the openssl call. Note: the openldap dir contains
cacert.pem, servercert.pem and serverkey.pem (in addition to the slapd
files).
openssl s_client -connect localhost:636 -CApath /usr/local/etc/openldap/
CONNECTED(00000003)
depth=0 /C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
i:/C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
---
Server certificate
-----BEGIN CERTIFICATE-----
<!!!SNIP CERT DATA!!!!>
-----END CERTIFICATE-----
subject=/C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
issuer=/C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
---
No client certificate CA names sent
---
SSL handshake has read 966 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID:
249FBCBD73E3C8192A3AE87145CF2577BE1601D853E575A220868749FD2CC12
Session-ID-ctx:
Master-Key:
D864BAFB5034FC849391EDAF9DTB24598B458982AC61565427310A83AF46CE0931E04B632B91
9DDEC1151957B5ABE88C
Key-Arg : None
Start Time: 1079607077
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Does not look good. But ldap-browser can connect OK... Even if I put
verify=>none it still does not work...
> Then verify that TLS works ok with standard clients -
> /path/to/openldap/bin/ldapsearch -ZZ -x ...
Here is what I ran:
ldapsearch -ZZ -x -D <mybind> -h myserver.myorg.com -w mypass -b
"ou=myunit,o=myorg" "(ObjectClass=*)" "description"
It worked fine.... But -h localhost did NOT work... That makes sense.
> If that looks ok, the only thing I can suggest is adding
> sslversion=>'sslv3'
> to the start_tls call.
I'll give that a go too...
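Added example, not part of the thread above and not Net::LDAP or OpenLDAP code: a small Python script that reads an `openssl s_client` transcript like the one posted and reports the three things the transcript actually says. The subject and issuer are identical (a self-signed cert), the verify return code is 21 (with `-CApath` that usually means the directory holds no hash-named links to cacert.pem, so OpenSSL never finds the issuer; `-CAfile cacert.pem` is the direct test), and the CN is `myserver.myorg.com`, which is why `-h localhost` fails name checking while `-h myserver.myorg.com` works. The sample transcript is constructed from the posted output with the cert body removed; the 2048-bit key and cipher checks go beyond the thread and reflect current minimums, and the `rehash`/`c_rehash` hint assumes a stock OpenSSL install.

```python
"""Diagnose an `openssl s_client` transcript for an LDAPS (port 636) endpoint.

Added example, not from the original thread: parses the fields s_client prints
and explains why verification failed and whether the connect host matches the
certificate name.
"""
import re

# Constructed sample, trimmed from the transcript in the thread (cert body snipped).
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
   i:/C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
---
subject=/C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
issuer=/C=NL/ST=ZH/L=Zmere/O=MyOrg/CN=myserver.myorg.com
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
    Verify return code: 21 (unable to verify the first certificate)
"""

# Substrings that mark legacy cipher suites (assumed policy, not from the thread).
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXP-", "MD5")
MIN_RSA_BITS = 2048  # assumed current minimum for an RSA server key


def parse_s_client(text):
    """Pull the verification-relevant fields out of an s_client transcript."""
    info = {"subject": None, "issuer": None, "verify_code": None,
            "verify_errors": [], "cipher": None, "key_bits": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):]
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):]
        elif line.startswith("verify error:num="):
            num, _, msg = line[len("verify error:num="):].partition(":")
            info["verify_errors"].append((int(num), msg))
        elif line.startswith("Verify return code:"):
            info["verify_code"] = int(line.split(":", 1)[1].split()[0])
        elif line.startswith("New,") and "Cipher is" in line:
            info["cipher"] = line.rsplit("Cipher is", 1)[1].strip()
        elif line.startswith("Server public key is"):
            info["key_bits"] = int(line.split()[4])
    return info


def dn_cn(dn):
    """Extract the CN from an OpenSSL one-line DN such as /C=NL/.../CN=host."""
    m = re.search(r"(?:^|/)CN=([^/]+)", dn or "")
    return m.group(1) if m else None


def hostname_matches(cn, host):
    """Case-insensitive CN match; a leftmost-label wildcard covers one label only."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host


def diagnose(text, connect_host):
    """Return (code, explanation) findings for the transcript and the host used."""
    info = parse_s_client(text)
    findings = []
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append(("self-signed",
            "subject equals issuer: the server presents a self-signed certificate, "
            "so the client must trust exactly that certificate"))
    codes = {num for num, _ in info["verify_errors"]}
    if info["verify_code"] not in (None, 0):
        hint = ("-CApath only works when the directory holds hash-named links "
                "(openssl rehash / c_rehash); test the CA directly with -CAfile cacert.pem"
                if codes & {20, 21} else "see the verify error lines in the transcript")
        findings.append(("verify-failed", f"verify return code {info['verify_code']}: {hint}"))
    cn = dn_cn(info["subject"])
    if cn and not hostname_matches(cn, connect_host):
        findings.append(("hostname-mismatch",
            f"connected to {connect_host!r} but the certificate CN is {cn!r}; "
            "connect using the name in the certificate"))
    if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
        findings.append(("weak-key",
            f"{info['key_bits']}-bit server key is below {MIN_RSA_BITS} bits"))
    if info["cipher"] and any(m in info["cipher"].upper() for m in WEAK_CIPHER_MARKERS):
        findings.append(("weak-cipher", f"{info['cipher']} is a legacy cipher suite"))
    return findings


def finding_codes(text, connect_host):
    """Just the short codes, convenient for scripting and tests."""
    return [code for code, _ in diagnose(text, connect_host)]


if __name__ == "__main__":
    for host in ("localhost", "myserver.myorg.com"):
        print(f"== connected as {host}")
        for code, why in diagnose(SAMPLE_OUTPUT, host):
            print(f"[{code}] {why}")
```

Run it as-is to see the findings for both `localhost` and `myserver.myorg.com`; the only difference between the two is the hostname-mismatch finding, which is the same name check `ldapsearch -h localhost` tripped over. Once `openssl s_client -CAfile cacert.pem` returns verify code 0 against the right hostname, a client that insists on verification (rather than `verify=>none`) has what it needs.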