> > if I set up the ldap server to also listen on port 383, and change the
> > line
> >
> > NS_LDAP_SERVERS= 129.21.36.128
> >
> > It works.
> >
> > What I am getting from this is that the Solaris ldap client wants
> > to communicate on an unencrypted channel and establish encryption from
> > that.
> >
> > What I think I need to figure out (and help is always appreciated) is
> > how to get the Solaris ldap client to communicate with the OpenLDAP
> > server on port 636 without having to go through TLS negotiation.
>
> Port 636 is reserved for ldaps (LDAP over TLS). It would be pretty silly to
> run a non-TLS LDAP server on port 636.
>
> Your three options are:
>
> - LDAP on port 389, unencrypted (no TLS)
> - LDAP on port 389, TLS encrypted using the 'starttls' extension (RFC 2830);
>   that is, the connection starts unencrypted and then a request is sent to
>   upgrade the connection to TLS.
> - LDAPS on port 636, TLS is negotiated immediately on connection
>
> At the moment your client thinks it is talking LDAP without TLS, and your
> server is trying to negotiate TLS immediately.
I am sorry that I am slowly wrapping my brain around this; I seem to be going
round and round with it. What you have here seems to work with what I have
going so far. What I would like to have (if at all possible) is to have the
Solaris client machines connect to LDAPS on port 636. I can get it to work
just fine using ldapsearch built from OpenLDAP and with the one in
/usr/iplanet/.

If I start slapd with this:

    $SLAPD_DIR/slapd $DEBUG -u ldap -h "ldaps:///"

/etc/init.d/ldap.client will not work (I get the error that I have shown).

If I start it like this:

    $SLAPD_DIR/slapd $DEBUG -u ldap -h "ldap:/// ldaps:///"

/etc/init.d/ldap.client works. And what's more, when I run snoop on the
master, this is how things start up:

    tear -> manetheren LDAP C port=56534
    manetheren -> tear LDAP R port=56534
    tear -> manetheren LDAP C port=56534
    tear -> manetheren LDAP C port=56534 Search Request neverDerefAliases
    manetheren -> tear LDAP R port=56534
    manetheren -> tear LDAP R port=56534 Search ResEntry
    manetheren -> tear LDAP R port=56534 Search ResDone Success
    tear -> manetheren LDAP C port=56534
    tear -> manetheren LDAP C port=56534
    tear -> manetheren LDAP C port=56534 Unbind Request
    tear -> manetheren LDAP C port=56534
    manetheren -> tear LDAP R port=56534
    manetheren -> tear LDAP R port=56534
    manetheren -> tear LDAP R port=56534
    tear -> manetheren LDAP C port=56534
    tear -> manetheren TCP D=636 S=56535 Syn Seq=840837329 Len=0 Win=49640 Options=<mss 1460,nop,nop,sackOK>
    [..]

Interesting to me is that at no point is port 383 contacted. So why do I need
to have ldap:/// going???

To see the difference, I snooped again with just ldaps:/// and got this:

    tear -> manetheren LDAP C port=56537
    manetheren -> tear LDAP R port=56537
    tear -> manetheren LDAP C port=56538
    manetheren -> tear LDAP R port=56538
    tear -> manetheren LDAP C port=56539
    manetheren -> tear LDAP R port=56539
    tear -> manetheren LDAP C port=56540
    manetheren -> tear LDAP R port=56540
    tear -> manetheren LDAP C port=56541
    manetheren -> tear LDAP R port=56541
    tear -> manetheren LDAP C port=56542
    manetheren -> tear LDAP R port=56542
    tear -> manetheren LDAP C port=56543
    manetheren -> tear LDAP R port=56543
    tear -> manetheren LDAP C port=56544
    manetheren -> tear LDAP R port=56544
    tear -> manetheren LDAP C port=56545

I know I was asked to read the man page, but I was not able to find any
illumination on why it needs to be like this.

thoughts? comments?

jim craig

---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as
the SUBJECT of the message.
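The three modes listed in the quoted reply (cleartext LDAP, StartTLS on the same port, and LDAPS with TLS first) differ in the very first bytes the client sends, which is exactly what a snoop capture like the one above lets you check. The following is an added example, not code from the thread or from OpenLDAP or Solaris: it classifies the first client message on a connection as a TLS record, a plain LDAP BER message, or an RFC 2830 StartTLS extended request, and maps that to the slapd -h listener that would accept it. The sample captures are constructed byte strings (an anonymous bind, a StartTLS request, a TLS ClientHello prefix), not taken from the poster's snoop output.

```python
# Classify the first bytes a client sends on an LDAP port.  Added example
# with constructed sample captures; not code from the mailing-list thread.
#
#   'tls'            TLS record first  -> client speaks LDAPS (slapd -h ldaps:///)
#   'ldap'           cleartext BER LDAPMessage -> plain LDAP (slapd -h ldap:///)
#   'ldap-starttls'  cleartext ExtendedRequest with the RFC 2830 StartTLS OID
#                    -> plain listener, TLS upgraded afterwards (slapd -h ldap:///)

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 2830 StartTLS extended operation


def _ber_len(buf, i):
    """Decode a BER length field at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                      # short form
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("unsupported BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_first_message(data):
    """Return 'tls', 'ldap', 'ldap-starttls' or 'unknown' for a client's first bytes."""
    if len(data) < 3:
        return "unknown"
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
    if data[0] != 0x30:
        return "unknown"
    try:
        seq_len, i = _ber_len(data, 1)
        if i + seq_len > len(data) or data[i] != 0x02:   # messageID must be INTEGER
            return "unknown"
        id_len, i = _ber_len(data, i + 1)
        i += id_len
        op_tag = data[i]
        if op_tag == 0x77:                # ExtendedRequest = [APPLICATION 23], constructed
            op_len, j = _ber_len(data, i + 1)
            body = data[j:j + op_len]
            if body and body[0] == 0x80:  # requestName [0] (context-specific, primitive)
                name_len, k = _ber_len(body, 1)
                if body[k:k + name_len] == STARTTLS_OID:
                    return "ldap-starttls"
        return "ldap"
    except (IndexError, ValueError):
        return "unknown"


def listener_for(kind):
    """Which slapd -h URL scheme serves a client that opens this way (assumption: default ports)."""
    return {"tls": "ldaps:///", "ldap": "ldap:///", "ldap-starttls": "ldap:///"}.get(kind)


# Constructed sample captures (first client bytes only).
# Anonymous LDAPv3 BindRequest: SEQUENCE{ INTEGER 1, [APPLICATION 0]{ INTEGER 3, "" , simple "" } }
SAMPLE_BIND = bytes.fromhex("300c020101600702010304008000")
# StartTLS ExtendedRequest: SEQUENCE{ INTEGER 1, [APPLICATION 23]{ [0] "1.3.6.1.4.1.1466.20037" } }
SAMPLE_STARTTLS = bytes.fromhex("301d02010177188016") + STARTTLS_OID
# Leading bytes of a TLS 1.0 record carrying a ClientHello (record + handshake headers only).
SAMPLE_CLIENTHELLO = bytes.fromhex("160301002a01000026")
# Something that is neither.
SAMPLE_JUNK = b"GET / HTTP/1.0\r\n"


def classify_samples():
    """Classify every constructed sample; returns a dict of name -> (kind, listener)."""
    samples = {
        "bind": SAMPLE_BIND,
        "starttls": SAMPLE_STARTTLS,
        "clienthello": SAMPLE_CLIENTHELLO,
        "junk": SAMPLE_JUNK,
    }
    return {name: (classify_first_message(b), listener_for(classify_first_message(b)))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (kind, listener) in classify_samples().items():
        print(f"{name:12s} -> {kind:14s} served by {listener}")
```

Read against the capture above: every line marked "LDAP C" before the SYN to port 636 is a cleartext BER message, so it would classify as 'ldap' and needs the ldap:/// listener, while the connection to 636 starts with a TLS record and needs ldaps:///. A server started with only ldaps:/// has nothing listening for the cleartext part.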