On Thu, 7 Jul 2005, Quanah Gibson-Mount wrote:

> Which is why about 5 messages ago I suggested reading the man page for
> ldapclient, which is what is supposed to create and configure the file in
> question that is getting edited, and it has a section on TLS.
I may have mentioned that I have read the man page, and this is still something that is bothering me. I have read over the man page, and I believe that I am setting up the client properly. However, as I mentioned, the communication does not work unless I also have ldap running on port 389.

From what I read, to get things working I have used this command:

    ldapclient manual -a credentialLevel=proxy \
        -a authenticationMethod=tls:simple \
        -a proxyPassword=blahblahblah \
        -a proxyDN=cn=proxyagent,ou=profile,dc=cs,dc=rit,dc=edu \
        -a defaultSearchBase=dc=cs,dc=rit,dc=edu \
        -a domainName=cs.rit.edu \
        -a followReferrals=false \
        -a defaultServerList=10.10.220.1

and this connects and works as long as port 389 is open to start the communication. After a few exchanges it does go over to 636. (Thanks to Brian for pointing out Solaris's snoop deficiency.)

All I wanted to know was: is this really the way it had to be? I have been digging through the openldap archives and found this question (from http://www.openldap.org/lists/openldap-software/200306/msg00672.html ):

"2. The sun documentation also states that in order to use TLS, your directory MUST accept connections on port 636. This flies in the face of everything else I've ever read anywhere about TLS/SSL and LDAP. 636 is specifically for SSL, and is a deprecated technique in favor of using TLS on 389, for various reasons - one being that you can then accept requests from any client on a single port, using tls or not. In spite of the documentation, I *am* still seeing traffic on port 389 on my ldap server. However, the TLS connection fails and gives me an error saying so (I don't remember the error text, but it was 'error 91', which was presented to me upon trying to log in IIRC)."

So far I have not found an answer to this.
I think this is what I am stuck on (and from the responses I get, it must be my own ignorance). What I want to see is what Brian Candler had pointed out to me as one of my options:

> - LDAPS on port 636, TLS is negotiated immediately on connection

The man page is fairly unclear on how this is going to be accomplished. If anyone has accomplished this with Solaris 9, I am greatly interested in figuring out what I am doing wrong.

jim craig

---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.
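The thread turns on the difference between the two TLS models for LDAP: on port 636 (ldaps) the TLS handshake happens immediately after the TCP connect, before any LDAP message, whereas on port 389 the client first speaks clear-text LDAP and then sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511/4513); only if the server answers with resultCode 0 does TLS begin on the same socket. The following is an added example, not code from the thread, from Sun's ldapclient, or from OpenLDAP: a minimal BER encoder/decoder for that StartTLS exchange, with both the client request and the server's ExtendedResponse, so the bytes that cross the wire on 389 before encryption starts can be inspected. All byte strings it handles are constructed inline; nothing connects to a real server.

```python
"""
Added example (not part of the original mailing-list thread): encoder and
decoder for the LDAPv3 StartTLS extended operation, i.e. the clear-text
exchange that precedes TLS on port 389.  Sample messages are constructed
here, not captured from any server.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14

# BER tags used by the messages handled below
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x77     # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78    # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80         # [0] inside ExtendedRequest, primitive
TAG_RESPONSE_NAME = 0x8A        # [10] inside ExtendedResponse, primitive

LDAP_SUCCESS = 0
LDAP_UNAVAILABLE = 52           # a typical answer when TLS is not offered


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value, tag=TAG_INTEGER):
    """Non-negative INTEGER/ENUMERATED with the sign bit kept clear."""
    if value == 0:
        return tlv(tag, b"\x00")
    width = (value.bit_length() + 8) // 8
    return tlv(tag, value.to_bytes(width, "big"))


def encode_starttls_request(msg_id):
    """Client side: LDAPMessage { messageID, ExtendedRequest { requestName } }."""
    ext = tlv(TAG_EXTENDED_REQUEST,
              tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + ext)


def encode_starttls_response(msg_id, result_code, diagnostic=""):
    """Server side: ExtendedResponse carrying an LDAPResult and the OID."""
    body = (ber_int(result_code, TAG_ENUMERATED)
            + tlv(TAG_OCTET_STRING, b"")                      # matchedDN
            + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8"))
            + tlv(TAG_RESPONSE_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + tlv(TAG_EXTENDED_RESPONSE, body))


def read_tlv(data, pos=0):
    """Return (tag, value, next_pos); rejects truncated or oversized elements."""
    if pos + 2 > len(data):
        raise ValueError("truncated BER element")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:end], end


def decode_starttls_response(data):
    """Parse the server's reply; tls_ready is True only on resultCode 0."""
    tag, msg, _ = read_tlv(data)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, rc, pos = read_tlv(body)          # resultCode
    _, _, pos = read_tlv(body, pos)      # matchedDN (ignored)
    _, diag, pos = read_tlv(body, pos)   # diagnosticMessage
    name = None
    while pos < len(body):               # optional referral / responseName
        t, v, pos = read_tlv(body, pos)
        if t == TAG_RESPONSE_NAME:
            name = v.decode("ascii")
    code = int.from_bytes(rc, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": code,
            "diagnostic": diag.decode("utf-8"), "response_name": name,
            "tls_ready": code == LDAP_SUCCESS}


if __name__ == "__main__":
    print("client -> server:", encode_starttls_request(1).hex())
    reply = encode_starttls_response(1, LDAP_SUCCESS)
    print("server -> client:", reply.hex())
    print(decode_starttls_response(reply))
```

In practice the client writes the request bytes on the already-open port 389 socket, reads one reply, and wraps the socket in TLS only when `tls_ready` is true; on port 636 none of this happens, because the socket is wrapped in TLS first. A client that insists on seeing the clear-text StartTLS reply before it will talk TLS will therefore never work against a server that listens only on 636, which is the mismatch the question above is circling.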