At 12:48 PM 9/21/2006, Kurt D. Zeilenga wrote:
>At 12:00 PM 9/21/2006, Dan O'Reilly wrote:
>>I'm trying to get an OpenLDAP client to use TLS to talk to a (non-OpenLDAP)
>>LDAP server. This LDAP server is properly configured for TLS (as verified by
>>other (non-OpenLDAP) LDAP clients).
>
>Verify the server is configured properly for LDAP over TLS (ldaps://)
>using the OpenSSL s_client program (with certificate verification
>enabled).

I forgot to note that discussion of the use of OpenSSL, including s_client, should be directed to a list about OpenSSL, such as <[email protected]>.

>Once you have that working, you should be able to translate the
>s_client configuration directly into an ldap.conf configuration
>(OpenLDAP uses OpenSSL; TLS configuration options are directly
>passed to OpenSSL).
>
>Note that s_client does do LDAP-specific certificate checks (as
>discussed in RFC 4513)... so don't be surprised if ldapsearch(1)
>(or other OpenLDAP command line programs) fail due to these
>additional checks.
>
>Kurt
>
>
>>I've generated the DER-format P7B file that contains the CA's trusted root
>>certificate and copied it to my VMS system. However, whenever I try to use,
>>say, ldapsearch with the -ZZ option and port 636, it always comes back with
>>"Can't contact LDAP server (-1)". When I use port 389 and no TLS, it all
>>works fine.
>>
>>Any ideas? My LDAP.CONF file has TLS_CACERT and TLS_CACERTDIR entries in it,
>>but I wouldn't swear this file is even being used.
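The s_client-to-ldap.conf translation Kurt describes, as an added example that is not part of this thread: it reads an ldap.conf (a constructed sample; the host name, base DN and CA path are assumptions, not the poster's real values), builds the equivalent `openssl s_client` check for an ldaps:// URI with CA verification enforced, and the matching ldapsearch call.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample ldap.conf, not the poster's file. With OpenSSL, TLS_CACERT
# must point at PEM-encoded X.509 certificates; a DER PKCS#7 (.p7b) bundle has
# to be converted first, e.g.:
#   openssl pkcs7 -inform DER -in ca.p7b -print_certs -out ca.pem
SAMPLE_LDAP_CONF = """\
# assumed host name, base DN and CA path
URI          ldaps://ldap.example.test:636
BASE         dc=example,dc=test
TLS_CACERT   /etc/openldap/ca.pem
TLS_REQCERT  demand
"""

def parse_ldap_conf(text):
    """Return {KEYWORD: value} for the non-comment lines of an ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)       # keyword, then the rest of the line
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf

def s_client_command(conf):
    """openssl s_client invocation that applies the same CA trust as ldap.conf."""
    uri = urlsplit(conf["URI"].split()[0])    # URI may list several; use the first
    if uri.scheme != "ldaps":
        raise ValueError("this check covers ldaps:// (TLS from the start); "
                         "StartTLS on an ldap:// URI is what ldapsearch -ZZ requests")
    cmd = ["openssl", "s_client", "-connect", f"{uri.hostname}:{uri.port or 636}"]
    if "TLS_CACERT" in conf:
        cmd += ["-CAfile", conf["TLS_CACERT"]]
    if "TLS_CACERTDIR" in conf:
        cmd += ["-CApath", conf["TLS_CACERTDIR"]]
    # TLS_REQCERT defaults to demand: an unverifiable server certificate aborts
    # the handshake, which -verify_return_error makes s_client do as well.
    if conf.get("TLS_REQCERT", "demand").lower() in ("demand", "hard"):
        cmd.append("-verify_return_error")
    return shlex.join(cmd)

def ldapsearch_command(conf):
    """Matching ldapsearch: an ldaps:// URI negotiates TLS itself, so no -ZZ."""
    return shlex.join(["ldapsearch", "-x", "-H", conf["URI"].split()[0],
                       "-b", conf.get("BASE", ""), "-s", "base"])

if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print(s_client_command(conf))
    print(ldapsearch_command(conf))
```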
