On Fri, 5 Sep 2008, Norman Gies wrote:
> I have a problem with TLS connections to my OpenLDAP server.
>
> The OpenLDAP server is running on Debian. I created all certificates
> with openssl. If I use ldapsearch on the server (SASL/EXTERNAL mech)
> everything works fine, but if I try to connect with jxplorer,
> ldapbrowser (softera), eclipse (apache directory), or with the examples
> from jldap, I always get the same error:
> javax.net.ssl.SSLHandshakeException: Remote host closed connection
> during handshake
I'm guessing this is the usual LDAP-with-StartTLS-on-port-389 vs LDAP-with-SSL-on-connect-on-port-636 confusion. Does jxplorer support the LDAP StartTLS operation, or does it only support negotiating TLS/SSL at connect time? If both, are you sure you're configuring it to use the right one?

The slapd log you quoted shows a connection on port 389, the normal LDAP port. If a client tries to negotiate SSL at connection time on that port, the LDAP server will hang up on it, as the SSL handshake packets don't look like LDAP requests. If the client only supports SSL-on-connect, then you need to have it connect on port 636 (and you have to tell slapd to serve ldaps there too).

Philip Guenther
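Added example, not part of either message above: a small Python script showing why slapd on port 389 "hangs up" on a TLS-on-connect client. It builds the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, BER-encoded as in RFC 4511) that a StartTLS-capable client sends first, and a constructed TLS record header such as an ldaps client sends first, then shows what a server expecting BER would make of each. The byte strings, the tiny BER helpers and the `port389_reaction` classifier are all assumptions made for illustration; the actual slapd code path is not reproduced here.

```python
# Added illustration (not from the thread): StartTLS-on-389 vs TLS-on-connect-on-636,
# as seen from the server's side of the socket.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511 / 4513)


def ber_len(n):
    """BER length: short form below 0x80, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def starttls_request(message_id=1):
    """LDAPMessage { messageID INTEGER,
                     protocolOp ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }"""
    msg_id = ber_tlv(0x02, bytes([message_id]))
    # [APPLICATION 23] constructed: 0x40 | 0x20 | 23 = 0x77; requestName is context tag [0] = 0x80
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, msg_id + ext_req)  # outer LDAPMessage SEQUENCE


def tls_client_hello_prefix():
    """Constructed first bytes of a TLS-on-connect client: record type 0x16 (handshake),
    record version 3.1, a record length, then handshake type 0x01 (ClientHello)."""
    return bytes([0x16, 0x03, 0x01, 0x00, 0xC0, 0x01])


def read_tlv(data, pos):
    """Decode one BER element at pos; returns (tag, value_bytes, next_pos)."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def is_starttls_request(data):
    """True if data is an LDAPMessage carrying the StartTLS ExtendedRequest."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        return False
    _, _, pos = read_tlv(body, 0)          # skip messageID
    tag, ext, _ = read_tlv(body, pos)
    if tag != 0x77:
        return False
    tag, name, _ = read_tlv(ext, 0)
    return tag == 0x80 and name == STARTTLS_OID


def port389_reaction(first_bytes):
    """Hypothetical decision a plain-LDAP listener makes on the first bytes it reads."""
    if first_bytes[:1] == b"\x30":        # BER SEQUENCE: plausibly an LDAPMessage
        if is_starttls_request(first_bytes):
            return "ldap: StartTLS request, answer it and switch to TLS"
        return "ldap: ordinary request"
    if first_bytes[:2] == b"\x16\x03":    # TLS handshake record: not BER at all
        return "close: TLS ClientHello on the plain LDAP port (client wants ldaps://, port 636)"
    return "close: not an LDAP message"


if __name__ == "__main__":
    print(starttls_request().hex())
    print(port389_reaction(starttls_request()))
    print(port389_reaction(tls_client_hello_prefix()))
```

From the client side the same distinction is `ldapsearch -ZZ -H ldap://host:389` (StartTLS, required) versus `ldapsearch -H ldaps://host:636` (TLS on connect); a client that only knows the second form has to be pointed at a port where slapd is actually listening for ldaps.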