On Wednesday, 7 July 2010 11:17:27 Cedric Jeanneret wrote:
> Hello,
>
> I'm trying to configure an openldap with TLS so that all connections are
> encrypted.
>
> Here's the relevant part of my slapd.conf:
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSVerifyClient never
> TLSCertificateFile /etc/ldap/ssl/server.crt
> TLSCertificateKeyFile /etc/ldap/ssl/server.key
>
> Here's my ldap.conf:
>
> URI ldaps://my.server.ltd
> BASE dc=my,dc=server,dc=ltd
> LDAP_VERSION 3
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> ssl start_tls
> ssl on

You should *either* use an ldaps:/// URI (for ldaps), or use an ldap:/// URI with 'ssl start_tls'. While you may have a working client configuration (probably trying ldaps), you'll probably confuse someone ....

> TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
>
> While starting slapd with:
> slapd -h 'ldaps:///' -g openldap -u openldap -d 16383

You are only listening on ldaps, so unless you change your -h argument, you can't do START_TLS.

> and trying to connect to it with:
> ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar"
> -S cn -h my.server.ltd -p 636 cn

So, you have just tried to do a START_TLS bind on the ldaps port, which is obviously not how things are supposed to work. Either use -H ldaps:///my.server.tld without -Z, or -H ldap://my.server.tld or -h my.server.tld *with* -Z.

Please note that ldaps (usually port 636) is different to START_TLS, you can't use both, you can not do START_TLS on the ldaps port, and you can't do ldaps on the normal ldap port (which is where you do START_TLS). Since your slapd is only listening on ldaps, you should probably try with -H ldaps://my.server.tld (no -Z).

> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Regards,
Buchan
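A wire-level illustration of the mismatch Buchan describes, added here and not part of the thread: `ldapsearch -Z` first sends a cleartext LDAP ExtendedRequest for StartTLS (OID 1.3.6.1.4.1.1466.20037, RFC 4511), whereas an ldaps listener expects a TLS handshake record as the very first bytes. The code builds both first messages and checks them the way each listener type would; the TLS record bytes are constructed sample values and no socket is opened.

```python
"""Why `ldapsearch -Z ... -p 636` cannot work: the first bytes on the wire."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)


def ber_len(n: int) -> bytes:
    """Short-form BER length; every PDU built here is well under 128 bytes."""
    assert n < 128
    return bytes([n])


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }.
    This is the cleartext PDU a START_TLS client (-Z) sends before any TLS."""
    msg_id = b"\x02" + ber_len(1) + bytes([message_id])       # INTEGER
    oid = STARTTLS_OID.encode("ascii")
    req_name = b"\x80" + ber_len(len(oid)) + oid               # [0] LDAPOID
    ext_req = b"\x77" + ber_len(len(req_name)) + req_name      # [APPLICATION 23]
    body = msg_id + ext_req
    return b"\x30" + ber_len(len(body)) + body                 # SEQUENCE


def tls_client_hello_prefix() -> bytes:
    """Constructed TLS record header (content type 0x16 = handshake), i.e. what
    an ldaps:// client sends first. Version/length/body bytes are sample only."""
    return b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"


def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS record from a cleartext LDAP PDU by the first byte."""
    if data[:1] == b"\x16":
        return "tls-handshake"
    if data[:1] == b"\x30":
        return "cleartext-ldap"
    return "unknown"


def listener_accepts(listener: str, first_bytes: bytes) -> bool:
    """An ldaps listener (port 636) requires a TLS handshake up front; a plain
    ldap listener expects an LDAP PDU, which is how a START_TLS request arrives."""
    kind = classify_first_bytes(first_bytes)
    if listener == "ldaps":
        return kind == "tls-handshake"
    if listener == "ldap":
        return kind == "cleartext-ldap"
    raise ValueError(f"unknown listener type: {listener}")
```

With slapd started as `-h 'ldaps:///'` only the `listener_accepts("ldaps", ...)` path exists, so the START_TLS PDU is rejected and the client reports "Can't contact LDAP server".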
