Hi all, Ben, Dieter, thank you for your help ... got it working on ldaps without TLS :-))
we can close that thread

cheers
Axel

AXEL GROSSE
Principal Solution Architect, Sales Solution Center, Axway
P: +61-405-995-768
828 Pacific Highway Gordon, 2072 NSW
[email protected]
http://www.axway.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of btb
Sent: Friday, 4 October 2013 6:20 AM
To: [email protected]
Subject: Re: Openldap server with TLS not working

On 2013.10.03 08.22, Axel Grosse wrote:
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dieter Klünter
> Sent: Thursday, 3 October 2013 6:46 PM
> To: [email protected]
> Subject: Re: Openldap server with TLS not working
>
> On Thu, 3 Oct 2013 00:16:28 +0000
> Axel Grosse <[email protected]> wrote:
>
>> Hi Ben,
>> thanks for the comment.
>> agree with you on TLS usage should be preferred but the client that
>> is connecting is only capable of LDAPS ... he has not implemented TLS
>> Client yet.
>>
>> But can you please take a look at the error I am facing
>>
>> openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt
>> CONNECTED(00000003)
>> 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>>
>> any idea what can cause this ?
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of btb
>> Sent: Wednesday, 2 October 2013 10:57 PM
>> To: [email protected]
>> Subject: Re: Openldap server with TLS not working
>>
>> On 2013.10.02 07.29, Axel Grosse wrote:
>>
>>> when I test on the server itself ..
>>> openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt
>>> CONNECTED(00000003)
>>> 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>>
>> ldaps [port 636] is deprecated. use starttls with the standard port [389].
>> to test, just use ldapsearch [see the reference to -Z in the man page]
>
> You are connecting to port 389, but s_client is not able to initiate
> a LDAP startTLS session (only SMTP and IMAP), so you have to connect
> ldaps and port 636.
>
> -Dieter
>
> Hi Ben, Dieter
> can we focus on LDAPS because TLS1 is not an option and even if LDAPS is
> deprecated I should be able to configure it ..
>
> TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
> TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
> TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
> TLSVerifyClient never
>
> are these entries in the slapd.conf suitable for LDAPS ?
> if not what's missing ?

nothing more is required

> start the server with
> /usr/sbin/slapd -h ldap://192.168.30.169:636 -u ldap

/usr/sbin/slapd -h 'ldaps:///' [...]

you must specify ldaps, and you do not need to explicitly specify the port. 636 is the default. see man 8 slapd for details.
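The root cause in this thread is a listener URL of the wrong scheme: `slapd -h ldap://192.168.30.169:636` serves cleartext LDAP on the LDAPS port, so an LDAPS-only client (or `openssl s_client`) fails its TLS handshake, while the three TLS directives in slapd.conf were already sufficient. The check below is an added example, not code from the thread's participants or from OpenLDAP: it parses a constructed slapd.conf fragment modelled on the directives quoted above and lints a list of `-h` listener URLs for exactly this scheme/port mismatch and for missing TLS directives. The function names, the `REQUIRED_TLS_DIRECTIVES` list and the sample configuration text are assumptions of this example; it runs offline and never contacts a server or reads the certificate files.

```python
"""Lint slapd listener URLs and slapd.conf TLS directives for the LDAPS case.

Added example, not code from the thread or from OpenLDAP. It checks only the
scheme/port consistency of 'slapd -h' URLs and the presence of the TLS
directives quoted in the thread; it does not connect anywhere.
"""
from urllib.parse import urlsplit

# Constructed sample modelled on the directives quoted in the thread
# (not the poster's real slapd.conf).
SAMPLE_SLAPD_CONF = """\
# TLS settings
TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
TLSVerifyClient never
"""

# Directives slapd needs to present a server certificate on an ldaps:// listener
# (the thread states nothing beyond these is required). Assumed list for this example.
REQUIRED_TLS_DIRECTIVES = (
    "TLSCACertificateFile",
    "TLSCertificateFile",
    "TLSCertificateKeyFile",
)

LDAPS_DEFAULT_PORT = 636


def parse_slapd_conf(text):
    """Return {directive: value} for one-line 'Directive value' entries.

    Blank lines and '#' comments are skipped. slapd.conf continuation lines
    (leading whitespace) are not handled; TLS directives never need them.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def missing_tls_directives(directives):
    """Names of the required TLS directives absent from a parsed slapd.conf."""
    return [d for d in REQUIRED_TLS_DIRECTIVES if d not in directives]


def lint_listener_urls(urls, directives):
    """Return human-readable findings for a list of 'slapd -h' listener URLs.

    The thread's case: ldap://host:636 answers cleartext LDAP on the LDAPS port,
    so an LDAPS client sees a handshake failure. ldaps:/// fixes it, and port
    636 is then implied.
    """
    findings = []
    missing = missing_tls_directives(directives)
    for url in urls:
        parts = urlsplit(url)          # urlsplit handles ldap/ldaps/ldapi generically
        scheme, port = parts.scheme, parts.port   # port is None when omitted
        if scheme == "ldap" and port == LDAPS_DEFAULT_PORT:
            findings.append(
                f"{url}: cleartext ldap:// bound to port {LDAPS_DEFAULT_PORT}; "
                "an LDAPS client will fail its TLS handshake here. Use ldaps:/// instead."
            )
        elif scheme == "ldaps":
            if port not in (None, LDAPS_DEFAULT_PORT):
                findings.append(
                    f"{url}: ldaps:// on non-default port {port}; clients must be told."
                )
            if missing:
                findings.append(
                    f"{url}: ldaps:// listener but slapd.conf lacks {', '.join(missing)}."
                )
    return findings


if __name__ == "__main__":
    conf = parse_slapd_conf(SAMPLE_SLAPD_CONF)
    for urls in (["ldap://192.168.30.169:636"], ["ldaps:///"]):
        print(urls, "->", lint_listener_urls(urls, conf) or ["ok"])
```

Run as a script it reports one finding for the thread's original `ldap://192.168.30.169:636` listener and none for `ldaps:///`; point `parse_slapd_conf` at a real file's contents to lint an actual configuration.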
