TLS authentication for ldap

2013-09-23 Thread espeake
We are trying to put in place a high availability instance of openLDAP using a 3-node n-way multi master setup. I can telnet to our instance and each individual node through ports 389 and 636. I can use the showcerts command on port 636 and see the certs but when I try to do this on port 389

RE: TLS authentication for ldap

2013-09-23 Thread Salz, Rich
I can use the showcerts command on port 636 and see the certs but when I try to do this on port 389 to use TLS I get the following error. 389 is the plaintext LDAP port; 636 is for LDAP over SSL/TLS so your system is doing the right thing. If you want to force SSL/TLS, then you'll have to

Re: TLS authentication for ldap

2013-09-23 Thread Viktor Dukhovni
On Mon, Sep 23, 2013 at 10:54:04AM -0400, Salz, Rich wrote: Another option is to use LDAP's STARTTLS support on port 389. It seems the config to require it is a bit obscure; http://www.openldap.org/lists/openldap-technical/201202/msg00414.html might be useful. Note, the above is for

RE: TLS authentication for ldap

2013-09-23 Thread Salz, Rich
Another option is to use LDAP's STARTTLS support on port 389. It seems the config to require it is a bit obscure; http://www.openldap.org/lists/openldap-technical/201202/msg00414.html might be useful. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

Re: TLS authentication for ldap

2013-09-23 Thread espeake
From: Viktor Dukhovni openssl-us...@dukhovni.org To: openssl-users@openssl.org openssl-users@openssl.org Date: 09/23/2013 10:10 AM Subject:Re: TLS authentication for ldap Sent by:owner-openssl-us...@openssl.org On Mon, Sep 23, 2013 at 10:54:04AM -0400, Salz, Rich

Re: TLS authentication for ldap

2013-09-23 Thread Michael Ströder
Viktor Dukhovni wrote: On Mon, Sep 23, 2013 at 10:54:04AM -0400, Salz, Rich wrote: Another option is to use LDAP's STARTTLS support on port 389. It seems the config to require it is a bit obscure; http://www.openldap.org/lists/openldap-technical/201202/msg00414.html might be useful.

RE: TLS authentication for ldap

2013-09-23 Thread Salz, Rich
Note, the above is for enforcing STARTTLS on the server. If the decision is left to the client, the configuration is less opaque. And less secure. :) If policy is to use SSL/TLS, then the server must enforce it; trusting the clients to do the right thing is bad. /r$ -- Principal

RE: TLS authentication for ldap

2013-09-23 Thread espeake
From: Salz, Rich rs...@akamai.com To: openssl-users@openssl.org openssl-users@openssl.org Date: 09/23/2013 10:29 AM Subject:RE: TLS authentication for ldap Sent by:owner-openssl-us...@openssl.org Note, the above is for enforcing STARTTLS on the server

Re: TLS authentication for ldap

2013-09-23 Thread Viktor Dukhovni
On Mon, Sep 23, 2013 at 11:27:06AM -0400, Salz, Rich wrote: Note, the above is for enforcing STARTTLS on the server. If the decision is left to the client, the configuration is less opaque. And less secure. :) If policy is to use SSL/TLS, then the server must enforce it; trusting the

{resolved}Re: TLS authentication for ldap

2013-09-23 Thread espeake
From: Viktor Dukhovni openssl-us...@dukhovni.org To: openssl-users@openssl.org openssl-users@openssl.org Date: 09/23/2013 10:40 AM Subject:Re: TLS authentication for ldap Sent by:owner-openssl-us...@openssl.org On Mon, Sep 23, 2013 at 11:27:06AM -0400, Salz, Rich