Full_Name: Douglas Klima
Version: 2.3
OS: Linux
URL:
Submission from: (NULL) (216.155.111.10)
I was looking for a way to make TLS the default in /etc/openldap/ldap.conf; however, it currently seems impossible. You can specify LDAP over clear text and LDAP over SSL, but you can't specify LDAP over TLS (I'm talking about "start_tls"). It seems like ldaps:// is deprecated in favor of ldap:// + TLS, which is why I'm trying to configure this.
Currently my /etc/openldap/ldap.conf looks like:

BASE dc=example,dc=com
URI ldap://srv1.example.com ldap://srv2.example.com
TLS_REQCERT demand
TLS_CACERTDIR /etc/ssl/certs
If I do the following:

$ ldapsearch
ldap_bind: Confidentiality required (13)
	additional info: TLS confidentiality required
If I change URI to have "ldaps://srv1.example.com:389", then $ ldapsearch just hangs until it times out. Clearly it's not using start_tls.
Now if I change URI back to its original setting and do:
$ ldapsearch -Z
....
# search result
search: 3
result: 0 Success

# numResponses: 54
# numEntries: 53
I get a successful lookup. I'm basically looking for a way to pass "-Z" in /etc/openldap/ldap.conf and in .ldaprc
Initially I tried to send this to the OpenLDAP ML but was told by MacJobBz to submit this to ITS.
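The following wrapper is an added example, not part of the ITS submission and not OpenLDAP's own code. Since ldap.conf offers no directive that issues StartTLS by itself, one workaround for the request above is a wrapper (here assumed to be installed as ldapsearch-tls, or aliased over ldapsearch) that prepends -ZZ to every call. -ZZ rather than -Z is used deliberately: with -Z alone a failed StartTLS is only a warning and the search continues in clear text, whereas -ZZ aborts. The wrapper also skips -ZZ for ldaps:// URIs (StartTLS on an already-encrypted connection fails) and refuses ldaps:// on port 389, which is the hang seen above: a TLS handshake sent to the clear-text port. It assumes a single URI after -H; the ldap.conf URI list is assumed to be ldap:// as in the submission.

```sh
#!/bin/sh
# ldapsearch-tls (assumed name): force StartTLS on every ldapsearch invocation.
# Added example, not from the ITS submission or from OpenLDAP.

# Print the TLS flag to prepend for the URI the search will use.
# "" means the URI comes from ldap.conf (assumed ldap:// as in the report).
# Returns 1 for a URI that cannot be secured this way.
tls_args_for_uri() {
    uri=$1
    case "$uri" in
        "")                 echo "-ZZ" ;;   # ldap.conf URI: require StartTLS
        ldaps://*:389|ldaps://*:389/*)
            echo "refusing ldaps:// on port 389: TLS handshake against the clear-text port hangs" >&2
            return 1 ;;
        ldaps://*)          echo "" ;;      # already TLS; -ZZ would fail here
        ldap://*)           echo "-ZZ" ;;   # clear-text scheme: require StartTLS
        ldapi://*)          echo "" ;;      # local socket, no TLS involved
        *)                  echo "unsupported URI: $uri" >&2; return 1 ;;
    esac
}

# Extract the URI given as "-H uri" or "-Huri" from the argument list; empty if none.
uri_from_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -H)  printf '%s\n' "${2-}"; return 0 ;;
            -H*) printf '%s\n' "${1#-H}"; return 0 ;;
        esac
        shift
    done
    printf '\n'
}

# Build the final flag and exec the real ldapsearch with it prepended.
run_ldapsearch_tls() {
    uri=$(uri_from_args "$@") || exit 1
    tls=$(tls_args_for_uri "$uri") || exit 1
    # $tls is either "-ZZ" or empty; unquoted on purpose so an empty value vanishes.
    exec ldapsearch $tls "$@"
}

# Only dispatch when invoked under the wrapper's own name, so the functions
# above can also be sourced or tested without touching a directory server.
case "$(basename -- "$0")" in
    ldapsearch-tls) run_ldapsearch_tls "$@" ;;
esac
```

Put the script ahead of the real ldapsearch in PATH (or `alias ldapsearch=ldapsearch-tls` in the shell profile) and every search against the ldap.conf servers is forced through StartTLS, with TLS_REQCERT demand from ldap.conf still validating the server certificate.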