Craig said: [...]
I know about the "-x" option. But, once that happens, it looks like the passwords are sent in clear text. (I did some packet traces and that's what it looks like to me.)
That would only happen because an SSL or TLS connection is not being established. See slapd.conf(5) and ldap.conf(5) for information on forcing OpenLDAP to use SSL or TLS connections.
Using ldapsearch -d 7 -x -D <yourdn> -w <yourpassword> ... will show you if a successful SSL handshake is taking place. If it is not, then there will be no encryption.
I need to have passwords sent over an encrypted connection. "-x" doesn't give me that.
If you've set things up so that either an LDAP over SSL connection (ldaps) or an LDAP with TLS (StartTLS) connection is established then everything that is sent over the link, including passwords, is encrypted.
Unfortunately you've been handed a version of OpenLDAP that is years out of date. You will probably have better luck on this list (and ultimately with the software itself) if you upgrade to a current version of OpenLDAP. There are a number of newer packages available from various sources, including Symas. Failing that, you can contact your distro provider (Red Hat?).
Cheers,
Matthew Hardin Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
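To make Matthew's advice concrete, here is an added configuration sketch (not from his message and not the OpenLDAP project's own files) showing the server-side directives that force the encrypted path on a current release, the matching client ldap.conf, and the ldapsearch invocation that verifies it. The hostname, certificate paths and the bind DN are assumed placeholders.

```conf
# --- slapd.conf (server side); paths are assumed placeholders ---
# Certificate material slapd presents to clients for StartTLS / ldaps.
TLSCACertificateFile  /etc/openldap/certs/ca.crt
TLSCertificateFile    /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

# Weak: with no 'security' line, slapd accepts a simple bind on a plain
# ldap:// session, so 'ldapsearch -x -D ... -w ...' ships the password in
# cleartext exactly as seen in the packet trace.
#
# Corrected: refuse simple binds unless the session already has at least
# 128 bits of security strength, i.e. TLS has been negotiated. A client
# that forgets -Z is then rejected instead of silently leaking its password.
security simple_bind=128

# --- ldap.conf (client side, e.g. /etc/openldap/ldap.conf) ---
# URI and BASE are assumed values.
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
# CA used to verify the server certificate; 'demand' aborts the session
# if the certificate does not verify, rather than continuing unencrypted.
TLS_CACERT  /etc/openldap/certs/ca.crt
TLS_REQCERT demand

# --- client check, typed at a shell ---
# -ZZ issues StartTLS and fails the whole operation if it does not succeed
#     (a single -Z only attempts it and continues in the clear on failure).
# -W  prompts for the password instead of putting it on the command line.
# -d 7 prints the handshake so the TLS negotiation is visible, as above.
#
#   ldapsearch -x -ZZ -d 7 \
#       -D "uid=myuid,ou=People,dc=example,dc=com" -W \
#       -b dc=example,dc=com "(uid=myuid)"
#
# Equivalent using LDAP over SSL (ldaps, port 636) instead of StartTLS:
#
#   ldapsearch -x -d 7 -H ldaps://ldap.example.com \
#       -D "uid=myuid,ou=People,dc=example,dc=com" -W \
#       -b dc=example,dc=com "(uid=myuid)"
#
# With 'security simple_bind=128' in place, the same search run with -x but
# without -ZZ (or without ldaps://) is refused by the server, which is the
# behaviour you want: a misconfigured client cannot expose the password.
```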
Thanx for the thought, though. :)
Quanah Gibson-Mount wrote:
--On Tuesday, May 22, 2007 6:36 PM -0700 Craig craig5@pobox.com wrote:
I am running openldap 2.2.13. I am having a problem getting TLS to work.
I have done numerous searches, but most web pages seem to deal with LDAP/kerberos issues. We do not run kerberos. I am only trying to prevent passwords from being sent in the clear.
I have followed the instructions on this page:
http://www.ibm.com/developerworks/linux/library/l-openldap/
I am able to run ldapsearch with simple auth:
ldapsearch -x
but, am not able to do any of the following:
ldapsearch
ldapsearch -X u:myuid
ldapsearch -X dn:uid=myuid,ou=People,dc=example,dc=com
The error is (with "-d 255"): ... SASL/GSSAPI authentication started
You need to use a lower case x to disable GSSAPI. i.e.,
ldapsearch -x <whatever>
--Quanah
-- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration