Option -X is for SASL configuration. If you want TLS, perhaps you mean -ZZ?
I'm not sure what pages you're looking at that confuse TLS and Kerberos. They are separate topics; for example, the OpenLDAP Administrator's Guide has separate chapters for TLS and Kerberos. That may be a better source to use as reference as you work this out.
You might also want to consider upgrading to 2.3.35. TLS bugs were fixed quite recently. See http://www.openldap.org/software/release/changes.html for details.
On Tue, 22 May 2007, Craig wrote:
I am running OpenLDAP 2.2.13. I am having a problem getting TLS to work. I have done numerous searches, but most web pages seem to deal with LDAP/Kerberos issues. We do not run Kerberos. I am only trying to prevent passwords from being sent in the clear.
I have followed the instructions on this page:
http://www.ibm.com/developerworks/linux/library/l-openldap/
I am able to run ldapsearch with simple auth:
ldapsearch -x
but, am not able to do any of the following:
ldapsearch
ldapsearch -X u:myuid
ldapsearch -X dn:uid=myuid,ou=People,dc=example,dc=com
The error is (with "-d 255"):
...
SASL/GSSAPI authentication started
ldap_perror
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
It looks like the server is running fine. But, the logs don't really indicate what the problem is. (It seems to be more of a client issue, but still the server should give some hint in the logs.)
If you need more debugging info, just let me know.
Any help would be greatly appreciated.
TIA
Craig