Hello all,<br><br>I hope someone could help me -- I&#39;m trying for almost one whole day already and couldn&#39;t get LDAP over SSL to work, without success.<br><br>The objective is to setup a development box for testing purposes, so, the simpler the better, however, it must be as simple as needed only.<br>
<br>I&#39;ve followed this tutorial: <a href="http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate">http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate</a>. I&#39;m on Mac OSX Snow Leopard, though.<br>
<br>slapd version: @(#) $OpenLDAP: slapd 2.4.11 (Feb 11 2010 02:23:14) //Installed from MacPorts<br><br>I have generated a self-signed certificate using this command:<br><br><code>sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem 
-keyout server.pem -days 3650</code><br><br>I&#39;ve set the Common Name to &quot;localhost&quot;.<br><br>The configuration files look like this (non-relevanted parts snipped):<br><br>slapd.conf:<br><br>TLSCipherSuite HIGH:MEDIUM:-SSLv2<br>

TLSCACertificateFile  /Users/myuser/Sandbox/server.pem<br>
TLSCertificateFile    /Users/myuser/Sandbox/server.pem<br>
TLSCertificateKeyFile /Users/myuser/Sandbox/server.pem<br><br>TLSVerifyUser never<br><br>ldap.conf<br><br>BASE dc=mycompany,dc=com<br>URI  ldaps://localhost/<br>TLS_REQCERT never<br><br>I&#39;m starting slapd with the following command:<br>
<br>sudo /usr/libexec/slapd -f /opt/local/etc/openldap/slapd.conf -d1 -h &quot;ldaps:///&quot;<br><br>And testing the connection with the following:<br><br>ldapsearch  -H ldaps://localhost -d255<br><br>When running ldapsearch, I get the following as output:<br>
<br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">ldap_create<br>ldap_url_parse_ext(ldaps://localhost)<br>ldap_pvt_sasl_getmech<br>ldap_search<br>
put_filter: &quot;(objectclass=*)&quot;<br>put_filter: simple<br>put_simple_filter: &quot;objectclass=*&quot;<br>ldap_build_search_req ATTRS:<br>    supportedSASLMechanisms<br>ldap_send_initial_request<br>ldap_new_connection 1 1 0<br>
ldap_int_open_connection<br>ldap_connect_to_host: TCP localhost:636<br>ldap_new_socket: 3<br>ldap_prepare_socket: 3<br>ldap_connect_to_host: Trying ::1 636<br>ldap_connect_timeout: fd: 3 tm: -1 async: 0<br>TLS trace: SSL_connect:before/connect initialization<br>
tls_write: want=124, written=124<br>  0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 39 00 00   .z....Q... ..9..  <br>  0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............  <br>  0020:  00 00 33 00 00 32 00 00  2f 00 00 07 05 00 80 03   ..3..2../.......  <br>
  0030:  00 80 00 00 05 00 00 04  01 00 80 00 00 15 00 00   ................  <br>  0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08   ......@.........  <br>  0050:  00 00 06 04 00 80 00 00  03 02 00 80 0c e4 9d 98   ................  <br>
  0060:  c1 ad 36 d0 88 fb 6b 92  32 a0 ce 22 63 82 99 3b   ..6...k.2..&quot;c..;  <br>  0070:  3b 3d 03 03 38 05 d0 a1  30 2d 9f d2               ;=..8...0-..      <br>TLS trace: SSL_connect:SSLv2/v3 write client hello A<br>
tls_read: want=7, got=0<br><br>TLS: can&#39;t connect.<br>ldap_perror<br>ldap_sasl_interactive_bind_s: Can&#39;t contact LDAP server (-1)<br></blockquote><br>As you can see, it fails with the &quot;TLS: can&#39;t connect&quot; error message. Not that obvious. I then switch to the terminal that has slapd running on the fg, and I see the following:<br>
<br>(snip)<br>connection_get(13): got connid=0<br>connection_read(13): checking for input on id=0<br><b>connection_read(13): TLS accept failure error=-1 id=0, closing</b><br>connection_closing: readying conn=0 sd=13 for close<br>
connection_close: conn=0 sd=13<br><br>What I don&#39;t understand is why it is failing if I&#39;ve set both sides to ignore certificates. What am I doing wrong?<br><br>Marcelo.<br><br><br>