On Wednesday, 7 July 2010 11:17:27 Cedric Jeanneret wrote:
Hello,
I'm trying to configure an openldap with TLS so that all connections are encrypted.
Here's the relevant part of my slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSVerifyClient never
TLSCertificateFile /etc/ldap/ssl/server.crt
TLSCertificateKeyFile /etc/ldap/ssl/server.key
Here's my ldap.conf:
URI ldaps://my.server.ltd
BASE dc=my,dc=server,dc=ltd
LDAP_VERSION 3
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
ssl start_tls
ssl on
You should *either* use an ldaps:/// URI (for ldaps), or use an ldap:/// URI with 'ssl start_tls'. While you may have a working client configuration (probably trying ldaps), you'll probably confuse someone ....
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
While starting slapd with: slapd -h 'ldaps:///' -g openldap -u openldap -d 16383
You are only listening on ldaps, so unless you change your -h argument, you can't do START_TLS.
and trying to connect to it with: ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar" -S cn -h my.server.ltd -p 636 cn
So, you have just tried to do a START_TLS bind on the ldaps port, which is obviously not how things are supposed to work. Either use -H ldaps:///my.server.tld without -Z, or -H ldap://my.server.tld or -h my.server.tld *with -Z*.
Please note that ldaps (usually port 636) is different to START_TLS, you can't use both, you can not do START_TLS on the ldaps port, and you can't do ldaps on the normal ldap port (which is where you do START_TLS).
Since your slapd is only listening on ldaps, you should probably try with -H ldaps://my.server.tld (no -Z).
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Regards, Buchan
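The rules Buchan spells out above (ldaps and START_TLS are distinct; START_TLS only works against an ldap:// listener, ldaps only against an ldaps:// listener; 'ssl start_tls' belongs with an ldap:// URI) can be turned into a small consistency check. The following Python is an added example written for this page, not code from the thread or from the OpenLDAP project. It assumes ldapsearch's -H/-h/-p/-Z semantics as the thread describes them, treats 'ssl start_tls' in ldap.conf the way the thread does, and uses constructed sample inputs that mirror Cedric's configuration and the two corrected invocations.

```python
"""Check that an LDAP client's TLS choice matches what slapd listens on.

Added example for the ldaps-vs-START_TLS discussion above. The sample
configs below are constructed to mirror the thread, not copied from it.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# Constructed samples mirroring the thread (hypothetical host names).
SLAPD_H = "ldaps:///"                       # slapd -h argument from the thread
SAMPLE_LDAP_CONF = "URI ldaps://my.server.ltd\nBASE dc=my,dc=server,dc=ltd\nssl start_tls\n"
ORIGINAL_ARGS = ["-Z", "-h", "my.server.ltd", "-p", "636"]   # what Cedric ran
FIXED_ARGS = ["-H", "ldaps://my.server.tld"]                 # Buchan's suggestion


def listeners_from_h(h_arg):
    """Map port -> scheme for a slapd '-h' argument, e.g. 'ldap:/// ldaps:///'."""
    out = {}
    for u in h_arg.split():
        p = urlsplit(u)
        if p.scheme in DEFAULT_PORT:          # ldapi:/// has no TCP port; skip it
            out[p.port or DEFAULT_PORT[p.scheme]] = p.scheme
    return out


def client_target(argv):
    """Derive (scheme, port, start_tls) from ldapsearch-style arguments."""
    uri, port, start_tls = None, None, False
    i = 0
    while i < len(argv):
        a = argv[i]
        if a in ("-Z", "-ZZ"):
            start_tls = True
        elif a in ("-H", "-p") and i + 1 < len(argv):
            if a == "-H":
                uri = argv[i + 1]
            else:
                port = int(argv[i + 1])
            i += 1
        i += 1
    if uri:
        p = urlsplit(uri)
        return p.scheme, p.port or DEFAULT_PORT.get(p.scheme), start_tls
    # -h/-p means plain ldap:// framing on that port, whatever the number is
    return "ldap", port or DEFAULT_PORT["ldap"], start_tls


def check(listeners, scheme, port, start_tls):
    """Return the mismatches Buchan describes, or [] when the combination is consistent."""
    problems = []
    if scheme == "ldaps" and start_tls:
        problems.append("START_TLS requested over ldaps: the two are exclusive, drop -Z")
    served = listeners.get(port)
    if served is None:
        problems.append(f"nothing listens on port {port}: the client cannot contact the server")
    elif served != scheme:
        problems.append(f"client speaks {scheme} to port {port} but slapd serves {served} there")
    if scheme == "ldap" and start_tls is False:
        problems.append("plain ldap without START_TLS: the session would be unencrypted")
    return problems


def ldap_conf_problems(text):
    """Flag the 'ssl start_tls' + ldaps:// URI mix that the thread calls confusing."""
    uri, start_tls = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as '#SIZELIMIT 12'
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.upper(), val.strip().lower()
        if key == "URI":
            uri = val
        elif key == "SSL" and val == "start_tls":
            start_tls = True
    if uri and urlsplit(uri).scheme == "ldaps" and start_tls:
        return ["'ssl start_tls' combined with an ldaps:// URI: use one or the other"]
    return []


def diagnose(h_arg, argv):
    """Convenience wrapper: listener set + client args -> list of problems."""
    return check(listeners_from_h(h_arg), *client_target(argv))


if __name__ == "__main__":
    print("ldap.conf:", ldap_conf_problems(SAMPLE_LDAP_CONF))
    print("original ldapsearch:", diagnose(SLAPD_H, ORIGINAL_ARGS))
    print("fixed ldapsearch:", diagnose(SLAPD_H, FIXED_ARGS))
```

Running it reproduces the diagnosis from the thread: the original command is plain LDAP with START_TLS aimed at the ldaps port, the ldap.conf mixes 'ssl start_tls' with an ldaps:// URI, and the corrected -H ldaps:// invocation without -Z reports nothing.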