Interesting. Is "-q" implemented after 2.4.9? It's not supported by my installation.
My man page says: "-Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful."

Which is what I did.

Thanks,
-Jake


On Wed, Jul 30, 2008 at 12:37 PM, Patrick Patterson <ppatters@gmail.com> wrote:
Hello

On Wed, Jul 30, 2008 at 9:59 AM, J Davis <mrsalty0@gmail.com> wrote:
Greetings,

I'm testing an installation of openldap 2.4.9. I want to enforce TLS for all access to the directory.
My problem is that I cannot get the client to meet the ssf restrictions I have in place. The documentation I've seen on ssf and tls_ssf is very sparse so I don't really understand what it does.

I'm using self signed cert created using the openssl CA.sh script.

Relevant portions of the slapd.conf...

    TLSCACertificateFile /etc/ldap/ssl/cacert.pem
    TLSCertificateFile /etc/ldap/ssl/servercrt.pem
    TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
    ...
    access to *
        by tls_ssf=128 ssf=128 anonymous auth
        by tls_ssf=128 ssf=128 self write

Relevant portions of the ldap.conf...

    TLS_CACERT /etc/ldap/ssl/cacert.pem

With those ACLs in place I get the following error:

    $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b "uid=jake,ou=people,dc=example,dc=com"
    ldap_bind: Invalid credentials (49)

You may want to try adding -q as one of the options to your ldapsearch. It appears that the tls_ssf turns on STARTTLS, instead of LDAP over SSL and in order to use that, you need to tell the client to use starttls as well, which is what (if I read the man page correctly), -q does.

Have fun.

--
Personal Mail from Patrick Patterson
No company affiliation
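Editor's note: the following is an added example, not code from the thread or from OpenLDAP. It is a small model of how slapd matches the ssf= and tls_ssf= qualifiers of an ACL "by" clause like the one quoted above, so the thresholds in the slapd.conf fragment can be tried against different connection states without a server. Assumptions, labelled in the code: the overall ssf is the strongest of the TLS, SASL and transport factors; a qualifier is met when the connection's factor is at least the required value; a simple bind needs "auth" access to userPassword while the connection is still anonymous, and slapd reports invalidCredentials (49) when no clause grants it. The DN, the ACL lines and the 56/256-bit connection states are taken or constructed from the thread for illustration only.

```python
"""Model of slapd ACL ssf/tls_ssf matching (added example, not OpenLDAP code).

Assumptions made by this model:
  - overall ssf = max(tls_ssf, sasl_ssf, transport_ssf)
  - an ssf qualifier in a 'by' clause is met when the connection's value >= n
  - the first matching 'by' clause decides the access level
  - a simple bind needs 'auth' access to userPassword while the connection
    is still anonymous; when it is not granted, the bind fails with 49
"""
from dataclasses import dataclass, field

# slapd access levels, weakest to strongest
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SSF_KEYS = ("ssf", "tls_ssf", "sasl_ssf", "transport_ssf")


@dataclass
class Conn:
    """Security factors of one client connection (constructed for the model)."""
    tls_ssf: int = 0
    sasl_ssf: int = 0
    transport_ssf: int = 0
    bound_dn: str = ""  # empty string = anonymous

    @property
    def ssf(self) -> int:
        # assumption: overall ssf is the strongest single factor
        return max(self.tls_ssf, self.sasl_ssf, self.transport_ssf)


@dataclass
class ByClause:
    who: str        # "*", "anonymous", "users" or "self"
    access: str     # one of ACCESS_LEVELS
    ssf_req: dict = field(default_factory=dict)


def parse_by(line: str) -> ByClause:
    """Parse e.g. 'by tls_ssf=128 ssf=128 anonymous auth' into a ByClause.

    The ssf qualifiers may appear before or after the <who> token, as in the
    slapd.conf fragment from the thread.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "by":
        raise ValueError(f"not a 'by' clause: {line!r}")
    access = tokens[-1]
    if access not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {access!r}")
    who, reqs = None, {}
    for tok in tokens[1:-1]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key not in SSF_KEYS:
                raise ValueError(f"unsupported qualifier {key!r}")
            reqs[key] = int(val)
        elif who is None and tok in ("*", "anonymous", "users", "self"):
            who = tok
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if who is None:
        raise ValueError("missing <who> in 'by' clause")
    return ByClause(who, access, reqs)


def clause_matches(clause: ByClause, conn: Conn, target_dn: str) -> bool:
    """True when the <who> part and every ssf qualifier are satisfied."""
    who_ok = {
        "*": True,
        "anonymous": conn.bound_dn == "",
        "users": conn.bound_dn != "",
        "self": conn.bound_dn != "" and conn.bound_dn == target_dn,
    }[clause.who]
    if not who_ok:
        return False
    for key, needed in clause.ssf_req.items():
        have = conn.ssf if key == "ssf" else getattr(conn, key)
        if have < needed:  # assumption: qualifier means "at least n"
            return False
    return True


def granted_access(clauses, conn: Conn, target_dn: str) -> str:
    """Access level from the first matching clause; 'none' if nothing matches."""
    for clause in clauses:
        if clause_matches(clause, conn, target_dn):
            return clause.access
    return "none"


def simple_bind(clauses, conn: Conn, dn: str) -> int:
    """LDAP result code of a simple bind under these ACLs (password assumed correct).

    While the bind is in progress the connection is still anonymous, so the
    'auth' check runs with bound_dn empty. 0 = success, 49 = invalidCredentials.
    """
    pre_bind = Conn(conn.tls_ssf, conn.sasl_ssf, conn.transport_ssf, bound_dn="")
    level = granted_access(clauses, pre_bind, dn)
    if ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index("auth"):
        conn.bound_dn = dn
        return 0
    return 49  # assumption: slapd hides the ACL denial behind invalidCredentials


# The ACL from the quoted slapd.conf and the DN used in the ldapsearch above
THREAD_ACL = [
    parse_by("by tls_ssf=128 ssf=128 anonymous auth"),
    parse_by("by tls_ssf=128 ssf=128 self write"),
]
JAKE = "uid=jake,ou=people,dc=example,dc=com"


def demo() -> dict:
    """Bind outcome for three constructed connection states."""
    plaintext = Conn()                 # no StartTLS at all
    strong_tls = Conn(tls_ssf=256)     # e.g. an AES-256 cipher suite
    weak_tls = Conn(tls_ssf=56)        # a cipher below the 128-bit threshold
    return {
        "plaintext": simple_bind(THREAD_ACL, plaintext, JAKE),
        "tls256": simple_bind(THREAD_ACL, strong_tls, JAKE),
        "tls56": simple_bind(THREAD_ACL, weak_tls, JAKE),
        # after a successful bind the 'self write' clause applies
        "after_bind_self": granted_access(THREAD_ACL, strong_tls, JAKE),
    }


if __name__ == "__main__":
    print(demo())
```

The model only covers the ACL side of a bind: it says nothing about certificate verification (TLS_CACERT, the self-signed CA) or about which cipher suite a given client and server actually negotiate, both of which also decide whether tls_ssf reaches 128 on a real connection.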