On Fri, 20 May 2011 at 01:04:52 +0200, Buchan Milne wrote:
On Friday, 20 May 2011 11:50:05 David Dumortier wrote:
Hi everybody,
I try to setup a slapd with TLS.
Do you mean START_TLS on ldap://, or ldaps://? I don't think you can test START_TLS on ldap:// with gnutls-cli-debug.
ldaps:///

netstat -lataupe :
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 0 264360 29866/slapd
[...]
With what command-line arguments/options (specifically, what values provided to -h option)?
cat /etc/default/slapd :
SLAPD_SERVICES="ldapi:/// ldaps:///"
but when I try a debug I have:
# gnutls-cli-debug -p 636 myip
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... no
Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
Before doing this, did you verify that slapd is actually listening for ldaps on port 636?
I suspect you are running ldap:// on port 636.
ldapsearch -W -H ldap://myip:636/
ldap_result: Can't contact LDAP server (-1)

ldapsearch -W -H ldaps://myip/
TLS: can't connect: Error in the push function..
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -ZZW -H ldaps://myip/
TLS: can't connect: Error in the push function..
ldap_start_tls: Can't contact LDAP server (-1)
additional info: Error in the push function.
Here is my slapd conf :
olcTLSVerifyClient: demand
olcTLSCertificateFile: /etc/ldap/ssl/mycsr.csr
olcTLSCertificateKeyFile: /etc/ldap/ssl/mykey.key
Regards, Buchan
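Editor's note, added to this thread and not part of either poster's message: the quoted configuration points olcTLSCertificateFile at a file named like a certificate signing request (.csr). slapd needs the signed X.509 certificate there; a CSR will not load, TLS setup fails, and ldaps:// then behaves exactly as shown above (the listener is up, but no TLS version is ever negotiated). A second caveat: olcTLSVerifyClient: demand makes slapd reject any client that does not present a certificate, so ldapsearch will also need TLS_CERT/TLS_KEY set in the user's ~/.ldaprc once the server side is fixed. The script below is an added example of a pre-flight check to run before (re)starting slapd: it classifies the first PEM block in each file by its header, which is enough to catch a CSR or a key in the certificate slot. The file names mycsr.csr, mycert.pem and mykey.key and their contents are constructed here for illustration (the PEM bodies are placeholders, not real DER).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check that the files
# named in olcTLSCertificateFile / olcTLSCertificateKeyFile are of the
# kind slapd expects before restarting it.

# pem_kind FILE: print the type of the first PEM block in FILE:
# certificate, csr, private-key, other, or not-pem (empty/missing/non-PEM).
pem_kind() {
    # First "-----BEGIN ...-----" line; "|| true" keeps set -e from aborting
    # on a missing file (sed's failure is reported as not-pem instead).
    hdr=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null || true)
    case "$hdr" in
        '-----BEGIN CERTIFICATE-----')                 echo certificate ;;
        '-----BEGIN CERTIFICATE REQUEST-----'|\
        '-----BEGIN NEW CERTIFICATE REQUEST-----')     echo csr ;;
        '-----BEGIN '*'PRIVATE KEY-----')              echo private-key ;;
        '')                                            echo not-pem ;;
        *)                                             echo other ;;
    esac
}

# check_slapd_cert CERTFILE KEYFILE: return 0 when CERTFILE holds a
# certificate and KEYFILE a private key; otherwise report on stderr
# what was found and return 1.
check_slapd_cert() {
    ck=$(pem_kind "$1")
    kk=$(pem_kind "$2")
    if [ "$ck" = certificate ] && [ "$kk" = private-key ]; then
        return 0
    fi
    echo "olcTLSCertificateFile $1 is '$ck' (need certificate);" \
         "olcTLSCertificateKeyFile $2 is '$kk' (need private-key)" >&2
    return 1
}

# Constructed sample files: headers are real PEM labels, bodies are
# placeholders. mycsr.csr/mykey.key mirror the names in the quoted config;
# mycert.pem is an assumed name for the signed certificate.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf -- '-----BEGIN CERTIFICATE REQUEST-----\nAAAA\n-----END CERTIFICATE REQUEST-----\n' > "$tmp/mycsr.csr"
printf -- '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n'                 > "$tmp/mycert.pem"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n'         > "$tmp/mykey.key"

# The quoted configuration: a CSR in the certificate slot is rejected.
check_slapd_cert "$tmp/mycsr.csr" "$tmp/mykey.key" \
    || echo "refusing: fix olcTLSCertificateFile before restarting slapd"

# The corrected pairing: signed certificate plus its private key.
check_slapd_cert "$tmp/mycert.pem" "$tmp/mykey.key" \
    && echo "certificate/key pair looks loadable"
```

The header check is deliberately cheap and dependency-free; once it passes, the usual next step is to confirm with openssl x509 -noout -modulus / openssl rsa -noout -modulus that the certificate and key actually belong together, and only then rerun gnutls-cli-debug -p 636 against the restarted slapd.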