On Tuesday 29 January 2008 19:18:15 Carr, Chris wrote:
It seems that no matter what you select here, if the port is 389, it does STARTTLS:
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
This is encouraging - I guess you are not using the same version of slapd as I am? (I'm using 2.4.7, which apparently has a bug with STARTTLS, at least in Debian it does).
I don't use Debian, and on production platforms I don't use the packages supplied by the distro, but the rebuilds (which are available at http://staff.telkomsa.net/packages/) of the Mandriva package, for which I am the maintainer. The output in my reply was from my Mandriva 2008.0 x86_64, running the 2.3.38 package supplied with the distro. I will try and test the 2.4.7 packages sometime later today.
What log level are you choosing to get this output? Is it just "conns"?
stats (256).
However, if you select 636 as the port, it greys out the "Use secure connection" drop-down box, and does ldaps.
Yes.
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
(Can't get it to work right now with ldaps ...).
Note that this may simply be due to me using self-signed certs ...
Me neither, though I had assumed that was password-related.
Note however that evo caches LDAP connections, it seems you need to restart it for your config changes to take effect.
Ah, I didn't know that - thanks.
And, it will only prompt you for the password once the connection is up ...
Hmmm. If I understand the output correctly, it's rejecting the connection before asking for a password. I will have to investigate this again.
Could somebody explain to me how to tell slapd to accept secure connections on port 389?
start slapd with no -h flag, or -h "ldaps:/// ldap:///" so it listens on port 636 for ldaps connections, and 389 for ldap connections (which could use START_TLS to upgrade).
I just have -h "ldaps:///" - I presumed the ldap:/// was covered automatically as the default.
No, logically there should be a way to prevent the use of a port which could be used by some other application ...
Sorry if this is a really stupid question, but according to the docs the "startTLS" process should be automatic if a secure connection comes in on port 389. Something is obviously not quite right.
Hmm, SSL/TLS isn't really automatic ...
Sorry, I meant that the connection is upgraded to SSL/TLS if the STARTTLS command is sent by the client (which you have verified Evolution does).
Thanks muchly for your help. I will do some more testing with Evolution until I lose the will to live once again.
I am now even getting errors with Outlook. It seems to connect ok, but whenever I do a search it says "The Properties dialog box could not be displayed. To display the Properties dialog box, you must select exactly one item." - I don't know what this is about, I get the same message whether my search is gibberish (should return no matches), unique (should return a single match) or general (should return multiple matches). No results are returned. It seems to be a completely incorrect error message.
It seems Outlook doesn't like self-signed certs, so I'll look at this later once I've had time to sort out certificates for these boxes.
Regards, Buchan
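As an added example (not part of the thread above, and not OpenLDAP's own code), here is a small Python script that reads slapd stats-level output (loglevel 256, the level quoted in the thread) and reports, per connection, whether TLS was actually established via STARTTLS on 389 or ldaps on 636, whether the ldaps handshake failed, and whether any operation ran in the clear. The sample log embedded in the script is constructed from the line formats quoted in the thread; the extra cleartext BIND line and its DN are assumptions added to show the cleartext case, and the handling of line types not shown in the thread is likewise an assumption about the stats format.

```python
import re

# Constructed sample, modelled on the slapd stats (loglevel 256) lines quoted
# in the thread.  conn=15's BIND line is an assumption added to exercise the
# "operation sent in the clear" case; the DN is made up.
SAMPLE_LOG = """\
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
"""

# "slapd[pid]: conn=N <rest>"; everything after the conn id is parsed below.
LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
# "ACCEPT from IP=client:port (IP=listener:port)"
ACCEPT_RE = re.compile(
    r"ACCEPT from IP=(?P<client>\S+) \(IP=(?P<listener>[\d.]+):(?P<port>\d+)\)"
)


def new_conn():
    return {"port": None, "client": None, "starttls": False,
            "tls": False, "cleartext_ops": [], "closed": None}


def parse_slapd_stats(log_text):
    """Build a per-connection TLS state table from stats-level slapd log text."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(int(m.group("conn")), new_conn())
        rest = m.group("rest")
        a = ACCEPT_RE.search(rest)
        if a:
            c["port"] = int(a.group("port"))
            c["client"] = a.group("client")
        elif "TLS established" in rest:
            c["tls"] = True
        elif rest.startswith("fd=") and " closed" in rest:
            # "fd=N closed" is a normal close; a parenthesised reason follows otherwise
            reason = rest.split("closed", 1)[1].strip().strip("()")
            c["closed"] = reason or "normal"
        elif rest.startswith("op="):
            op = rest.split()[1]          # STARTTLS, BIND, SRCH, RESULT, ...
            if op == "STARTTLS":
                c["starttls"] = True
            elif op != "RESULT" and not c["tls"]:
                # A request that went over the socket before TLS was up.
                c["cleartext_ops"].append(op)
    return conns


def classify(c):
    """One-word verdict per connection, mirroring the cases seen in the thread."""
    if c["tls"]:
        return "ldaps" if c["port"] == 636 else "starttls"
    if c["closed"] and c["closed"] != "normal":
        return "failed: " + c["closed"]
    if c["cleartext_ops"]:
        return "cleartext: " + ",".join(c["cleartext_ops"])
    return "no-tls-no-ops"


def report(log_text):
    """Return {conn_id: (listener_port, verdict)} for every connection seen."""
    return {cid: (c["port"], classify(c))
            for cid, c in parse_slapd_stats(log_text).items()}


if __name__ == "__main__":
    for cid, (port, verdict) in sorted(report(SAMPLE_LOG).items()):
        print(f"conn={cid} port={port} {verdict}")
```

Run against a real syslog extract, any line reported as "cleartext: BIND" means a client sent credentials on 389 without first upgrading with STARTTLS, which is the case the thread is trying to rule out; a "failed: TLS negotiation failure" on 636 is the self-signed certificate symptom quoted above, and is worth confirming with a client that can show the certificate chain before blaming the application.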