On Tuesday 29 January 2008 19:18:15 Carr, Chris wrote:
> It seems that no matter what you select here, if the port is
> 389, it does STARTTLS:
>
> Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from
> IP=127.0.0.1:53243 (IP=0.0.0.0:389)
> Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
> Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid=
> err=0 text= Jan 29 17:59:16 seaknight slapd[840]: conn=0
> fd=15 TLS established tls_ssf=256 ssf=256
This is encouraging - I guess you are not using the same version of
slapd as I am? (I'm using 2.4.7, which apparently has a bug with
STARTTLS, at least in Debian it does).
I don't use Debian, and on production platforms I don't use the packages
supplied by the distro, but the rebuilds (which are available at
http://staff.telkomsa.net/packages/) of the Mandriva package, for which I am
the maintainer. The output in my reply was from my Mandriva 2008.0 x86_64,
running the 2.3.38 package supplied with the distro. I will try and test the
2.4.7 packages sometime later today.
What log level are you choosing to get this output? Is it just
"conns"?
stats (256).
> However, if you select 636 as the port, it greys out the
"Use secure
> connection" drop-down box, and does ldaps.
Yes.
> Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from
> IP=127.0.0.1:54153 (IP=0.0.0.0:636)
> Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed
> (TLS negotiation
> failure)
> Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from
> IP=127.0.0.1:45074 (IP=0.0.0.0:389)
>
> (Can't get it to work right right now with ldaps ...).
Note that this may simply be due to me using self-signed certs ...
Me neither, though I had assumed that was password-related.
> Note however that evo caches LDAP connections, it seems you
> need to restart it for your config changes to take effect.
Ah, I didn't know that - thanks.
> And, it will only prompt you for the password once the
> connection is up ...
Hmmm. If I understand the output correctly, it's rejecting the
connection before asking for a password. I will have to investigate this
again.
> > Could somebody explain to me how to tell slapd to accept secure
> > connections on port 389?
>
> start slapd with with no -h flag, or -h "ldaps:/// ldap:///"
> so it listens on port 636 for ldaps connections, and 389 for
> ldap connections (which could use START_TLS to upgrade).
I just have -h "ldaps:///" - I presumed the ldap:/// was covered
automatically as the default.
No, logically there should be a way to prevent the use of a port which could
be used by some other application ...
> > Sorry if this is a really stupid question, but according
to
> > the docs the "startTLS" process should be automatic if a
> > secure connection comes in on port 389. Something is
> > obviously not quite right.
>
> Hmm, SSL/TLS isn't really automatic ...
Sorry, I meant that the connection is upgraded to SSL/TLS if the
STARTTLS command is sent by the client (which you have verified
Evolution does).
Thanks muchly for your help. I will do some more testing with Evolution
until I lose the will to live once again.
I am now even getting errors with Outlook. It seems to connect ok, but
whenever I do a search it says "The Properties dialog box could not be
displayed. To display the Properties dialog box, you must select exactly
one item." - I don't know what this is about, I get the same message
whether my search is gibberish (should return no matches), unique
(should return a single match) or general (should return multiple
matches). No results are returned. It seems to be a completely incorrect
error message.
It seems Outlook doesn't like self-signed certs, so I'll look at this later
once I've had time to sort out certificates for these boxes.
Regards,
Buchan