Thanks Ryan and Udai. I don't really have to use ldaps. I understand now that the documentation at https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls is for StartTLS and I can use that.
LDAPTLS_CACERT=/etc/ssl/certs/vijay_slapd_cert.pem ldapwhoami -H ldap://localhost -x -ZZ gives:

ldap_start_tls: Connect error (-11)
	additional info: A TLS packet with unexpected length was received.

With '-d1' I get the following, which looks like it can connect but the subsequent communication fails:
ldap_url_parse_ext(ldap://localhost)
ldap_create
ldap_url_parse_ext(ldap://localhost:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f2c70eef160 msgid 1
wait4msg ld 0x7f2c70eef160 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f2c70eef160 msgid 1 all 1
** ld 0x7f2c70eef160 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Sep  8 07:56:01 2014

** ld 0x7f2c70eef160 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f2c70eef160 request count 1 (abandoned 0)
** ld 0x7f2c70eef160 Response Queue:
   Empty
  ld 0x7f2c70eef160 response count 0
ldap_chkResponseList ld 0x7f2c70eef160 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f2c70eef160 NULL
ldap_int_select
read1msg: ld 0x7f2c70eef160 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7f2c70eef160 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f2c70eef160 0 new referrals
read1msg:  mark request completed, ld 0x7f2c70eef160 msgid 1
request done: ld 0x7f2c70eef160 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Connect error (-11)
	additional info: A TLS packet with unexpected length was received.
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
On Mon, Sep 8, 2014 at 7:13 AM, Ryan Tandy ryan@nardis.ca wrote:
On 07/09/14 10:28 PM, Vijay Ganesan wrote:
But I can't seem to connect using ldaps://localhost:636 from the Apache Directory Studio client. I get an "Error while opening connection - Cannot connect on the server: Connection refused" error. I can connect fine using ldap://localhost:389.
Like Udai wrote, ldaps is deprecated, and if possible you should use STARTTLS on the LDAP port (389) instead. But if you really need ldaps, then edit /etc/default/slapd, add ldaps:/// to the SLAPD_SERVICES line, and restart slapd.
What diagnostics can be run to figure out if TLS is working correctly?
LDAPTLS_CACERT=/path/to/ca.pem ldapwhoami -H ldap://server -x -ZZ
Add '-d1' to see some debugging information, including more detailed info from the TLS library.
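Added example, not code from this thread or from OpenLDAP: a small POSIX shell helper that reads the '-d1' output of the ldapwhoami diagnostic above and reports at which layer the StartTLS attempt broke. The useful distinction in Vijay's trace is that the StartTLS extended operation itself came back with res_errno 0 (the server accepted it on port 389) and only the TLS handshake that follows failed, which points at the server's TLS setup (certificate, key, CA) rather than at the LDAP listener. The sample log embedded in the script is a constructed, trimmed imitation of that trace; the function and classification names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Triage the debug output of
#   LDAPTLS_CACERT=/path/to/ca.pem ldapwhoami -H ldap://server -x -ZZ -d1 2>&1 | classify_starttls_log
# and print one of:
#   tcp-connect-failed     no LDAP connection was established at all
#   starttls-rejected      the server answered the StartTLS extended operation with an error
#   tls-handshake-failed   the server accepted StartTLS (resultCode 0), then the TLS handshake broke
#   starttls-ok            neither the LDAP layer nor the TLS layer reported a problem
classify_starttls_log() {
    log=$(cat)
    has() { printf '%s\n' "$log" | grep -q -- "$1"; }

    if ! has 'ldap_open_defconn: successful'; then
        echo tcp-connect-failed
    elif has 'message type extended-result' && has 'res_errno: 0,'; then
        # LDAP layer accepted StartTLS; anything that fails after this is the TLS handshake.
        if has "TLS: can't connect"; then
            echo tls-handshake-failed
        else
            echo starttls-ok
        fi
    else
        echo starttls-rejected
    fi
}

# Constructed sample: a trimmed imitation of '-d1' output, not a real capture.
sample_debug_output() {
    cat <<'EOF'
ldap_connect_to_host: TCP localhost:389
ldap_open_defconn: successful
read1msg: ld 0x7f2c70eef160 msgid 1 message type extended-result
res_errno: 0, res_error: <>, res_matched: <>
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_start_tls: Connect error (-11)
EOF
}

# Run against the constructed sample; prints tls-handshake-failed.
sample_debug_output | classify_starttls_log
```

When the result is tls-handshake-failed, the next place to look is the server side: slapd's own log for the TLS error it hit, and whether the certificate and key files it is configured with are readable by the slapd user and signed by the CA the client passes in LDAPTLS_CACERT.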