Thanks Ryan and Udai. Don't really have to use ldaps. I understand now that the documentation is for StartTLS an can use that.

LDAPTLS_CACERT=/etc/ssl/certs/vijay_slapd_cert.pem ldapwhoami -H ldap://localhost -x -ZZ
ldap_start_tls: Connect error (-11)
additional info: A TLS packet with unexpected length was received.

with '-d1' I get the following which looks like it can connect but subsequent communication fails:

ldap_new_connection 1 1 0
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f2c70eef160 msgid 1
wait4msg ld 0x7f2c70eef160 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f2c70eef160 msgid 1 all 1
** ld 0x7f2c70eef160 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Sep  8 07:56:01 2014

** ld 0x7f2c70eef160 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f2c70eef160 request count 1 (abandoned 0)
** ld 0x7f2c70eef160 Response Queue:
  ld 0x7f2c70eef160 response count 0
ldap_chkResponseList ld 0x7f2c70eef160 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f2c70eef160 NULL
read1msg: ld 0x7f2c70eef160 msgid 1 all 1
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7f2c70eef160 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f2c70eef160 0 new referrals
read1msg:  mark request completed, ld 0x7f2c70eef160 msgid 1
request done: ld 0x7f2c70eef160 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ber_scanf fmt ({eAA) ber:
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_start_tls: Connect error (-11)
additional info: A TLS packet with unexpected length was received.
ldap_free_connection 1 1
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

On Mon, Sep 8, 2014 at 7:13 AM, Ryan Tandy <> wrote:
On 07/09/14 10:28 PM, Vijay Ganesan wrote:
But I can't seem to connect using ldaps://localhost:636 using Apache
Directory Studio client. I get a "Error while opening connection -
Cannot connect on the server: Connection refused" error.
I can connect fine using ldap://localhost:389.

Like Udai wrote, ldaps is deprecated, and if possible you should use STARTTLS on the LDAP port (389) instead. But if you really need ldaps, then edit /etc/default/slapd, add ldaps:/// to the SLAPD_SERVICES line, and restart slapd.

What diagnostics can be run to figure out if TLS is working correctly?

LDAPTLS_CACERT=/path/to/ca.pem ldapwhoami -H ldap://server -x -ZZ

Add '-d1' to see some debugging information, including more detailed info from the TLS library.

- Vijay