Thanks Ryan and Udai. Don't really have to use ldaps. I understand now that the documentation is for StartTLS an can use that.

LDAPTLS_CACERT=/etc/ssl/certs/vijay_slapd_cert.pem ldapwhoami -H ldap://localhost -x -ZZ

gives:

ldap_start_tls: Connect error (-11)

additional info: A TLS packet with unexpected length was received.

with '-d1' I get the following which looks like it can connect but subsequent communication fails:

ldap_url_parse_ext(ldap://localhost)

ldap_create

ldap_url_parse_ext(ldap://localhost:389/??base)

ldap_extended_operation_s

ldap_extended_operation

ldap_send_initial_request

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_host: TCP localhost:389

ldap_new_socket: 3

ldap_prepare_socket: 3

ldap_connect_to_host: Trying 127.0.0.1:389

ldap_pvt_connect: fd: 3 tm: -1 async: 0

ldap_open_defconn: successful

ldap_send_server_request

ber_scanf fmt ({it) ber:

ber_scanf fmt ({) ber:

ber_flush2: 31 bytes to sd 3

ldap_result ld 0x7f2c70eef160 msgid 1

wait4msg ld 0x7f2c70eef160 msgid 1 (infinite timeout)

wait4msg continue ld 0x7f2c70eef160 msgid 1 all 1

** ld 0x7f2c70eef160 Connections:

* host: localhost port: 389 (default)

refcnt: 2 status: Connected

last used: Mon Sep 8 07:56:01 2014

** ld 0x7f2c70eef160 Outstanding Requests:

* msgid 1, origid 1, status InProgress

outstanding referrals 0, parent count 0

ld 0x7f2c70eef160 request count 1 (abandoned 0)

** ld 0x7f2c70eef160 Response Queue:

Empty

ld 0x7f2c70eef160 response count 0

ldap_chkResponseList ld 0x7f2c70eef160 msgid 1 all 1

ldap_chkResponseList returns ld 0x7f2c70eef160 NULL

ldap_int_select

read1msg: ld 0x7f2c70eef160 msgid 1 all 1

ber_get_next

ber_get_next: tag 0x30 len 12 contents:

read1msg: ld 0x7f2c70eef160 msgid 1 message type extended-result

ber_scanf fmt ({eAA) ber:

read1msg: ld 0x7f2c70eef160 0 new referrals

read1msg: mark request completed, ld 0x7f2c70eef160 msgid 1

request done: ld 0x7f2c70eef160 msgid 1

res_errno: 0, res_error: <>, res_matched: <>

ldap_free_request (origid 1, msgid 1)

ldap_parse_extended_result

ber_scanf fmt ({eAA) ber:

ldap_parse_result

ber_scanf fmt ({iAA) ber:

ber_scanf fmt (}) ber:

ldap_msgfree

TLS: can't connect: A TLS packet with unexpected length was received..

ldap_err2string

ldap_start_tls: Connect error (-11)

additional info: A TLS packet with unexpected length was received.

ldap_free_connection 1 1

ldap_send_unbind

ber_flush2: 7 bytes to sd 3

ldap_free_connection: actually freed

On Mon, Sep 8, 2014 at 7:13 AM, Ryan Tandy <ryan@nardis.ca> wrote:

On 07/09/14 10:28 PM, Vijay Ganesan wrote:

But I can't seem to connect using ldaps://localhost:636 using Apache
Directory Studio client. I get a "Error while opening connection -
Cannot connect on the server: Connection refused" error.
I can connect fine using ldap://localhost:389.

Like Udai wrote, ldaps is deprecated, and if possible you should use STARTTLS on the LDAP port (389) instead. But if you really need ldaps, then edit /etc/default/slapd, add ldaps:/// to the SLAPD_SERVICES line, and restart slapd.

What diagnostics can be run to figure out if TLS is working correctly?

LDAPTLS_CACERT=/path/to/ca.pem ldapwhoami -H ldap://server -x -ZZ

Add '-d1' to see some debugging information, including more detailed info from the TLS library.

- Vijay