Patrick Patterson writes:
> On Wed, Jul 30, 2008 at 9:59 AM, J Davis <mrsalty0@gmail.com> wrote:
Pet peeve: While it doesn't help your problem, you should in addition to this:

>> access to *
>>         by tls_ssf=128 ssf=128 anonymous auth
>>         by tls_ssf=128 ssf=128 self write

use something like 'security simple_bind=128 update_ssf=128'. This gives the result code confidentialityRequired instead of invalidCredentials when the ssf is insufficient. Thus users who did not use TLS don't get the impression that they just sent the wrong password - and maybe then send the unprotected password again.
> You may want to try adding -q as one of the options to your ldapsearch.
No, OpenLDAP ldapsearch has no -q option. There is a -Q option, but that's for SASL, which is something other than SSL.
> It appears that the tls_ssf turns on STARTTLS, instead of LDAP over SSL, and in order to use that, you need to tell the client to use starttls as well, which is what (if I read the man page correctly) -q does.
No. STARTTLS is turned on in the client, not the server. And whether you use SSL aka TLS via STARTTLS or ldaps:// is irrelevant for the tls_ssf access control clause.
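Added example, not from anyone in this thread: a slapd.conf fragment that combines the access clauses quoted above with the 'security' directive recommended in the reply. The certificate paths are placeholders.

```conf
# Added example, not from the thread. Certificate paths are placeholders.
TLSCACertificateFile   /etc/ldap/ca.pem
TLSCertificateFile     /etc/ldap/server.pem
TLSCertificateKeyFile  /etc/ldap/server.key

# Global: refuse simple binds and updates unless the session SSF is >= 128.
# A client that binds in the clear now gets confidentialityRequired (13)
# instead of invalidCredentials (49), so it learns that TLS is missing
# rather than assuming the password was wrong and resending it unprotected.
security simple_bind=128 update_ssf=128

# Access control still decides what a TLS-protected session may do.
# Without the 'security' line, a cleartext bind matches none of these
# clauses, gets no 'auth' access to the password, and fails as if the
# credentials were wrong.
access to *
        by tls_ssf=128 ssf=128 anonymous auth
        by tls_ssf=128 ssf=128 self write
```

Clients then have to bring the session up to SSF 128 themselves, either with STARTTLS (ldapsearch -ZZ ...) or by connecting to an ldaps:// URI; either one satisfies the tls_ssf clauses and the security directive.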