Hi Dieter,

I understand. But my concern is if ssl was not enabled properly, then I should not be able to use -ZZ or ldaps url in commands like ldapsearch. Please correct me if I am wrong.

If ssl is enabled already, then I am unable to understand why ldaps doesn't work from apache point of view.


On Thu, Sep 17, 2009 at 5:27 PM, Dieter Kluenter <dieter@dkluenter.de> wrote:
Asimananda Mohanty <asimananda.mohanty@gmail.com> writes:

> Hi Dieter,
> I already have the certificates and here is my ldap.conf :
> TLS_REQCERT demand
> TLS_CACERT /etc/ssl/certs/ca-cert.pem
> With these settings, it's working fine. As I already mentioned, ldapsearch
> command runs fine with "ldaps" url and also with "ldap" url WITH "-ZZ" option.
> I think that indicates that TLS is enabled on the server.
> Is there any difference in behavior when slapd used libgnutls and when it uses
> libssl ? Or they both serve the same purpose (this was my idea till now)?
> Does apache expect slapd to use libssl and not libgnutls ?

Apache doesn't know anything about slapd, all it does is, to connect
to a defined port and tries to verify the certificate presented and
establish a secured ldap session. If apache fails to verify the
certificate or is otherwise not able to establish a secured ldap
session it will not connect, unless the configuration allows to
establish an unsecured session.


Dieter Klünter | Systemberatung
sip: +49.180.1555.7770535