Hi,
On Thu, 3 Oct 2013, Axel Grosse wrote:
Hi Ben, Dieter, can we focus on LDAPS, because TLS1 is not an option, and even if LDAPS is deprecated I should be able to configure it ..

TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
TLSVerifyClient never

Are these entries in the slapd.conf suitable for LDAPS? If not, what's missing?

start the server with /usr/sbin/slapd -h ldap://192.168.30.169:636 -u ldap
In that case you need ldaps:// and not ldap:// in the URL. Now you are starting plaintext LDAP on port 636.
Please just start slapd without any host specification and test using openssl s_client -connect target:636
After that works start trimming down the ports slapd binds to.
Greetings Christian
thanks a lot Axel
AXEL GROSSE Principal Solution Architect, Sales Solution Center, Axway P: +61-405-995-768 828 Pacific Highway Gordon, 2072 NSW agrosse@axway.com http://www.axway.com
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter Klünter
Sent: Thursday, 3 October 2013 6:46 PM
To: openldap-technical@openldap.org
Subject: Re: Openldap server with TLS not working

On Thu, 3 Oct 2013 00:16:28 +0000, Axel Grosse agrosse@axway.com wrote:

Hi Ben, thanks for the comment. I agree with you that TLS usage should be preferred, but the client that is connecting is only capable of LDAPS ... he has not implemented a TLS client yet.
But can you please take a look at the error I am facing:

openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt
CONNECTED(00000003)
710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Any idea what can cause this?
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of btb
Sent: Wednesday, 2 October 2013 10:57 PM
To: openldap-technical@openldap.org
Subject: Re: Openldap server with TLS not working

On 2013.10.02 07.29, Axel Grosse wrote:

when I test on the server itself ..
openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt
CONNECTED(00000003)
710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
ldaps [port 636] is deprecated. use starttls with the standard port [389]. to test, just use ldapsearch [see the reference to -Z in the man page]
You are connecting to port 389, but s_client is not able to initiate an LDAP StartTLS session (only SMTP and IMAP), so you have to connect with ldaps on port 636.
-Dieter
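Added example, not from the thread and not OpenLDAP's own tooling: a small POSIX shell checklist that catches the two mistakes discussed above before anyone opens a socket. It checks that the listener URLs handed to "slapd -h" include an ldaps:// URL and that nothing on port 636 uses the plaintext ldap:// scheme, checks that slapd.conf carries the three TLS certificate directives, and builds the openssl s_client command for port 636. The host, paths and config fragment are the ones quoted in the thread; the config is written to a temporary file as constructed input, and nothing is contacted on the network.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for an LDAPS
# slapd setup. Host, paths and the slapd.conf fragment are taken from the
# thread and are constructed sample input here.

# Return 0 if the space-separated listener URLs contain at least one
# ldaps:// URL and no ldap:// URL bound to port 636. Each problem is
# reported on stderr so the caller sees what to change.
check_listener_urls() {
    urls="$1"
    ok=1
    has_ldaps=0
    for u in $urls; do
        case "$u" in
            ldaps://*)
                has_ldaps=1 ;;
            ldap://*:636|ldap://*:636/*)
                # This is the thread's mistake: plaintext LDAP on the LDAPS port,
                # which makes an s_client handshake fail immediately.
                echo "plaintext ldap:// bound to 636, use ldaps://: $u" >&2
                ok=0 ;;
            ldap://*|ldapi://*)
                ;;
            *)
                echo "unrecognised listener URL: $u" >&2
                ok=0 ;;
        esac
    done
    if [ "$has_ldaps" -ne 1 ]; then
        echo "no ldaps:// listener configured" >&2
        ok=0
    fi
    [ "$ok" -eq 1 ]
}

# Return 0 if the given slapd.conf names a CA file, a server certificate
# and a server key; these three are what LDAPS needs at minimum.
check_tls_directives() {
    conf="$1"
    missing=0
    for d in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        if ! grep -q "^[[:space:]]*$d[[:space:]]" "$conf"; then
            echo "$conf: missing $d" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# Print the verification command from the thread, corrected to port 636:
# s_client speaks TLS from the first byte, so it can only talk to ldaps://.
ldaps_probe_cmd() {
    printf 'openssl s_client -connect %s:636 -showcerts -CAfile %s\n' "$1" "$2"
}

# Constructed slapd.conf fragments: the thread's directives, and a copy
# with the key directive removed to show a failing check.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
TLSVerifyClient never
EOF
BAD_CONF=$(mktemp)
grep -v '^TLSCertificateKeyFile' "$GOOD_CONF" > "$BAD_CONF"

# Walk-through: the URL from the thread fails, a corrected listener set passes.
check_listener_urls "ldap://192.168.30.169:636" || echo "fix the -h URL first"
check_listener_urls "ldap://192.168.30.169:389 ldaps://192.168.30.169:636" && echo "listeners ok"
check_tls_directives "$GOOD_CONF" && echo "TLS directives ok"
check_tls_directives "$BAD_CONF" || echo "incomplete TLS config rejected"
echo "then verify with: $(ldaps_probe_cmd 192.168.30.169 /etc/openldap/ssl/VordelCA.crt)"
```

Once the checks pass, run the printed openssl command against the real server; a successful handshake prints the certificate chain and "Verify return code: 0 (ok)" when the CA file matches the server certificate, whereas the "ssl handshake failure" seen in the thread is what a plaintext listener on 636 produces.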