On Monday 28 January 2008 16:57:28 Chris Carr wrote:
Hi All,
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Which version of Evolution? Mine has a "Use secure connection" drop-down box, with "SSL encryption", "TLS encryption" and "No encryption" options. Since the port doesn't change based on your selection, I'll assume what they actually mean is "ldaps", "STARTTLS", and "No encryption". Naturally, STARTTLS would run on the normal unencrypted port (389 by default), and "upgrade" to SSL/TLS with a STARTTLS command.
It seems that no matter what you select here, if the port is 389, it does STARTTLS:
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389) Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text= Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
However, if you select 636 as the port, it greys out the "Use secure connection" drop-down box, and does ldaps.
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636) Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure) Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
(Can't get it to work right right now with ldaps ...).
Note however that evo caches LDAP connections, it seems you need to restart it for your config changes to take effect.
And, it will only prompt you for the password once the connection is up ...
When I type
openssl s_client -connect my.server.com:389
It says connection refused. When I type the same command with :636 at the end it connects fine.
Could somebody explain to me how to tell slapd to accept secure connections on port 389? I am using the new version of slapd in Debian Testing (2.4.7-1).
start slapd with with no -h flag, or -h "ldaps:/// ldap:///" so it listens on port 636 for ldaps connections, and 389 for ldap connections (which could use START_TLS to upgrade).
Sorry if this is a really stupid question, but according to the docs the "startTLS" process should be automatic if a secure connection comes in on port 389. Something is obviously not quite right.
Hmm, SSL/TLS isn't really automatic ...
Regards, Buchan