--On Monday, November 2, 2020 9:32 PM +0000 "Heinemann, Peter G" phei@isc.upenn.edu wrote:
Good Day,
Working on moving from RHEL6 to RHEL8. Given the drop in support for openldap in RHEL8 I've installed the symas-openldap distros.
Hi Peter,
You haven't provided any configuration information, so that makes it difficult to assist. I would note that TLS works just fine for me with RHEL8 and the 2.4.55 packages.
First, with startTLS:
ldapsearch -LLL -ZZ -x -H ldap://127.0.0.1
No such object (32)
Second, with 636:
ldapsearch -LLL -x -H ldaps://127.0.0.1:636
No such object (32)

openssl version
OpenSSL 1.1.1c FIPS 28 May 2019

nmap --script ssl-enum-ciphers -p 636 localhost -Pn
Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-02 23:51 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds

Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com