I'm pretty confused, because my clients are set up with almost identical configs, and the server (localhost) and one of my client PCs can connect and use SSL (ldapsearch -H ldaps://heracross.corpedia.internal/ -b dc=corpedia,dc=internal -x -Z), and it returns the correct results, and I can see it using TLS in the slapd log.
I copied the same configs to both boxes.
/etc/ldap.conf
----
#host heracross.corpedia.internal
base dc=corpedia,dc=internal
uri heracross.corpedia.internalheracross.corpedia.internal ldap://heracross.corpedia.internal/
binddn cn=root,dc=corpedia,dc=internal
bindpw *****************
scope sub
bind_policy hard
nss_base_passwd dc=corpedia,dc=internal?sub
nss_base_shadow dc=corpedia,dc=internal?sub
nss_base_group dc=corpedia,dc=internal?sub
pam_password md5
ssl yes
tls_cacertdir /etc/openldap/cacerts
-----
I see the following in my slapd error log as I connect from one of the non-working boxes:

root@kyle-laptop:/etc/ldap# ldapsearch -H ldaps://heracross.corpedia.internal/ -b dc=corpedia,dc=internal -x -Z
ldap_start_tls: Can't contact LDAP server (-1)
ldap_bind: Can't contact LDAP server (-1)
-----
connection_get(14): got connid=25
connection_read(14): checking for input on id=25
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(14): TLS accept failure error=-1 id=25, closing
connection_closing: readying conn=25 sd=14 for close
connection_close: conn=25 sd=14
-----
Here is a nopaste link for my slapd.conf file: http://rafb.net/p/NHjV1a33.html
--On May 19, 2008 1:26:34 PM -0700 Kyle Corupe kcorupe@corpedia.com wrote:
I'm pretty confused, because my clients are setup with almost identical
ldap://heracross.corpedia.internal/ ldaps://heracross.corpedia.internal/ -b dc=corpedia,dc=internal -x -Z
ldaps:// uses SSL (via LDAPv2), not startTLS (LDAPv3). You cannot combine startTLS (-Z) with SSL. Fix your configuration.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
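The mismatch Quanah points out (ldaps:// is already TLS on the wire, so the StartTLS extended operation sent by -Z has nothing sane to negotiate, and slapd logs a TLS accept failure) is easy to spot on the server side once you correlate the log lines by connection id. The script below is an added example, not code from the thread or from OpenLDAP: it scans slapd log text shaped like the excerpt above for failed TLS accepts and also checks a client's URI scheme against its StartTLS choice. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample slapd log, shaped like the excerpt posted in this thread:
# conn 25 fails the TLS accept, conn 26 (constructed) negotiates TLS successfully.
SAMPLE_LOG = """\
connection_get(14): got connid=25
connection_read(14): checking for input on id=25
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(14): TLS accept failure error=-1 id=25, closing
connection_closing: readying conn=25 sd=14 for close
connection_close: conn=25 sd=14
connection_get(15): got connid=26
connection_read(15): checking for input on id=26
TLS trace: SSL_accept:before/accept initialization
conn=26 fd=15 TLS established tls_ssf=256 ssf=256
"""

CONN_OPENED = re.compile(r"got connid=(\d+)")
TLS_FAILURE = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")


def tls_accept_failures(log_text):
    """Return {connid: error_code} for each connection whose TLS accept slapd rejected.

    Every 'got connid=N' line is tracked so the caller can compare failures
    against the total number of connections seen in the same window.
    """
    seen = set()
    failures = {}
    for line in log_text.splitlines():
        opened = CONN_OPENED.search(line)
        if opened:
            seen.add(int(opened.group(1)))
        failed = TLS_FAILURE.search(line)
        if failed:
            failures[int(failed.group(2))] = int(failed.group(1))
    return failures


def check_tls_options(uri, start_tls):
    """Classify a client's URI scheme together with its StartTLS (-Z) choice.

    ldaps:// wraps the whole session in TLS from the first byte; StartTLS is
    an LDAPv3 extended operation sent over a plaintext ldap:// session to
    upgrade it. Asking for both at once is the configuration in this thread.
    """
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "ldaps" and start_tls:
        return "mismatch: ldaps:// already uses TLS; drop -Z, or use ldap:// with -Z"
    if scheme == "ldap" and not start_tls:
        return "plaintext: no TLS at all; add -Z (StartTLS) or switch to ldaps://"
    return "ok"
```

Run `tls_accept_failures` over a live slapd log (loglevel including conns/stats) to find which connection ids are hitting the handshake failure, then match the timestamps against the failing client's attempts.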
Quanah Gibson-Mount wrote:
ldaps:// uses SSL (via LDAPv2),
ldaps:// is not limited to LDAPv2! Please be more precise.
I've also made some hopefully correct-sounding changes to the relevant FAQ entry:
http://www.openldap.org/faq/data/cache/605.html
Ciao, Michael.
--On Tuesday, May 20, 2008 11:11 AM +0200 Michael Ströder michael@stroeder.com wrote:
Quanah Gibson-Mount wrote:
ldaps:// uses SSL (via LDAPv2),
ldaps:// is not limited to LDAPv2! Please be more precise.
I never said it was limited. It is something that was implemented in LDAPv2, although it is not part of any specification. It's just a hack.
--Quanah
Quanah Gibson-Mount wrote:
--On Tuesday, May 20, 2008 11:11 AM +0200 Michael Ströder michael@stroeder.com wrote:
Quanah Gibson-Mount wrote:
ldaps:// uses SSL (via LDAPv2),
ldaps:// is not limited to LDAPv2! Please be more precise.
I never said it was limited.
But it could be understood that way. I know that *you* know better. Let's simply avoid terms which could be misunderstood by newbies.
Ciao, Michael.
openldap-technical@openldap.org