I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system:
I find that TLS will not work if I use uri ldap://10.3.5.207/ in /etc/ldap.conf on my clients.
TLS magically starts working if I use the deprecated host directive instead:
So if I use host 10.3.5.207 instead everything starts working:
Any insight as to what might be going on?..Possibly a bug?
Here are my TLS directives on my clients:
#TLS settings
ssl start_tls
ssl on
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer no
-Mike
From: lists@aarcane.org
To: openldap-technical@openldap.org
Subject: Re: Strange behavior with TLS with self-signed certs
Date: Thu, 6 Jan 2011 19:43:11 -0800
try using uri ldaps://10.3.5.207/ .
Thank you, that did it. I was under the impression that you didn't need to specify ldaps because the ssl on and start_tls directives took care of that.
Thanks again.
-Mike
From: daff@pseudoterminal.org (Andreas Ntaflos)
To: openldap-technical@openldap.org
Subject: Re: Strange behavior with TLS with self-signed certs
Date: Fri, 7 Jan 2011 19:45:46 +0100
On Friday 07 January 2011 04:18:40 Michael Starling wrote:
#TLS settings
ssl start_tls
ssl on
That should be either "ssl start_tls" OR "ssl on", not both. If you specify "ssl start_tls" then you should use the ldap:// URL schema, if you specify "ssl on" then you should use ldaps://.
Andreas
Yeah, that's the trick though. The OP indicated if they used uri ldap://[hostname] StartTLS doesn't work.
- chris
I see now. Thank you for explaining.
-Mike
From: Michael Starling
Sent: Friday, January 07, 2011 11:45 AM
To: daff@pseudoterminal.org; openldap-technical@openldap.org
Subject: RE: Strange behavior with TLS with self-signed certs
Ok, I implemented what you explained for testing purposes and found the following to be true:
If I use ssl start_tls with the ldap:// URL schema then my client connects to my LDAP server on port 389.
If I use ssl on with ldaps:// then my client connects on port 636.
I think I remember reading somewhere that TLS could use either port, so my question is: when my client connects on 389 using ssl start_tls, is the session encrypted?
My other question would be why the two different means to the same end? Is it just a matter of which port you want to use?
-Mike
From: Chris.Jacobs@apollogrp.edu
To: mlstarling31@hotmail.com; daff@pseudoterminal.org; openldap-technical@openldap.org
Date: Fri, 7 Jan 2011 12:55:57 -0700
Subject: RE: Strange behavior with TLS with self-signed certs
Equipment limitation: Our old load balancers could load balance StartTLS, not SSL. Our new ones can load balance SSL, not StartTLS.
Paranoia: If you wish to encrypt the entire session, from the very beginning, use SSL.
Firewall limits you to port 389 (corp policy, difficult network/firewall team, etc.): ... and want encryption, then use StartTLS.
- chris
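The rule Andreas gives ("ssl start_tls" goes with ldap://, "ssl on" goes with ldaps://, never both) and the port behaviour Mike observed (389 for StartTLS, 636 for LDAPS) can be turned into a small checker. The following is an added example written for this thread, not code from OpenLDAP, nss_ldap or any poster. It assumes the nss_ldap-style /etc/ldap.conf directive semantics described in the thread (the last "ssl" line wins when several are present is an assumption), and the three configs it lints are constructed from the thread's own settings, with "tls_checkpeer yes" in the two corrected variants because "tls_checkpeer no" leaves the server certificate unverified.

```python
"""Lint an nss_ldap/pam_ldap-style /etc/ldap.conf for the 'ssl' mode versus
URI scheme mismatch discussed in the thread, and report which port the client
will use and whether mode and scheme agree.  Added example for this thread,
not OpenLDAP or nss_ldap code; directive semantics are as stated in the thread."""

from urllib.parse import urlsplit

LDAP_PORT = 389    # ldap://  plaintext, optionally upgraded with StartTLS
LDAPS_PORT = 636   # ldaps:// TLS from the first byte

# Constructed sample: the poster's original client config (both 'ssl' lines).
MIKE_CONF = """\
#TLS settings
uri ldap://10.3.5.207/
ssl start_tls
ssl on
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer no
"""

# Constructed samples: the two consistent configurations, with peer checking on.
STARTTLS_CONF = """\
uri ldap://10.3.5.207/
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer yes
"""

LDAPS_CONF = """\
uri ldaps://10.3.5.207/
ssl on
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer yes
"""


def parse_ldap_conf(text):
    """Return (directive, value) pairs in file order, directive lower-cased.
    '#' comments and blank lines are dropped; repeated directives are kept so
    the linter can see 'ssl start_tls' followed by 'ssl on'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def expected_port(uri):
    """Port the client connects to: an explicit :port wins, else the scheme default."""
    u = urlsplit(uri)
    if u.port is not None:
        return u.port
    return LDAPS_PORT if u.scheme.lower() == "ldaps" else LDAP_PORT


def lint(text):
    """Return (findings, profile).  findings: list of problem strings, empty when
    the config is consistent.  profile: the effective 'ssl' mode and, per URI,
    (uri, port, tls_ok) where tls_ok means the mode and the URI scheme agree."""
    entries = parse_ldap_conf(text)
    ssl_modes = [v.lower() for d, v in entries if d == "ssl"]
    uris = [u for d, v in entries if d == "uri" for u in v.split()]
    hosts = [v for d, v in entries if d == "host"]
    checkpeer = [v.lower() for d, v in entries if d == "tls_checkpeer"]
    findings = []

    if len(ssl_modes) > 1:
        findings.append("multiple 'ssl' directives (%s): use 'ssl start_tls' OR 'ssl on', not both"
                        % ", ".join(ssl_modes))
    mode = ssl_modes[-1] if ssl_modes else "off"   # assumption: the last 'ssl' line wins
    if hosts:
        findings.append("'host' is deprecated; use 'uri ldap://...' or 'uri ldaps://...'")
    if not uris and not hosts:
        findings.append("no 'uri' directive")

    targets = []
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        tls_ok = (mode, scheme) in (("start_tls", "ldap"), ("on", "ldaps"))
        if mode == "start_tls" and not tls_ok:
            findings.append("'ssl start_tls' needs an ldap:// URI (StartTLS upgrades the "
                            "plaintext session on %d); got %s" % (LDAP_PORT, uri))
        elif mode == "on" and not tls_ok:
            findings.append("'ssl on' needs an ldaps:// URI (TLS from the first byte on %d); "
                            "got %s" % (LDAPS_PORT, uri))
        elif mode == "off":
            findings.append("no TLS configured for %s: credentials travel in the clear" % uri)
        targets.append((uri, expected_port(uri), tls_ok))

    if checkpeer and checkpeer[-1] == "no":
        findings.append("tls_checkpeer no: the server certificate is never verified, so the "
                        "session is encrypted but the server is not authenticated")
    return findings, {"mode": mode, "targets": targets}
```

Running lint() over MIKE_CONF reports the doubled "ssl" directive, the ldap:// URI that does not match the effective "ssl on" mode, and the disabled peer check; the two corrected configs come back clean, with 389 and 636 as the expected ports. The peer-check finding is the one worth keeping even after the scheme mismatch is fixed: with "tls_checkpeer no" the session is encrypted either way, but nothing stops a host presenting any certificate from standing in for the real server.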
Ahh.. Thanks for the explanations.
-Mike