
Re: (ITS#5273) ldap.conf and TLS as a default



This appears to be the same as ITS#5039. This ITS will be closed, you can 
follow up to #5039.

cardoe@gentoo.org wrote:
> Full_Name: Douglas Klima
> Version: 2.3.
> OS: Linux
> URL:
> Submission from: (NULL) (216.155.111.10)
> 
> 
> I was looking for a way to make TLS the default in
> /etc/openldap/ldap.conf however it currently seems impossible. You can
> specify LDAP over clear text and LDAP over SSL but you can't specify
> LDAP over TLS (I'm talking about "start_tls"). It seems like ldaps:// is
> deprecated in favor of ldap:// + TLS, which is why I'm trying to
> configure this.
> 
> Currently my /etc/openldap/ldap.conf looks like:
> BASE	dc=example,dc=com
> URI	ldap://srv1.example.com	ldap://srv2.example.com
> TLS_REQCERT	demand
> TLS_CACERTDIR	/etc/ssl/certs
> 
> If I do the following:
> $ ldapsearch
> ldap_bind: Confidentiality required (13)
> 	additional info: TLS confidentiality required
> 
> If I change URI to have "ldaps://srv1.example.com:389", then
> $ ldapsearch
> just hangs until it times out. Clearly it's not using start_tls.
> 
> Now if I change URI back to its original setting and do:
> 
> $ ldapsearch -Z
> ....
> # search result
> search: 3
> result: 0 Success
> 
> # numResponses: 54
> # numEntries: 53
> 
> I get a successful lookup. I'm basically looking for a way to pass "-Z"
> in /etc/openldap/ldap.conf and in .ldaprc
> 
> Initially I tried to send this to the OpenLDAP ML but was told by MacJobBz to
> submit this to ITS.
> 
> 
> 


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
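As an added example (not part of this thread or of OpenLDAP's own code), a stdlib-only Python check that parses an ldap.conf like the one in the report and flags the transport settings the file itself cannot enforce: ldap:// URIs where StartTLS depends on the client asking for it (-Z/-ZZ), the ldaps://...:389 variant from the second attempt, and weak TLS_REQCERT or missing trust anchors. The function names and the embedded sample are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample: the ldap.conf from the report, reproduced verbatim.
REPORT_CONF = """\
BASE\tdc=example,dc=com
URI\tldap://srv1.example.com\tldap://srv2.example.com
TLS_REQCERT\tdemand
TLS_CACERTDIR\t/etc/ssl/certs
"""

def parse_ldap_conf(text):
    """Parse ldap.conf: one KEY per line followed by whitespace-separated values."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        conf[parts[0].upper()] = parts[1:]
    return conf

def audit_tls(conf):
    """Return findings about transport security that ldap.conf alone cannot guarantee."""
    findings = []
    for uri in conf.get("URI", []):
        u = urlsplit(uri)
        scheme = u.scheme.lower()
        if scheme == "ldap":
            # ldap.conf has no "always StartTLS" knob; without -Z/-ZZ the
            # client negotiates nothing and the bind goes out in cleartext.
            findings.append(f"{uri}: StartTLS not enforced by ldap.conf; "
                            "clients must request it (-Z/-ZZ)")
        elif scheme == "ldaps" and u.port == 389:
            # TLS handshake against the cleartext port: the report shows this hanging.
            findings.append(f"{uri}: ldaps:// on port 389 speaks TLS to a cleartext "
                            "port and hangs until timeout")
    # ldap.conf(5) documents demand as the default when TLS_REQCERT is absent.
    reqcert = conf.get("TLS_REQCERT", ["demand"])[0].lower()
    if reqcert != "demand":
        findings.append(f"TLS_REQCERT {reqcert}: server certificate not verified "
                        "(should be demand)")
    if not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the server "
                        "certificate against")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(parse_ldap_conf(REPORT_CONF)):
        print(finding)
```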