Re: about TLS and Openldap ...

[Johann Botha <joe@frogfoot.net>]

Hi Susanne!

> >Your slapd binds to port 636/ldapssl and 389/ldap.
> >If you don't remove 'ldap:///' your server will also respond on non
> >encrypted traffic.
> 
> 
> I removed "ldap:///"; and tested it with PHP - the same log as before. 
> But testing with GQ and pam/nss does'nt work properly. I think it's 
> because these clients don't use ldaps over port 636 but start_tls over 
> port 389. Is this a security problem? Also I tried they don't use Port 
> 636, but I thought start_tls is as save as ldaps?????

a problem i had with getting ldaps running was that my SSL cert was not
created with the correct hostname.

when you create the SSL cert, make sure your forward,reverse lookups match
the Common Name value you give:

openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 0

Common Name (eg, YOUR name) []: myserver.mydomain.com

..just a shot in the dark. (:

-- 
Regards
Johann

  "FreD is not dead"
        - echo $(uname) is not dead | sed "s/eBS//"
_________________________________________________________
 Johann L. Botha          Debian GNU Jedi: joe@debian.org
 
    email: joe@frogfoot.net      snail mail: PO Box 3472
   mobile: +27 82 5626 167                   Matieland
 workpage: http://www.frogfoot.net           Stellenbosch
 homepage: http://blue.frogfoot.net          7602
      gps: 33deg 56.09S, 18deg 25.31E, 64m   South Africa
      ham: ZR1JOE

Copyright (c) 2001. The Sovereigns of Frogfoot. All rights reserved.
Disclaimer available upon request.