
Re: LDAP and TLS/SSL (was: Re: Afg! Client won't use LDAP)



Phil Dibowitz wrote:

Phil Dibowitz wrote:

The server is set up with its SSL and TLS certs.

IF I put 'ssl start_tls' in ldap.conf on the clients, I can see the traffic on port 389 and it's in _plain text_. At some point the client should issue 'start_tls' and from then on it should be encrypted. But it's not.

BUT IF I put "URI ldaps://ip.of.my.host/" in the ldap.conf on the clients, and then I sniff 636 I see encrypted channel with no plain text data (other than the SSL certificate being passed). And of course I see no traffic on port 389.



I need to qualify this. I was slightly incorrect in my report. TLS *DOES* seem to work for clients that are not the server.


TLS does *not* seem to work for the server being a client unto itself.

It could be a hostname/certificate problem. If the server's cert is tied to the FQDN then the outside clients work as the cert is correct, but if you connect from the server itself to "localhost" then the certificate is no longer valid. By the way, I think the SSL/TLS could be set up using "minssf" directive.


hth,
mitu
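The hostname/certificate mismatch described in the reply above, shown as an added example that is not part of this thread or of OpenLDAP's own code. It reads the host a client will connect to out of an ldap.conf fragment (the `URI` or `host` line from the posts) and checks it against a constructed list of subjectAltName entries, so it shows why the same certificate verifies for a remote client using the FQDN but fails when the server talks to itself as "localhost". The name-matching rules are a simplified subset of RFC 6125 (assumption: exact case-insensitive match, a wildcard only as the whole leftmost label, IP addresses matched only against iPAddress SANs); the certificate names, config fragments and the `diagnose` helper are all constructed here.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: the subjectAltName entries of the LDAP server's
# certificate.  A real cert for the FQDN only would carry just the first entry.
SERVER_CERT_SANS = [
    ("DNS", "ldap.example.com"),
    ("DNS", "*.example.com"),
]

# Constructed ldap.conf fragments in the style of the thread: a remote client
# using the FQDN, and the server connecting to itself via "localhost".
REMOTE_CLIENT_CONF = "uri ldap://ldap.example.com/\nssl start_tls\n"
SERVER_SELF_CONF = "uri ldap://localhost/\nssl start_tls\n"


def _dns_name_match(pattern, hostname):
    """Match a DNS SAN (possibly '*.example.com') against a host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Simplified RFC 6125 wildcard rule (assumption): '*' must be the entire
    # leftmost label, cover exactly one label, and leave at least two fixed
    # labels so it cannot match a whole public suffix.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(sans, hostname):
    """Return True if the name the client connected to is covered by the cert."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # A literal IP is only verified against iPAddress SANs, never CN/DNS.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_match(value, hostname):
            return True
    return False


def connect_host_from_ldap_conf(conf_text):
    """Pick the name the client verifies the cert against: a uri line wins over host."""
    host = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "uri" and value.split():
            return urlparse(value.split()[0]).hostname
        if key == "host" and host is None and value.split():
            host = value.split()[0]
    return host


def diagnose(conf_text, sans=SERVER_CERT_SANS):
    """Explain whether TLS peer verification will pass for this ldap.conf."""
    host = connect_host_from_ldap_conf(conf_text)
    if host is None:
        return "no uri/host line in ldap.conf"
    if cert_matches_host(sans, host):
        return "ok: certificate covers '%s'" % host
    names = [value for _, value in sans]
    return ("hostname mismatch: client verifies against '%s' but the certificate "
            "names %s; point uri/host at the FQDN or add a matching SAN" % (host, names))


if __name__ == "__main__":
    print("remote client:", diagnose(REMOTE_CLIENT_CONF))
    print("server as its own client:", diagnose(SERVER_SELF_CONF))
```

Running it reports the remote client as fine and the server-as-client case as a hostname mismatch, which is the asymmetry the reply describes; the fix on the client side is to use the FQDN in the `uri` line even on the server itself, or to issue the certificate with the extra name.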