Re: LDAP and TLS/SSL (was: Re: Afg! Client won't use LDAP)

[Mitrana Cristian <cmitrana@xnet.ro>]

Phil Dibowitz wrote:

> Phil Dibowitz wrote:
>
> > The server is setup with its SSL and TLS certs.
> >
> > IF I put 'ssl start_tls' in ldap.conf on the clients, I can see the 
> > traffic on port 389 and it's in _plain text_. At some point the 
> > client should issue 'start_tls' and from then on it should be 
> > encrypted. But its not.
> >
> > BUT IF I put "URI ldaps://ip.of.my.host/" in the ldap.conf on the 
> > clients, and then I sniff 636 I see encrypted channel with no plain 
> > text data (other than the SSL certificate being passed). And of 
> > course I see no traffic on port 389.
>
>
>
> I need to qualify this. I was slightly incorrect in my report. TLS 
> *DOES* seem to work for clients that are not the server.
>
> TLS does *not* seem to work for the server being a client unto itself.
It could be a hostname/certificate problem. If the server's cert is tied 
to the FQDN then the outside clients
work as the cert is correct, but if you connect from the server itself 
to "localhost" then the certificate
is no longer valid. By the way,I think the SSL/TLS could be set up using 
"minssf" directive.

hth,
mitu