
Re: ldaps vs -ZZ



Thanks to all who answered; this made me step back and say, "DUH!".  Since it is in the documentation I should have seen it, but I was just unable to put it all together until now.  This was a big sticking block with my LDAP implementation, but this clears it up completely.  Would it make sense to use TLS for pam_ldap, clients, mozilla, etc. and use LDAPS for replication?

Dieter Kluenter wrote:
Hi,

Adam Gautier <adam_gautier@yahoo.com> writes:

Why does 'ldapsearch -x -H ldaps://myserver.com "cn=*"' work but
'ldapsearch -x -h myserver.com -p 636 "cn=*" -ZZ' fails.  Both are
using TLS but the second one returns:

Client:
%> ldapsearch -x -h myserver.com -p 636 "cn=*" -ZZ
ldap_bind: Can't contact LDAP server (81)
[...]
Any help would be great and I  can provide more info if needed.  I
have search message archives about this to no avail. Any help would be
great and greatly appreciated, Thanks.

You have to distinguish between STARTTLS and ldap over SSL. While
ldap_start_tls (invoked by the -Z option) requires a slapd listening
on the defined default ldap port (389), ldap over SSL requires slapd
listening on a defined secure ldaps port (636) without invocation of
ldap_start_tls. In order to make both methods available, you should
start ./slapd -h "ldap:/// ldaps:///"

-Dieter