
Re: Problem with ldapsearch and TLS



Vsevolod (Simon) Ilyushchenko wrote:
Hi,

I am trying to get ldapsearch to work over TLS. I tried to use
TLS_REQCERT never
in /etc/ldap.conf to circumvent the problem of a self-signed certificate, but then I get this (ldapsearch -d 9 -Z):


ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
ldap_int_sasl_bind: GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
SASL/GSSAPI authentication started
ldap_perror
ldap_sasl_interactive_bind_s: Local error (82)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)


It looks like it's trying to use Kerberos authentication, which is not available. Is there a way to force ldapsearch to use TLS authentication?

Thanks,
Simon

P.S. I know that the right way to do it is to sign certificates properly, but I'd like to figure out what happens with TLS_REQCERT never.



Use the -x option with ldapsearch (no SASL). Use the -ZZ option to force TLS. This should all work with self-signed certs.

Note the gotcha: ldapsearch (and other openldap *clients*) make use of /etc/openldap/ldap.conf by default. /etc/ldap.conf is used by the PADL libraries.


Dave
--
Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ.
Tel: 01273 678354  Fax: 01273 271956
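A small audit for the setting the thread turns on, added here and not part of the original exchange: it reads an OpenLDAP client ldap.conf and reports whether TLS_REQCERT leaves server-certificate verification in place. With TLS_REQCERT never, ldapsearch -x -ZZ will complete StartTLS against any certificate, so the tunnel hides the simple-bind password from passive observers only. The "last occurrence wins" rule and the sample ldap.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check the TLS_REQCERT policy in an
# OpenLDAP client ldap.conf. Remember the gotcha from the reply: the openldap
# clients read /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on some
# distros), not the PADL /etc/ldap.conf, so point this at the right file.
# ldap.conf(5) documents the default as "demand" when the option is unset.

# Effective value of a key in an ldap.conf file: comments and blank lines are
# skipped, the key match is case-insensitive, and the last occurrence is
# treated as effective (an assumption of this check).
ldap_conf_get() {
    file="$1"; key="$2"
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        toupper($1) == toupper(key) { val = $2 }
        END { print val }
    ' "$file"
}

# Print "ok" (server cert must verify), "weak" (verification can be skipped)
# or "invalid" (value not defined by ldap.conf(5)).
ldap_tls_policy() {
    file="$1"
    val=$(ldap_conf_get "$file" TLS_REQCERT)
    [ -z "$val" ] && val=demand            # unset: library default
    case "$(echo "$val" | tr 'A-Z' 'a-z')" in
        demand|hard)      echo ok ;;
        try|allow|never)  echo weak ;;
        *)                echo invalid ;;
    esac
}

# Constructed sample mirroring the original poster's setup (not a real file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample ldap.conf
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
TLS_REQCERT never
EOF
echo "TLS_REQCERT policy: $(ldap_tls_policy "$demo_conf")"   # weak
rm -f "$demo_conf"
```

Once a CA certificate is configured with TLS_CACERT, the self-signed case works with TLS_REQCERT demand and this check reports ok.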