[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: debugging tls (apache2 mod_ldap)

To: openldap-software@OpenLDAP.org
Subject: Re: debugging tls (apache2 mod_ldap)
From: Dick Davies <rasputnik@hellooperator.net>
Date: Tue, 13 Jul 2004 12:57:13 +0100
Content-disposition: inline
In-reply-to: <20040708003951.GB23967@lb.tenfour>
References: <20040707141822.GB42@lb.tenfour> <6.0.1.1.0.20040707135759.0485d0d8@127.0.0.1> <20040708003951.GB23967@lb.tenfour>
User-agent: Mutt/1.4.2.1i

* Dick Davies <rasputnik@hellooperator.net> [0721 15:21]:
> * Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0709 22:09]:


Sorry to reply to my own post, but I've just been reading

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#7.0

and am confused by Kurts earlier post which stated:


>>Ideally I'd happily just use SSL, it looks to me like it's trying to
>>to TLS inside the SSL session, which just seems silly.
                                                                                                                            
>SSL and TLS are two names for the same thing (see archives).
>OpenLDAP Software (including libraries) will error if you
>attempt to do so.
                                                                                                                            
>>Do I have an option to just do SSL without TLS,
                                                                                                                            
>Since SSL is TLS (and TLS is SSL), no.

The url I mentioned seems to back up my earlier assumption that you could 
do SSL without TLS, and vice versa.

What I think is happening is mod_auth_ldap
is trying to do both - presumably that works fine with many configurations, but
no mine. I need to have an SSL tunnel and not worry about TLS.

To illustrate:


[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -x -H 'ldaps://ldaphost.domain/o=org' uid=user
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=user
# requesting: ALL
#

[returns the requested entry, no problems]
but requesting TLS fails:

[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user
ldap_start_tls: Operations error (1)
        additional info: TLS is is already established
[user@server httpd-2.0.49]$

Does that make any sense?
Maybe we're getting startTLS and TLS confused here?

-- 
We are all worms.  But I do believe I am a glowworm.
		-- Winston Churchill
Rasputin :: Jack of All Trades - Master of Nuns

Follow-Ups:
- Re: debugging tls (apache2 mod_ldap)
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: debugging tls (apache2 mod_ldap)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: debugging tls (apache2 mod_ldap)
  - From: D.M.Lewney@sussex.ac.uk (Dave Lewney)
- Re: debugging tls (apache2 mod_ldap)
  - From: Dieter Kluenter <dieter@dkluenter.de>

References:
- debugging tls (apache2 mod_ldap)
  - From: Dick Davies <rasputnik@hellooperator.net>
- Re: debugging tls (apache2 mod_ldap)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: debugging tls (apache2 mod_ldap)
  - From: Dick Davies <rasputnik@hellooperator.net>

Prev by Date: Adding cn entry
Next by Date: Re: Adding cn entry
Index(es):
- Chronological
- Thread