* Dick Davies <rasputnik@hellooperator.net> [0721 15:21]:
* Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0709 22:09]:
Sorry to reply to my own post, but I've just been reading
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#7.0
and am confused by Kurt's earlier post which stated:
Ideally I'd happily just use SSL; it looks to me like it's trying to
do TLS inside the SSL session, which just seems silly.
SSL and TLS are two names for the same thing (see archives).
OpenLDAP Software (including libraries) will error if you
attempt to do so.
Do I have an option to just do SSL without TLS,
Since SSL is TLS (and TLS is SSL), no.
The url I mentioned seems to back up my earlier assumption that you could
do SSL without TLS, and vice versa.
What I think is happening is mod_auth_ldap
is trying to do both - presumably that works fine with many configurations, but
not mine. I need to have an SSL tunnel and not worry about TLS.
To illustrate:
[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -x -H 'ldaps://ldaphost.domain/o=org' uid=user
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=user
# requesting: ALL
#
[returns the requested entry, no problems]
but requesting TLS fails:
[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user
ldap_start_tls: Operations error (1)
additional info: TLS is is already established
[user@server httpd-2.0.49]$
Does that make any sense?
Maybe we're getting startTLS and TLS confused here?