Re: TLS/SSL problems

[Aaron Richton <richton@nbcs.rutgers.edu>]

Option -X is for SASL configuration. If you want TLS, perhaps you mean 
-ZZ?

I'm not sure what pages you're looking at that confuse TLS and Kerberos. 
They are separate topics; for example, the OpenLDAP Administrator's Guide 
has separate chapters for TLS and Kerberos. That may be a better source to 
use as reference as you work this out.

You might also want to consider upgrading to 2.3.35. TLS bugs were fixed 
quite recently. See http://www.openldap.org/software/release/changes.html
for details.

On Tue, 22 May 2007, Craig wrote:

> I am running openldap 2.2.13. I am having a problem getting TLS to work. I 
> have done numerous searches, but most web pages seem to deal with 
> LDAP/kerberos issues. We do not run kerberos. I am only trying to prevent 
> passwords from being sent in the clear.
>
> I have followed the instructions on this page:
>
> http://www.ibm.com/developerworks/linux/library/l-openldap/
>
>
> I am able to run ldapsearch with simple auth:
> > ldapsearch -x
>
> but, am not able to do any of the following:
> > ldapsearch
> > ldapsearch -X u:myuid
> > ldapsearch -X dn:uid=myuid,ou=People,dc=example,dc=com
>
> The error is (with "-d 255"):
> ...
> SASL/GSSAPI authentication started
> ldap_perror
> ldap_sasl_interactive_bind_s: Local error (-2)
>       additional info: SASL(-1): generic failure: GSSAPI Error: 
> Miscellaneous failure (No credentials cache found)
>
> It looks like the server is running fine. But, the logs don't really indicate 
> what the problem is. (It seems to be more of a client issue, but still the 
> server should give some hint in the logs.)
>
> If you need more debugging info, just let me know.
>
> Any help would be greatly appreciated.
>
> TIA
> Craig