
Re: problem with enabling TLS



On Tue, 4 Mar 2008, Padmavathi Dt wrote:
We have installed and configured our openLDAP-2.4.7 on RedHat LINUX
machine using simple configure (./configure) without any options.
It has been working fine. Now we want to use SSL with that;
we are using openssl-0.9.7g package. We got all the required certificates.
Now the problem is that, when I run the following command:

/usr/local/etc/openldap/slapd.conf -d127 -h "ldap:/// ldaps:///"

It is giving the following error message:
...
daemon: TLS not supported (ldaps:///)

Your build didn't include TLS support. You're going to have to reconfigure and rebuild, and this time you should read the output from 'configure' to see why it didn't find your OpenSSL install. Did you install OpenSSL in a non-standard location? If so, you probably need to set the CPPFLAGS and LDFLAGS environment variables so that configure can find and build against it, a la:


env CPPFLAGS=-I/usr/local/openssl/include \
    LDFLAGS=-L/usr/local/openssl/lib \
    ./configure --enable-tls=openssl --with-other-stuff --enable-bits-here
...etc


One more question.  Is there any difference between enabling SSL and
TLS?

Unfortunately, different people use those terms in different ways.

"SSL" is a protocol for carrying other protocols with confidentiality, integrity, authentication, etc. "TLS" is the standardized and revised version of that protocol.

For many people, "enabling SSL" means "using the negotiate-SSL-on-connect" version of the protocol. I.e., "ldaps" instead of "ldap". TLS is then generally associated with using the "upgrade-to-TLS" method where you connect normally (in cleartext) and then use a protocol request to initiate the SSL/TLS handshake, aka STARTTLS. e.g., the -Z option to ldap{search,modify,etc}.


Please help me (it is difficult to rebuild openldap again, as there are
many applications that are using our current LDAP).

Why is that a problem? Rebuild and test before installing, then do the install when you're sure it's working properly.



Philip Guenther
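The two steps above, pointing configure at a non-standard OpenSSL and then testing the rebuilt slapd before installing it over the production copy, as an added example that is not from the thread or from the OpenLDAP project. It assumes an OpenLDAP 2.4 source tree, an OpenSSL prefix passed as an argument, and a scratch slapd.conf that already carries the TLSCertificateFile/TLSCertificateKeyFile directives; it uses configure's --with-tls option, which is what the 2.4 configure script accepts.

```shell
#!/bin/sh
# Added example: check a TLS-enabled OpenLDAP build before 'make install'.
# Paths and port numbers are placeholders chosen for this example.

# Print (do not run) the configure invocation for an OpenSSL installed
# under $1, so the CPPFLAGS/LDFLAGS can be inspected before building.
tls_configure_cmd() {
    prefix=$1
    [ -f "$prefix/include/openssl/ssl.h" ] || {
        echo "no openssl/ssl.h under $prefix/include" >&2; return 1; }
    echo "env CPPFLAGS=-I$prefix/include LDFLAGS=-L$prefix/lib ./configure --with-tls=openssl"
}

# After './configure' has run in build tree $1, confirm it actually found
# OpenSSL: include/portable.h must define both HAVE_TLS and HAVE_OPENSSL,
# otherwise the resulting slapd will again report "TLS not supported".
build_has_tls() {
    hdr=$1/include/portable.h
    grep -q '^#define HAVE_TLS 1' "$hdr" && grep -q '^#define HAVE_OPENSSL 1' "$hdr"
}

# Start the just-built slapd (build tree $1, scratch config $2) from the
# source tree on unprivileged ports, in the foreground (-d keeps it from
# daemonizing), and verify that an ldaps:// handshake completes. Returns 0
# on success; the production slapd is never touched.
smoke_test_ldaps() {
    build=$1 conf=$2
    "$build/servers/slapd/slapd" -f "$conf" -d 0 \
        -h "ldap://127.0.0.1:10389/ ldaps://127.0.0.1:10636/" &
    pid=$!
    sleep 2
    printf 'Q\n' | openssl s_client -connect 127.0.0.1:10636 >/dev/null 2>&1
    rc=$?
    kill "$pid"
    return $rc
}
```

Only once smoke_test_ldaps succeeds against the build tree is it worth running make install.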