RE: Openldap server with TLS not working
Hi all, Ben, Dieter,
thank you for your help ...
got it working on ldaps without TLS :-))
we can close that thread
cheers Axel
AXEL GROSSE
Principal Solution Architect, Sales Solution Center, Axway
P: +61-405-995-768
828 Pacific Highway
Gordon, 2072 NSW
agrosse@axway.com
http://www.axway.com
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of btb
Sent: Friday, 4 October 2013 6:20 AM
To: openldap-technical@openldap.org
Subject: Re: Openldap server with TLS not working
On 2013.10.03 08.22, Axel Grosse wrote:
> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org
> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter
> Klünter
> Sent: Thursday, 3 October 2013 6:46 PM
> To: openldap-technical@openldap.org
> Subject: Re: Openldap server with TLS not working
>
> Am Thu, 3 Oct 2013 00:16:28 +0000
> schrieb Axel Grosse <agrosse@axway.com>:
>
>> Hi ben,
>> thanks for the comment.
>> agree with you on TLS usage should be preferred but the client that
>> is connecting is only capable of LDAPS ... he has not implemented TLS
>> Client yet.
>>
>> But can you please take a look to the error I am facing
>>
>> openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt
>> CONNECTED(00000003)
>> 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>>
>> any idea what can cause this ?
>>
>> -----Original Message-----
>> From: openldap-technical-bounces@OpenLDAP.org
>> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of btb
>> Sent: Wednesday, 2 October 2013 10:57 PM
>> To: openldap-technical@openldap.org
>> Subject: Re: Openldap server with TLS not working
>>
>> On 2013.10.02 07.29, Axel Grosse wrote:
>>
>>> when I test on the server itself ..
>>> openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt
>>> CONNECTED(00000003)
>>> 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>>
>> ldaps [port 636] is deprecated. use starttls with the standard port
>> [389]. to test, just use ldapsearch [see the reference to -Z in the
>> man page]
>
> You are connecting to port 389, but s_client is not able to initiate
> a LDAP startTLS session (only SMTP and IMAP), so you have to connect
> ldaps and port 636.
>
> -Dieter
>
> Hi Ben, Dieter
> can we focus on LDAPS because TLS1 is not an option and even if LDAPS
> is deprecated I should be able to configure it ..
>
> TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
> TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
> TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
> TLSVerifyClient never
>
>
> are these entries in the slapd.conf suitable for LDAPS ?
> if not what's missing ?
nothing more is required
> start the server with
> /usr/sbin/slapd -h ldap://192.168.30.169:636 -u ldap
/usr/sbin/slapd -h 'ldaps:///' [...]
you must specify ldaps, and you do not need to explicitly specify the port. 636 is the default. see man 8 slapd for details.
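Why `openssl s_client` against port 389 reports a handshake failure while the same slapd can serve LDAPS on 636 comes down to where in the connection TLS begins. On ldaps:// the client's first bytes are the TLS ClientHello; on ldap:// the server expects a plain LDAP PDU first, and StartTLS is an LDAP extended operation (OID 1.3.6.1.4.1.1466.20037) sent in the clear, after which both sides switch the same socket to TLS. The Python script below is an added example for this thread, not code from any of the posts or from OpenLDAP: it probes both modes on a directory server you administer and verifies the certificate chain against a CA file. The host (192.168.30.169), ports and CA path are assumptions taken from the thread, and the two sample responses are constructed by hand so the PDU parser can be exercised offline.

```python
"""Probe an OpenLDAP server for LDAPS (TLS from the first byte, port 636)
and for StartTLS (plain LDAP first, then an extended operation, port 389).

Added example for this mailing-list thread; not code from the posts or from
the OpenLDAP project. Host, ports and CA file are assumptions from the thread."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    message_id is assumed to be below 128 so it encodes as a single INTEGER byte."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))  # 0x60|23; requestName is context tag [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> dict:
    """Parse LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] } and
    return the message id, LDAP resultCode (0 = success) and diagnostic text."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE (tag 0x%02x)" % tag)
    tag, mid, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x78:  # 0x60|24
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp)        # resultCode ENUMERATED
    _, _, pos = read_tlv(resp, pos)      # matchedDN (ignored here)
    _, diag, pos = read_tlv(resp, pos)   # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


# Constructed sample responses (hand-encoded, not captured from a real server):
# success with the StartTLS OID echoed as responseName [10], and a refusal.
SAMPLE_OK = (b"\x30\x24\x02\x01\x01\x78\x1f"
             b"\x0a\x01\x00\x04\x00\x04\x00\x8a\x16" + STARTTLS_OID)
SAMPLE_FAIL = b"\x30\x1d\x02\x01\x01\x78\x18\x0a\x01\x01\x04\x00\x04\x11TLS not supported"


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def recv_ber(sock: socket.socket) -> bytes:
    """Read exactly one BER TLV; every LDAP PDU is a single TLV."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        return head + recv_exact(sock, head[1])
    lenbytes = recv_exact(sock, head[1] & 0x7F)
    return head + lenbytes + recv_exact(sock, int.from_bytes(lenbytes, "big"))


def ldaps_probe(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """ldaps://: the TLS handshake is the first thing on the wire, which is what
    openssl s_client -connect host:636 does as well."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"protocol": tls.version(), "subject": tls.getpeercert().get("subject")}


def starttls_probe(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """ldap:// + StartTLS: send the extended request in the clear and only start
    the TLS handshake once the server has answered with resultCode 0."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request(1))
        resp = parse_extended_response(recv_ber(raw))
        if resp["result_code"] != 0:
            return resp  # e.g. slapd started without a usable TLS configuration
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"protocol": tls.version(), "subject": tls.getpeercert().get("subject")}


if __name__ == "__main__":
    import sys
    host, cafile = sys.argv[1], sys.argv[2]  # e.g. 192.168.30.169 ./ssl/VordelCA.crt
    print("ldaps 636:", ldaps_probe(host, 636, cafile))
    print("starttls 389:", starttls_probe(host, 389, cafile))
```

Run it as `python3 probe.py 192.168.30.169 ./ssl/VordelCA.crt` once slapd is started with `-h 'ldap:/// ldaps:///'`. A server started with only `ldap://…:636` answers the LDAPS probe with a handshake failure (it is speaking plain LDAP on that port), and a server whose TLS directives are unusable answers the StartTLS request with a non-zero resultCode and a diagnostic instead of upgrading the socket. Because `create_default_context` verifies the chain and the hostname, a certificate that does not name the address you connect to is reported as an error rather than silently accepted.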