
ldapi and StartTLS

Greetings.

I would have thought (possibly naively) that StartTLS was unnecessary when connecting to slapd through a unix socket -- the client and the server are on the same machine, and so don't need to be reassured about each other's identity. However this seems not to be the case:

% ldapsearch -LLL -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi '(uid=foo)'
    ldap_sasl_interactive_bind_s: Confidentiality required (13)
         additional info: stronger confidentiality required

(same result with ldapi:///).

What am I misunderstanding?

In the slapd.ldif I have:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcSecurity: ssf=128
olcTLSCertificateFile: /usr/local/etc/openldap/certs/XXX.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/certs/XXX.key
olcTLSCACertificateFile: /usr/local/etc/openldap/certs/FOO
olcLogLevel: 0

The machine is also listening on ldap://0.0.0.0 and requiring TLS. I don't see anything in the documentation which seems to suggest I can have different TLS rules on different interfaces or protocols (i.e., ldap: vs ldapi:) -- am I just missing that?

The /usr/local/etc/ldap.conf doesn't mention TLS, so the TLS requirement isn't coming in from there.

My practical problem is that I'm trying to get nslcd (on the same machine) to talk to OpenLDAP locally. If there's a certificate problem I can sort that out, but I can't help feeling that that ought to be unnecessary -- that I'm missing something simple.

This is 2.4.45 on FreeBSD.

Best wishes,

Norman


--
Norman Gray  :  https://nxg.me.uk
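Added illustration (an editor's example, not part of Norman's message and not OpenLDAP's own code): a small Python model of the check behind "Confidentiality required (13)". olcSecurity lives in cn=config and is global, so its ssf=128 applies to every listener. An ldapi:// session is not credited with SSF 128 just for being local; slapd gives it the value of olcLocalSSF, which slapd-config(5) documents as defaulting to 71, and a session whose strongest protection layer (transport, TLS or SASL) is below the required ssf is refused. The model parses the cn=config entry quoted in the question (keeping the XXX/FOO certificate placeholders) and also evaluates the same entry with olcLocalSSF raised to 128, a directive that does not appear in the question. Treating the overall SSF as the strongest single layer rather than a sum is this model's reading of slapd's behaviour.

```python
"""Model of slapd's olcSecurity ssf check for ldap:// and ldapi:// sessions.
Added illustration; this is not OpenLDAP code."""

# Configuration copied from the question, certificate paths left as the
# poster's XXX/FOO placeholders.
SLAPD_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcSecurity: ssf=128
olcTLSCertificateFile: /usr/local/etc/openldap/certs/XXX.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/certs/XXX.key
olcTLSCACertificateFile: /usr/local/etc/openldap/certs/FOO
olcLogLevel: 0
"""

# SSF slapd assigns to ldapi:// sessions when olcLocalSSF is not set
# (default documented in slapd-config(5); not stated in the question).
DEFAULT_LOCAL_SSF = 71


def parse_ldif_entry(text):
    """Parse one flat LDIF entry into {attribute: [values]}.  Continuation
    lines and base64 values are not handled; this entry uses neither."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def required_ssf(config):
    """Minimum overall SSF demanded by olcSecurity's 'ssf=' factor.
    olcSecurity is a space-separated list of factor=value pairs; 0 if unset."""
    for value in config.get("olcSecurity", []):
        for factor in value.split():
            key, _, num = factor.partition("=")
            if key == "ssf":
                return int(num)
    return 0


def effective_ssf(config, scheme, tls_ssf=0, sasl_ssf=0):
    """Overall SSF of a session, modelled as the strongest of the transport,
    TLS and SASL layers.  An ldapi:// socket contributes olcLocalSSF; a plain
    TCP ldap:// connection contributes 0 until StartTLS or a SASL layer."""
    if scheme == "ldapi":
        transport_ssf = int(config.get("olcLocalSSF", [DEFAULT_LOCAL_SSF])[0])
    else:
        transport_ssf = 0
    return max(transport_ssf, tls_ssf, sasl_ssf)


def check_bind(config, scheme, tls_ssf=0, sasl_ssf=0):
    """Return the result a bind gets from the ssf check:
    (0, 'success') or (13, 'Confidentiality required ...')."""
    have = effective_ssf(config, scheme, tls_ssf, sasl_ssf)
    need = required_ssf(config)
    if have < need:
        return 13, "Confidentiality required (have ssf=%d, need ssf=%d)" % (have, need)
    return 0, "success"


def with_local_ssf(ldif, ssf):
    """Return the LDIF with an olcLocalSSF line appended, i.e. the entry as it
    would look after an ldapmodify of cn=config adding that attribute."""
    return ldif + "olcLocalSSF: %d\n" % ssf


if __name__ == "__main__":
    cfg = parse_ldif_entry(SLAPD_CONFIG_LDIF)
    print("ldapi, no TLS:          ", check_bind(cfg, "ldapi"))
    print("ldap, no TLS:           ", check_bind(cfg, "ldap"))
    print("ldap, TLS ssf=256:      ", check_bind(cfg, "ldap", tls_ssf=256))
    fixed = parse_ldif_entry(with_local_ssf(SLAPD_CONFIG_LDIF, 128))
    print("ldapi, olcLocalSSF=128: ", check_bind(fixed, "ldapi"))
```

Running it shows the ldapi session from the question failing at SSF 71 against the required 128, a TCP session without TLS failing at 0, and both a TLS-protected TCP session and an ldapi session with olcLocalSSF set to 128 passing. The practical lesson of the model is that the ssf requirement and the local-socket SSF are two separate knobs, and the error in the question results from their default values disagreeing.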