Hello Eric,
Tuesday, August 20, 2002, 2:03:27 PM, you wrote:
ER> I've tested this same auth against using ldapsearch using -ZZ to make sure it
ER> worked over TLS, and it succeeded.
ER> Also, the same thing worked, using ldap, versus ldaps. I just would prefer it
ER> over TLS for obvious security reasons.
I guess the certificate verification fails.
Which LDAP do You use? If it's OpenLDAP, try debugging (slapd -d -1).
Verification might fail if the server or client certificates are bad
or TLS library founds untrusted self-signed certificate in chain (You
must specify CA certificate).
Regarding OpenLDAP.
You can try to set TLSCACertificateFile in slapd.conf and TLS_CACERT
in /etc/ldap.conf. OpenLDAP library uses environment, which is
*INSECURE* in this circumstances. There is no complete workaround at
this time. Local user can set variable to disable /etc/ldap.conf
processing, that is, to disable CA You supplied.
See my post in openldap-software list:
http://www.openldap.org/lists/openldap-software/200208/msg00285.html
I suggest You to use ldapi:// url scheme. The patch is available.
--
Best regards,
Peter mailto:spam4octan@highway.ru
