On Tuesday 20 August 2002 02:12 pm, Peter A. Savitch wrote:
> Hello Eric,
>
> Tuesday, August 20, 2002, 2:03:27 PM, you wrote:
>
> ER> I've tested this same auth against using ldapsearch using -ZZ to make
> sure it ER> worked over TLS, and it succeeded.
>
> ER> Also, the same thing worked, using ldap, versus ldaps. I just would
> prefer it ER> over TLS for obvious security reasons.
>
> I guess the certificate verification fails.
> Which LDAP do You use? If it's OpenLDAP, try debugging (slapd -d -1).
> Verification might fail if the server or client certificates are bad
> or TLS library founds untrusted self-signed certificate in chain (You
> must specify CA certificate).
>
> Regarding OpenLDAP.
> You can try to set TLSCACertificateFile in slapd.conf and TLS_CACERT
> in /etc/ldap.conf. OpenLDAP library uses environment, which is
> *INSECURE* in this circumstances. There is no complete workaround at
> this time. Local user can set variable to disable /etc/ldap.conf
> processing, that is, to disable CA You supplied.
Hrmmm..
I just added -h "ldap:/// ldaps:///" to my slapd startup, so now it's actually
STARTING the ldaps server.
And, it's not working very well, even still. ldapsearch -ZZ over ldaps://blah/
fails, complaining:
ldapsearch -ZZ -LL -H ldaps://ldap.mydomain.com/ -b"dc=mydomain,dc=com" -W -x
-D "uid=psi-jack,ou=People,dc=mydomain,dc=com" "(uid=psi-jack)"
ldap_start_tls: Operations error
additional info: TLS already started
In addition to that, TLS runs over the standard port of the service, rather
than SSL running in a different port. Does exim's ldap:/// attempt to try TLS
at all, or is that only done through ldaps:/// url's?
Eric Renfro
