Re[2]: [Exim] LDAP over TLS failing to bind/lookup.

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Peter A. Savitch
Datum:  
To: Eric Renfro
Betreff: Re[2]: [Exim] LDAP over TLS failing to bind/lookup.
Hello Eric,

Tuesday, August 20, 2002, 10:24:56 PM, you wrote:

ER> I just added -h "ldap:/// ldaps:///" to my slapd startup, so now it's actually
ER> STARTING the ldaps server.


You'd also better begin with `exim -be'. That's the expansion testing
mode. LDAP(S) is tricky, so make Your life easier ;-)

ER> And, it's not working very well, even still. ldapsearch -ZZ over ldaps://blah/
ER> fails, complaining:


ER> ldapsearch -ZZ -LL -H ldaps://ldap.mydomain.com/ -b"dc=mydomain,dc=com" -W -x
ER> -D "uid=psi-jack,ou=People,dc=mydomain,dc=com" "(uid=psi-jack)"
ER> ldap_start_tls: Operations error
ER>         additional info: TLS already started


You don't have to -ZZ (TLS critical) on ldaps://, that's *only* for
ldap://. STARTTLS is used to `convert' the active plain-text
connection into encrypted one (that's for all protocols I know,
including SMTP).

ER> In addition to that, TLS runs over the standard port of the service, rather
ER> than SSL running in a different port. Does exim's ldap:/// attempt to try TLS
ER> at all, or is that only done through ldaps:/// url's?


Yes. Exim acts like -Z (TLS try) with ldap://, and makes (TLS hard)
with ldaps://. But *note* that `hard' is not the same as `STARTTLS
critical' (-ZZ)!

If You want to disable TLS with Exim, turn it off at the server-side.

--
Best regards,
 Peter                            mailto:spam4octan@highway.ru