Hello Eric,
Tuesday, August 20, 2002, 10:24:56 PM, you wrote:
ER> I just added -h "ldap:/// ldaps:///" to my slapd startup, so now it's actually
ER> STARTING the ldaps server.
You'd better also begin with `exim -be'; that's the expansion-testing
mode. LDAP(S) is tricky, so make your life easier ;-)
ER> And, it's not working very well, even still. ldapsearch -ZZ over ldaps://blah/
ER> fails, complaining:
ER> ldapsearch -ZZ -LL -H ldaps://ldap.mydomain.com/ -b"dc=mydomain,dc=com" -W -x
ER> -D "uid=psi-jack,ou=People,dc=mydomain,dc=com" "(uid=psi-jack)"
ER> ldap_start_tls: Operations error
ER> additional info: TLS already started
You don't have to use -ZZ (TLS critical) on ldaps://; that's *only* for
ldap://. STARTTLS is used to `convert' the active plain-text
connection into an encrypted one (that's true for all protocols I know,
including SMTP).
ER> In addition to that, TLS runs over the standard port of the service, rather
ER> than SSL running on a different port. Does exim's ldap:/// attempt to try TLS
ER> at all, or is that only done through ldaps:/// URLs?
Yes. Exim acts like -Z (TLS try) with ldap://, and does TLS hard
with ldaps://. But *note* that `hard' is not the same as `STARTTLS
critical' (-ZZ)!
If you want to disable TLS with Exim, turn it off on the server side.
--
Best regards,
Peter mailto:spam4octan@highway.ru
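Added example, not code from the thread or from Exim/OpenLDAP: a POSIX sh function that parses an LDAP URL (scheme, host, port) and applies the distinction Peter draws, namely that ldaps:// is encrypted from the first byte while -Z/-ZZ STARTTLS only belongs on ldap://. The function name and the verdict strings are my own; the default ports 636 and 389 are the standard ones; the "(default)" host for an empty authority is a placeholder, since RFC 4516 leaves that implementation-defined.

```shell
#!/bin/sh
# ldap_url_transport URL [STARTTLS_FLAG]
#   STARTTLS_FLAG is "", "-Z" (try STARTTLS) or "-ZZ" (STARTTLS critical),
#   mirroring ldapsearch. Prints one line:
#   "<scheme> <host> <port> <transport> <starttls-verdict>"
# Limitation: bracketed IPv6 literals ([::1]:636) are not handled.
ldap_url_transport() {
    url=$1
    flag=${2:-}
    case $url in
        ldaps://*) scheme=ldaps; rest=${url#ldaps://}; port=636 ;;
        ldap://*)  scheme=ldap;  rest=${url#ldap://};  port=389 ;;
        *) echo "bad-url"; return 1 ;;
    esac
    hostport=${rest%%/*}        # drop DN?attrs?scope?filter after the first '/'
    host=${hostport%%:*}
    case $hostport in
        *:*) port=${hostport#*:} ;;   # explicit port overrides the scheme default
    esac
    [ -n "$host" ] || host='(default)'   # "ldaps:///" names no host
    if [ "$scheme" = ldaps ]; then
        # TLS is negotiated before any LDAP PDU, so a STARTTLS extended
        # operation on this connection can only be answered "TLS already started".
        transport=implicit-tls
        case $flag in
            "")  verdict=none ;;
            -Z)  verdict=redundant ;;   # non-critical: reported, search continues
            -ZZ) verdict=error ;;       # critical: the failure in the thread
            *)   verdict=bad-flag ;;
        esac
    else
        # Plain ldap:// starts in clear text; STARTTLS upgrades it in place.
        case $flag in
            "")  transport=plaintext;              verdict=none ;;
            -Z)  transport=starttls-opportunistic; verdict=ok ;;
            -ZZ) transport=starttls-required;      verdict=ok ;;
            *)   transport=plaintext;              verdict=bad-flag ;;
        esac
    fi
    echo "$scheme $host $port $transport $verdict"
}
```

Run it on the command from the thread, `ldap_url_transport 'ldaps://ldap.mydomain.com/' -ZZ`, and it reports the implicit-TLS transport with an `error` verdict for the critical STARTTLS request.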