the openldap ldapsearch -Z does startTLS, which tries to startup a secure connection using the non-secure port - basically, so you can have ldap listen only to 389 and have SSL/TLS on that port. So then you may ask "Ok, that's fine, but how do I disable non-secure connections on 389?" I'm not sure how you can do that at the connection level, but at the entry level you can set ACIs to allow access only if using SSL/TLS. Susan wrote: >Hi, everybody. > >I turned ssl on the server and it seemed to be working OK, I was getting replies with >ldapsearch -x -ZZ. (access log saying startTLS, aes256 SSL), tcpdump showing encrypted >traffic (on port 389 tho, not 636 but OK) > >However, ldapsearch -x was also working, transmitting in clear text (as seen on tcpdump). > I went ahead and set the nsslapd-port to 0: > >[05/Jan/2006:11:50:59 -0500] - Information: Non-Secure Port Disabled, server only >contactable via secure port >[05/Jan/2006:11:50:59 -0500] - Fedora-Directory/1.0.1 B2005.342.161 starting up >[05/Jan/2006:11:50:59 -0500] - Listening on All Interfaces port 636 for LDAPS requests > >OK, good. Now, however, ldapsearch -x -ZZ doesn't work anymore: > >$>ldapsearch -x -ZZ >ldap_start_tls: Can't contact LDAP server (-1) > >And ldapsearch -x -ZZ -p 636 -h cnyldap01 just hangs.. I get nothing back. > >What am I doing wrong??? > > > >__________________________________________ >Yahoo! DSL ? Something to write home about. >Just $16.99/mo. or less. >dsl.yahoo.com > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060105/a409ed58/attachment.bin
