On Fri, Feb 07, 2003 at 01:03:10PM -0800, Saqib.N.Ali@seagate.com wrote:
> I am trying to connect to LDAP server using the OpenLDAP "ldapsearch"
> command line utility that comes with RH 8.0.
>
> The command line that I am using is as follows:
> $ ldapsearch -x -ZZ -h my.ldap.server -b "o=SC" "uid=saqib"
> ldap_start_tls: Protocol error (2)
>
> As the error shows, the START_TLS failed.
>
> I am connecting to a SunOne Directory Server, that supports TLS.
>
> I am wondering if the "ldapsearch" (part of OpenLDAP) utility that ships
> with RH 8.0 supports TLS. Or should I compile my own OpenLDAP from source?
> Has anyone tried TLS connection using the ldapsearch that comes with RH
> 8.0?

Yes, ldapsearch (actually, OpenLDAP) is built with TLS support enabled.

First, be certain that you should be using STARTTLS instead of the older
"LDAP over SSL" method which you'd get by specifying:

    -H ldaps://my.ldap.server/

instead of

    -ZZ -h my.ldap.server

Given that that's alright, check that the server supports the version of
the LDAP protocol that the client is attempting to use, by specifying
either "-P 2" or "-P 3" on the command line.  IIRC using TLS forces use
of LDAPv3, and not all servers support both LDAPv2 and LDAPv3.

If the protocol's all correct, and it's actually an error starting up TLS,
you can use OpenSSL to verify that the certificate looks alright.  Use
OpenSSL to dump out the contents of the certificate which you'd get
connecting to the ldaps port:

    openssl s_client -connect my.ldap.server:ldaps

Copy and paste the text between (and including) the lines which read
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", and paste
them into:

    openssl x509 -noout -text

Check that the validity dates are correct, and check that the common name
encoded in the certificate (the "CN" part of the subject's name) matches
how you're giving ldapsearch the name of the server -- they must match
*exactly*.

HTH,

Nalin

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
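The certificate check Nalin describes, scripted as an added example that is not part of the original post: it pulls the certificate off the ldaps port with s_client, prints the validity dates, flags an expired certificate, and compares the subject CN to the exact host name you would pass to ldapsearch. The host name my.ldap.server and the default port 636 are placeholders, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: my.ldap.server, port 636.

# fetch_cert HOST PORT: print the PEM block that s_client shows for the ldaps port
# (the same "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" text
# the post says to copy and paste).
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# check_cert HOST < cert.pem: show validity dates, then return 0 only if the
# certificate has not expired and its subject CN matches HOST exactly.
check_cert() {
    host=$1
    pem=$(cat)
    [ -n "$pem" ] || { echo "FAIL: no certificate received" >&2; return 1; }

    # Subject in RFC 2253 form, e.g. "subject=CN=my.ldap.server,O=Example";
    # pull out the CN value only.
    cn=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=[[:space:]]*.*CN=\([^,]*\).*/\1/p')

    # Validity window, as the post says to check by eye.
    printf '%s\n' "$pem" | openssl x509 -noout -startdate -enddate

    status=0
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        status=1
    fi
    # The CN must match the name given to ldapsearch byte for byte.
    if [ "$cn" != "$host" ]; then
        echo "FAIL: CN '$cn' does not match host name '$host'" >&2
        status=1
    else
        echo "OK: CN matches '$host'"
    fi
    return $status
}

# Usage: sh ldapcert-check.sh my.ldap.server [port]   (port defaults to 636, ldaps)
if [ "$#" -ge 1 ]; then
    fetch_cert "$1" "${2:-636}" | check_cert "$1"
fi
```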