Thanks Henrik. I have the link created to my cert as you suggested.

[root@proxy2 cacerts]# ls -altr
total 32
-rw-r--r-- 1 root root 4245 Jan 18 11:41 cert.pem
drwxr-xr-x 2 root root 4096 Jan 18 11:42 .
lrwxrwxrwx 1 root root    8 Apr 24 16:57 9ac40248.0 -> cert.pem
drwxr-xr-x 3 root root 4096 Jun 15 12:22 ..
[root@proxy2 cacerts]# pwd
/etc/openldap/cacerts

Using the -Z option still returns "Could not Activate TLS connection". I also tried with -p 636, which does not return anything.

Somehow I need to implement this to meet the deadline (tomorrow). Can you/someone please help with configuring this?

FYI: I have connectivity over port 636 to my ldap server from the proxy server.

Thanks a ton.
Bhagwan

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, June 14, 2007 10:25 AM
To: Vootla, Bhagwan
Cc: squid-users@xxxxxxxxxxxxxxx; squid-dev@xxxxxxxxxxxxxxx
Subject: Re: Squid + ldap +ssl Secure authentication

On 2007-06-14 at 07:47 -0400, Vootla, Bhagwan wrote:

> 1) I have read that SSL encryption can be achieved from proxy
> server to ldap server only. How can I achieve from browser to proxy
> server ?

Squid has all the support that is needed on the proxy side of things for this, by using the https_port directive. However, there are no known browsers supporting SSL to proxies.

> 2) I created a cert in /etc/openldap/cacerts/cert.pem. How do I
> tell squid_ldap_auth to use this cert and encrypt the password. (my ldap
> server listens on 389,636 ports).

By asking it to use TLS.

> I also tried with -Z option from the command line, But I get "Could not
> Activate TLS connection"

Then it probably didn't find the CA certificate. /etc/openldap/cacerts is an OpenSSL hashed certificate directory. It's not sufficient to just place the certificate file there; it also needs to be named properly for OpenSSL to find it.

There is a tool somewhere which sets up symbolic links for the hashed certificate names, unfortunately I don't remember its name. But the following should work:

    cd /etc/openldap/cacerts/
    ln cert.pem `openssl x509 -in cert.pem -hash -noout`.0

Also make sure the file is world-readable.

    chmod a+r cert.pem

Regards
Henrik
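The hashed-directory setup Henrik describes, as an added example that is not part of the thread. The tool he could not recall is c_rehash (shipped with OpenSSL; newer releases also have `openssl rehash`). The script below does the same job by hand for one CA file and then verifies the directory the way libldap/OpenSSL will actually look it up, so a wrong hash name shows up as a failure here rather than as "Could not Activate TLS connection" from squid_ldap_auth. Two caveats worth checking on the proxy: OpenSSL 1.0 changed the subject-hash algorithm (the old one is now `-subject_hash_old`; `-hash` is an alias for whichever the local build uses), so a link named by one OpenSSL version may be invisible to another; and the `.0` suffix is only the first slot, so two CAs with the same hash need `.1`, `.2`, and so on. The paths and the function names are this example's own assumptions; it needs openssl(1) on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): install a CA certificate
# into an OpenSSL hashed directory such as /etc/openldap/cacerts and check
# that lookups through that directory actually find it.
# Assumptions: openssl(1) is on PATH; directory and cert paths are arguments.
set -eu

# install_ca CERTFILE DIR
# Copies CERTFILE into DIR, makes it world-readable (the auth helper does not
# run as root), and creates the <subject_hash>.N symlink OpenSSL looks for.
# Prints the link name it created or reused, e.g. 9ac40248.0
install_ca() {
    cert=$1; dir=$2
    base=$(basename "$cert")
    # -subject_hash is what OpenSSL >= 1.0 uses when scanning a CApath;
    # on 0.9.x the same flag (or -hash) produced the old-style hash.
    hash=$(openssl x509 -in "$cert" -noout -subject_hash)

    mkdir -p "$dir"
    cp "$cert" "$dir/$base"
    chmod a+r "$dir/$base"

    # OpenSSL tries hash.0, hash.1, ... until one is missing, so pick the
    # first free slot, or reuse the slot already pointing at this file.
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n" 2>/dev/null || true)" = "$base" ]; then
            break
        fi
        n=$((n + 1))
    done
    ln -sf "$base" "$dir/$hash.$n"
    printf '%s\n' "$hash.$n"
}

# verify_ca_dir CERTFILE DIR
# Returns 0 only if OpenSSL can build a chain for CERTFILE using DIR as
# CApath, i.e. the hashed link is present and resolves. This is the same
# lookup libldap performs when TLS_CACERTDIR (or squid_ldap_auth -Z) is used.
verify_ca_dir() {
    cert=$1; dir=$2
    openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1
}

# Usage (on the proxy, as root):
#   install_ca /path/to/ldap-ca.pem /etc/openldap/cacerts
#   verify_ca_dir /path/to/ldap-ca.pem /etc/openldap/cacerts && echo OK
```

If `verify_ca_dir` fails right after `install_ca` succeeded, the usual cause is an OpenSSL version mismatch between the machine that produced the link name and the one doing the lookup; rerun `install_ca` on the proxy itself so the hash comes from the library libldap is linked against.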