On Mon, Sep 23, 2013 at 10:36:34AM -0400, Salz, Rich wrote:

> > I can use the showcerts command on port 636 and see the certs
> > but when I try to do this on port 389 to use TLS I get the following error.
>
> 389 is the "plaintext" LDAP port; 636 is for LDAP over SSL/TLS
> so your system is doing the right thing. If you want to force
> SSL/TLS, then you'll have to configure your directory to not listen
> on 389.
Another option is to use LDAP's "STARTTLS" support on port 389. Do not use "ldaps://ldap.example.com:389/..." LDAP URIs.

STARTTLS for LDAP on port 389 needs to be enabled via out-of-band policy, perhaps in the future via DANE TLSA for LDAP:

    _389._tcp.ldap.example.com. IN TLSA 3 1 1 <SPKI SHA256 digest>

I'm not aware of any progress on DANE support for LDAP, so for now STARTTLS is enabled on a case-by-case basis by the client system's administrator.

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
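Added example, not code from the thread: a minimal wire-level view of what "STARTTLS on port 389" is. A STARTTLS client first sends a cleartext LDAP ExtendedRequest carrying the StartTLS OID 1.3.6.1.4.1.1466.20037 and begins the TLS handshake only after a success ExtendedResponse, whereas an ldaps:// client opens with a TLS ClientHello, which a plaintext port 389 listener cannot parse as an LDAPMessage. The BER helpers and the sample server response bytes are constructed here; the message shapes follow RFC 4511.

```python
"""Cleartext LDAP StartTLS exchange (RFC 4511 / RFC 4513) and the ldaps://:389 mismatch."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 section 4.14


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value


def _read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    This is what a STARTTLS client sends in the clear before any TLS record."""
    request_name = _tlv(0x80, STARTTLS_OID)          # requestName, context-specific tag [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x77, request_name))


def parse_extended_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24].

    resultCode 0 (success) is the signal that the client may now start the TLS handshake."""
    tag, body, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(op)            # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)   # matchedDN (empty on success)
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def classify_first_bytes(b: bytes) -> str:
    """Tell a TLS record (what ldaps:// sends first) from a BER LDAPMessage (what port 389 expects)."""
    if len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03:
        return "tls-handshake"
    return "ldap-message" if b and b[0] == 0x30 else "unknown"


# Constructed sample: a server's StartTLS ExtendedResponse with resultCode 0 (success).
SAMPLE_OK_RESPONSE = bytes.fromhex("300c0201017807" "0a0100" "0400" "0400")
```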