On Mon, Oct 17, 2005 at 09:29:57AM -0400, Aaron Richton wrote:
> > If I run ldapsearch from another machine which has another version of
> > openldap that is not 2.3.11 nor 2.3.10, then it works.
>
> So this is against your 2.3.11 slapd, 2.3.11 ldapsearch -ZZ fails while
> <2.3.10 connects OK (2.3.11 server held constant)?

Correct.

> Do you have identical ldap.conf and/or .ldaprc on the 2.3.11 machines, and
> of course identical file contents referenced? Also, your logs are from

Using the machine with the ldapsearch that works, if I remove "TLS_REQCERT allow" from ~/.ldaprc or /etc/openldap/ldap.conf, then I get a self-signed certificate error as expected.

> slapd -d -1 (which is a good debugging step), but you might want to try a
> ldapsearch -d -1 too so we can see the other side of the equation.

The same error code appears at the client side (either -11 with start_tls or -1 with ldaps).

> The "telnet" seems to me a bad example, I'm pretty sure that will get
> "TLS: can't accept" in all situations. (Unless you know how to perform a
> TLS handshake by hand.)

telnet? I used:

    openssl s_client -connect ldapserver:636

to test the ldaps:// connection, and SSL was established. Obviously I didn't do any ldap queries.

I reversed the ITS4072 patch in 2.3.11 (so that the affected files got back to the 2.3.9 release state) and tls started working again.
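The thread's "TLS_REQCERT allow" workaround makes the self-signed certificate error disappear by ignoring the verification result rather than fixing trust. The script below is an added example, not code from the thread or from OpenLDAP: it audits an ldap.conf / .ldaprc file for TLS_REQCERT values that weaken server certificate checking and for a missing TLS_CACERT, using constructed sample configs with hypothetical paths.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP client config
# (ldap.conf or ~/.ldaprc) for TLS settings that weaken server certificate
# checking. Prints one of: weak:<value>, nocacert, ok.
ldap_tls_audit() {
    awk '
        /^[ \t]*#/ { next }                         # skip comment lines
        NF < 2     { next }                         # skip blank/odd lines
        { key = tolower($1) }                       # keywords are case-insensitive
        key == "tls_reqcert" { reqcert = tolower($2) }          # last one wins
        key == "tls_cacert" || key == "tls_cacertdir" { cacert = $2 }
        END {
            # never: no cert requested; allow: bad cert ignored; try: missing cert accepted
            if (reqcert == "never" || reqcert == "allow" || reqcert == "try")
                print "weak:" reqcert
            else if (cacert == "")
                print "nocacert"   # default is demand, but there is no CA to verify against
            else
                print "ok"
        }' "$1"
}

# Constructed sample configs (hypothetical host, base DN and CA file path).
tmpdir=$(mktemp -d)
cat > "$tmpdir/weak.conf" <<'EOF'
# workaround that silences the self-signed certificate error
BASE dc=example,dc=com
URI ldaps://ldapserver:636
TLS_REQCERT allow
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
# keep the default verification and trust the CA that issued the server cert
BASE dc=example,dc=com
URI ldaps://ldapserver:636
TLS_CACERT /etc/openldap/cacerts/internal-ca.pem
TLS_REQCERT demand
EOF
for f in weak hardened; do
    printf '%s: %s\n' "$f" "$(ldap_tls_audit "$tmpdir/$f.conf")"
done
rm -rf "$tmpdir"
```

With "TLS_REQCERT demand" and a correct TLS_CACERT, a genuinely bad or spoofed certificate still fails the handshake, which is the behaviour the "allow" workaround throws away.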