On Fri, May 20 2011 at 01:04:52 +0200, Buchan Milne wrote:
> On Friday, 20 May 2011 11:50:05 David Dumortier wrote:
> > Hi everybody,
> >
> > I try to setup a slapd with TLS.
>
> Do you mean START_TLS on ldap://, or ldaps:// ? I don't think you can test
> START_TLS on ldap:// with gnutls-cli-debug.

ldaps:///

netstat -lataupe :
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 0 264360 29866/slapd
[...]

> With what command-line arguments/options (specifically, what values provided
> to -h option)?

cat /etc/default/slapd :
SLAPD_SERVICES="ldapi:/// ldaps:///"

> > but when I try a debug I have :
> > # gnutls-cli-debug -p 636 myip
> > Checking for TLS 1.1 support... no
> > Checking fallback from TLS 1.1 to... failed
> > Checking for TLS 1.0 support... no
> > Checking for SSL 3.0 support... no
> >
> > Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
>
> Before doing this, did you verify that slapd is actually listening for ldaps
> on port 636?
>
> I suspect you are running ldap:// on port 636.

ldapsearch -W -H ldap://myip:636/
ldap_result: Can't contact LDAP server (-1)

ldapsearch -W -H ldaps://myip/
TLS: can't connect: Error in the push function..
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -ZZW -H ldaps://myip/
TLS: can't connect: Error in the push function..
ldap_start_tls: Can't contact LDAP server (-1)
	additional info: Error in the push function.

> >
> > Here is my slapd conf :
> > olcTLSVerifyClient: demand
> > olcTLSCertificateFile: /etc/ldap/ssl/mycsr.csr
> > olcTLSCertificateKeyFile: /etc/ldap/ssl/mykey.key
>
> Regards,
> Buchan

--
David Dumortier
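An added example, not part of this thread, for the olcTLSCertificateFile / olcTLSCertificateKeyFile lines quoted above: slapd needs a PEM X.509 certificate in olcTLSCertificateFile and the matching private key in olcTLSCertificateKeyFile, and this POSIX shell check reports whether a given file pair is usable, rejecting a signing request (.csr) put in place of a certificate. It assumes the openssl CLI is installed; the probe_ldaps helper, the file names and the throwaway demo material are constructed for illustration, not taken from the poster's setup.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.
# Checks that what slapd would load from olcTLSCertificateFile and
# olcTLSCertificateKeyFile is a PEM X.509 certificate plus its matching key.

# Usage: check_slapd_tls_files CERT KEY  (returns 0 only when both are usable)
check_slapd_tls_files() {
    cert="$1"; key="$2"
    # A signing request (.csr) is not a certificate, so x509 refuses to parse it.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "not an X.509 certificate: $cert" >&2
        return 1
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if ! key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null); then
        echo "cannot read private key: $key" >&2
        return 2
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match: $cert / $key" >&2
        return 3
    fi
    echo "ok: $cert matches $key"
}

# Probe a live ldaps port and print the certificate it presents (not run here).
probe_ldaps() {
    openssl s_client -connect "$1:636" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Constructed demo material: throwaway key, self-signed cert and CSR in a
# temporary directory; prints the directory path.
make_demo_tls_files() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap.example.test" \
        -keyout "$dir/mykey.key" -out "$dir/mycert.pem" >/dev/null 2>&1
    openssl req -new -key "$dir/mykey.key" -subj "/CN=ldap.example.test" \
        -out "$dir/mycsr.csr" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demonstration with the constructed files.
demo_dir=$(make_demo_tls_files)
check_slapd_tls_files "$demo_dir/mycert.pem" "$demo_dir/mykey.key"
check_slapd_tls_files "$demo_dir/mycsr.csr" "$demo_dir/mykey.key" \
    || echo "rejected as expected: a CSR is not a certificate"
rm -rf "$demo_dir"
```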
