ldaps has been deprecated in favour of keeping all communication open only at one port. Try to use:

ldap://host:389, port 0, enable TLS

Use the above settings based on your client. I am using the sssd client with the following settings and it works on TLS.

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = default

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,ubuntu

[pam]
pam_verbosity = 3

[domain/default]
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
ldap_search_base =
ldap_group_member = uniquemember
id_provider = ldap
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=xxxx,dc=xxxx,dc=xxxx
netgroup_provider = ldap
ldap_netgroup_search_base = ou=Netgroup,dc=xxxx,dc=xxxx,dc=xxxx
# StartTLS on the plain ldap:// port; the URIs below stay ldap://, not ldaps://
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldap://host1:389/,ldap://ldap2:389/,ldap://ldap3:389/
ldap_chpass_uri = ldap://host1:389/
cache_credentials = True
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(object)(object))

On Mon, Sep 8, 2014 at 10:58 AM, Vijay Ganesan <[email protected]> wrote:
>
> Thanks, Ryan, for pointing me to the right link. I've configured TLS
> following those instructions.
> But I can't seem to connect using ldaps://localhost:636 using the Apache
> Directory Studio client. I get an "Error while opening connection - Cannot
> connect on the server: Connection refused" error.
> I can connect fine using ldap://localhost:389.
> What diagnostics can be run to figure out if TLS is working correctly?
>
> Thanks
> Vijay
>
>
> On Sun, Sep 7, 2014 at 3:00 PM, Ryan Tandy <[email protected]> wrote:
>
>> The Ubuntu server guide has a chapter on setting up OpenLDAP, including a
>> section on configuring TLS. Have you followed it?
>>
>> https://help.ubuntu.com/12.04/serverguide/openldap-server.html
>>
>> On 07/09/14 02:20 PM, Vijay Ganesan wrote:
>>
>>> 2. Added following entries to /usr/share/slapd/slapd.conf:
>>>
>>
>> Are you sure that's the right file? By default Ubuntu 12.04 uses
>> LDAP-based configuration (cn=config) instead of a slapd.conf file; and even
>> if it did, it would usually be found in /etc/ldap/slapd.conf and not in
>> /usr/share.
>>
>
>
> --
> - Vijay
>

--
Udai Singh Mehra
Infrastructure Engineering and Operations
--
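A diagnostic script for the question quoted above ("What diagnostics can be run to figure out if TLS is working correctly?"), added here as an example; it is not code from any of the posters. It assumes OpenLDAP's ldapsearch and openssl are installed and that slapd's listeners come from SLAPD_SERVICES in /etc/default/slapd, as on Ubuntu. The copy of that file it inspects is constructed inline with the stock Ubuntu contents; the server to probe is taken from an assumed LDAP_HOST environment variable, and the network checks are skipped when it is unset.

```shell
#!/bin/sh
# Added example for the thread above; not code from any of the posters.
# Assumes OpenLDAP client tools (ldapsearch) and openssl are installed, and
# that slapd's listeners are set via SLAPD_SERVICES in /etc/default/slapd.

# Which listeners is slapd started with?  Ubuntu's default is
# SLAPD_SERVICES="ldap:/// ldapi:///", i.e. no ldaps:/// at all, which shows
# up client-side as "Connection refused" on 636 while 389 works fine.
# Prints "yes" if scheme $1 (ldap, ldaps or ldapi) is listed in file $2.
slapd_listens_on() {
    if sed -n 's/^SLAPD_SERVICES="\(.*\)"$/\1/p' "$2" | tr ' ' '\n' | grep -q "^$1:///"; then
        echo yes
    else
        echo no
    fi
}

# Does an sssd ldap_tls_reqcert value actually verify the server certificate?
# Only "demand" (alias "hard") aborts on a missing or bad certificate;
# "never", "allow" and "try" let the session continue, so a spoofed server
# would still receive the bind credentials inside its own TLS session.
reqcert_verifies() {
    case "$1" in
        demand|hard) echo yes ;;
        never|allow|try) echo no ;;
        *) echo unknown ;;
    esac
}

# Live checks against a real server (need network; run only if LDAP_HOST is set).
# StartTLS on 389: -ZZ makes ldapsearch fail instead of falling back to clear text.
check_starttls() {
    ldapsearch -x -ZZ -H "ldap://$1:389" -b '' -s base '(objectClass=*)' namingContexts >/dev/null 2>&1 \
        && echo yes || echo no
}
# ldaps on 636: a bare TLS handshake, independent of any LDAP client settings.
check_ldaps() {
    printf '' | openssl s_client -connect "$1:636" >/dev/null 2>&1 && echo yes || echo no
}

# Constructed sample of a stock Ubuntu /etc/default/slapd (not taken from the thread).
SAMPLE_DEFAULTS=$(mktemp)
trap 'rm -f "$SAMPLE_DEFAULTS"' EXIT
cat > "$SAMPLE_DEFAULTS" <<'EOF'
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_SERVICES="ldap:/// ldapi:///"
EOF

echo "ldaps:/// listener configured: $(slapd_listens_on ldaps "$SAMPLE_DEFAULTS")"
echo "ldap_tls_reqcert=allow verifies the server cert: $(reqcert_verifies allow)"
if [ -n "${LDAP_HOST:-}" ]; then
    echo "StartTLS on $LDAP_HOST:389: $(check_starttls "$LDAP_HOST")"
    echo "ldaps on $LDAP_HOST:636: $(check_ldaps "$LDAP_HOST")"
fi
```

Run it as `LDAP_HOST=localhost sh check-ldap-tls.sh`. A "no" for the ldaps listener together with a working StartTLS check on 389 is exactly the combination the thread describes: TLS itself is configured, but nothing listens on 636 until ldaps:/// is added to SLAPD_SERVICES and slapd is restarted. Separately, with ldap_tls_reqcert = allow as in the sssd.conf above, sssd will still bind to a server that presents no certificate or an untrusted one; demand is the value that makes the TLS setup actually authenticate the server.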
