(I'm posting this here since it didn't seem to get propagated when I placed it via Google groups. Apologies to all of you who see it twice.)
The usual value in brackets is -91, but studying those messages hasn't helped.

I've built openldap in a Solaris 10 zone, including sasl, using the following command line:

    ./configure \
      --sysconfdir=/etc \
      --enable-syslog=yes \
      --with-cyrus-sasl=yes \
      --with-threads=yes \
      --with-tls=yes \
      --enable-crypt=yes \
      --enable-spasswd=yes \
      --enable-modules=yes \
      --enable-rlookups=yes \
      --enable-perl=yes \
      --enable-slurpd=yes

I've populated the database with an organization and a manager, and I can do an ldapsearch from the server to itself before I set up security.

I have created a ca-certificate - since this is primarily for internal use I'm not prepared to buy one - which is located in /usr/local/ssl/demoCA, the private part in demoCA/private. I have created a server certificate and signed it with my ca-certificate. This certificate and its key are placed in /etc/openldap as slapd_cert.pem and slapd_key.pem.

I've added the lines:

    TLSCACertificateFile /usr/local/ssl/demoCA/cacert.pem
    TLSCertificateFile /etc/openldap/slapd_cert.pem
    TLSCertificateKeyFile /etc/openldap/slapd_key.pem
    TLS_REQCERT allow
    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    security ssf=1 update_ssf=112 simple_bind=64

(The suggestion TLC_REQCERT allow I got from searching the net. The rest is bog standard RedHat.)

And my ldap.conf looks like this:

    BASE dc=glocalnet,dc=net
    TLS_CACERT cacert.pem
    TLS_CACERTDIR /usr/local/ssl/demoCA
    URI ldap:/// ldaps:///
    #ssl start_tls

When I now test a ldapsearch I get:

    [EMAIL PROTECTED] ldapsearch -Z -D "cn=Manager,dc=glocalnet,dc=net" -W -b 'dc=glocalnet,dc=net' '(objectclass=*)'
    ldap_start_tls: Connect error (-11)
    Enter LDAP Password:
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

(the first two rows from 'ldapsearch' to 'objectclass' are entered on one line)

Sorry this is so long a message, but I've done a fair bit of research and needed to recount both this and the configuration. Can anyone suggest what the problem might be now?
It appears that the client is now able to find the ca certificate, which was my earlier problem.

Thanks a lot in advance for any help.

//james
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
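A small check over the two configuration fragments quoted in the message above, as an added example that is not part of the original post or of OpenLDAP. It flags TLS directives that sit in the wrong file (slapd.conf(5) server keywords versus ldap.conf(5) client keywords) and certificate paths that are not absolute; the function name `lint`, the issue labels and the keyword subsets are assumptions made for this example, and the findings are configuration observations, not a diagnosis of the -11 error.

```python
# Added example, not from the post. Directive lists are a subset taken from
# the slapd.conf(5) and ldap.conf(5) man pages; keywords are case-insensitive.
SERVER_TLS = {"tlscacertificatefile", "tlscacertificatepath", "tlscertificatefile",
              "tlscertificatekeyfile", "tlsciphersuite", "tlsverifyclient"}
CLIENT_TLS = {"tls_cacert", "tls_cacertdir", "tls_cert", "tls_key",
              "tls_cipher_suite", "tls_reqcert"}
PATH_KEYS = {"tls_cacert", "tls_cacertdir", "tlscacertificatefile",
             "tlscertificatefile", "tlscertificatekeyfile"}

# The two fragments as quoted in the post above.
SLAPD_CONF = """\
TLSCACertificateFile /usr/local/ssl/demoCA/cacert.pem
TLSCertificateFile /etc/openldap/slapd_cert.pem
TLSCertificateKeyFile /etc/openldap/slapd_key.pem
TLS_REQCERT allow
TLSCipherSuite HIGH:MEDIUM:+SSLv2
security ssf=1 update_ssf=112 simple_bind=64
"""
LDAP_CONF = """\
BASE dc=glocalnet,dc=net
TLS_CACERT cacert.pem
TLS_CACERTDIR /usr/local/ssl/demoCA
URI ldap:/// ldaps:///
#ssl start_tls
"""

def lint(text, role):
    """Return (line, keyword, issue) tuples; role is 'server' or 'client'."""
    other_side = CLIENT_TLS if role == "server" else SERVER_TLS
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key.lower() in other_side:
            findings.append((lineno, key, "wrong-file"))
        elif key.lower() in PATH_KEYS and not value.startswith("/"):
            findings.append((lineno, key, "relative-path"))
    return findings

if __name__ == "__main__":
    for name, text, role in (("slapd.conf", SLAPD_CONF, "server"),
                             ("ldap.conf", LDAP_CONF, "client")):
        for lineno, key, issue in lint(text, role):
            print(f"{name}:{lineno}: {key}: {issue}")
```

Line numbers in the output are relative to the quoted fragments, not to the full files on the poster's server.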