[squeak-dev] LDAP 'TLS confidentiality required'

tim Rowledge tim at rowledge.org
Wed Mar 8 21:49:27 UTC 2023


With some finagling on my local machine to add a certificate in /etc/ldap, and to add the following lines to /etc/ldap/ldap.conf :

TLS_CACERT      /etc/ldap/ca_server.pem
TLS_REQCERT allow

... I can use ldapsearch from my xubuntu cmdline. That also allowed me to resolve the ldap server and thence get the error 13.

I've tried also adding SSL start_tls and STARTTLS to no net effect.

Changing the hostname to start with ldaps and the port to 636 results in the LDAPTests simply timing out. Might that be because the port needs to be made accessible? Oddly, and just possibly of note, the timeout takes ~6 seconds and not the 45000ms specified in the Socket waitForConn.... method. Maybe that says it isn't actually a timeout error?


> On 2023-03-08, at 1:07 PM, Tobias Pape <Das.Linux at gmx.de> wrote:
> 
> Hi
> 
> 
>> On 8. Mar 2023, at 20:36, Bruce O'Neel <bruce.oneel at pckswarms.ch> wrote:
>> 
>> 
>> Hi
>> 
>> I guess you’re using normal ldap to port 389?  For this server you probably need to use port 636 and ldaps which is a fancy way of saying ldap over SSL.
>> 
>> Good luck with the certificates….
> 
> And then there's STARTTLS for ldap over port 389.
> 
> If your target server is a Microsoft AD, tho, since recently 636 is _required_.
> 
> Best regards
> 	-Tobias
> 
>> 
>> Cheers 
>> 
>> Bruce 
>> On 2023-03-08T02:00:10.000+01:00, tim Rowledge <tim at rowledge.org> wrote:
>> I was just trying out RHE's LDAP code and I get a signal raised with the error code 13 and message 'TLS confidentiality required'. This is evidently related to using TLS for the socket.
>> 
>> Has anyone used this successfully recently? Any experience of this error?
>> 
>> tim


tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
Useful random insult:- Calls people to ask them their phone number.
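The StartTLS extended request and the resultCode 13 ('confidentialityRequired') reply discussed in this thread, as an added Python example that is neither the Squeak LDAP code nor anything posted by the list members: it hand-encodes the LDAP BER messages with the standard library only, and the sample BindResponse bytes are constructed, not captured from any server mentioned above.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"       # StartTLS extended operation, RFC 4511
RESULT_NAMES = {0: "success", 13: "confidentialityRequired", 49: "invalidCredentials"}
# protocolOp tags (APPLICATION n, constructed) whose body starts with an LDAPResult
RESULT_OPS = {0x61: "BindResponse", 0x65: "SearchResultDone", 0x78: "ExtendedResponse"}

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def starttls_request(message_id):
    """LDAPMessage carrying an ExtendedRequest [APPLICATION 23] for StartTLS."""
    mid = tlv(0x02, message_id.to_bytes((message_id.bit_length() + 8) // 8, "big"))
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))    # requestName is [0] IMPLICIT, primitive
    return tlv(0x30, mid + ext)

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_ldap_result(msg):
    """Decode messageID, operation and LDAPResult (resultCode, matchedDN, diagnosticMessage)."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag not in RESULT_OPS:
        raise ValueError("protocolOp 0x%02x does not carry an LDAPResult" % op_tag)
    _, code, pos = read_tlv(op)                  # ENUMERATED resultCode
    _, matched, pos = read_tlv(op, pos)          # LDAPDN matchedDN
    _, diag, _ = read_tlv(op, pos)               # LDAPString diagnosticMessage
    code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "op": RESULT_OPS[op_tag],
            "result_code": code, "result_name": RESULT_NAMES.get(code, "other"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}

# Constructed sample: a BindResponse (APPLICATION 1) as a server that insists on TLS
# answers a plaintext simple bind; not a capture from any server in this thread.
SAMPLE_BIND_RESPONSE = (b"\x30\x28\x02\x01\x02\x61\x23\x0a\x01\x0d\x04\x00\x04\x1c"
                        b"TLS confidentiality required")
```

Only after an ExtendedResponse to the StartTLS request comes back with resultCode 0 does the client wrap the same port-389 socket in TLS and retry the bind; with LDAPS on 636 the TLS handshake happens before any LDAP message is sent, so a connect that fails after ~6 seconds is a transport problem rather than an LDAP result.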