I&#39;m trying to do set up authentication between fedora 14 client and server using ldap passwords. I seem to be having a problem getting the server to accept startTLS. It has all been set up with 389-console and system-config-authentication.<br>
<br>In more detail, I set up the client using system-config-authentication, to use LDAP for the user account authentication, TLS to encrypt connections, and LDAP passwords. I set the LDAP server to ldap://&lt;server name&gt;. All this seems to be working OK, on the server (wireshark) I can see the initial ldap handshake on port 389, as expected. The problem seems to start at the next stage. I see a tcp packet to port 389 from the client, protocol LDAP, Info extendedReq(1) LDAP_START_TLS_OID, which I assume is the request packet from the client to start the TLS handshake. I see a TCP ack from the server, but this is immediately followed by a protocol LDAP message from the server to the client, extendedResp(1) (unsupported extended operation). I assume this is a failure message. However the client replies with an SSLv2 Client Hello. There is never an SSL response, <br>
<br>On the client, I see in the logs <br>ssd[be[LDAP]]: Could not start TLS encryption. unsupported extended operation<br>which I assume confirms that the attempt to start up TLS failed. <br><br>In the server  dirsrv access log, I see:<br>
<br>[08/Apr/2011:16:40:46 +0900] conn=12 fd=64 slot=64 connection from 192.168.1.7 to 192.168.1.192<br>[08/Apr/2011:16:40:46 +0900] conn=12 op=0 EXT oid=&quot;1.3.6.1.4.1.1466.20037&quot;<br>[08/Apr/2011:16:40:46 +0900] conn=12 op=0 RESULT err=2 tag=120 nentries=0 etime=0<br>
[08/Apr/2011:16:40:46 +0900] conn=12 op=-1 fd=64 closed error 71 (Protocol error) - B1<br><br>and in the error log (logging verbosity turned up a bit) I see<br><br>[08/Apr/2011:17:13:22 +0900] - new connection on 64<br>[08/Apr/2011:17:13:22 +0900] - activity on 64r<br>
[08/Apr/2011:17:13:22 +0900] - read activity on 64<br>[08/Apr/2011:17:13:22 +0900] - conn 16 activity level = 0<br>[08/Apr/2011:17:13:22 +0900] - listener got signaled<br>[08/Apr/2011:17:13:22 +0900] - flush_ber() wrote 44 bytes to socket 64<br>
[08/Apr/2011:17:13:22 +0900] - activity on 64r<br>[08/Apr/2011:17:13:22 +0900] - read activity on 64<br>[08/Apr/2011:17:13:22 +0900] - conn=16 received a non-LDAP message (tag 0x80, expected 0x30)<br>[08/Apr/2011:17:13:22 +0900] - conn 16 leaving turbo mode due to 3<br>
[08/Apr/2011:17:13:22 +0900] - listener got signaled<br><br><br>All this seems to suggest that either I don&#39;t have startTLS built into my installation of 389, or I&#39;m somehow failing to enable it. However I can&#39;t see any plugin in yum that would help, and the only place I can see (at least in 389-console) that looks like it could affect this is the Domain name &quot;Secure connection&quot; checkbox. However I&#39;ve tried toggling this and I see exactly the same behaviour either way (I&#39;m guessing that the checkbox actually enables SSL support on port 636, but the documentation isn&#39;t too clear on this). <br>
<br>One possibility, that I&#39;m not too sure how to check, is that the (self-signed) CA certificate or the server certificate might be bad. However they look fine on dumping, and both appear to be installed in the server. And hopefully, I would have got rather more informative log messages in this case. I&#39;m not too sure how to test this locally on the server, any pointers on how to do this would be great.<br>
<br>Any help anyone can give on this would be _hugely_ appreciated - I am now three days in on what looked like it was supposed to be a straightforward install, with no real progress, and getting further behind on other urgent stuff. Urrgggg.<br>
<br>System:<br>Client and server:<br>F14, 2.6.35.11-83.fc14.x86_64 kernel<br><br>Server:<br>slapd 2.4.23<br><br>Client:<br>sssd 64-bit 1.5.4-1.fc14<br><br><br>      Best Wishes<br>      Bob<br>