7.5. Command-Line Functions for Start TLS
LDAP client tools such as ldapmodify, ldapsearch, and ldapdelete can use TLS/SSL when communicating with an SSL-enabled server or when using certificate authentication. Command-line options also specify or enforce Start TLS, which allows a secure connection to be enabled on a clear text port after a session has been initiated.
Important
For Start TLS to work, the environment variables for the SSL/TLS databases must be configured. This is described in Section A.2, “Using SSL/TLS and Start TLS with LDAP Client Tools”.
In the following example, a network administrator enforces Start TLS for a search for Mike Connor's identification number:
ldapsearch -ZZ -D "cn=directory manager" -w secret -p 389 -h server.example.com -x -b "uid=mconnors,ou=people,dc=example,dc=com" "(attribute=govIdNumber)"
-ZZ enforces Start TLS.
Note
The -ZZ option enforces the use of Start TLS, and the server must respond that a Start TLS command was successful. If the -ZZ option is used and the server does not support Start TLS, the operation is aborted immediately.
With the -Z option, the following errors could occur:
- If there is no certificate database, the operation fails. See Section 7.3.1, “Obtaining and Installing Server Certificates” for information on using certificates.
- If the server does not support Start TLS, the connection proceeds in clear text. To enforce the use of Start TLS, use the -ZZ command option.
- If the certificate database does not have the certificate authority (CA) certificate, the connection proceeds in clear text. See Section 7.3.1, “Obtaining and Installing Server Certificates” for information on using certificates.
With the -ZZ option, the following errors could occur, causing the Start TLS operation to fail:
- There is no certificate database. See Section 7.3.1, “Obtaining and Installing Server Certificates” for information on using certificates.
- The certificate database does not have the certificate authority (CA) certificate. See Section 7.3.1, “Obtaining and Installing Server Certificates” for information on using certificates.
- The server does not support Start TLS as an extended operation.
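Because a single -Z silently falls back to clear text in two of the three failure cases above, an auditor may want to find scripts that rely on it. The following added example (not part of this guide) classifies each ldapsearch, ldapmodify, or ldapdelete command line in a script by its Start TLS posture; the sample script lines are constructed, and it assumes that repeated single -Z options add up like -ZZ.

```python
import shlex

# TLS posture of one LDAP client tool invocation.
CLEARTEXT = "cleartext"          # no -Z at all: never attempts Start TLS
OPPORTUNISTIC = "opportunistic"  # -Z: may proceed in clear text if Start TLS is unavailable
ENFORCED = "enforced"            # -ZZ: aborts unless the server confirms Start TLS

LDAP_TOOLS = {"ldapsearch", "ldapmodify", "ldapdelete"}

def start_tls_level(argv):
    """Count the Z flags, including clustered short options such as -xZZ.
    Assumption: repeated single -Z options accumulate like -ZZ."""
    level = 0
    for arg in argv[1:]:
        if arg.startswith("-") and not arg.startswith("--") and len(arg) > 1:
            level += arg[1:].count("Z")
    return level

def classify(cmdline):
    """Return the posture of an LDAP tool command line, or None for other commands."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] not in LDAP_TOOLS:
        return None
    level = start_tls_level(argv)
    if level == 0:
        return CLEARTEXT
    if level == 1:
        return OPPORTUNISTIC
    return ENFORCED

def audit(lines):
    """Return (line_number, posture, command) for each invocation that does not enforce Start TLS."""
    findings = []
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no invocation
        posture = classify(stripped)
        if posture is not None and posture != ENFORCED:
            findings.append((n, posture, stripped))
    return findings

# Constructed sample script (not from the guide): one enforced, one opportunistic,
# one clear text and one enforced-in-clustered-form invocation.
SAMPLE_SCRIPT = """\
# nightly export job (constructed sample)
ldapsearch -ZZ -D "cn=directory manager" -w secret -p 389 -h server.example.com -x -b "dc=example,dc=com" "(objectclass=*)"
ldapsearch -Z -x -h server.example.com -b "ou=people,dc=example,dc=com" "(uid=mconnors)"
ldapmodify -x -h server.example.com -f changes.ldif
/usr/bin/ldapdelete -xZZ -h server.example.com "uid=old,ou=people,dc=example,dc=com"
""".splitlines()

if __name__ == "__main__":
    for n, posture, cmd in audit(SAMPLE_SCRIPT):
        print(f"line {n}: {posture}: {cmd}")
```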
For SDK libraries used in client programs, if a session is already in TLS mode and Start TLS is requested, then the connection continues to be in secure mode but prints the error "DSA is unwilling to perform".