-   Linux - Server (
-   -   PostgreSQL auth over LDAPS: "could not start LDAP TLS session: error code -1" (

lefty.crupps 10-04-2011 09:56 AM

PostgreSQL auth over LDAPS: "could not start LDAP TLS session: error code -1"
I am trying to get PostgreSQL to authenticate over LDAPS on another server; the PostgreSQL server is Debian 6.0.2 (Squeeze), x64, fully updated as of today:

Package: postgresql
Version: 8.4.8-0squeeze2

Package: gnutls-bin
Version: 2.8.6-1

Followed much of the info from here for my PostgreSQL setup:

I can get LDAP authentication working, but not LDAPS (/etc/postgresql/8.4/main/pg_hba.conf)

## This works but isn't encrypted:
local  all        all                              ldap ldapport=389 ldaptls=0 ldapprefix="uid=" ldapsuffix=",ou=People,dc=mydomain,dc=net"

## Hoping to get this working:
# local  all        all                              ldap ldapport=636 ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=mydomain,dc=net"

The error when I try with LDAPS is:

2011-09-30 14:05:33 CDT LOG:  could not start LDAP TLS session: error code -1
2011-09-30 14:05:33 CDT FATAL:  LDAP authentication failed for user "username"

I can connect to that Auth server on port 636:

root@pgsql:~# telnet 636
Connected to
Escape character is '^]'.
telnet> quit
Connection closed.

That server is authenticating over LDAPS port 636 for normal uses, but I cannot get PostgreSQL itself to do so. Can anyone assist please?

acid_kewpie 10-05-2011 03:13 AM

are you dealing with ldaps or ldap w/ tls?? using a tls session, with startls, this will use port 389 and convert to an encrypted session, unlike an ssl session on 636 where it's ssl from the very very start.

lefty.crupps 10-06-2011 01:44 PM

I'd like to deal with LDAPS on port 636 using SSLs.

acid_kewpie 10-07-2011 03:22 AM

right, so don't try to use tls then. From a minute on google it looks like you would want to use an ldaps:// style url instead:

All times are GMT -5. The time now is 06:55 PM.