Mark Reynolds mareynol at
Thu Nov 20 17:12:00 UTC 2014

How to test the new openldap with TLS1.1+ and 389 Directory Server

Get the new 389 Directory Server scratch builds:

F22 -
F21 -

[1] Install DS using  Then set up SSL on the Directory Server.

I use this script to set up SSL:

./ /etc/dirsrv/slapd-INSTANCE 389 636

slapd-INSTANCE is an example; it is usually slapd-<hostname>, but this
also depends on what you specify during the server install. The script
also expects the Directory Manager DN to be "cn=directory manager".

[2] Next configure DS to set the minimum SSL version it will accept:

ldapmodify -x -h host -p port -D "cn=directory manager" -w password << EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
-
replace: sslVersionMin
sslVersionMin: TLS1.1
EOF

[3] Restart the Directory Server:   restart-dirsrv

[4] Perform an ldapsearch using SSL:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-INSTANCE ldapsearch -xLLL -H 
"ldaps://<host>:<secure port>" -b "" -s base objectclass=*

For example:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-localhost ldapsearch -xLLL -H 
"ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
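
A successful ldapsearch only proves that some TLS version works; it does not show that the sslVersionMin setting from step [2] is actually enforced. The script below is an added example (not part of this post or of 389 Directory Server) that opens a handshake restricted to each TLS version in turn and reports any version below the configured minimum that the server still accepts. The host, port and the "TLS1.1" minimum are assumed values; SSLv3 (nsSSL3) is not probed because modern client libraries cannot offer it, and a version the local OpenSSL refuses to offer at all is reported as untested rather than as refused by the server.

```python
"""Check which TLS versions an LDAPS port accepts against a configured sslVersionMin.

Added example; assumes a 389 DS instance listening on ldaps://localhost:636
configured with sslVersionMin: TLS1.1 as in step [2].
"""
import socket
import ssl

# Oldest to newest; names match the values 389 DS accepts for sslVersionMin.
VERSIONS = [
    ("TLS1.0", ssl.TLSVersion.TLSv1),
    ("TLS1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_version(host, port, version, timeout=5.0):
    """Handshake with the client pinned to exactly one protocol version.

    Returns True if the server completes the handshake, False if it refuses,
    and None if the local client library will not even offer that version
    (for example OpenSSL 3 security levels blocking TLS 1.0/1.1).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is under test here; certificate checking is
    # done separately by ldapsearch with LDAPTLS_CACERTDIR.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        if "no protocols available" in str(exc).lower():
            return None  # client side could not offer it; inconclusive
        return False  # server rejected the handshake (alert or reset)
    except (OSError, socket.timeout):
        return False


def expected_policy(min_version):
    """Map each probed version to whether sslVersionMin should allow it."""
    names = [name for name, _ in VERSIONS]
    if min_version not in names:
        raise ValueError("unknown sslVersionMin value: %s" % min_version)
    start = names.index(min_version)
    return {name: i >= start for i, name in enumerate(names)}


def evaluate(observed, min_version):
    """Return one finding per version the server accepted below the minimum.

    `observed` maps version name -> True/False/None as returned by probe_version.
    Versions that were refused but allowed by policy are not findings: the
    server may simply cap them with sslVersionMax or lack TLS 1.3 support.
    """
    findings = []
    for name, allowed in expected_policy(min_version).items():
        seen = observed.get(name)
        if seen is None:
            continue  # could not be tested from this client
        if seen and not allowed:
            findings.append("%s accepted although sslVersionMin is %s" % (name, min_version))
    return findings


def audit(host, port, min_version):
    """Probe every version and return the list of policy violations."""
    observed = {name: probe_version(host, port, ver) for name, ver in VERSIONS}
    return evaluate(observed, min_version)


if __name__ == "__main__":
    # Assumed target; adjust to your instance's host and secure port.
    problems = audit("localhost", 636, "TLS1.1")
    if problems:
        for line in problems:
            print("FAIL:", line)
    else:
        print("OK: no version below sslVersionMin was accepted")
```

Run it after step [3]; a "FAIL" line means the restart did not pick up the new cn=encryption,cn=config settings or the change was not applied to the instance you are probing.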

Let me know if there are any questions.