# Port www/squid33: LDAP authentication helpers cannot connect via TLS



## pvoigt (Nov 9, 2013)

I've installed port www/squid33 with LDAP support under FreeBSD 9.2-RELEASE. When trying to connect to my OpenLDAP server, which is hosted on the same FreeBSD server, I have found that the authentication helper basic_ldap_auth cannot connect to the LDAP server using TLS. The helper returns:

```
Could not Activate TLS connect
```
Simple binds, e.g. those without the -Z switch, are working as expected.

To exclude any misconfiguration of my OpenLDAP server I've checked the basic_ldap_auth from my Linux box. The TLS connection immediately worked as expected. That's why I conclude the basic_ldap_auth helper of FreeBSD may contain an error.

Unfortunately, basic_ldap_auth gives just the above error message, even with the debugging switch -d. At the same time my OpenLDAP server shows the following logging output:

```
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 fd=79 ACCEPT from IP=192.168.1.105:11555 (IP=0.0.0.0:389)
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 op=0 STARTTLS
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 op=0 RESULT oid= err=0 text=
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 fd=79 TLS established tls_ssf=256 ssf=256
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 fd=79 closed (connection lost)
```

This looks strange to me, as the TLS connection seems to work but indeed fails to return data and produces the above TLS error message.

The same error occurs with digest_ldap_auth, which unfortunately does not install with configure option `AUTH_LDAP=on`. I've had to manually compile and install before a `make clean`. And also this helper works as expected without TLS.


----------
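The slapd log in the post shows STARTTLS accepted and TLS established on the server side, then the connection closing with no BIND logged. The following is an added example, not part of the original post, that groups slapd log lines by `conn=` and flags that pattern; the `conn=1948` lines are a constructed healthy session for contrast, and the category labels are this example's own.

```python
import re
from collections import defaultdict

# conn=1947 lines are from the post; conn=1948 lines are constructed
# (hypothetical bind DN) to show a session that goes on to BIND.
SAMPLE_LOG = """\
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 fd=79 ACCEPT from IP=192.168.1.105:11555 (IP=0.0.0.0:389)
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 op=0 STARTTLS
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 op=0 RESULT oid= err=0 text=
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 fd=79 TLS established tls_ssf=256 ssf=256
Nov  9 15:03:09 freebsd slapd[966]: conn=1947 fd=79 closed (connection lost)
Nov  9 15:04:01 freebsd slapd[966]: conn=1948 fd=80 ACCEPT from IP=192.168.1.105:11560 (IP=0.0.0.0:389)
Nov  9 15:04:01 freebsd slapd[966]: conn=1948 op=0 STARTTLS
Nov  9 15:04:01 freebsd slapd[966]: conn=1948 fd=80 TLS established tls_ssf=256 ssf=256
Nov  9 15:04:01 freebsd slapd[966]: conn=1948 op=1 BIND dn="uid=proxy,dc=example,dc=org" method=128
Nov  9 15:04:01 freebsd slapd[966]: conn=1948 op=2 UNBIND
Nov  9 15:04:01 freebsd slapd[966]: conn=1948 fd=80 closed
"""

# Capture the connection id and the event text after the fd=/op= field.
LINE_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:fd=\d+|op=\d+) (.*)$")

def classify(log_text):
    """Return {conn_id: label} describing how far each session got."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events[int(m.group(1))].append(m.group(2))
    report = {}
    for conn, evs in events.items():
        starttls = any(e == "STARTTLS" for e in evs)
        tls_up = any(e.startswith("TLS established") for e in evs)
        bound = any(e.startswith("BIND ") for e in evs)
        lost = any(e.startswith("closed (connection lost)") for e in evs)
        if starttls and tls_up and lost and not bound:
            # Server finished the handshake; the peer went away before binding.
            report[conn] = "dropped-after-handshake"
        elif starttls and not tls_up:
            report[conn] = "handshake-failed"
        elif bound:
            report[conn] = "bind-attempted"
        else:
            report[conn] = "other"
    return report

if __name__ == "__main__":
    for conn, label in sorted(classify(SAMPLE_LOG).items()):
        print(conn, label)
```

A `dropped-after-handshake` result only says the server side completed TLS; the reason the client gave up has to come from the client's own diagnostics.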

