Date: Tue, 6 Sep 2016 09:07:36 -0600
From: markham breitbach <markham@ssimicro.com>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD, OpenLDAP and 2048 bits certificates
Message-ID: <5b908d6a-9d36-1848-0e93-81684e667acc@ssimicro.com>
In-Reply-To: <e86e0d3b-5d7e-554f-f521-2c22f8573345@FreeBSD.org>
References: <wu7inu9v06p.fsf@banyan.cs.ait.ac.th> <e86e0d3b-5d7e-554f-f521-2c22f8573345@FreeBSD.org>
This likely just needs the CA certificate installed. I think TLSCACERT=/path/to/my/ca.cert in /usr/local/etc/openldap/ldap.conf should do it.

-Markham

On 2016-09-06 4:03 AM, Matthew Seaman wrote:
> On 06/09/2016 10:37, Olivier wrote:
>> I want to update the certificate I am currently using for OpenLDAP, from
>> a 1024-bit self-signed to a 2048-bit properly signed certificate.
> You mean a paid-for certificate signed by a well known CA? Given that
> with LDAP you generally have administrative control over all of the
> clients that may connect to your server, that's pretty pointless. The
> whole idea of certificate signing is that it's done by an entity that
> you can trust to identify strangers on your behalf. Which makes no
> sense if there are no 'strangers' involved.
>
>> When I do the change in OpenLDAP server, Ubuntu clients, Mac OS X
>> clients, perl clients, php clients are happy. They recognize the new
>> certificate and the change is transparent.
>>
>> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
>> the server part of OpenLDAP is working fine, but not the client part.
>>
>> Have you any idea what the problem could be?
> No. The FreeBSD vs. other operating systems part is not a useful
> datapoint. It's much more likely to be down to differences in the
> client-side software packages you're using. You haven't explained how
> you are using these certificates -- just to ensure connections are
> encrypted, or are you using client certificates to authenticate logins to
> the server? What configuration settings are you using? Can you try
> putting the correct settings in /usr/local/etc/openldap/ldap.conf and
> then using some of the command-line ldap clients to log in?
>
> Verb. sap. The net/nss-pam-ldapd port provides much the same
> functionality as nss_ldap and pam_ldap combined, plus it has various
> technical advantages like a local cache and it's actively maintained and
> developed. Recommended.
>
> Cheers,
>
> Matthew
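Added example, not part of the thread or of OpenLDAP: before pointing the client's TLS_CACERT at a CA file, confirm offline that the file actually validates the server certificate and that the key is the 2048-bit one you expect. The throwaway CA, server certificate and unrelated "other" CA below are constructed with openssl purely for the demo; the names (ldap.example.test, Demo LDAP CA) are placeholders.

```shell
#!/bin/sh
# Offline checks for an OpenLDAP client CA file. Only openssl is needed.

# verify_against_ca CA_FILE SERVER_CERT -> exit 0 iff the cert chains to CA_FILE
# (the same chain building an LDAP client does with TLS_CACERT)
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_bits SERVER_CERT -> prints the RSA public key size, e.g. 2048
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# make_demo_pki DIR: constructs sample material for the demo (not real credentials):
#   ca.pem     - a throwaway CA
#   server.pem - a 2048-bit server cert signed by ca.pem
#   other.pem  - an unrelated CA, i.e. what a wrong TLS_CACERT looks like
make_demo_pki() {
    d=$1
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo LDAP CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$d/other.key" -out "$d/other.pem" >/dev/null 2>&1
}

# Stand-alone run: build the sample PKI and report both checks.
if [ "${0##*/}" != "sh" ] && [ -z "$LDAP_CA_DEMO_NO_MAIN" ]; then
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    if verify_against_ca "$dir/ca.pem" "$dir/server.pem"; then
        echo "ca.pem validates server.pem (key: $(key_bits "$dir/server.pem") bit)"
    fi
    if ! verify_against_ca "$dir/other.pem" "$dir/server.pem"; then
        echo "other.pem does NOT validate server.pem: client would reject the server"
    fi
    rm -rf "$dir"
fi
```

Against a live server the same chain check is `openssl s_client -connect host:636 -CAfile /path/to/ca.cert`, looking for "Verify return code: 0 (ok)".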