From: Olivier
To: freebsd-questions@freebsd.org
Subject: FreeBSD, OpenLDAP and 2048 bits certificates
Date: Tue, 06 Sep 2016 16:37:18 +0700

Hi,

I have several FreeBSD servers authenticating to LDAP; this has been working fine for years.

I want to update the certificate I am currently using for OpenLDAP, from a 1024-bit self-signed to a 2048-bit properly signed certificate.

When I make the change on the OpenLDAP server, Ubuntu clients, Mac OS X clients, Perl clients, and PHP clients are happy. They recognize the new certificate and the change is transparent.

But it is not for FreeBSD (namely nss_ldap and pam_ldap).

It looks like the server part of OpenLDAP is working fine, but not the client part.

Have you any idea what the problem could be?

Best regards,

Olivier