Date:      Tue, 6 Sep 2016 11:03:35 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD, OpenLDAP and 2048 bits certificates
Message-ID:  <e86e0d3b-5d7e-554f-f521-2c22f8573345@FreeBSD.org>
In-Reply-To: <wu7inu9v06p.fsf@banyan.cs.ait.ac.th>
References:  <wu7inu9v06p.fsf@banyan.cs.ait.ac.th>

On 06/09/2016 10:37, Olivier wrote:
> I want to update the certificate I am currently using for OpenLDAP, from
> a 1024-bit self-signed to a 2048-bit properly signed certificate.

You mean a paid-for certificate signed by a well known CA?  Given that
with LDAP you generally have administrative control over all of the
clients that may connect to your server, that's pretty pointless.  The
whole idea of certificate signing is that it's done by an entity that
you can trust to identify strangers on your behalf.  Which makes no
sense if there are no 'strangers' involved.

> When I do the change in OpenLDAP server, Ubuntu clients, Mac OS X
> clients, perls clients, php clients are happy. They recognize the new
> certificate and the change is transparent.
>
> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
> the server part of OpenLDAP is working fine, but not the client part.
>
> Have you any idea what the problem could be?

No.  The FreeBSD vs. other operating systems part is not a useful
datapoint.  It's much more likely to be down to differences in the
client-side software packages you're using.  You haven't explained how
you are using these certificates -- just to ensure connections are
encrypted, or are you using client certificates to authenticate logins to
the server?  What configuration settings are you using?  Can you try
putting the correct settings in /usr/local/etc/openldap/ldap.conf and
then using some of the commandline ldap clients to log in?

Verb. sap.  The net/nss-pam-ldapd port provides much the same
functionality as nss_ldap and pam_ldap combined, plus it has various
technical advantages like a local cache and it's actively maintained and
developed.  Recommended.

	Cheers,

	Matthew
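The reply suggests putting the right settings in /usr/local/etc/openldap/ldap.conf and testing with the command-line LDAP clients before touching nss_ldap/pam_ldap. As an added illustration (not part of the thread), the script below audits a client ldap.conf for the two settings that decide whether a re-signed server certificate is trusted, TLS_CACERT/TLS_CACERTDIR and TLS_REQCERT, and builds the ldapsearch probe that exercises them with StartTLS forced. The host name, base DN and CA bundle path are placeholders, and the two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a client-side ldap.conf and
# build a StartTLS probe. Placeholder host/base/CA paths throughout.

conf_value() {  # conf_value FILE KEY: last value of KEY (keys are case-insensitive)
    awk -v k="$2" 'toupper($1)==toupper(k) {v=$2} END {print v}' "$1"
}

# Print one finding per line; return 0 only if a CA is configured and the
# client demands a verified server certificate.
audit_ldap_conf() {
    rc=0
    if [ -z "$(conf_value "$1" TLS_CACERT)$(conf_value "$1" TLS_CACERTDIR)" ]; then
        echo "no TLS_CACERT/TLS_CACERTDIR: the signing CA is not trusted"
        rc=1
    fi
    reqcert=$(conf_value "$1" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    case "${reqcert:-demand}" in   # OpenLDAP's default is demand
        demand|hard) ;;
        never|allow|try) echo "TLS_REQCERT $reqcert: server certificate is not verified"; rc=1 ;;
        *) echo "TLS_REQCERT $reqcert: unrecognised value"; rc=1 ;;
    esac
    return $rc
}

# -ZZ makes StartTLS mandatory, so a rejected certificate fails loudly here
# (with -d 1 showing the TLS handshake) instead of silently inside NSS/PAM.
ldap_tls_probe_cmd() {
    printf 'ldapsearch -H %s -ZZ -x -b %s -s base -d 1\n' \
        "$(conf_value "$1" URI)" "$(conf_value "$1" BASE)"
}

# Constructed sample configs (not from the thread), written to temp files.
WEAK_CONF=$(mktemp); GOOD_CONF=$(mktemp)
printf 'URI ldap://ldap.example.org\nBASE dc=example,dc=org\nTLS_REQCERT never\n' > "$WEAK_CONF"
printf 'URI ldap://ldap.example.org\nBASE dc=example,dc=org\nTLS_CACERT /usr/local/etc/openldap/cacert.pem\nTLS_REQCERT demand\n' > "$GOOD_CONF"

audit_ldap_conf "$WEAK_CONF" || echo "weak config rejected"
audit_ldap_conf "$GOOD_CONF" && ldap_tls_probe_cmd "$GOOD_CONF"
```

Run the printed ldapsearch line on the FreeBSD client itself; if it fails while the Ubuntu and Mac clients succeed, the difference is in that client's trust settings rather than in the server.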
