From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD, OpenLDAP and 2048 bits certificates
Date: Tue, 6 Sep 2016 11:03:35 +0100
On 06/09/2016 10:37, Olivier wrote:
> I want to update the certificate I am currently using for OpenLDAP, from
> a 1024-bit self-signed to a 2048-bit properly signed certificate.

You mean a paid-for certificate signed by a well-known CA? Given that
with LDAP you generally have administrative control over all of the
clients that may connect to your server, that's pretty pointless. The
whole idea of certificate signing is that it's done by an entity that
you can trust to identify strangers on your behalf. Which makes no sense
if there are no 'strangers' involved.

> When I do the change in OpenLDAP server, Ubuntu clients, Mac OS X
> clients, Perl clients, PHP clients are happy. They recognize the new
> certificate and the change is transparent.
>
> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
> the server part of OpenLDAP is working fine, but not the client part.
>
> Have you any idea what the problem could be?

No. The FreeBSD vs. other operating systems part is not a useful
datapoint. It's much more likely to be down to differences in the
client-side software packages you're using.

You haven't explained how you are using these certificates -- just to
ensure connections are encrypted, or are you using client certificates
to authenticate logins to the server? What configuration settings are
you using? Can you try putting the correct settings in
/usr/local/etc/openldap/ldap.conf and then using some of the
command-line ldap clients to log in?

Verb. sap. The net/nss-pam-ldapd port provides much the same
functionality as nss_ldap and pam_ldap combined, plus it has various
technical advantages like a local cache and it's actively maintained
and developed. Recommended.

	Cheers,

	Matthew
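The diagnostic step suggested above (put the correct settings in ldap.conf, then try a command-line client) can be scripted. The script below is an added example, not code from the original thread or from the OpenLDAP project; the host name ldap.example.org, the base DN, the cacert.pem path and the function names are assumptions for illustration. It writes an ldap.conf for the OpenLDAP command-line tools, checks that the file actually demands server certificate verification (a TLS_REQCERT of never or allow would make the test "pass" while verifying nothing), checks the new server certificate's key size and chain against the CA file locally, and finally probes the server with ldapwhoami at debug level 1 so that libldap prints the TLS verification error, if there is one.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed values: the LDAP
# host, base DN and file paths below; change them for your site.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=org}"
# Must hold the CA chain that signed the NEW server cert. A common pitfall
# when moving from a self-signed cert to a CA-signed one is leaving this
# pointing at the old self-signed cert, which used to be the trust anchor.
CA_FILE="${CA_FILE:-/usr/local/etc/openldap/cacert.pem}"

# Write an ldap.conf for the OpenLDAP command-line tools.
# $1: output path; $2: TLS_REQCERT policy (never|allow|try|demand).
write_ldap_conf() {
    printf '%s\n' \
        "# written by the example script; adjust for your site" \
        "BASE        $LDAP_BASE" \
        "URI         $LDAP_URI" \
        "TLS_CACERT  $CA_FILE" \
        "TLS_REQCERT $2" > "$1"
}

# Returns 0 if the config makes the client reject an unverifiable server
# certificate, i.e. TLS_REQCERT is 'demand'.
config_enforces_verification() {
    grep -q '^TLS_REQCERT[[:space:]]*demand[[:space:]]*$' "$1"
}

# Print the public key size of a PEM certificate ($1), e.g. 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Does CA_FILE actually vouch for the new server certificate ($1)?
# If this fails offline, every client set to 'demand' will fail too.
verify_chain_locally() {
    openssl verify -CAfile "$CA_FILE" "$1"
}

# Probe the server the way a verifying client has to: -ZZ insists on a
# successful StartTLS, -d 1 makes libldap print TLS errors. LDAPCONF
# points libldap at our config instead of the system ldap.conf.
probe_server() {
    LDAPCONF="$1" ldapwhoami -x -ZZ -H "$LDAP_URI" -d 1
}

# Live checks only run when asked for, so the functions can be tested
# without a server. Usage: ./ldapcheck.sh --probe [new-server-cert.pem]
if [ "${1-}" = "--probe" ]; then
    conf="${TMPDIR:-/tmp}/ldap.conf.$$"
    write_ldap_conf "$conf" demand
    config_enforces_verification "$conf" || {
        echo "config does not demand verification" >&2; exit 1; }
    if [ -n "${2-}" ]; then
        echo "server key size: $(cert_key_bits "$2") bits"
        verify_chain_locally "$2"
    fi
    probe_server "$conf"
    rm -f "$conf"
fi
```

A successful ldapwhoami here shows that the server presents a certificate the CA file can verify. It does not prove the nss/pam side is configured the same way: nss_ldap and pam_ldap do not read openldap/ldap.conf but their own files (on FreeBSD, /usr/local/etc/nss_ldap.conf and /usr/local/etc/ldap.conf respectively), with their own tls_cacertfile and tls_checkpeer directives, so the CA file referenced there has to be updated to the new chain as well.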