Date:      Tue, 6 Sep 2016 09:07:36 -0600
From:      markham breitbach <>
Subject:   Re: FreeBSD, OpenLDAP and 2048 bits certificates
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

This likely just needs the CA certificate installed.  I think
TLSCACERT=/path/to/my/ca.cert in /usr/local/etc/openldap/ldap.conf
should do it. 


On 2016-09-06 4:03 AM, Matthew Seaman wrote:
> On 06/09/2016 10:37, Olivier wrote:
>> I want to update the certificate I am currently using for OpenLDAP, from
>> a 1024 bit self signed to a 2048 bits properly signed certificate.
> You mean a paid-for certificate signed by a well known CA?  Given that
> with LDAP you generally have administrative control over all of the
> clients that may connect to your server, that's pretty pointless.  The
> whole idea of certificate signing is that it's done by an entity that
> you can trust to identify strangers on your behalf.  Which makes no
> sense if there are no 'strangers' involved.
>> When I do the change in OpenLDAP server, Ubuntu clients, Mac OS X
>> clients, perls clients, php clients are happy. They recognize the new
>> certificate and the change is transparent.
>> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
>> the server part of OpenLDAP is working fine, but not the client part.
>> Have you any idea what the problem could be?
> No.  The FreeBSD vs. other operating systems part is not a useful
> datapoint.  It's much more likely to be down to differences in the
> client-side software packages you're using.  You haven't explained how
> you are using these certificates -- just to ensure connections are
> encrypted, or are you using client certificates to authenticate logins to
> the server?  What configuration settings are you using?  Can you try
> putting the correct settings in /usr/local/etc/openldap/ldap.conf and
> then using some of the commandline ldap clients to log in?
> Verb. sap.  The net/nss-pam-ldapd port provides much the same
> functionality as nss_ldap and pam_ldap combined, plus it has various
> technical advantages like a local cache and it's actively maintained and
> developed.  Recommended.
> 	Cheers,
> 	Matthew
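The CA-trust check behind the advice above, as an added example that is not part of the thread: it builds a throwaway CA and a 2048-bit server certificate (constructed names and hypothetical temp paths) and shows that chain verification fails until the client is handed the CA file, which is what the TLS_CACERT setting in ldap.conf supplies to the OpenLDAP client library.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "client needs the CA
# certificate" point with a throwaway CA and a 2048-bit server certificate.
# All names and paths here are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A throwaway CA, playing the role of the "properly signed" issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example LDAP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A 2048-bit server key and a certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null

# key_bits CERT: size of the certificate's public key, e.g. 2048.
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# chain_ok CERT [CAFILE]: "ok" if the chain verifies, else "fail".
# With no CAFILE this is what a client without TLS_CACERT sees:
# the server certificate is fine, but nothing vouches for its issuer.
chain_ok() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

echo "key size:        $(key_bits "$WORK/server.crt") bit"                  # 2048 bit
echo "without CA:      $(chain_ok "$WORK/server.crt")"                      # fail
echo "with TLS_CACERT: $(chain_ok "$WORK/server.crt" "$WORK/ca.crt")"       # ok
```

The same check against a live server is `openssl s_client -connect host:636 -CAfile /path/to/ca.cert`, which reports a non-zero "Verify return code" whenever the CA file does not cover the server's issuer.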
