Date:      Wed, 07 Sep 2016 11:24:48 +0700
From:      Olivier <>
To:        Matthew Seaman <>
Subject:   Re: FreeBSD, OpenLDAP and 2048 bits certificates
Message-ID:  <>
In-Reply-To: <> (message from Matthew Seaman on Tue, 6 Sep 2016 11:03:35 +0100)

Matthew Seaman <> writes:

> You mean a paid-for certificate signed by a well known CA?

Nowadays, not all known-CA-signed certificates are paid for :)

> Given that
> with LDAP you generally have administrative control over all of the
> clients that may connect to your server, that's pretty pointless.  The
> whole idea of certificate signing is that it's done by an entity that
> you can trust to identify strangers on your behalf.  Which makes no
> sense if there are no 'strangers' involved.

With a self-signed certificate, you have to attend to each client manually
(and in my small set-up I already have about 40 clients; hard to do them
all at once, hard not to forget the barely used ones) whenever you need
to update something with your certificate. The advantage of the known CA is
that it should be transparent.

>> When I do the change in OpenLDAP server, Ubuntu clients, Mac OS X
>> clients, Perl clients, PHP clients are happy. They recognize the new
>> certificate and the change is transparent.
>> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
>> the server part of OpenLDAP is working fine, but not the client part.
>> Have you any idea what the problem could be?
> No.  The FreeBSD vs. other operating systems part is not a useful
> datapoint.  It's much more likely to be down to differences in the
> client-side software packages you're using.  You haven't explained how
> you are using these certificates -- just to ensure connections are
> encrypted, or are you using client certificates to authenticate logins to
> the server?  What configuration settings are you using?  Can you try
> putting the correct settings in /usr/local/etc/openldap/ldap.conf and
> then using some of the commandline ldap clients to log in?

I am not using client certificate, only username/password, over LDAPS
(most of the clients) and LDAP+TLS (replication).

The server is OpenLDAP on FreeBSD and on FreeBSD, the clients are
nss_ldap and pam_ldap over OpenLDAP. All stock and classic, built from

I am seeing the same problem when it comes to replication between two
OpenLDAP servers: I can replicate with the self-signed CA, but not with
the known CA.

> Verb. sap.  The net/nss-pam-ldapd port provides much the same
> functionality as nss_ldap and pam_ldap combined, plus it has various
> technical advantages like a local cache and it's actively maintained and
> developed.  Recommended.

Thanks, I'll give it a look. My installation of LDAP dates back a few
years already; there was no nss-pam-ldapd at that time.

Best regards,


> 	Cheers,
> 	Matthew


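Added example (not part of the thread, and not a claim about the cause of
Olivier's problem): the check a practitioner would run before touching
nss_ldap/pam_ldap settings. A self-signed certificate is its own trust anchor,
so a client with that one file in TLS_CACERT always verifies it. A certificate
from a public CA is normally issued through an intermediate, and the client
only verifies it when the root is in its trust file AND the intermediate is
either sent by the server or present in the trust file. The script below builds
both shapes offline with openssl in a temporary directory and verifies them the
way an OpenLDAP client would; the CA names, the hostname ldap.example.test and
the file names are constructed for the example.

```shell
#!/bin/sh
# Added example: self-signed vs. CA-issued (root -> intermediate -> server)
# certificate verification, built entirely with openssl. Nothing here touches
# a real LDAP server; all names and files are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF

# issue <extension section> <subject> <basename> [<issuer cert> <issuer key>]
# Without an issuer the certificate is self-signed.
issue() {
  section=$1; subj=$2; name=$3; cacert=$4; cakey=$5
  if [ -z "$cacert" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ca.cnf \
      -extensions "$section" -subj "$subj" \
      -keyout "$name.key" -out "$name.pem" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "$subj" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA "$cacert" -CAkey "$cakey" \
      -CAcreateserial -days 825 -extfile ca.cnf -extensions "$section" \
      -out "$name.pem" 2>/dev/null
  fi
}

# Case 1: self-signed server certificate (the shape the thread says works everywhere).
issue v3_server "/CN=ldap.example.test" selfsigned

# Case 2: root -> intermediate -> server, the shape a public CA typically issues.
issue v3_ca     "/CN=Example Root CA"         root
issue v3_ca     "/CN=Example Intermediate CA" intermediate root.pem root.key
issue v3_server "/CN=ldap.example.test"       server intermediate.pem intermediate.key

# chain_verifies <trust file> <server cert> [<extra cert the server sends>]
# Mirrors an OpenLDAP client: the trust file plays the role of TLS_CACERT, the
# optional third argument is the intermediate the server may send in the
# handshake. Prints "ok" or "fail".
chain_verifies() {
  if [ -n "$3" ]; then
    set -- -CAfile "$1" -untrusted "$3" "$2"
  else
    set -- -CAfile "$1" "$2"
  fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "self-signed, TLS_CACERT is the cert itself:      $(chain_verifies selfsigned.pem selfsigned.pem)"
echo "CA-issued, root trusted, intermediate missing:   $(chain_verifies root.pem server.pem)"
echo "CA-issued, root trusted, intermediate sent:      $(chain_verifies root.pem server.pem intermediate.pem)"

# Against a real server the same check is (not executed here):
#   openssl s_client -connect ldap.example.test:636 -showcerts </dev/null
# If only the leaf certificate is shown, the server is not sending the
# intermediate, and a client whose TLS_CACERT holds only the root will fail
# exactly like the second case above.
```

Expected output is ok / fail / ok. To test the OpenLDAP client path that
Matthew suggested, put `TLS_CACERT <bundle with the root>` and `TLS_REQCERT demand`
in /usr/local/etc/openldap/ldap.conf and run
`ldapsearch -H ldaps://ldap.example.test -x -b '' -s base -d 1`; the debug output
names the verification error when it fails. Note that nss_ldap and pam_ldap read
their own configuration file (the PADL-style `tls_cacertfile` directive), not
OpenLDAP's ldap.conf, so a trust file that makes ldapsearch happy has to be
pointed at from there as well.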