From owner-freebsd-questions@freebsd.org Wed Sep 7 04:24:56 2016
From: Olivier
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD, OpenLDAP and 2048 bits certificates
In-Reply-To: (message from Matthew Seaman on Tue, 6 Sep 2016 11:03:35 +0100)
Date: Wed, 07 Sep 2016 11:24:48 +0700
List-Id: User questions

Matthew Seaman writes:

> You mean a paid-for certificate signed by a well-known CA?

Nowadays, not all known-CA-signed certificates are paid for :)

> Given that with LDAP you generally have administrative control over all
> of the clients that may connect to your server, that's pretty pointless.
> The whole idea of certificate signing is that it's done by an entity
> that you can trust to identify strangers on your behalf. Which makes no
> sense if there are no 'strangers' involved.

With a self-signed certificate, you have to attend to each client manually (and in my small set-up I already have about 40 clients; hard to do them all at once, hard not to forget the barely used ones) whenever you need to update something with your certificate. The advantage of the known CA is that it should be transparent.

>> When I do the change in the OpenLDAP server, Ubuntu clients, Mac OS X
>> clients, Perl clients, PHP clients are happy. They recognize the new
>> certificate and the change is transparent.
>>
>> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
>> the server part of OpenLDAP is working fine, but not the client part.
>>
>> Have you any idea what the problem could be?
>
> No. The FreeBSD vs. other operating systems part is not a useful
> datapoint. It's much more likely to be down to differences in the
> client-side software packages you're using. You haven't explained how
> you are using these certificates -- just to ensure connections are
> encrypted, or are you using client certificates to authenticate logins
> to the server? What configuration settings are you using? Can you try
> putting the correct settings in /usr/local/etc/openldap/ldap.conf and
> then using some of the command-line ldap clients to log in?

I am not using client certificates, only username/password, over LDAPS (most of the clients) and LDAP+TLS (replication). The server is OpenLDAP on FreeBSD, and on FreeBSD the clients are nss_ldap and pam_ldap over OpenLDAP. All stock and classic, built from ports.

I am seeing the same problem when it comes to replication between two OpenLDAP servers: I can replicate with the self-signed CA, but not with the known CA.

> Verb. sap. The net/nss-pam-ldapd port provides much the same
> functionality as nss_ldap and pam_ldap combined, plus it has various
> technical advantages like a local cache and it's actively maintained and
> developed. Recommended.

Thanks, I'll give it a look. My installation of LDAP dates back a few years already; there was no nss-pam-ldapd at that time.

Best regards,

Olivier

> Cheers,
>
> Matthew
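Matthew's suggestion of testing the TLS settings with the command-line OpenLDAP clients before looking at nss_ldap/pam_ldap can be scripted. The following is an added example and not code from either participant or from the OpenLDAP project; the host, base DN, bind DN and the CA bundle path are assumptions (on FreeBSD the security/ca_root_nss port installs /usr/local/share/certs/ca-root-nss.crt). It writes a throw-away ldap.conf that pins the trust anchor, checks the chain the server actually presents with openssl s_client independently of libldap, and then binds with ldapwhoami using only that file (libldap honours the LDAPCONF environment variable).

```shell
#!/bin/sh
# Added example, not from the thread: test the LDAPS trust setup with the
# OpenLDAP command-line clients. Paths, host and DNs below are assumptions.
set -eu

# CA bundle to validate the known-CA chain against (assumed path; this is
# what the FreeBSD security/ca_root_nss port installs).
CA_BUNDLE="${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}"

# Write a minimal client ldap.conf: URI, BASE, the trust anchor, and an
# explicit TLS_REQCERT demand so an unverifiable chain fails the bind
# instead of being silently accepted.
write_ldap_conf() {
    # $1 = ldaps URI, $2 = base DN, $3 = CA bundle, $4 = output path
    printf 'URI %s\nBASE %s\nTLS_CACERT %s\nTLS_REQCERT demand\n' \
        "$1" "$2" "$3" > "$4"
}

# Pull the numeric "Verify return code" out of openssl s_client output.
# 0 means the presented chain validated against the bundle; 20 and 21
# ("unable to get local issuer certificate" / "unable to verify the first
# certificate") are the usual results when the server does not send its
# intermediate or the client lacks the CA.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Check the chain the server sends, independent of libldap's own settings.
check_server_chain() {
    # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$CA_BUNDLE" \
        -showcerts </dev/null 2>/dev/null | verify_code
}

# Simple bind using only the generated ldap.conf (-W prompts for the password).
test_bind() {
    # $1 = ldap.conf path, $2 = bind DN
    LDAPCONF="$1" ldapwhoami -D "$2" -W
}

# Usage: sh ldaps-check.sh check ldap.example.org dc=example,dc=org cn=admin,dc=example,dc=org
case "${1:-}" in
  check)
    HOST="${2:?host}"; BASE="${3:?base dn}"; BINDDN="${4:?bind dn}"
    CONF="$(mktemp)"
    write_ldap_conf "ldaps://$HOST/" "$BASE" "$CA_BUNDLE" "$CONF"
    code="$(check_server_chain "$HOST" 636)"
    echo "openssl verify return code: ${code:-none}"
    test_bind "$CONF" "$BINDDN"
    rm -f "$CONF"
    ;;
esac
```

If the openssl step reports 0 and the ldapwhoami bind succeeds, libldap and the CA bundle are fine and the remaining suspects are the client packages themselves: PADL's nss_ldap and pam_ldap read their own configuration files (the FreeBSD ports install them as /usr/local/etc/nss_ldap.conf and /usr/local/etc/ldap.conf respectively; check the port's defaults) and have their own tls_cacertfile setting, so a TLS_CACERT line in /usr/local/etc/openldap/ldap.conf does nothing for them. A return code of 20 or 21 with the known-CA certificate but 0 with the self-signed CA typically means the server is not sending the issuing intermediate, which clients with a full bundle or AIA fetching may tolerate while a bare libldap client does not.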