Subject: Re: openldap and letsencrypt
From: Matthew Seaman
To: freebsd-questions@freebsd.org
Date: Mon, 4 Nov 2019 13:51:05 +0000
In-Reply-To: <20191104071911.00005546@seibercom.net>

On 04/11/2019 12:19, Jerry wrote:
> I am using 'openldap' with a FreeBSD 12 system. I would like to add TLS
> security to it using letsencrypt certificates which I am already using
> on my system. Can anyone point me to a good tutorial on how to
> accomplish this? I have found a lot of counter-productive examples and
> none so far that pertain to FreeBSD.

Hmmm.. most tutorials should be applicable to FreeBSD pretty directly. About the only difference between FreeBSD and other systems is that FreeBSD puts files into /usr/local/etc/openldap and other systems probably use /etc/openldap. Apart from that, the software is basically identical on all systems.

IIRC with openldap, there's just two or three settings in the config file saying how to enable TLS and where the key and certificate are. You then just have to copy the certificate files into the expected places and restart slapd. (It is a tad more complicated if you're using LDAP replication though.)

With openldap you have two choices: you can either run an 'LDAPS' encrypted server on port 636 or you can enable STARTTLS on the regular LDAP port 389. The latter is recommended on general principles -- unassigned network ports are becoming a scarce resource and using two for encrypted and unencrypted versions of the same service is pretty wasteful. Or you can do both.
Once you've got the basic TLS functionality working and tested, you can then enforce the use of TLS, via STARTTLS or otherwise, through the permissions settings in the LDAP configuration.

When I went through all this -- a while ago now -- ISTR that reading the man pages and the documentation on the OpenLDAP site was almost sufficient. Working out that the best way to debug the configuration was to turn on the appropriate debug flags in the configuration file and then sit watching the log file while making test queries was a minor triumph. The OpenLDAP mailing lists were a key resource -- particularly the archives.

Cheers,

Matthew
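The settings Matthew describes, written out as a configuration fragment. This is an added example, not part of the original thread and not a file shipped by OpenLDAP or the FreeBSD port: it shows the two or three TLS directives in slapd.conf, the listener flags for running STARTTLS on 389 alongside LDAPS on 636, the `security` directive that enforces TLS once it is working, and the log level used for watching the log while making test queries. The hostname `ldap.example.org`, the Let's Encrypt live directory and the FreeBSD paths are assumptions; adjust them to your own system.

```conf
###
### /usr/local/etc/openldap/slapd.conf (FreeBSD path; /etc/openldap elsewhere)
###

# Where the key and certificate live. Let's Encrypt writes the live files as
# root-only symlinks, so copy them into the openldap directory where slapd
# (running as user "ldap") can read them, and re-copy on every renewal, e.g.
# from a certbot deploy hook that also restarts slapd. The key must not be
# world-readable: owner ldap:ldap, mode 0600.
#   cp /usr/local/etc/letsencrypt/live/ldap.example.org/fullchain.pem \
#      /usr/local/etc/openldap/ldap.example.org.crt
#   cp /usr/local/etc/letsencrypt/live/ldap.example.org/privkey.pem \
#      /usr/local/etc/openldap/ldap.example.org.key
TLSCACertificateFile    /usr/local/etc/openldap/ldap.example.org.crt
TLSCertificateFile      /usr/local/etc/openldap/ldap.example.org.crt
TLSCertificateKeyFile   /usr/local/etc/openldap/ldap.example.org.key

# Refuse anything older than TLS 1.2 (3.3 is the SSL/TLS version number for 1.2).
TLSProtocolMin          3.3

# Debugging aid from the thread: log connection/operation statistics and then
# watch the log while running test queries. Lower this again once TLS works.
loglevel                stats

# Enforce TLS after it has been tested: every operation must arrive on a
# session with at least 128 bits of TLS strength, and simple binds (which
# carry a cleartext password) are refused outside such a session.
# If the local ldapi:// socket is used for administration, prefer
# "security ssf=128" together with "localSSF 128", because the tls= factor
# is never satisfied on the Unix-domain socket.
security                tls=128 simple_bind=128

###
### /etc/rc.conf (assumed FreeBSD rc script settings for openldap-server)
###
# Listen for plain LDAP (STARTTLS is negotiated inside it) on 389 and, if you
# also want the dedicated encrypted service, LDAPS on 636, plus the local socket.
# slapd_enable="YES"
# slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/"'
```

To confirm STARTTLS is actually being negotiated before turning on the `security` line, run `ldapsearch -H ldap://ldap.example.org -ZZ -x -b '' -s base` from a client: the doubled `-ZZ` makes ldapsearch fail rather than fall back if STARTTLS does not succeed. For the 636 listener, `openssl s_client -connect ldap.example.org:636` shows the certificate chain the server presents, which is the quickest way to spot a stale copy after a Let's Encrypt renewal.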