Date:      Mon, 4 Nov 2019 12:59:34 -0500
From:      Jerry <jerry@seibercom.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: openldap and letsencrypt
Message-ID:  <20191104125934.00007f9a@seibercom.net>
In-Reply-To: <14a9c556-dbe6-c5f9-a02f-26fba1bce6f5@FreeBSD.org>
References:  <20191104071911.00005546@seibercom.net> <14a9c556-dbe6-c5f9-a02f-26fba1bce6f5@FreeBSD.org>

On Mon, 4 Nov 2019 13:51:05 +0000, Matthew Seaman commented:
>On 04/11/2019 12:19, Jerry wrote:
>> I am using 'openldap' with a FreeBSD 12 system. I would like to add
>> TLS security to it using letsencrypt certificates which I am already
>> using on my system. Can anyone point me to a good tutorial on how to
>> accomplish this? I have found a lot of counterproductive examples
>> and none so far that pertain to FreeBSD.
>
>Hmmm.. most tutorials should be applicable to FreeBSD pretty directly.
>About the only difference between FreeBSD and other systems is that
>FreeBSD puts files into /usr/local/etc/openldap and other systems
>probably use /etc/openldap.  Apart from that, the software is
>basically identical on all systems.
>
>IIRC with openldap, there are just two or three settings in the config
>file saying how to enable TLS and where the key and certificate are.
>You then just have to copy the certificate files into the expected
>places and restart slapd.  (It is a tad more complicated if you're
>using LDAP replication though.)
>
>With openldap you have two choices: you can either run an 'LDAPS'
>encrypted server on port 636 or you can enable STARTTLS on the regular
>LDAP port 389.  The latter is recommended on general principles --
>unassigned network ports are becoming a scarce resource and using two
>for encrypted and unencrypted versions of the same service is pretty
>wasteful.  Or you can do both.  Once you've got the basic TLS
>functionality working and tested, you can then enforce the use of TLS,
>via STARTTLS or otherwise, through the permissions settings in the
>LDAP configuration.
>
>When I went through all this -- a while ago now -- ISTR that reading
>the man pages and the documentation on the OpenLDAP site was almost 
>sufficient.  Working out that the best way to debug the configuration 
>was to turn on the appropriate debug flags in the configuration file
>and then sit watching the log file while making test queries was a
>minor triumph.  The OpenLDAP mailing lists were a key resource --
>particularly the archives.

I can get it up and running, but no one can connect to it. Did you
make any changes to the rc.conf entries? Mine are as shown in the rc.d
'slapd' script:

# Slapd
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"

I have to figure out how to turn on logging. I am working on that now.

-- 
Jerry
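
The settings Matthew describes and the rc.conf flags Jerry shows, assembled into a staging script as an added example that is not part of this thread and not a script from OpenLDAP or FreeBSD. The hostname ldap.example.test, certbot's FreeBSD layout under /usr/local/etc/letsencrypt/live/, slapd running as the ldap:ldap account, an rc.conf.d snippet and an `include` line in slapd.conf are all assumptions, not values from the thread. By default it writes into a temporary directory; it only touches the real system when run with ROOT=/.

```shell
#!/bin/sh
# Added example for this thread, not a script from OpenLDAP or FreeBSD.
# Stages the pieces Matthew describes: the TLS directives for slapd.conf,
# an rc.conf fragment that also offers ldaps://, the Let's Encrypt files
# copied to where slapd can read them, and a client-side check.
# Hostname, certbot directory and the ldap:ldap account are assumptions.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.test}"                      # assumed hostname
LE_LIVE="${LE_LIVE:-/usr/local/etc/letsencrypt/live/$LDAP_HOST}" # certbot's FreeBSD layout (assumed)
ROOT="${ROOT:-$(mktemp -d)}"   # staging directory; run with ROOT=/ to install for real
CERT_DIR="$ROOT/usr/local/etc/openldap/certs"

# The "two or three settings": where the chain, certificate and key live.
# The ldaps:// listener and STARTTLS on ldap:// both use the same directives.
# 'security ssf=128' refuses operations on any connection weaker than 128-bit
# TLS; 'localSSF 128' keeps the ldapi:// socket used by the rc script acceptable.
tls_directives() {
    cat <<EOF
TLSCACertificateFile  $CERT_DIR/chain.pem
TLSCertificateFile    $CERT_DIR/cert.pem
TLSCertificateKeyFile $CERT_DIR/privkey.pem
localSSF 128
security ssf=128
EOF
}

# rc.conf: Jerry's flags listen on plain ldap:// only; adding ldaps:// offers
# port 636 as well, so clients that cannot do STARTTLS still get TLS.
rc_conf_lines() {
    cat <<'EOF'
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
EOF
}

# Copy the Let's Encrypt files to a place slapd (running as ldap) can read.
# privkey.pem under live/ is root-only, so slapd cannot open it in place.
# Rerun this from a certbot deploy hook after each renewal, then restart slapd.
install_certs() {
    src="$1"
    mkdir -p "$CERT_DIR"
    for f in cert.pem chain.pem privkey.pem; do
        cp "$src/$f" "$CERT_DIR/$f"
    done
    chmod 0644 "$CERT_DIR/cert.pem" "$CERT_DIR/chain.pem"
    chmod 0600 "$CERT_DIR/privkey.pem"
    if [ "$ROOT" = "/" ]; then
        chown -R ldap:ldap "$CERT_DIR"   # slapd's account on FreeBSD (assumed)
    fi
}

# Write the two fragments under $ROOT: an include file for slapd.conf and an
# rc.conf.d snippet, which FreeBSD's rc reads in addition to /etc/rc.conf.
# Prints the path of the slapd include file.
stage_config() {
    mkdir -p "$ROOT/usr/local/etc/openldap" "$ROOT/etc/rc.conf.d"
    tls_directives > "$ROOT/usr/local/etc/openldap/tls.conf"
    rc_conf_lines  > "$ROOT/etc/rc.conf.d/slapd"
    echo "$ROOT/usr/local/etc/openldap/tls.conf"
}

# Client-side check after 'service slapd restart': -ZZ makes ldapsearch fail
# unless STARTTLS actually succeeds, so a server silently serving plaintext is
# caught. Skipped when the LDAP client tools are not installed.
verify_tls() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed, skipping live check"; return 0; }
    ldapsearch -H "ldap://$LDAP_HOST/" -ZZ -x -b '' -s base '(objectClass=*)' namingContexts
    ldapsearch -H "ldaps://$LDAP_HOST/" -x -b '' -s base '(objectClass=*)' namingContexts
}

case "${1:-}" in
    install)
        install_certs "$LE_LIVE"
        stage_config
        echo "add 'include $ROOT/usr/local/etc/openldap/tls.conf' to slapd.conf, then: service slapd restart"
        ;;
    verify) verify_tls ;;
esac
```

With `install` the script copies the key into a directory slapd's own user can read and stages both fragments; after adding the include line and restarting slapd, `verify` from a client exercises STARTTLS on 389 and LDAPS on 636. The `security ssf=128` line is the step Matthew suggests leaving until the basic TLS setup is tested, because once it is in place every plaintext bind or search is refused, and a `loglevel` setting in slapd.conf is where to look when slapd rejects a connection or cannot open the key file.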

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191104125934.00007f9a>