Date: Mon, 4 Nov 2019 12:59:34 -0500
From: Jerry <jerry@seibercom.net>
To: freebsd-questions@freebsd.org
Subject: Re: openldap and letsencrypt
Message-ID: <20191104125934.00007f9a@seibercom.net>
In-Reply-To: <14a9c556-dbe6-c5f9-a02f-26fba1bce6f5@FreeBSD.org>
References: <20191104071911.00005546@seibercom.net>
 <14a9c556-dbe6-c5f9-a02f-26fba1bce6f5@FreeBSD.org>
On Mon, 4 Nov 2019 13:51:05 +0000, Matthew Seaman commented:

>On 04/11/2019 12:19, Jerry wrote:
>> I am using 'openldap' with a FreeBSD 12 system. I would like to add
>> TLS security to it using letsencrypt certificates which I am already
>> using on my system. Can anyone point me to a good tutorial on how to
>> accomplish this? I have found a lot of counterproductive examples
>> and none so far that pertain to FreeBSD.
>
>Hmmm.. most tutorials should be applicable to FreeBSD pretty directly.
>About the only difference between FreeBSD and other systems is that
>FreeBSD puts files into /usr/local/etc/openldap and other systems
>probably use /etc/openldap. Apart from that, the software is
>basically identical on all systems.
>
>IIRC with openldap, there's just two or three settings in the config
>file saying how to enable TLS and where the key and certificate are.
>You then just have to copy the certificate files into the expected
>places and restart slapd. (It is a tad more complicated if you're
>using LDAP replication though.)
>
>With openldap you have two choices: you can either run a 'LDAPS'
>encrypted server on port 636 or you can enable STARTTLS on the regular
>LDAP port 389. The latter is recommended on general principles --
>unassigned network ports are becoming a scarce resource and using two
>for encrypted and unencrypted versions of the same service is pretty
>wasteful. Or you can do both. Once you've got the basic TLS
>functionality working and tested, you can then enforce the use of TLS,
>via STARTTLS or otherwise, through the permissions settings in the
>LDAP configuration.
>
>When I went through all this -- a while ago now -- ISTR that reading
>the man pages and the documentation on the OpenLDAP site was almost
>sufficient. Working out that the best way to debug the configuration
>was to turn on the appropriate debug flags in the configuration file
>and then sit watching the log file while making test queries was a
>minor triumph. The OpenLDAP mailing lists were a key resource --
>particularly the archives.

I can get it up and running, but no one can connect to it. Did you make
any changes to the rc.conf entries? Mine are as shown in the rc.d
'slapd' script:

# Slapd
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"

I have to figure out how to turn on logging. I am working on that now.

-- 
Jerry
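Added example, not from this thread and not OpenLDAP's or certbot's own code: a certbot deploy hook for FreeBSD that installs the Let's Encrypt certificate and key where an unprivileged slapd can read them, restarts slapd, and prints the slapd.conf directives that enable TLS, require it for every session, and turn on the logging the thread is looking for. A root-owned, mode 0600 privkey.pem (certbot's default) is the usual reason a slapd that "runs" never actually serves TLS. Assumed rather than stated in the thread: certbot keeps its lineages under /usr/local/etc/letsencrypt/live/<name>/, slapd runs as ldap:ldap, the install directory /usr/local/etc/openldap/tls, the placeholder host ldap.example.org, and all function and file names below.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook for slapd on FreeBSD.
# Assumed: lineages under /usr/local/etc/letsencrypt/live/<name>/, slapd runs as
# ldap:ldap, rc.d service name "slapd", install dir /usr/local/etc/openldap/tls.
set -e

# install_cert_pair SRC_DIR DST_DIR OWNER
# Copies fullchain.pem and privkey.pem from a certbot lineage into DST_DIR as
# slapd-cert.pem (0644) and slapd-key.pem (0600), both owned by OWNER.
# Fails before touching DST_DIR if either source file is missing.
install_cert_pair() {
    src=$1; dst=$2; owner=$3
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst"
    # Copy under umask 077 to temporary names so the key is never briefly
    # world-readable and slapd never opens a half-written file.
    ( umask 077
      cp "$src/fullchain.pem" "$dst/slapd-cert.pem.tmp"
      cp "$src/privkey.pem"   "$dst/slapd-key.pem.tmp" )
    chmod 0644 "$dst/slapd-cert.pem.tmp"
    chmod 0600 "$dst/slapd-key.pem.tmp"
    chown "$owner" "$dst/slapd-cert.pem.tmp" "$dst/slapd-key.pem.tmp"
    mv "$dst/slapd-cert.pem.tmp" "$dst/slapd-cert.pem"
    mv "$dst/slapd-key.pem.tmp"  "$dst/slapd-key.pem"
}

# perm_string FILE -> the mode column of ls(1), e.g. "-rw-------".
# Used instead of stat(1) because its flags differ between FreeBSD and GNU.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# slapd_conf_fragment DST_DIR
# Prints the slapd.conf directives for the installed pair.
# - The fullchain file is also given as TLSCACertificateFile so the Let's
#   Encrypt intermediate is sent to clients even on OpenLDAP builds that load
#   only the first certificate from TLSCertificateFile.
# - TLSProtocolMin 3.3 is OpenLDAP's notation for TLS 1.2.
# - "security ssf=128" rejects every operation on a session whose security
#   strength factor is below 128, so clients on ldap://389 must STARTTLS first
#   (the StartTLS request itself is exempt); "localSSF 128" keeps the ldapi
#   socket from the rc.conf in the thread usable under that rule.
# - "loglevel stats" logs connections and operations to syslog facility local4.
slapd_conf_fragment() {
    cat <<EOF
TLSCACertificateFile  $1/slapd-cert.pem
TLSCertificateFile    $1/slapd-cert.pem
TLSCertificateKeyFile $1/slapd-key.pem
TLSProtocolMin        3.3
localSSF 128
security ssf=128
loglevel stats
EOF
}

# certbot exports RENEWED_LINEAGE when it runs a --deploy-hook; the fallback
# path is a placeholder for running the hook by hand.
main() {
    lineage=${RENEWED_LINEAGE:-/usr/local/etc/letsencrypt/live/ldap.example.org}
    install_cert_pair "$lineage" /usr/local/etc/openldap/tls ldap:ldap
    service slapd restart
}

# Deploy only when certbot invokes us or when run as "... deploy";
# sourcing the file just defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = deploy ]; then
    main
fi
```

Drop the script into /usr/local/etc/letsencrypt/renewal-hooks/deploy/ (or pass it with certbot's --deploy-hook) so every renewal re-installs the files and restarts slapd; run it once by hand with the "deploy" argument to do the first install. To offer LDAPS as well as STARTTLS, add ldaps://0.0.0.0/ to the -h list in slapd_flags next to the ldap:// and ldapi:// URLs already there. Verify from a client with `ldapwhoami -x -H ldap://ldap.example.org -ZZ` (STARTTLS, -ZZ makes failure to negotiate fatal) and `openssl s_client -connect ldap.example.org:636` (LDAPS), and watch the server side by sending local4 to a file in /etc/syslog.conf (`local4.* /var/log/slapd.log`, then `service syslogd reload`) or by running slapd in the foreground with `-d stats` while you make test queries.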