Date:      Thu, 06 May 2010 16:26:16 +0200
From:      Erik Norgaard <norgaard@locolomo.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: LDAP and LDAPS on the same server ?
Message-ID:  <4BE2D188.7070404@locolomo.org>
In-Reply-To: <4BE2B2FA.1010900@esiee.fr>
References:  <4BE2B2FA.1010900@esiee.fr>

On 06/05/10 14.15, Frank Bonnet wrote:

> It runs nicely but I want to add LDAPS service on the SAME server.
> Is it possible ?

Yes, in fact with OpenLDAP you can have ldap, ldaps and ldap TLS with 
STARTTLS; the latter runs on the standard ldap port.

> I have generated
>
> cert.crt
> cert.csr
> cert.key
>
> as instructed in the FreeBSD howto but when I add the following
> lines in slapd.conf file it fails to restart
>
> TLSCACertificateFile  /usr/local/etc/openldap/ssl/cert.crt

You do not need to specify TLSCACertificateFile unless you plan to 
require connecting clients to use a certificate.

> TLSCertificateFile    /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key

You only need to edit your rc.conf adding

slapd_flags='-h "ldap:/// ldaps:///"'

if you want to have old-style ldaps (ldap with ssl) on port 636. Without 
any options OpenLDAP supports TLS on port 389. Unfortunately, common 
programs such as thunderbird do not support TLS for ldap (although it 
/is/ supported for smtp?!)

> in ldap.conf file I have the following
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE	dc=esiee,dc=fr
> URI	ldap://ldap.esiee.fr ldaps://ldap.esiee.fr

You do not need to edit ldap.conf for the server to start up correctly; 
this is for the client. In order to use ldapmodify (and family) with TLS 
you need to add

TLS_CACERT /path/to/your/CA/certificate.cer

Then you can do

$ ldapmodify -ZZ ...

to connect with TLS.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
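A pre-restart check for the three files the reply walks through (slapd.conf, rc.conf and the client ldap.conf), added here as an example and not code from the thread or from OpenLDAP itself. The file contents are constructed for the demo, and the real locations are assumed to be the FreeBSD defaults named in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the TLS settings
# discussed above. The files written below are constructed for the demo; on
# a real box the paths would be /usr/local/etc/openldap/slapd.conf,
# /etc/rc.conf and /usr/local/etc/openldap/ldap.conf.

# 0 if slapd.conf carries both the server certificate and its private key,
# the two directives any TLS listener (StartTLS on 389 or ldaps on 636) needs.
has_server_cert() {
    grep -Eq '^[[:space:]]*TLSCertificateFile[[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*TLSCertificateKeyFile[[:space:]]' "$1"
}

# 0 if slapd_flags in rc.conf asks for an ldaps:/// listener (port 636).
has_ldaps_listener() {
    grep -E '^[[:space:]]*slapd_flags=' "$1" | grep -q 'ldaps:///'
}

# 0 if TLSCACertificateFile is set although no client certificates are
# demanded (no TLSVerifyClient): harmless, but it is not what enables TLS.
ca_without_verify() {
    grep -Eq '^[[:space:]]*TLSCACertificateFile[[:space:]]' "$1" &&
    ! grep -Eq '^[[:space:]]*TLSVerifyClient[[:space:]]' "$1"
}

# 0 if the client ldap.conf names a CA certificate, which ldapmodify -ZZ
# needs in order to verify the server before sending anything.
client_has_cacert() {
    grep -Eq '^[[:space:]]*TLS_CACERT[[:space:]]' "$1"
}

# Constructed demo files mirroring the configuration quoted in the thread.
DEMO_DIR=$(mktemp -d) && trap 'rm -rf "$DEMO_DIR"' EXIT
printf '%s\n' 'TLSCACertificateFile  /usr/local/etc/openldap/ssl/cert.crt' \
  'TLSCertificateFile    /usr/local/etc/openldap/ssl/cert.crt' \
  'TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key' > "$DEMO_DIR/slapd.conf"
printf '%s\n' "slapd_flags='-h \"ldap:/// ldaps:///\"'" > "$DEMO_DIR/rc.conf"
printf '%s\n' 'BASE dc=example,dc=com' 'URI ldaps://ldap.example.com' > "$DEMO_DIR/ldap.conf"

has_server_cert "$DEMO_DIR/slapd.conf" && echo "slapd.conf: server cert and key present"
has_ldaps_listener "$DEMO_DIR/rc.conf" && echo "rc.conf: ldaps:/// listener on 636"
ca_without_verify "$DEMO_DIR/slapd.conf" && echo "slapd.conf: TLSCACertificateFile set without TLSVerifyClient"
client_has_cacert "$DEMO_DIR/ldap.conf" || echo "ldap.conf: add TLS_CACERT before using ldapmodify -ZZ"
```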