Date:      Thu, 06 May 2010 16:47:16 +0200
From:      Frank Bonnet <f.bonnet@esiee.fr>
To:        freebsd-questions@freebsd.org
Subject:   Re: LDAP and LDAPS on the same server ?
Message-ID:  <4BE2D674.7030804@esiee.fr>
In-Reply-To: <4BE2D188.7070404@locolomo.org>
References:  <4BE2B2FA.1010900@esiee.fr> <4BE2D188.7070404@locolomo.org>

On 05/06/10 16:26, Erik Norgaard wrote:
> On 06/05/10 14.15, Frank Bonnet wrote:
>
>> It runs nicely but I want to add LDAPS service on the SAME server.
>> Is it possible ?
>
> Yes in fact with OpenLDAP you can have ldap, ldaps and ldap TLS with
> STARTTLS, the latter runs on the standard ldap port.
>
>> I have generated
>>
>> cert.crt
>> cert.csr
>> cert.key
>>
>> as instructed in the FreeBSD howto but when I add the following
>> lines in slapd.conf file it fails to restart
>>
>> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
>
> You do not need to specify TLSCACertificateFile unless you plan to
> require connecting clients to use a certificate.
>
>> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
>
> You only need to edit your rc.conf adding
>
> slapd_flags='-h "ldap:/// ldaps:///"'
>
> if you want to have old style ldaps (ldap with ssl) on port 636. Without
> any options OpenLDAP supports TLS on port 389. Unfortunately, common
> programs such as thunderbird do not support TLS for ldap (although it
> /is/ supported for smtp?!)
>
>> in ldap.conf file I have the following
>>
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE dc=esiee,dc=fr
>> URI ldap://ldap.esiee.fr ldaps://ldap.esiee.fr
>
> You do not need to edit ldap.conf for the server to start up correctly,
> this is for the client. In order to use ldapmodify (and family) with TLS
> you need to add
>
> TLS_CACERT /path/to/your/CA/certificate.cer
>
> Then you can do
>
> $ ldapmodify -ZZ ...
>
> to connect with TLS.
>
> BR, Erik
>

Thanks for your full detailed answer Erik !
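The three files discussed in this thread (slapd.conf TLS directives, the slapd_flags line in rc.conf, and the client-side ldap.conf) have to agree with each other before ldaps:// or STARTTLS works. The following script is an added example, not code from the thread or from the OpenLDAP project: it parses constructed samples of those three files and reports the mismatches Erik points out (an ldaps listener with no certificate/key, a TLSCACertificateFile that serves no purpose while TLSVerifyClient stays at its default of never, and a client with no TLS_CACERT so that the default TLS_REQCERT demand will reject the server's self-signed certificate). The hostnames and paths in the samples are assumptions.

```python
"""Consistency audit for an OpenLDAP TLS setup: slapd.conf, rc.conf and ldap.conf.

Added example; the sample configuration strings below are constructed to
resemble the thread's setup and are not taken from a real host.
"""
import re
import shlex

# --- constructed sample inputs -------------------------------------------
SLAPD_CONF = """\
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
"""

RC_CONF = """\
slapd_enable="YES"
slapd_flags='-h "ldap:/// ldaps:///"'
"""

LDAP_CONF = """\
# LDAP Defaults (client side)
BASE dc=example,dc=org
URI ldap://ldap.example.org ldaps://ldap.example.org
"""


def parse_directives(text):
    """Map DIRECTIVE -> value for one-directive-per-line files such as slapd.conf and ldap.conf."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out


def slapd_listeners(rc_conf):
    """Return the URL list slapd will listen on: the -h argument of slapd_flags, else ldap:/// only."""
    m = re.search(r"^slapd_flags=(.*)$", rc_conf, re.M)
    if not m:
        return ["ldap:///"]
    outer = shlex.split(m.group(1))              # strip the rc.conf quoting layer
    args = shlex.split(outer[0]) if outer else []  # then split the flags themselves
    if "-h" in args and args.index("-h") + 1 < len(args):
        return args[args.index("-h") + 1].split()
    return ["ldap:///"]


def audit_tls(slapd_conf, rc_conf, ldap_conf):
    """Return a list of human-readable findings; an empty list means the three files agree."""
    findings = []
    server = parse_directives(slapd_conf)
    client = parse_directives(ldap_conf)
    listeners = slapd_listeners(rc_conf)

    wants_ldaps = any(u.startswith("ldaps:") for u in listeners)
    has_cert = "TLSCertificateFile" in server and "TLSCertificateKeyFile" in server
    if wants_ldaps and not has_cert:
        findings.append("server: ldaps:/// listener configured but TLSCertificateFile/"
                        "TLSCertificateKeyFile are missing; slapd will fail to start")

    # TLSVerifyClient defaults to 'never'; a CA file only matters once client certs are checked.
    if "TLSCACertificateFile" in server and server.get("TLSVerifyClient", "never") == "never":
        findings.append("server: TLSCACertificateFile set but TLSVerifyClient is 'never'; "
                        "the CA file is only needed when clients must present certificates")

    # Client side: both ldaps:// and 'ldapmodify -ZZ' (STARTTLS) verify the server
    # certificate, and TLS_REQCERT defaults to 'demand', so a CA file is required.
    if "TLS_CACERT" not in client:
        findings.append("client: no TLS_CACERT in ldap.conf; ldaps:// and -ZZ connections "
                        "cannot verify the server certificate (TLS_REQCERT defaults to demand)")
    if client.get("TLS_REQCERT", "demand") in ("never", "allow"):
        findings.append("client: TLS_REQCERT %s disables certificate verification"
                        % client["TLS_REQCERT"])
    return findings


if __name__ == "__main__":
    for finding in audit_tls(SLAPD_CONF, RC_CONF, LDAP_CONF) or ["no findings"]:
        print(finding)
```

Run against the samples it reports a single finding, the missing TLS_CACERT on the client; appending a TLS_CACERT line pointing at the server's certificate clears it, which is exactly the change Erik recommends before using ldapmodify -ZZ.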