Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 4 Nov 2019 13:51:05 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: openldap and letsencrypt
Message-ID:  <14a9c556-dbe6-c5f9-a02f-26fba1bce6f5@FreeBSD.org>
In-Reply-To: <20191104071911.00005546@seibercom.net>
References:  <20191104071911.00005546@seibercom.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On 04/11/2019 12:19, Jerry wrote:
> I am using 'openldap' with a FreeBSD 12 system. I would like to add TLS
> security to it using letsencrypt certificates which I am already using
> on my system. Can anyone point me to a good tutorial on how to
> accomplish this? I have found a lot of counter productive examples and
> none so far that pertain to FreeBSD.

Hmmm.. most tutorials should be applicable to FreeBSD pretty directly. 
About the only difference between FreeBSD and other systems is the 
FreeBSD puts files into /usr/local/etc/openldap and other systems 
probably use /etc/openldap.  Apart from that, the software is basically 
identical on all systems.

IIRC with openldap, there's just two or three settings in the config 
file saying how to enable TLS and where the key and certificate are. You 
then just have to copy the certificate files into the expected places 
and restart slapd.  (It is a tad more complicated if you're using LDAP 
replication though.)

With openldap you have two choices: you can either run a 'LDAPS' 
encrypted server on port 636 or you can enable STARTTLS on the regular 
LDAP port 389.  The latter is recommended on general principles -- 
unassigned network ports are becoming a scarce resource and using two 
for encrypted and unencrypted vesions of the same service is pretty 
wasteful.  Or you can do both.  Once you've got the basic TLS 
functionality working and tested, you can then enforce the use of TLS, 
via STARTTLS or otherwise, through the permissions settings in the LDAP 
configuration.

When I went through all this -- a while ago now -- ISTR that reading the 
man pages and the documentation on the OpenLDAP site was almost 
sufficient.  Working out that the best way to debug the configuration 
was to turn on the appropriate debug flags in the configuration file and 
then sit watching the log file while making test queries was a minor 
triumph.  The OpenLDAP mailing lists were a key resource -- particularly 
the archives.

	Cheers,

	Matthew



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14a9c556-dbe6-c5f9-a02f-26fba1bce6f5>