Re: LDAP and LDAPS on the same server ?



On 06/05/10 14.15, Frank Bonnet wrote:

> It runs nicely but I want to add LDAPS service on the SAME server.
> Is it possible ?

Yes, in fact with OpenLDAP you can have ldap, ldaps and ldap TLS with STARTTLS; the latter runs on the standard ldap port.

> I have generated
>
> cert.crt
> cert.csr
> cert.key
>
> as instructed in the FreeBSD howto but when I add the following
> lines in slapd.conf file it fails to restart
>
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt

You do not need to specify TLSCACertificateFile unless you plan to require connecting clients to use a certificate.

> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key

You only need to edit your rc.conf adding

slapd_flags='-h "ldap:/// ldaps:///"'

if you want to have old style ldaps (ldap with ssl) on port 636. Without any options OpenLDAP supports TLS on port 389. Unfortunately, common programs such as Thunderbird do not support TLS for ldap (although it /is/ supported for smtp?!)

> in ldap.conf file I have the following
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE dc=esiee,dc=fr
> URI ldap://ldap.esiee.fr ldaps://ldap.esiee.fr

You do not need to edit ldap.conf for the server to start up correctly; this is for the client. In order to use ldapmodify (and family) with TLS you need to add

TLS_CACERT /path/to/your/CA/certificate.cer

Then you can do

$ ldapmodify -ZZ ...

to connect with TLS.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
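The reply above boils down to three slapd.conf checks before restarting: the server certificate and key directives must both be present and readable, the private key should not be world-readable, and TLSCACertificateFile only matters when TLSVerifyClient asks clients for certificates. The following POSIX sh script is an added example (not code from the thread or from OpenLDAP) that performs those checks on a given slapd.conf; the directive names are the real slapd.conf ones, the script and its messages are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check TLS directives in slapd.conf before restarting
# slapd. Usage: check_slapd_tls /usr/local/etc/openldap/slapd.conf
# Exit status 0 = consistent, 1 = a problem was found (details on stderr).

# Print the value of the first occurrence of a directive, or nothing.
slapd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# $1 = directive name, $2 = path it refers to (may be empty if unset).
require_file() {
    if [ -z "$2" ]; then
        echo "ERROR: $1 is not set" >&2; return 1
    elif [ ! -r "$2" ]; then
        echo "ERROR: $1 refers to unreadable file $2" >&2; return 1
    fi
}

check_slapd_tls() {
    conf="$1"; rc=0
    cert=$(slapd_directive "$conf" TLSCertificateFile)
    key=$(slapd_directive "$conf" TLSCertificateKeyFile)
    ca=$(slapd_directive "$conf" TLSCACertificateFile)
    verify=$(slapd_directive "$conf" TLSVerifyClient)

    # Both the server certificate and its private key are needed for TLS/ldaps.
    require_file TLSCertificateFile "$cert" || rc=1
    require_file TLSCertificateKeyFile "$key" || rc=1

    # The private key must not be readable by "other" (chars 8-10 of ls -l).
    if [ -n "$key" ] && [ -r "$key" ]; then
        case "$(ls -ld "$key" | cut -c8-10)" in
            ---) ;;
            *) echo "ERROR: private key $key is world-readable" >&2; rc=1 ;;
        esac
    fi

    # A CA file is only required when clients are asked for certificates.
    case "$verify" in
        allow|try|demand|hard)
            [ -n "$ca" ] || { echo "ERROR: TLSVerifyClient $verify but no TLSCACertificateFile" >&2; rc=1; } ;;
        *)
            [ -z "$ca" ] || echo "NOTE: TLSCACertificateFile set but TLSVerifyClient is off; it is optional" >&2 ;;
    esac
    return $rc
}

if [ $# -gt 0 ]; then check_slapd_tls "$1"; fi
```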


