LDAP and LDAPS on the same server ?
Erik Norgaard
norgaard at locolomo.org
Thu May 6 14:26:39 UTC 2010
On 06/05/10 14.15, Frank Bonnet wrote:
> It runs nicely but I want to add LDAPS service on the SAME server.
> Is it possible ?
Yes in fact with OpenLDAP you can have ldap, ldaps and ldap TLS with
STARTTLS, the latter runs on the standard ldap port.
> I have generated
>
> cert.crt
> cert.csr
> cert.key
>
> as instructed in the FreeBSD howto but when I add the following
> lines in slapd.conf file it fails to restart
>
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
You do not need to specify TLSCACertificateFile unless you plan to
require connecting clients to use a certificate.
> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
You only need to edit your rc.conf adding
slapd_flags='-h "ldap:/// ldaps:///"'
if you want to have old style ldaps (ldap with ssl) on port 636. Without
any options OpenLDAP supports TLS on port 389. Unfortunately, common
programs such as thunderbird does not support TLS for ldap (although it
/is/ supported for smtp?!)
> in ldap.conf file I have the following
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE dc=esiee,dc=fr
> URI ldap://ldap.esiee.fr ldaps://ldap.esiee.fr
You do not need to edit ldap.conf for the server to start up correctly,
this is for the client. In order to use ldapmodify (and family) with TLS
you need to add
TLS_CACERT /path/to/your/CA/certificate.cer
Then you can do
$ ldapmodify -ZZ ...
to connect with TLS.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
More information about the freebsd-questions
mailing list