FreeBSD, OpenLDAP and 2048 bits certificates

Matthew Seaman matthew at FreeBSD.org
Tue Sep 6 10:03:52 UTC 2016


On 06/09/2016 10:37, Olivier wrote:
> I want to update the certificate I am currently using for OpenLDAP, from
> a 1024 bit self signed to a 2048 bits properly signed certificate.

You mean a paid-for certificate signed by a well known CA?  Given that
with LDAP you generally have administrative control over all of the
clients that may connect to your server, that's pretty pointless.  The
whole idea of certificate signing is that it's done by an entity that
you can trust to identify strangers on your behalf.  Which makes no
sense if there are no 'strangers' involved.

> When I do the change in OpenLDAP server, Ubuntu clients, Mac OS X
> clients, perl clients, php clients are happy. They recognize the new
> certificate and the change is transparent.
> 
> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
> the server part of OpenLDAP is working fine, but not the client part.
> 
> Have you any idea what the problem could be?

No.  The FreeBSD vs. other operating systems part is not a useful
datapoint.  It's much more likely to be down to differences in the
client-side software packages you're using.  You haven't explained how
you are using these certificates -- just to ensure connections are
encrypted, or are you using client certificates to authenticate logins to
the server?  What configuration settings are you using?  Can you try
putting the correct settings in /usr/local/etc/openldap/ldap.conf and
then using some of the commandline ldap clients to log in?

Verb. sap.  The net/nss-pam-ldapd port provides much the same
functionality as nss_ldap and pam_ldap combined, plus it has various
technical advantages like a local cache and it's actively maintained and
developed.  Recommended.

	Cheers,

	Matthew
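The debugging step suggested above, written out as an added example that is not part of the original thread: a client-side /usr/local/etc/openldap/ldap.conf that trusts the new CA chain, a sanity check of those settings, and the command-line probes to run before looking at nss_ldap/pam_ldap. The hostname ldap.example.org, the base DN and the CA file path are assumptions.

```sh
#!/bin/sh
# Added example, not from the original mail. Assumed values: the server is
# ldap.example.org, the base DN is dc=example,dc=org, and the CA chain that
# signed the new 2048-bit server certificate lives in ca-chain.pem.

# The settings libldap-based clients (ldapsearch, ldapwhoami, ...) read.
# After the switch TLS_CACERT must name the signing CA chain, not the old
# self-signed server certificate, or verification fails on every client.
write_ldap_conf() {
  cat > "$1" <<'EOF'
URI         ldap://ldap.example.org/
BASE        dc=example,dc=org
TLS_CACERT  /usr/local/etc/openldap/ca-chain.pem
TLS_REQCERT demand
EOF
}

# Return 0 if the file names a CA bundle and demands verification; the
# tempting "TLS_REQCERT never" makes connections work but verifies nothing.
check_ldap_conf() {
  conf=$1
  ca=$(awk '$1=="TLS_CACERT"{print $2}' "$conf")
  req=$(awk '$1=="TLS_REQCERT"{print $2}' "$conf")
  [ -n "$ca" ] || { echo "no TLS_CACERT in $conf" >&2; return 1; }
  [ "$req" = "demand" ] || { echo "TLS_REQCERT is '${req:-unset}', want demand" >&2; return 1; }
  return 0
}

# Show the chain the server really presents and whether it verifies against
# the CA file (needs an openssl with STARTTLS LDAP support, 1.1.0 or newer).
probe_server() {
  openssl s_client -starttls ldap -connect "$1:389" -CAfile "$2" </dev/null 2>/dev/null |
    grep -E '^ *[0-9]+ s:|Verify return code'
}

# Anonymous simple bind over StartTLS; -ZZ makes the command fail unless the
# TLS negotiation, including certificate verification, succeeds.
try_login() {
  ldapwhoami -x -ZZ -H "ldap://$1/"
}

# Run the whole sequence only when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
  write_ldap_conf /usr/local/etc/openldap/ldap.conf
  check_ldap_conf /usr/local/etc/openldap/ldap.conf
  probe_server ldap.example.org /usr/local/etc/openldap/ca-chain.pem
  try_login ldap.example.org
fi
```

If try_login succeeds here but nss_ldap/pam_ldap still fail, the difference is in their own configuration files rather than in the server certificate.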

