FreeBSD, OpenLDAP and 2048-bit certificates
markham breitbach
markham at ssimicro.com
Tue Sep 6 15:25:27 UTC 2016
This likely just needs the CA certificate installed. I think
TLSCACERT=/path/to/my/ca.cert in /usr/local/etc/openldap/ldap.conf
should do it.
-Markham
On 2016-09-06 4:03 AM, Matthew Seaman wrote:
> On 06/09/2016 10:37, Olivier wrote:
>> I want to update the certificate I am currently using for OpenLDAP, from
>> a 1024-bit self-signed to a 2048-bit properly signed certificate.
> You mean a paid-for certificate signed by a well known CA? Given that
> with LDAP you generally have administrative control over all of the
> clients that may connect to your server, that's pretty pointless. The
> whole idea of certificate signing is that it's done by an entity that
> you can trust to identify strangers on your behalf. Which makes no
> sense if there are no 'strangers' involved.
>
>> When I do the change in OpenLDAP server, Ubuntu clients, Mac OS X
>> clients, perl clients, php clients are happy. They recognize the new
>> certificate and the change is transparent.
>>
>> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
>> the server part of OpenLDAP is working fine, but not the client part.
>>
>> Have you any idea what the problem could be?
> No. The FreeBSD vs. other operating systems part is not a useful
> datapoint. It's much more likely to be down to differences in the
> client-side software packages you're using. You haven't explained how
> you are using these certificates -- just to ensure connections are
> encrypted, or are you using client certificates to authenticate logins to
> the server? What configuration settings are you using? Can you try
> putting the correct settings in /usr/local/etc/openldap/ldap.conf and
> then using some of the commandline ldap clients to log in?
>
> Verb. sap. The net/nss-pam-ldapd port provides much the same
> functionality as nss_ldap and pam_ldap combined, plus it has various
> technical advantages like a local cache and it's actively maintained and
> developed. Recommended.
>
> Cheers,
>
> Matthew
>
>
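The two replies above agree on the first thing to check: the FreeBSD client must be told which CA signed the new server certificate, and the quickest way to find out whether that is the problem is to put the settings in ldap.conf and test with a command-line client. The script below is an added example, not code from the thread or from the OpenLDAP project. It writes a minimal client ldap.conf, checks that its TLS_CACERT entry points at a readable file and that TLS_REQCERT is set to demand (directive names from ldap.conf(5)), and optionally verifies the server certificate against the CA with openssl(1). The hostname, base DN and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): render an OpenLDAP client TLS config
# and sanity-check it before pointing the FreeBSD client at the new certificate.
# TLS_CACERT / TLS_REQCERT are the ldap.conf(5) directive names; the server
# name, base DN and paths below are constructed placeholders.

# write_ldap_conf CONF URI CA_FILE
# Writes a minimal ldap.conf: the server URI, the CA that signed the server
# certificate, and TLS_REQCERT demand so an unverifiable chain fails closed.
write_ldap_conf() {
    cat > "$1" <<EOF
URI $2
BASE dc=example,dc=com
TLS_CACERT $3
TLS_REQCERT demand
EOF
}

# check_ldap_conf CONF
# Returns 0 when TLS_CACERT names a readable file and TLS_REQCERT is "demand";
# otherwise prints the problem and returns 1.
check_ldap_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "no such config: $conf"; return 1; }
    ca=$(awk '$1 == "TLS_CACERT" { print $2 }' "$conf")
    req=$(awk '$1 == "TLS_REQCERT" { print $2 }' "$conf")
    if [ -z "$ca" ]; then
        echo "TLS_CACERT missing: the client cannot verify the server certificate"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "TLS_CACERT points at an unreadable file: $ca"
        return 1
    fi
    if [ "$req" != "demand" ]; then
        echo "TLS_REQCERT is '${req:-unset}', expected 'demand'"
        return 1
    fi
    return 0
}

# verify_chain CA_FILE SERVER_CERT
# Confirms with openssl(1) that the server certificate chains to the CA file,
# which is exactly what the LDAP client library must do at connect time.
# Returns 2 when openssl is not installed so the check is visibly skipped.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo on a constructed layout under a temporary directory.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/ca.pem"              # stands in for the real CA certificate
    write_ldap_conf "$tmp/ldap.conf" ldap://ldap.example.com "$tmp/ca.pem"
    check_ldap_conf "$tmp/ldap.conf" && echo "ldap.conf looks sane"
    # A config with no CA entry is the usual cause of the symptom in the thread.
    printf 'URI ldap://ldap.example.com\n' > "$tmp/bad.conf"
    check_ldap_conf "$tmp/bad.conf" || echo "bad.conf rejected as expected"
    rm -rf "$tmp"
}
demo
```

Once the file passes, the command-line test Matthew asks for is `ldapsearch -x -ZZ -H ldap://ldap.example.com -b '' -s base`: `-ZZ` forces STARTTLS and makes the search fail rather than silently fall back when the certificate cannot be verified. Note that the PADL nss_ldap and pam_ldap clients read their own configuration file (with a `tls_cacertfile` directive) rather than OpenLDAP's ldap.conf, so the same CA path has to be set there as well; nslcd from net/nss-pam-ldapd likewise takes `tls_cacertfile` in nslcd.conf.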