openldap and letsencrypt
jerry at seibercom.net
Mon Nov 4 17:59:40 UTC 2019
On Mon, 4 Nov 2019 13:51:05 +0000, Matthew Seaman commented:
>On 04/11/2019 12:19, Jerry wrote:
>> I am using 'openldap' with a FreeBSD 12 system. I would like to add
>> TLS security to it using letsencrypt certificates which I am already
>> using on my system. Can anyone point me to a good tutorial on how to
>> accomplish this? I have found a lot of counter productive examples
>> and none so far that pertain to FreeBSD.
>Hmmm.. most tutorials should be applicable to FreeBSD pretty directly.
>About the only difference between FreeBSD and other systems is the
>FreeBSD puts files into /usr/local/etc/openldap and other systems
>probably use /etc/openldap. Apart from that, the software is
>basically identical on all systems.
>IIRC with openldap, there's just two or three settings in the config
>file saying how to enable TLS and where the key and certificate are.
>You then just have to copy the certificate files into the expected
>places and restart slapd. (It is a tad more complicated if you're
>using LDAP replication though.)
>With openldap you have two choices: you can either run a 'LDAPS'
>encrypted server on port 636 or you can enable STARTTLS on the regular
>LDAP port 389. The latter is recommended on general principles --
>unassigned network ports are becoming a scarce resource and using two
>for encrypted and unencrypted versions of the same service is pretty
>wasteful. Or you can do both. Once you've got the basic TLS
>functionality working and tested, you can then enforce the use of TLS,
>via STARTTLS or otherwise, through the permissions settings in the
>When I went through all this -- a while ago now -- ISTR that reading
>the man pages and the documentation on the OpenLDAP site was almost
>sufficient. Working out that the best way to debug the configuration
>was to turn on the appropriate debug flags in the configuration file
>and then sit watching the log file while making test queries was a
>minor triumph. The OpenLDAP mailing lists were a key resource --
>particularly the archives.
I can get it up and running, but no one can connect to it. Did you
make any changes to the rc.conf entries? Mine are as shown in the rc.d
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
I have to figure out how to turn on logging. I am working on that now.
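An added example, not from this thread: a small sh script that audits a constructed slapd.conf fragment for the TLS directives and the 'security' enforcement Matthew describes, and lists which listeners in a slapd_flags string like Jerry's still accept unencrypted connections. The certbot paths under /usr/local/etc/letsencrypt/live/ and the host ldap.example.org are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check slapd.conf TLS settings and the
# slapd -h listener list. Assumes the FreeBSD layout and the certbot port's
# Let's Encrypt directory /usr/local/etc/letsencrypt/live/<host>/ (hypothetical host).

# tls_missing CONF: print the TLS directives absent from CONF, one per line.
tls_missing() {
  for d in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
    grep -qE "^[[:space:]]*$d[[:space:]]" "$1" || printf '%s\n' "$d"
  done
}

# tls_enforced CONF: "yes" if a 'security' line demands an SSF or TLS, else "no".
tls_enforced() {
  grep -qE '^[[:space:]]*security[[:space:]]+.*(ssf=[1-9]|tls=[1-9])' "$1" \
    && echo yes || echo no
}

# listeners FLAGS: the URLs handed to slapd -h, one per line.
listeners() {
  printf '%s\n' "$1" | sed -n 's/.*-h[[:space:]]*"\([^"]*\)".*/\1/p' | tr ' ' '\n'
}

# cleartext_listeners FLAGS: ldap:// URLs bound to non-loopback addresses.
# These accept unencrypted binds unless the config enforces STARTTLS.
cleartext_listeners() {
  listeners "$1" | grep -E '^ldap://' \
    | grep -vE '^ldap://(127\.0\.0\.1|localhost|\[::1\])' || true
}

# Constructed sample: the rc.conf flags quoted above and a config fragment
# that deliberately omits TLSCACertificateFile.
FLAGS='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
CONF="${TMPDIR:-/tmp}/slapd-tls-example.conf"
cat > "$CONF" <<'EOF'
TLSCertificateFile    /usr/local/etc/letsencrypt/live/ldap.example.org/fullchain.pem
TLSCertificateKeyFile /usr/local/etc/letsencrypt/live/ldap.example.org/privkey.pem
# TLSCACertificateFile intentionally missing
security ssf=128
EOF

echo "missing directives: $(tls_missing "$CONF")"
echo "tls enforced: $(tls_enforced "$CONF")"
echo "cleartext listeners: $(cleartext_listeners "$FLAGS")"
```

With the real files, ldapsearch -ZZ against port 389 is the quickest way to confirm that STARTTLS negotiates once slapd is restarted.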