openldap and letsencrypt

Norman Gray Norman.Gray at
Mon Nov 4 19:25:11 UTC 2019

Jerry, hello.

On 4 Nov 2019, at 17:59, Jerry wrote:

> I can get it up and running, but no one can connect to it. Did you
> make any changes to the rc.conf entries? Mine are as shown in the rc.d
> 'slapd' script:
> # Slapd
> slapd_enable="YES"
> slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/
> ldap://"'
> slapd_sockets="/var/run/openldap/ldapi"
> I have to figure out how to turn on logging. I am working on that now.

Things to try:

   * check olcSecurity and olcLocalSSF in your cn=config configuration
(see snippet from my config below).
   * set olcLogLevel in the same stanza (see Sect. of; set this in
slapd.ldif or dynamically using ldapmodify; setting this to -1 produces
_lots_ of logging data to /var/log/debug.log
   * Even if you plan to support only StartTLS, configure the server to
support LDAPS during testing, because then...
   * can try connecting to the server with `openssl s_client
-connect -showcerts </dev/null` to see chatter
about certificates

Certificate problems are rather hard to track down, in my experience,
because errors here tend to appear in the logs (even with olcLogLevel =
-1) as not much more than 'no!'.

Have fun...


olcSecurity: ssf=128
# Set the nominal security factor of local connections.
# This has to be higher than olcSecurity.
olcLocalSSF: 256
# TLS setup.
# See OpenLDAP manual Chapter 16 for documentation of the following.
olcTLSCertificateFile: @etcdir@/certs/@HOSTCERTFILE@
olcTLSCertificateKeyFile: @etcdir@/certs/@HOSTKEYFILE@
olcTLSCACertificateFile: @etcdir@/certs/identity-server-ca.crt

Norman Gray  :
SUPA School of Physics and Astronomy, University of Glasgow, UK

More information about the freebsd-questions mailing list