I'm sorry, my /etc/rc.conf.local has exactly the settings you just suggested to 
me:

# cat /etc/rc.conf.local
pf=NO
pkg_scripts=slapd
slapd=YES
slapd_flags="-4 -u _openldap -g _openldap ldap:///\ ldaps:///\ ldapi:///"

I started the server using rcctl start slapd and I still get the error message:

ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation

Same error message when I start OpenLDAP with this command:

/usr/local/libexec/slapd -4 -d 256 -u _openldap -g _openldap -h ldap:///\ ldaps:///\ ldapi:///

My version of OpenBSD is 6.9-release amd64.

OpenLDAP version is:

# /usr/local/libexec/slapd -VV
@(#) $OpenLDAP: slapd 2.4.58 (Jun 25 2021 04:37:21) $
@openbsd.my_domain:/usr/ports/pobj/openldap-2.4.58/build-amd64/servers/slapd

OpenLDAP was built from the ports yesterday, just after the ports tree had been 
completely updated, and after a # pkg_add -u -v.

I previously installed the FLAVOR=gssapi of OpenLDAP and got exactly the same 
issue. Now it's the normal flavor (no flavor) of the -server subpackage of 
/usr/ports/databases/openldap.

My /etc/slapd.conf contains these lines at the end:

TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
TLSCACertificateFile /etc/openldap/certs/fullchain.pem

Those are certificates I've obtained with certbot (built from the ports).

Note: I can't use TLS 1.3 with my Apache 2.4.46 install built from the ports. 
I've posted another bug report and someone replied to me that it's because 
LibreSSL 3.3.2 supports TLS 1.3 but lacks the OpenSSL TLS 1.3 API, and that's 
why it doesn't work currently. TLS 1.2 works well with Apache 2.4.46, but not 
TLS 1.3. I suspect this TLS 1.3 problem that I have with OpenLDAP has the same 
roots in LibreSSL. This type of configuration that I did worked perfectly on 
these operating systems: FreeBSD 12.2, Ubuntu 20.04, CentOS 8, OmniOS 
Community Edition r151038, all of them in the amd64 version. The only OS that 
it doesn't work with, aside from OpenBSD, is Solaris 11.4, in which I get the exact 
same error when I enable TLS in slapd.conf and when I use the -ZZ option in 
the ldapsearch and ldapwhoami commands.
________________________________
From: Stuart Henderson <s...@spacehopper.org>
Sent: Friday 25 June 2021 10:51
To: C. G. <idxtra...@hotmail.com>
Cc: bugs@openbsd.org <bugs@openbsd.org>
Subject: Re: Unable to make OpenLDAP work with TLS

On 2021/06/25 02:03, C. G. wrote:
> When I try to use the ldapsearch or ldapwhoami commands with the -ZZ option, 
> I get this error :
>
> ldap_start_tls: Protocol error (2)
> additional info: unsupported extended operation
>
> The same commands work fine without the TLS -ZZ option.

I've confirmed -ZZ does work with openldap from packages.

This looks like the LDAP server you're contacting is not configured for
TLS yet (or at least for STARTTLS; it may work with "explicit TLS" using
an ldaps:// URI).

The server will need to be set to listen to TLS connections - if the
server is on OpenBSD then you probably want

slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///"

in rc.conf.local. It also needs to be configured with certificates in
slapd config. If this isn't enough of a clue I suggest trying openldap
mailing lists if you need help configuring things.
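The two messages above turn on the same question: does the slapd configuration actually offer TLS, i.e. are listener URIs given to -h (slapd reads them only from -h and otherwise listens on ldap:/// alone) and are certificate and key directives present in slapd.conf? The following added example, which is not code from either poster nor from OpenLDAP or OpenBSD, is an offline pre-flight check that parses an rc.conf.local slapd_flags line the way rc.d hands it to slapd (a second shell pass, so the escaped spaces join the URIs into one -h argument) together with the TLS* directives of slapd.conf, and reports what would leave a client's StartTLS (-ZZ) or ldaps:// attempt unanswered. The embedded configuration snippets are constructed from the shapes shown in the thread; the option table for slapd is limited to the options that take an argument and is an assumption of this example.

```python
"""Offline check of OpenLDAP StartTLS/ldaps readiness from rc.conf.local and slapd.conf.

Added example (not from the thread or from OpenLDAP): it parses slapd_flags as
rc.d passes it to slapd and looks for the slapd.conf TLS directives, then lists
findings that would stop slapd from offering TLS to clients.
"""
import shlex

# slapd options that consume the following word (assumed subset for this example).
SLAPD_OPTS_WITH_ARG = {"-f", "-F", "-d", "-h", "-n", "-u", "-g", "-r", "-s", "-l", "-o", "-c"}
# slapd.conf directives without which no certificate can be presented.
TLS_REQUIRED = ("tlscertificatefile", "tlscertificatekeyfile")

# Constructed samples following the lines quoted in the thread.
RC_CONF_LOCAL = """\
pf=NO
pkg_scripts=slapd
slapd=YES
slapd_flags="-4 -u _openldap -g _openldap ldap:///\\ ldaps:///\\ ldapi:///"
"""
RC_CONF_FIXED = """\
slapd=YES
slapd_flags="-u _openldap -h ldap:///\\ ldaps:///\\ ldapi:///"
"""
SLAPD_CONF_WITH_TLS = """\
include /etc/openldap/schema/core.schema
database mdb
suffix "dc=example,dc=com"
TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
TLSCACertificateFile /etc/openldap/certs/fullchain.pem
"""
SLAPD_CONF_NO_TLS = """\
include /etc/openldap/schema/core.schema
database mdb
suffix "dc=example,dc=com"
"""


def rc_conf_value(rc_conf_text, name):
    """Return the value of a sh-style NAME=value line, outer quotes removed, or None."""
    for line in rc_conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)  # one word: NAME=value, backslashes inside quotes kept
        except ValueError:
            continue
        if words and words[0].startswith(name + "="):
            return words[0][len(name) + 1:]
    return None


def slapd_argv(flags):
    """Split slapd_flags as the rc.d script does; '\\ ' glues the URIs into one word."""
    return shlex.split(flags)


def listener_uris(argv):
    """Return (uris, positional): the -h URIs (default ldap:///) and stray words."""
    uris, positional = [], []
    i = 0
    while i < len(argv):
        word = argv[i]
        if word in SLAPD_OPTS_WITH_ARG:
            if word == "-h" and i + 1 < len(argv):
                uris.extend(argv[i + 1].split())
            i += 2
        elif word.startswith("-"):
            i += 1  # flag without argument, e.g. -4
        else:
            positional.append(word)  # slapd does not read listener URIs from here
            i += 1
    return (uris or ["ldap:///"]), positional


def tls_directives(slapd_conf_text):
    """Map lowercased TLS* directive names to their values."""
    found = {}
    for line in slapd_conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("tls"):
            found[parts[0].lower()] = parts[1].strip()
    return found


def check_tls_readiness(rc_conf_text, slapd_conf_text):
    """Return a list of findings; empty means slapd has what it needs to offer TLS."""
    findings = []
    flags = rc_conf_value(rc_conf_text, "slapd_flags")
    if flags is None:
        findings.append("rc.conf.local: no slapd_flags line")
        flags = ""
    uris, positional = listener_uris(slapd_argv(flags))
    for word in positional:
        findings.append(f"slapd_flags: '{word}' is not preceded by -h, so it is not a listener URI")
    if not any(u.startswith("ldaps://") for u in uris):
        findings.append("slapd_flags: no ldaps:// listener, so explicit TLS is not offered")
    tls = tls_directives(slapd_conf_text)
    for directive in TLS_REQUIRED:
        if directive not in tls:
            findings.append(f"slapd.conf: missing {directive}, so StartTLS/ldaps cannot present a certificate")
    return findings


if __name__ == "__main__":
    for label, rc, conf in (("thread rc.conf.local", RC_CONF_LOCAL, SLAPD_CONF_WITH_TLS),
                            ("suggested flags", RC_CONF_FIXED, SLAPD_CONF_WITH_TLS),
                            ("no TLS directives", RC_CONF_FIXED, SLAPD_CONF_NO_TLS)):
        print(label, "->", check_tls_readiness(rc, conf) or "ok")
```

Run against the rc.conf.local quoted at the top of the thread, the check reports that the URI list is not introduced by -h and that no ldaps:// listener results; run against the flags line suggested in the reply, with the three TLS directives present, it reports nothing. Reading real files is a matter of passing open("/etc/rc.conf.local").read() and open("/etc/slapd.conf").read() to check_tls_readiness.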
