On 2021/06/25 22:48, C. G. wrote:
> "You are making things hard for yourself. If you want to edit config
> online via LDAP commands then use olc and use LDAP commands to edit it."
> 
> I don't have enough experience on LDAP to modify the database online with 
> ldap commands. That's why I use slaptest -f slapd.conf -F slapd.d. This 
> method worked previously for me on FreeBSD 12.2 and on OmniOS (the current 
> LTS version) and is recommended by this webpage here for BSD systems (I use 
> it to implement sudo in OpenLDAP successfully);

To me, that suggests you would be better off with slapd.conf, but
each to their own.

> And I just tried your solution here for /etc/rc.conf.local with the settings 
> below, and it still doesn't work, not with chain.pem either. On every other OS on 
> which I've successfully installed OpenLDAP with TLS, I use the fullchain.pem 
> and it just works, by the way.
> 
> I also have this in a /etc/rc.local because I've followed a guide somewhere 
> on the web:
> 
> if [ "$slapd_flags" != "NO" -a -x /usr/local/libexec/slapd ]; then
>     echo -n ' slapd'
>     install -d -o _openldap /var/run/openldap
>     /usr/local/libexec/slapd $slapd_flags
> fi

That's about 10 years out of date and has been replaced by the rc script.

> My rc.conf.local now :
> 
> # cat /etc/rc.conf.local
> pf=NO
> pkg_scripts=apache2 slapd
> slapd=YES

That only goes with your rc.local addition and isn't used by the base os.
This setup results in you trying to run slapd twice.

> slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///"
> 
> The TLS settings in my slapd.conf now:
> 
> TLSCertificateFile /etc/openldap/certs/cert.pem
> TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
> TLSCACertificateFile /etc/openldap/certs/chain.pem
> TLSCipherSuite TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
> TLSCRLCheck none
> TLSVerifyClient never

btw I think the latter two are default anyway. I just listed them
because I dumped the olc config (I just pasted it from ldapvi..)

> # netstat -na -f inet | grep LISTEN
> tcp          0      0  *.80                   *.*                    LISTEN
> tcp          0      0  *.443                  *.*                    LISTEN
> tcp          0      0  *.389                  *.*                    LISTEN
> tcp          0      0  *.22                   *.*                    LISTEN
> tcp          0      0  *.636                  *.*                    LISTEN
> tcp          0      0  127.0.0.1.25           *.*                    LISTEN
> 
> Now, thanks to the ldapi:/// in /etc/rc.conf.local, I can run this command 
> successfully:
> 
> # ldapwhoami  -H ldapi:// -Y EXTERNAL
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> 
> # ldapwhoami -H ldap://my_domain -D 
> "cn=Manager,dc=my-domain,dc=something,dc=somewhere" -W -x
> Enter LDAP Password:
> dn:cn=Manager,dc=my-domain,dc=something,dc=somewhere
> 
> (I've replaced my real domain with something and somewhere), but it works 
> great without the -ZZ option

Good so the daemon is started with the correct parameters.


On 2021/06/25 22:58, C. G. wrote:
> Just for info, my OpenLDAP server now listens on port 636 and I have 
> ldaps:/// in my /etc/rc.conf.local, so I think SSL (not TLS) should work on 
> it, but it doesn't. I get this error message from Apache Directory Studio 
> when I select SSL encryption.

Port 636 is still TLS. It is just "implicit TLS" rather than enabling it
by sending STARTTLS on the plaintext port. (OpenBSD hasn't supported SSL
since 2015).

>  -  ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: 
> Unspecified: Improper close state: Status = OK HandshakeStatus = NEED_WRAP
> org.apache.directory.studio.connection.core.io.StudioLdapException:  
> ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified: 
> Improper close state: Status = OK HandshakeStatus = NEED_WRAP
> 
> I get this error when I try to connect via TLS with Apache Directory Studio:
> 
> Error while opening connection
>  -  [LDAP result code 2 - protocolError] unsupported extended operation
> 
> But it works perfectly without any encryption.

So there is some issue with the TLS configuration, most likely on the
server side as there isn't much to configure on the client. Suggest you
run slapd from a shell run under "script" with the -d flag as well as
the usual arguments, try to connect with -ZZ, exit and examine the
debug log for TLS-related issues.

We might be able to help here but you are probably better off asking
on an openldap mailing list.
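The debugging procedure the reply suggests, as an added example that is not part of the thread and not code from the OpenLDAP or OpenBSD projects: run slapd in the foreground under script(1) with -d, probe it from a second shell, then grep the transcript. It also checks two things that commonly explain a handshake that fails only on the server side: whether privkey.pem actually belongs to cert.pem, and which configuration slapd will read for a given slapd_flags (slapd(8): with neither -f nor -F, a valid default config directory is used and the default config file is ignored, so edits to slapd.conf only take effect once slaptest has regenerated slapd.d). The certificate paths and slapd binary are the ones posted above; HOST, DEBUG_LEVEL and LOG are assumptions, as is the sample log used to exercise the grep.

```shell
#!/bin/sh
# Added example (not from the thread). Wraps the server-side TLS debugging the
# reply recommends plus two checks that often explain a failed handshake.
# Paths mirror the posted slapd.conf; HOST, DEBUG_LEVEL and LOG are assumptions.

CERTDIR=/etc/openldap/certs
CERT=$CERTDIR/cert.pem
KEY=$CERTDIR/privkey.pem
CHAIN=$CERTDIR/chain.pem
SLAPD=/usr/local/libexec/slapd      # OpenBSD openldap-server package path
HOST=${HOST:-localhost}             # assumption: probe from the server itself
DEBUG_LEVEL=${DEBUG_LEVEL:--1}      # assumption: -1 = every slapd debug category
LOG=${LOG:-/tmp/slapd-tls-debug.log}

# Which configuration a given slapd_flags string makes slapd read. slapd(8):
# -F wins over -f; with neither, a valid default config directory is used and
# the default config file is ignored. The optional dir/file arguments let the
# logic be exercised without touching /etc/openldap.
effective_config() {
    confdir=${2:-/etc/openldap/slapd.d}
    conffile=${3:-/etc/openldap/slapd.conf}
    set -- $1
    f=; F=
    while [ $# -gt 0 ]; do
        case $1 in
            -f) if [ $# -gt 1 ]; then f=$2; shift; fi ;;
            -F) if [ $# -gt 1 ]; then F=$2; shift; fi ;;
        esac
        shift
    done
    if [ -n "$F" ]; then echo "$F"
    elif [ -n "$f" ]; then echo "$f"
    elif [ -d "$confdir" ]; then echo "$confdir"
    else echo "$conffile"; fi
}

# Does the private key belong to the certificate? Compares the public key
# embedded in the cert with the one derived from the key; works for RSA and
# EC alike. Exit status 0 on match.
key_matches_cert() {
    a=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Failure-looking TLS lines from a slapd -d transcript (successful
# "TLS established" lines are left out by the second filter).
tls_error_lines() {
    grep -i 'TLS' "$1" | grep -iE 'error|fail|could not|can.t|unable|denied|no such' || true
}
count_tls_errors() { tls_error_lines "$1" | wc -l | tr -d ' '; }

# Step 1: stop the rc.d-managed instance and run slapd in the foreground under
# script(1) so every debug line (slapd writes them to stderr) lands in $LOG.
# Interrupt it with ^C once the probe has been tried.
debug_run() {
    rcctl stop slapd
    echo "slapd will read: $(effective_config "$(rcctl get slapd flags)")"
    ls -l "$CERT" "$KEY" "$CHAIN"   # owner/mode of the files named in the TLS directives
    script -c "$SLAPD -d $DEBUG_LEVEL -u _openldap -h 'ldap:/// ldaps:/// ldapi:///'" "$LOG"
}

# Step 2, from a second shell: anonymous StartTLS probe (-ZZ fails hard if the
# handshake fails) that also lists the advertised extended operations (StartTLS
# is 1.3.6.1.4.1.1466.20037), then a raw handshake on 636 whose
# "Verify return code" line shows whether $CHAIN completes the chain.
probe() {
    LDAPTLS_CACERT=$CHAIN ldapsearch -x -H "ldap://$HOST" -ZZ -b '' -s base '(objectClass=*)' supportedExtension
    openssl s_client -connect "$HOST:636" -servername "$HOST" -CAfile "$CHAIN" </dev/null 2>&1 \
        | grep -E 'Verify return code|error'
}

# Step 3, after ^C: what the server itself complained about.
report() {
    echo "TLS-related failures in $LOG: $(count_tls_errors "$LOG")"
    tls_error_lines "$LOG"
}

case ${1:-} in
    debug)  debug_run ;;
    probe)  probe ;;
    report) report ;;
esac
```

Usage: `sh ldap-tls-debug.sh debug` in one shell, `sh ldap-tls-debug.sh probe` in another, ^C the first, then `sh ldap-tls-debug.sh report`. A mismatch from key_matches_cert, a "slapd will read:" line pointing at slapd.d while the edits were made in slapd.conf, or an s_client verify code other than 0 each narrows the problem before the log is read.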