PROBLEM SOLVED!! OUHOUH!! 🀩

I took inspiration from this webpage (after having removed my /etc/rc.local file, 
which was useless, thanks to Stuart Henderson, and I also admit he gave me the 
hint to the solution: the problem was that slaptest -f slapd.conf -F slapd.d 
didn't update my olcTLSCertificate entries in my database!)

https://www.golinuxcloud.com/configure-openldap-with-tls-certificates/


I simply created a file named tls7.ldif in which I put this content:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/chain.pem

Then I typed this command (after having placed slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///" in my /etc/rc.conf.local):

# ldapmodify -Y EXTERNAL -H ldapi:// -f tls7.ldif

Now:

# ldapwhoami -H ldap://my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W -x -ZZ
Enter LDAP Password:
dn:cn=Manager,dc=my_domain,dc=something,dc=somewhere

# ldapsearch -x -h my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W -ZZ

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1

SO: THAT MEANS I WILL BE ABLE TO INSTALL THE MOST SECURE OS IN THE WORLD ON MY 
CUSTOMERS' SERVERS for those who want SECURITY first.
And that also means I will be able to make OpenLDAP work with TLS on Solaris 
11.4! Because the problem was exactly the same.

Thanks a lot, Stuart Henderson.
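Since the root cause here was that slaptest had not updated the olcTLS* entries in the live cn=config database, it is worth checking that the values slapd actually serves match the ones in tls7.ldif before trusting the ldapmodify step. The following is an added example, not code from the thread or from OpenLDAP: it parses the modify LDIF and a constructed sample of what `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base` returns, and reports any attribute that is missing or differs.

```python
TLS_ATTRS = ("olcTLSCertificateFile", "olcTLSCertificateKeyFile",
             "olcTLSCACertificateFile")          # what tls7.ldif replaces

def parse_ldif(text):
    """One LDIF record -> {attribute.lower(): value}; joins RFC 2849 folded
    lines, skips blank, '#' comment and '-' separator lines, last value wins."""
    lines, attrs = [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if not line.strip() or line == "-" or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()
    return attrs

def check_live_config(modify_ldif, live_ldif):
    """Compare the olcTLS* values a modify LDIF asks for with what slapd
    serves from cn=config; return a list of problems (empty list = agree)."""
    want, have = parse_ldif(modify_ldif), parse_ldif(live_ldif)
    problems = []
    for attr in TLS_ATTRS:
        key = attr.lower()                       # LDAP attribute names are case-insensitive
        if key not in want:
            problems.append("%s is not set by the modify LDIF" % attr)
        elif have.get(key) != want[key]:
            problems.append("%s: slapd serves %r, LDIF asked for %r"
                            % (attr, have.get(key), want[key]))
    return problems

# Constructed sample data: the tls7.ldif from the post, and a made-up output of
# `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base` (folded line).
MODIFY_LDIF = """dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/chain.pem"""
LIVE_OK = """dn: cn=config
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
olcTLSCACertificateFile: /etc/openldap/certs/
 chain.pem"""
```

Feed the real ldapsearch output to check_live_config in place of LIVE_OK; a non-empty list means the running slapd is not using the certificate files you think it is.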
________________________________
From: Stuart Henderson <s...@spacehopper.org>
Sent: Sunday 27 June 2021 14:45
To: C. G. <idxtra...@hotmail.com>
Cc: bugs@openbsd.org <bugs@openbsd.org>
Subject: Re: Unable to make OpenLDAP work with TLS

Well, if you are going to ignore the port maintainer who actually has
this working already, then just be careful with your MDB files if you
are trying to build without the patches that are in ports.


On 2021/06/26 19:39, C. G. wrote:
> There must be a problem about the OpenLDAP package build against LibreSSL. I 
> can see on Google
> that there are several cases of issues with OpenLDAP building against 
> LibreSSL. I will try to
> build from source without using the OpenBSD ports and will come back later.
>
> I'm pretty sure neither the OpenLDAP package nor the port has LibreSSL support.
> ________________________________
> From: Stuart Henderson <s...@spacehopper.org>
> Sent: Saturday 26 June 2021 18:11
> To: C. G. <idxtra...@hotmail.com>
> Cc: bugs@openbsd.org <bugs@openbsd.org>
> Subject: Re: Unable to make OpenLDAP work with TLS
>
> On 2021/06/26 12:51, C. G. wrote:
> > I think it's a LibreSSL-related issue, because I did the same exact
> > config procedure on Ubuntu, CentOS, FreeBSD, OmniOS, and it worked,
> > and on the only OS that uses LibreSSL, it doesn't work.
>
> What can I say; I am running OpenLDAP 2.4.58 slapd on OpenBSD 6.9 and it
> works for me with TLSv1.3 connections, so there clearly is a way to do it.
>
> > It's intolerable that the "most secure OS on the planet" isn't able to
> > use encrypted connections with TLS 1.3 in Apache and OpenLDAP during a
> > full release, I mean, that's not serious. LibreSSL just breaks things,
> > to my POV.
>
> Don't tolerate then; you are free to either debug the issue or use
> another OS if OpenBSD doesn't suit you. Nobody is forcing you to use it.
>
> Apache httpd will not support TLSv1.3 itself with the current version of
> libressl. Hopefully that will change soon but if that is a show stopper
> and you don't want an alternative (e.g. offload the TLS to a reverse
> proxy) then OpenBSD isn't suitable for you at this time.
>
