On 06/05/10 14.15, Frank Bonnet wrote:
It runs nicely but I want to add LDAPS service on the SAME server.
Is it possible ?
Yes in fact with OpenLDAP you can have ldap, ldaps and ldap TLS with
STARTTLS, the latter runs on the standard ldap port.
I have generated
cert.crt
cert.csr
cert.key
as instructed in the FreeBSD howto but when I add the following
lines in slapd.conf file it fails to restart
TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
You do not need to specify TLSCACertificateFile unless you plan to
require connecting clients to use a certificate.
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
You only need to edit your rc.conf adding
slapd_flags='-h "ldap:/// ldaps:///"'
if you want to have old style ldaps (ldap with ssl) on port 636. Without
any options OpenLDAP supports TLS on port 389. Unfortunately, common
programs such as thunderbird does not support TLS for ldap (although it
/is/ supported for smtp?!)
in ldap.conf file I have the following
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=esiee,dc=fr
URI ldap://ldap.esiee.fr ldaps://ldap.esiee.fr
You do not need to edit ldap.conf for the server to start up correctly,
this is for the client. In order to use ldapmodify (and family) with TLS
you need to add
TLS_CACERT /path/to/your/CA/certificate.cer
Then you can do
$ ldapmodify -ZZ ...
to connect with TLS.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
