From owner-freebsd-questions@FreeBSD.ORG Thu May 6 14:26:39 2010
Message-ID: <4BE2D188.7070404@locolomo.org>
Date: Thu, 06 May 2010 16:26:16 +0200
From: Erik Norgaard
To: freebsd-questions@freebsd.org
In-Reply-To: <4BE2B2FA.1010900@esiee.fr>
Subject: Re: LDAP and LDAPS on the same server ?

On 06/05/10 14.15, Frank Bonnet wrote:
> It runs nicely but I want to add LDAPS service on the SAME server.
> Is it possible?

Yes, in fact with OpenLDAP you can have ldap, ldaps and ldap TLS with STARTTLS; the latter runs on the standard ldap port.

> I have generated
>
> cert.crt
> cert.csr
> cert.key
>
> as instructed in the FreeBSD howto but when I add the following
> lines in slapd.conf file it fails to restart
>
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt

You do not need to specify TLSCACertificateFile unless you plan to require connecting clients to use a certificate.

> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key

You only need to edit your rc.conf, adding

  slapd_flags='-h "ldap:/// ldaps:///"'

if you want to have old style ldaps (ldap with ssl) on port 636. Without any options OpenLDAP supports TLS on port 389.

Unfortunately, common programs such as Thunderbird do not support TLS for ldap (although it /is/ supported for smtp?!)

> in ldap.conf file I have the following
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE dc=esiee,dc=fr
> URI ldap://ldap.esiee.fr ldaps://ldap.esiee.fr

You do not need to edit ldap.conf for the server to start up correctly; this is for the client. In order to use ldapmodify (and family) with TLS you need to add

  TLS_CACERT /path/to/your/CA/certificate.cer

Then you can do

  $ ldapmodify -ZZ ...

to connect with TLS.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
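The three files discussed in this thread (slapd.conf TLS directives, the slapd_flags line in rc.conf, and the client's ldap.conf) have to agree with each other before ldaps:// or ldapmodify -ZZ will work. The following consistency check is an added example, not code from the thread or from OpenLDAP; the sample file contents are constructed from the settings quoted above, and the finding texts are my own wording.

```python
import re
import shlex

# Constructed sample files mirroring the settings discussed in the thread.
SLAPD_CONF = """\
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
"""
RC_CONF = "slapd_flags='-h \"ldap:/// ldaps:///\"'\n"
LDAP_CONF = """\
BASE dc=esiee,dc=fr
URI ldap://ldap.esiee.fr ldaps://ldap.esiee.fr
TLS_CACERT /usr/local/etc/openldap/ssl/cert.crt
"""

def parse_directives(text):
    """Map 'KEY value ...' lines to {KEY: [values]}, skipping blanks and comments."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            out[parts[0]] = parts[1:]
    return out

def listen_urls(rc_conf):
    """Return the URLs slapd is started with (-h in slapd_flags); default is ldap:///."""
    m = re.search(r"^slapd_flags=(.*)$", rc_conf, re.M)
    if not m:
        return ["ldap:///"]
    flags = shlex.split(shlex.split(m.group(1))[0])  # strip rc.conf quoting, then shell-split
    return flags[flags.index("-h") + 1].split() if "-h" in flags else ["ldap:///"]

def check_tls_setup(slapd_conf, rc_conf, ldap_conf):
    """Return findings ('error: ...' or 'note: ...'); an empty list means the files agree."""
    server, client = parse_directives(slapd_conf), parse_directives(ldap_conf)
    findings = []
    have_cert, have_key = "TLSCertificateFile" in server, "TLSCertificateKeyFile" in server
    if have_cert != have_key:
        findings.append("error: TLSCertificateFile and TLSCertificateKeyFile must be set together")
    if "TLSCACertificateFile" in server and server.get("TLSVerifyClient", ["never"]) == ["never"]:
        findings.append("note: TLSCACertificateFile only matters once TLSVerifyClient asks for client certs")
    wants_ldaps = any(u.startswith("ldaps://") for u in client.get("URI", []))
    if wants_ldaps and "ldaps:///" not in listen_urls(rc_conf):
        findings.append("error: ldap.conf uses ldaps:// but slapd_flags lacks ldaps:/// (port 636 not open)")
    if have_cert and "TLS_CACERT" not in client:
        findings.append("error: TLS_CACERT missing in ldap.conf; ldaps:// and ldapmodify -ZZ cannot verify the server")
    return findings

if __name__ == "__main__":
    for f in check_tls_setup(SLAPD_CONF, RC_CONF, LDAP_CONF) or ["ok: configuration is consistent"]:
        print(f)
```

Point the three constants at the real files (or read them with open()) to lint an actual host; the check does not verify that the certificate and key files exist or are readable by the user slapd runs as, which is the other common reason for a failed restart.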