From: Frank Bonnet
Date: Thu, 06 May 2010 16:47:16 +0200
To: freebsd-questions@freebsd.org
Subject: Re: LDAP and LDAPS on the same server ?
Message-ID: <4BE2D674.7030804@esiee.fr>
In-Reply-To: <4BE2D188.7070404@locolomo.org>
References: <4BE2B2FA.1010900@esiee.fr> <4BE2D188.7070404@locolomo.org>

On 05/06/10 16:26, Erik Norgaard wrote:
> On 06/05/10 14.15, Frank Bonnet wrote:
>
>> It runs nicely but I want to add LDAPS service on the SAME server.
>> Is it possible?
>
> Yes, in fact with OpenLDAP you can have ldap, ldaps and ldap TLS with
> STARTTLS; the latter runs on the standard ldap port.
>
>> I have generated
>>
>> cert.crt
>> cert.csr
>> cert.key
>>
>> as instructed in the FreeBSD howto, but when I add the following
>> lines in the slapd.conf file it fails to restart
>>
>> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
>
> You do not need to specify TLSCACertificateFile unless you plan to
> require connecting clients to use a certificate.
>
>> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
>
> You only need to edit your rc.conf, adding
>
> slapd_flags='-h "ldap:/// ldaps:///"'
>
> if you want to have old style ldaps (ldap with ssl) on port 636. Without
> any options OpenLDAP supports TLS on port 389. Unfortunately, common
> programs such as thunderbird do not support TLS for ldap (although it
> /is/ supported for smtp?!)
>
>> in the ldap.conf file I have the following
>>
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE dc=esiee,dc=fr
>> URI ldap://ldap.esiee.fr ldaps://ldap.esiee.fr
>
> You do not need to edit ldap.conf for the server to start up correctly;
> this is for the client. In order to use ldapmodify (and family) with TLS
> you need to add
>
> TLS_CACERT /path/to/your/CA/certificate.cer
>
> Then you can do
>
> $ ldapmodify -ZZ ...
>
> to connect with TLS.
>
> BR, Erik
>

Thanks for your full, detailed answer, Erik!
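A pre-restart check for the setup Erik describes, written here as an added example and not part of either mail: it reads TLSCertificateFile/TLSCertificateKeyFile from slapd.conf, verifies the key is not readable by group or other, confirms that the certificate really belongs to that key, and reports whether slapd_flags in rc.conf enables the ldaps:/// listener. It assumes a POSIX sh with awk and openssl available; the script name check-slapd-tls.sh is a placeholder, and the default paths are the ones quoted in the thread.

```sh
#!/bin/sh
# Pre-restart sanity check for the slapd TLS setup described in the thread. Added
# example, not from the original mails; default paths are the ones Frank quoted.

# conf_value SLAPD_CONF DIRECTIVE: print the directive's value (last one wins)
conf_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# ldaps_enabled RC_CONF: true if slapd_flags lists an ldaps:/// listener (port 636)
ldaps_enabled() {
    grep -Eq '^[[:space:]]*slapd_flags=.*ldaps:///' "$1" 2>/dev/null
}

# key_is_private KEYFILE: true if the file exists and group/other cannot read it
# (columns 5 and 8 of ls -l are the group and other read bits)
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5,8)" = "--" ] && return 0
    return 1
}

# cert_matches_key CERT KEY: true if both carry the same RSA modulus, i.e. the
# certificate was issued for this key (on a mismatch slapd refuses to start)
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ] && return 0
    return 1
}

# check_tls_setup SLAPD_CONF RC_CONF: print a report, return the number of failures
check_tls_setup() {
    fails=0
    cert=$(conf_value "$1" TLSCertificateFile)
    key=$(conf_value "$1" TLSCertificateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "FAIL: TLSCertificateFile and TLSCertificateKeyFile must both be set in $1"
        return 1
    fi
    key_is_private "$key" || { echo "FAIL: $key is missing or readable by group/other"; fails=$((fails + 1)); }
    cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not belong to $key"; fails=$((fails + 1)); }
    ldaps_enabled "$2" && echo "OK: ldaps:/// (port 636) enabled via slapd_flags in $2" \
        || echo "NOTE: no ldaps:/// in slapd_flags in $2; only STARTTLS on port 389 is offered"
    return "$fails"
}

# Report only when invoked as: sh check-slapd-tls.sh --check [slapd.conf] [rc.conf]
case "${1:-}" in
    --check) check_tls_setup "${2:-/usr/local/etc/openldap/slapd.conf}" "${3:-/etc/rc.conf}" ;;
esac
```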