From: "Jay West" <jwest@ezwind.net>
To: freebsd-doc@FreeBSD.org
Subject: handbook errata?
Date: Thu, 16 Oct 2014 07:43:31 -0500
Message-ID: <000201cfe93e$cb0ffae0$612ff0a0$@ezwind.net>

Not completely sure this is a documentation "error", but it's a bit unclear and will possibly lead to head-scratching (in my case it did, anyway).
The docs on setting up OpenLDAP: https://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html

It says to add the following to slapd.conf:

    security ssf=128
    TLSCertificateFile /path/to/your/cert.crt
    TLSCertificateKeyFile /path/to/your/cert.key
    TLSCACertificateFile /path/to/your/cacert.crt

Then later on the page it gives the openssl commands to create cert.crt, cert.csr, and cert.key. Note: the openssl commands given do NOT create a "cacert.crt". However, the document does mention that "cert.crt and cacert.crt are the same file". Following the instructions verbatim will leave no cacert.crt file, and with the suggested additions to slapd.conf above, slapd will fail to start with no errors given.

I was able to find the error by running:

    /usr/local/libexec/slapd -d -1 -u ldap -g ldap

The output at the very end suggests it can't find "cacert.crt".

To solve the problem I just changed the last line of the suggested additions to slapd.conf (TLSCACertificateFile) to be /path/to/your/cert.crt instead of /path/to/your/cacert.crt.

I'm not sure whether the public would be better served by changing the suggested lines (the last line, for TLSCACertificateFile) as I did, or by adding a note that you need to copy cert.crt to cacert.crt. Whichever would be "more correct".

Thanks a *HUGE* amount for all the work you folks do on the handbook/documentation. It is all very much appreciated!

Jay West, President
EZwind.net
11 The Pines Court, Suite B
Chesterfield, MO 63141
P: 314-781-1800
F: 314-558-9284
E: jwest@ezwind.net
W: www.ezwind.net
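The failure mode described in the message (slapd exits silently because one of the TLS*File paths in slapd.conf does not exist) is easy to catch before starting the daemon. The following pre-flight check is an added example and is not part of the original message or of the FreeBSD article; it assumes the slapd.conf path is passed as the first argument and that the three directives are written unquoted, one per line, as the article shows. It reports each of TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile as set/unset and readable/missing, and returns the number of missing files, so a non-zero exit means slapd would refuse to start.

```shell
#!/bin/sh
# Pre-flight check for the TLS file directives in slapd.conf.
# Example code, not from the FreeBSD article: it only inspects the three
# file directives the article tells the reader to add, and assumes
# unquoted paths (no spaces), one directive per line.

check_slapd_tls_files() {
    conf="$1"
    missing=0
    for directive in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        # First whitespace-separated field is the directive, second is the path.
        path=$(awk -v d="$directive" '$1 == d { print $2 }' "$conf")
        if [ -z "$path" ]; then
            echo "$directive: not set"
            continue
        fi
        if [ -r "$path" ]; then
            echo "$directive: $path ok"
        else
            # This is the case from the message: cacert.crt was never created.
            echo "$directive: $path MISSING (slapd will refuse to start)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone demonstration on a constructed scratch config that reproduces
# the situation in the message: cert.crt and cert.key exist, cacert.crt does not.
demo_dir=$(mktemp -d)
printf 'constructed placeholder, not a real certificate\n' > "$demo_dir/cert.crt"
printf 'constructed placeholder, not a real key\n' > "$demo_dir/cert.key"
cat > "$demo_dir/slapd.conf" <<EOF
security ssf=128
TLSCertificateFile $demo_dir/cert.crt
TLSCertificateKeyFile $demo_dir/cert.key
TLSCACertificateFile $demo_dir/cacert.crt
EOF

if check_slapd_tls_files "$demo_dir/slapd.conf"; then
    echo "all TLS files present"
else
    echo "$? TLS file(s) missing; fix slapd.conf or create the file"
fi

# Either remedy from the message makes the check pass: copy cert.crt to
# cacert.crt, or point TLSCACertificateFile at cert.crt. Here we copy.
cp "$demo_dir/cert.crt" "$demo_dir/cacert.crt"
check_slapd_tls_files "$demo_dir/slapd.conf" && echo "all TLS files present after fix"
rm -rf "$demo_dir"
```

Run it as `sh check_tls.sh /usr/local/etc/openldap/slapd.conf` (path assumed) before `service slapd start`; a readable-file check does not prove the certificate and key match, so the `slapd -d -1` run from the message remains the definitive diagnostic.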