From: markham breitbach <markham@ssimicro.com>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD, OpenLDAP and 2048 bits certificates
Date: Tue, 6 Sep 2016 09:07:36 -0600
Message-ID: <5b908d6a-9d36-1848-0e93-81684e667acc@ssimicro.com>

This likely just needs the CA certificate installed. I think
TLSCACERT=/path/to/my/ca.cert in /usr/local/etc/openldap/ldap.conf should
do it.

-Markham

On 2016-09-06 4:03 AM, Matthew Seaman wrote:
> On 06/09/2016 10:37, Olivier wrote:
>> I want to update the certificate I am currently using for OpenLDAP, from
>> a 1024-bit self-signed to a 2048-bit properly signed certificate.
> You mean a paid-for certificate signed by a well known CA? Given that
> with LDAP you generally have administrative control over all of the
> clients that may connect to your server, that's pretty pointless. The
> whole idea of certificate signing is that it's done by an entity that
> you can trust to identify strangers on your behalf. Which makes no
> sense if there are no 'strangers' involved.
>
>> When I do the change in OpenLDAP server, Ubuntu clients, Mac OS X
>> clients, Perl clients, PHP clients are happy. They recognize the new
>> certificate and the change is transparent.
>>
>> But it is not for FreeBSD (namely nss_ldap and pam_ldap). It looks like
>> the server part of OpenLDAP is working fine, but not the client part.
>>
>> Have you any idea what the problem could be?
> No. The FreeBSD vs. other operating systems part is not a useful
> datapoint. It's much more likely to be down to differences in the
> client-side software packages you're using. You haven't explained how
> you are using these certificates -- just to ensure connections are
> encrypted, or are you using client certificates to authenticate logins to
> the server? What configuration settings are you using? Can you try
> putting the correct settings in /usr/local/etc/openldap/ldap.conf and
> then using some of the commandline ldap clients to log in?
>
> Verb. sap. The net/nss-pam-ldapd port provides much the same
> functionality as nss_ldap and pam_ldap combined, plus it has various
> technical advantages like a local cache and it's actively maintained and
> developed. Recommended.
>
> Cheers,
>
> Matthew
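Both replies above come down to the same check: does the FreeBSD client's LDAP configuration point at the CA that issued the new server certificate, and is that file readable? The script below is an added example, not code from the thread or from the OpenLDAP, nss_ldap or pam_ldap projects. It lints a client config file for a CA-certificate keyword and, when openssl is installed, repeats the chain check the client library makes at handshake time. It assumes the ldap.conf(5) syntax, which separates keyword and value with whitespace (`TLS_CACERT /path/to/ca.crt`, no `=`); the keyword names for the nss_ldap and pam_ldap port configs (`tls_cacertfile` in /usr/local/etc/nss_ldap.conf and /usr/local/etc/ldap.conf) are from my own knowledge of those ports, not from the thread, so confirm them against the installed sample files. All paths are placeholders.

```sh
#!/bin/sh
# Added example: sanity-check an LDAP client config's CA setting and
# verify a server certificate against it.  Not part of the original post.
#
# Assumptions (not stated in the thread):
#  - OpenLDAP's ldap.conf uses "TLS_CACERT <path>" (whitespace, no '=').
#  - The nss_ldap / pam_ldap ports read their own files and use the
#    lowercase keyword "tls_cacertfile <path>".

# cacert_from_conf FILE KEYWORD
# Print the value configured for KEYWORD (case-insensitive) in FILE.
# Prints nothing if the keyword is absent.
cacert_from_conf() {
    awk -v kw="$2" '$1 !~ /^#/ && tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# check_client_conf FILE KEYWORD
# 0: keyword present and the file it names is readable
# 1: keyword missing, or written as "KEYWORD=value" (which the parser
#    does not recognise as the keyword)
# 2: keyword present but the named file is not readable
check_client_conf() {
    conf=$1
    kw=$2
    if grep -iq "^[[:space:]]*$kw=" "$conf"; then
        echo "$conf: '$kw=...' uses '=', but the config separates keyword and value with whitespace" >&2
        return 1
    fi
    ca=$(cacert_from_conf "$conf" "$kw")
    if [ -z "$ca" ]; then
        echo "$conf: $kw not set; this client will not trust the new issuer" >&2
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "$conf: $kw names '$ca', which is not readable" >&2
        return 2
    fi
    echo "$conf: $kw $ca OK"
    return 0
}

# verify_server_cert CAFILE SERVERCERT
# The same question the client library asks during the TLS handshake:
# does SERVERCERT chain to CAFILE?  Returns openssl's status, or 0
# (skipped) when openssl is not installed.
verify_server_cert() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping chain check" >&2
        return 0
    fi
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Typical use on the FreeBSD client (placeholder paths):
#   check_client_conf /usr/local/etc/openldap/ldap.conf TLS_CACERT
#   check_client_conf /usr/local/etc/nss_ldap.conf     tls_cacertfile
#   check_client_conf /usr/local/etc/ldap.conf         tls_cacertfile
#   verify_server_cert /usr/local/etc/openldap/ca.crt /path/to/server.crt
```

Once the config checks pass, exercise the client library directly rather than through nss_ldap or pam_ldap: `ldapsearch -x -ZZ -H ldap://ldap.example.com -b '' -s base` (`-ZZ` makes StartTLS failure fatal instead of silently falling back) or `openssl s_client -connect ldap.example.com:636 -CAfile /usr/local/etc/openldap/ca.crt` will show a verification error naming the untrusted issuer if the CA file is still wrong. Note that a CA file that satisfies the ldap.conf read by ldapsearch does not help nss_ldap or pam_ldap if they read a different file with their own keyword, which is the most common reason the command-line tools work while logins do not.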