Date: Mon, 4 Nov 2019 19:25:08 +0000
From: Norman Gray <Norman.Gray@glasgow.ac.uk>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: openldap and letsencrypt
Message-ID: <AA121728-5335-4CDE-8F3D-A381951F0112@glasgow.ac.uk>
In-Reply-To: <20191104125934.00007f9a@seibercom.net>
References: <20191104071911.00005546@seibercom.net> <14a9c556-dbe6-c5f9-a02f-26fba1bce6f5@FreeBSD.org> <20191104125934.00007f9a@seibercom.net>
Jerry, hello.

On 4 Nov 2019, at 17:59, Jerry wrote:

> I can get it up and running, but no one can connect to it. Did you
> make any changes to the rc.conf entries? Mine are as shown in the rc.d
> 'slapd' script:
>
> # Slapd
> slapd_enable="YES"
> slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/
> ldap://0.0.0.0/"'
> slapd_sockets="/var/run/openldap/ldapi"
>
> I have to figure out how to turn on logging. I am working on that now.

Things to try:

* check olcSecurity and olcLocalSSF in your cn=config configuration (see snippet from my config below).

* set olcLogLevel in the same stanza (see Sect. 6.2.1.5 of https://www.openldap.org/doc/admin24/slapdconfig.htm); set this in slapd.ldif or dynamically using ldapmodify; setting this to -1 produces _lots_ of logging data to /var/log/debug.log

* Even if you plan to support only StartTLS, configure the server to support LDAPS during testing, because then...

* ...you can try connecting to the server with `openssl s_client -connect ldap.example.com:636 -showcerts </dev/null` to see chatter about certificates

Certificate problems are rather hard to track down, in my experience, because errors here tend to appear in the logs (even with olcLogLevel = -1) as not much more than 'no!'.

Have fun...

Norman

    olcSecurity: ssf=128
    #
    # Set the nominal security factor of local connections.
    # This has to be higher than olcSecurity.
    olcLocalSSF: 256
    #
    # TLS setup.
    # See OpenLDAP manual Chapter 16 for documentation of the following.
    olcTLSCertificateFile: @etcdir@/certs/@HOSTCERTFILE@
    olcTLSCertificateKeyFile: @etcdir@/certs/@HOSTKEYFILE@
    olcTLSCACertificateFile: @etcdir@/certs/identity-server-ca.crt

-- 
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
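The checks Norman lists (olcLocalSSF above the olcSecurity ssf, TLS files present, olcLogLevel set) can be scripted against a cn=config stanza. This is an added example, not code from the thread or from OpenLDAP; the LDIF below is a constructed sample modelled on the snippet above, with placeholder paths, and the default olcLocalSSF of 71 is taken from the slapd-config documentation.

```python
"""Lint a cn=config LDIF stanza for the SSF/TLS pitfalls discussed in the thread."""
import re

# Constructed sample modelled on the mail's snippet; file paths are placeholders.
SAMPLE_LDIF = """\
dn: cn=config
olcLogLevel: -1
olcSecurity: ssf=128
olcLocalSSF: 256
olcTLSCertificateFile: /usr/local/etc/openldap/certs/HOSTCERT.pem
olcTLSCertificateKeyFile: /usr/local/etc/openldap/certs/HOSTKEY.pem
olcTLSCACertificateFile: /usr/local/etc/openldap/certs/identity-server-ca.crt
"""


def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry, unfolding continuation lines."""
    unfolded = re.sub(r"\n ", "", text)  # a line starting with a space continues the previous one
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def lint(text):
    """Return a list of problems found; an empty list means the stanza passes."""
    a = parse_ldif(text)
    problems = []
    # olcSecurity is a list of key=value pairs, e.g. "ssf=128 tls=128".
    sec = dict(kv.split("=", 1) for kv in " ".join(a.get("olcSecurity", [])).split())
    ssf = int(sec.get("ssf", 0))
    local = int(a.get("olcLocalSSF", ["71"])[0])  # slapd's documented default is 71
    if ssf and local <= ssf:
        problems.append(f"olcLocalSSF={local} must exceed olcSecurity ssf={ssf}, "
                        "otherwise ldapi:// sessions cannot meet the required strength")
    if ssf and not ({"olcTLSCertificateFile", "olcTLSCertificateKeyFile"} <= a.keys()):
        problems.append("olcSecurity demands an ssf but no TLS certificate/key is configured; "
                        "TLS is the usual way for clients to satisfy it")
    if "olcLogLevel" not in a:
        problems.append("olcLogLevel is unset; set it (e.g. -1 while debugging) to see why binds fail")
    return problems
```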