Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 4 Nov 2019 19:25:08 +0000
From:      Norman Gray <Norman.Gray@glasgow.ac.uk>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: openldap and letsencrypt
Message-ID:  <AA121728-5335-4CDE-8F3D-A381951F0112@glasgow.ac.uk>
In-Reply-To: <20191104125934.00007f9a@seibercom.net>
References:  <20191104071911.00005546@seibercom.net> <14a9c556-dbe6-c5f9-a02f-26fba1bce6f5@FreeBSD.org> <20191104125934.00007f9a@seibercom.net>

next in thread | previous in thread | raw e-mail | index | archive | help

Jerry, hello.

On 4 Nov 2019, at 17:59, Jerry wrote:

> I can get it up and running, but no one can connect to it. Did you
> make any changes to the rc.conf entries? Mine are as shown in the rc.d
> 'slapd' script:
>
> # Slapd
> slapd_enable=3D"YES"
> slapd_flags=3D'-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/
> ldap://0.0.0.0/"'
> slapd_sockets=3D"/var/run/openldap/ldapi"
>
> I have to figure out how to turn on logging. I am working on that now.

Things to try:

   * check olcSecurity and olcLocalSSF in your cn=3Dconfig configuration
(see snippet from my config below).
   * set olcLogLevel in the same stanza (see Sect. 6.2.1.5 of
https://www.openldap.org/doc/admin24/slapdconfig.htm); set this in
slapd.ldif or dynamically using ldapmodify; setting this to -1 produces
_lots_ of logging data to /var/log/debug.log
   * Even if you plan to support only StartTLS, configure the server to
support LDAPS during testing, because then...
   * ...you can try connecting to the server with `openssl s_client
-connect ldap.example.com:636 -showcerts </dev/null` to see chatter
about certificates

Certificate problems are rather hard to track down, in my experience,
because errors here tend to appear in the logs (even with olcLogLevel =3D
-1) as not much more than 'no!'.

Have fun...

Norman




olcSecurity: ssf=3D128
#
# Set the nominal security factor of local connections.
# This has to be higher than olcSecurity.
olcLocalSSF: 256
#
# TLS setup.
# See OpenLDAP manual Chapter 16 for documentation of the following.
olcTLSCertificateFile: @etcdir@/certs/@HOSTCERTFILE@
olcTLSCertificateKeyFile: @etcdir@/certs/@HOSTKEYFILE@
olcTLSCACertificateFile: @etcdir@/certs/identity-server-ca.crt


--=20
Norman Gray  :  https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AA121728-5335-4CDE-8F3D-A381951F0112>