mathie+uk-freebsd-users at wossname.org.uk
Thu Oct 24 10:41:10 BST 2002
On Fri, Oct 18, 2002 at 04:20:32PM +0100, Rodney Edwards wrote:
> Has anyone got openldap using TLS/SSL on FreeBSD4.6 working.
OK, the following is from the LDAP server I have running on *cough*
Debian *cough* but I guess the principle should be the same. Getting an
LDAP server running on FreeBSD 4.7 is this weekend's task, funnily
> I've installed
> openldap2 and openssl from ports and my slapd.conf is as the man page says.
> I've self signed my certificates and they have tested o.k. on Apache, but
> when using them with openldap it starts up asks you for the pass but just
> doesn't use TLS/SSL.
Are you telling slapd to listen for SSL connections? It certainly
didn't do it for me by default. I have the following to start it:
slapd -h "ldap:/// ldaps:///"
Though thinking about it now, that's probably just to get it to listen
on the SSL-wrapped socket. The regular LDAP socket with starttls might
work without it. I'm not about to break my LDAP server to try it.
The slapd.conf wotsits are pretty straightforward:
The major stumbling block I had was that the Common Name in the SSL
certificate *must* match the name you use in the URI. For example,
the Common Name in my certificate is ldap.wossname.org.uk. The URI I use
to connect to the LDAP server is:
ldapsearch -H ldaps://ldap.wossname.org.uk/
ldapsearch -H ldap://ldap.wossname.org.uk/ -ZZ
should also work.
Add SASL authentication with GSSAPI into the mix, BTW. It makes it
*much* more fun. :-)
> Anyone got pam_ldap+nss_ldap working on FreeBSD4.x?
That's for this weekend too. Probably with a dod of Kerberos in the mix
for good measure. :-)
It's a MUST in the RFC IIRC.
Right now, there are scr1pt k1dd13s plotting to DDoS my network, my co-lo
server is not responding to pings and the people that I IRC with may be
involved in both. I'm sysadmin Graeme Mathieson and this is the longest
day of my life. http://www.wossname.org.uk/~mathie/
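The two failure modes this reply turns on can be checked offline: whether `slapd -h` was given an `ldaps:///` listener at all, and whether the certificate's name matches the host in the client's `-H` URI. The script below is an added example, not code from the original post or from OpenLDAP; it models `ldapsearch -ZZ` as StartTLS on the `ldap://` listener (which is how OpenLDAP behaves), uses a simplified RFC 6125 name-matching rule (assumption: no public-suffix list, so only a bare `*.tld` wildcard is rejected), and the certificate names it feeds in are constructed, with `ldap.wossname.org.uk` taken from the post.

```python
# Added example (not from the original post): an offline model of the two
# checks the reply turns on, which listeners `slapd -h` exposes and whether
# the certificate's names match the host in the client's -H URI.
# Hostname matching is a simplified RFC 6125 rule (assumption: no public
# suffix list, so only a bare "*.tld" wildcard is rejected).
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Default ports for the URI schemes an OpenLDAP client accepts with -H.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_slapd_listeners(h_arg: str) -> set[str]:
    """Return the URI schemes slapd will listen on for a given `-h` value,
    e.g. 'ldap:/// ldaps:///' -> {'ldap', 'ldaps'}."""
    schemes = set()
    for url in h_arg.split():
        scheme = urlsplit(url).scheme.lower()
        if scheme not in ("ldap", "ldaps", "ldapi"):
            raise ValueError(f"unsupported listener URL: {url!r}")
        schemes.add(scheme)
    return schemes


def parse_ldap_uri(uri: str) -> tuple[str, str | None, int]:
    """Split a client URI into (scheme, host, port), filling in the
    scheme's default port when none is given."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an ldap:// or ldaps:// URI: {uri!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host: exact (case-insensitive)
    match, or a single '*' standing in for the whole leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:  # reject "*.uk" style wildcards
        return False
    # The wildcard covers exactly one label, so the label counts must agree.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(subject_cn: str, san_dns: tuple[str, ...], host: str) -> bool:
    """dNSName SANs are authoritative when present; the subject CN is only
    consulted as a fallback for certificates that carry no SAN at all."""
    names = san_dns if san_dns else (subject_cn,)
    return any(dns_name_matches(n, host) for n in names)


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_client(slapd_h: str, uri: str, require_starttls: bool,
                 subject_cn: str, san_dns: tuple[str, ...] = ()) -> Verdict:
    """Predict whether `ldapsearch -H <uri> [-ZZ]` can reach a TLS-protected
    slapd started with `slapd -h <slapd_h>` that presents the given names.
    `require_starttls` models ldapsearch's -ZZ (StartTLS must succeed)."""
    listeners = parse_slapd_listeners(slapd_h)
    scheme, host, port = parse_ldap_uri(uri)
    if scheme not in listeners:
        return Verdict(False, f"slapd has no {scheme}:// listener; add it to -h")
    if scheme == "ldaps" or require_starttls:
        if host is None:
            return Verdict(False, "TLS needs a hostname in the URI to verify against")
        if not cert_matches_host(subject_cn, san_dns, host):
            return Verdict(False, f"certificate names do not match {host}")
        mode = "ldaps wrapper" if scheme == "ldaps" else "StartTLS on the ldap:// listener"
        return Verdict(True, f"TLS via {mode} to {host}:{port}")
    return Verdict(True, f"plaintext LDAP to {host}:{port}; no TLS was requested")


if __name__ == "__main__":
    # Constructed certificate names; the post's server certificate is not shown.
    for args in [
        ("ldap:///", "ldaps://ldap.wossname.org.uk/", False, "ldap.wossname.org.uk"),
        ("ldap:/// ldaps:///", "ldaps://ldap.wossname.org.uk/", False, "mail.wossname.org.uk"),
        ("ldap:/// ldaps:///", "ldaps://ldap.wossname.org.uk/", False, "ldap.wossname.org.uk"),
        ("ldap:/// ldaps:///", "ldap://ldap.wossname.org.uk/", True, "ldap.wossname.org.uk"),
    ]:
        print(args[1], "->", check_client(*args))
```

The first case in the demo loop is the situation the reply describes (no `ldaps:///` in `-h`), the second is the Common Name mismatch, and the last shows why `ldapsearch -H ldap://... -ZZ` works against the plain listener once TLS is configured: StartTLS is negotiated inside the existing `ldap://` connection rather than needing a separate wrapped socket.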