openldap and letsencrypt

Norman Gray Norman.Gray at glasgow.ac.uk
Mon Nov 4 19:25:11 UTC 2019


Jerry, hello.

On 4 Nov 2019, at 17:59, Jerry wrote:

> I can get it up and running, but no one can connect to it. Did you
> make any changes to the rc.conf entries? Mine are as shown in the rc.d
> 'slapd' script:
>
> # Slapd
> slapd_enable="YES"
> slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/
> ldap://0.0.0.0/"'
> slapd_sockets="/var/run/openldap/ldapi"
>
> I have to figure out how to turn on logging. I am working on that now.

Things to try:

   * check olcSecurity and olcLocalSSF in your cn=config configuration
(see snippet from my config below).
   * set olcLogLevel in the same stanza (see Sect. 6.2.1.5 of
https://www.openldap.org/doc/admin24/slapdconfig.htm); set this in
slapd.ldif or dynamically using ldapmodify; setting this to -1 produces
_lots_ of logging data to /var/log/debug.log
   * Even if you plan to support only StartTLS, configure the server to
support LDAPS during testing, because then...
   * ...you can try connecting to the server with `openssl s_client
-connect ldap.example.com:636 -showcerts </dev/null` to see chatter
about certificates

Certificate problems are rather hard to track down, in my experience,
because errors here tend to appear in the logs (even with olcLogLevel =
-1) as not much more than 'no!'.

Have fun...

Norman

olcSecurity: ssf=128
#
# Set the nominal security factor of local connections.
# This has to be higher than olcSecurity.
olcLocalSSF: 256
#
# TLS setup.
# See OpenLDAP manual Chapter 16 for documentation of the following.
olcTLSCertificateFile: @etcdir@/certs/@HOSTCERTFILE@
olcTLSCertificateKeyFile: @etcdir@/certs/@HOSTKEYFILE@
olcTLSCACertificateFile: @etcdir@/certs/identity-server-ca.crt


-- 
Norman Gray  :  https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
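Added example, not part of the message above or of OpenLDAP: an offline model of the three things the reply points at (the ldapi URL encoding in slapd_flags, the olcSecurity / olcLocalSSF admission rule, and the olcLogLevel ldapmodify), plus a parser for the `openssl s_client -showcerts` chatter it suggests collecting. It contacts no server; the s_client transcript is constructed. Assumptions are labelled in the code: that slapd credits a TLS session with an SSF equal to the negotiated cipher's key length in bits, that ldapi:// connections get olcLocalSSF, and that a plain ldap:// connection without TLS has SSF 0. Which file the missing intermediate belongs in depends on the TLS library slapd was built against, so the finding only reports that it was not sent.

```python
"""Offline model of the slapd settings and the s_client check from the reply.
Added example, not part of the mailing-list message or of OpenLDAP.  It does
not contact a live slapd; the s_client transcript below is constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import quote


def ldapi_url(socket_path: str) -> str:
    """Percent-encode a Unix socket path into the ldapi:// URL slapd_flags uses,
    so the path's slashes are not read as URL separators (lower-case hex, as in
    the quoted rc.conf)."""
    return "ldapi://" + quote(socket_path, safe="").replace("%2F", "%2f") + "/"


# Symmetric key bits of common ciphers.  Assumption: slapd reports this as the
# connection's tls ssf.
CIPHER_KEY_BITS: Dict[str, int] = {
    "TLS_AES_256_GCM_SHA384": 256,
    "TLS_AES_128_GCM_SHA256": 128,
    "ECDHE-RSA-AES256-GCM-SHA384": 256,
    "ECDHE-RSA-AES128-GCM-SHA256": 128,
}


def connection_ssf(scheme: str, cipher: Optional[str], local_ssf: int = 256) -> int:
    """SSF slapd credits to a connection (assumption): olcLocalSSF for ldapi://,
    0 for ldap:// without TLS, otherwise the cipher's key bits."""
    if scheme == "ldapi":
        return local_ssf
    if cipher is None:
        return 0
    return CIPHER_KEY_BITS.get(cipher, 0)


def admitted(scheme: str, cipher: Optional[str], required_ssf: int = 128,
             local_ssf: int = 256) -> bool:
    """Does the connection clear 'olcSecurity: ssf=<required_ssf>'?  If not,
    slapd refuses operations with 'confidentiality required'."""
    return connection_ssf(scheme, cipher, local_ssf) >= required_ssf


def loglevel_ldif(level: str = "-1") -> str:
    """LDIF for `ldapmodify -Y EXTERNAL -H ldapi:///` to change olcLogLevel at
    runtime; -1 means 'everything' and is very noisy."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: olcLogLevel\n"
            "olcLogLevel: %s\n" % level)


# Constructed `openssl s_client -connect ldap.example.com:636 -showcerts` output
# for a server that sends only its leaf certificate.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=0 CN = ldap.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIBsampleonly
-----END CERTIFICATE-----
---
SSL handshake has read 1523 bytes and written 392 bytes
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 20 (unable to get local issuer certificate)
---
"""


def parse_s_client(output: str) -> Dict[str, object]:
    """Pull the verify result, cipher and presented chain out of s_client chatter."""
    verify = re.search(r"^Verify return code: (\d+) \((.*)\)$", output, re.M)
    cipher = re.search(r"^New, .*?, Cipher is (\S+)$", output, re.M)
    return {
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_msg": verify.group(2) if verify else None,
        "cipher": cipher.group(1) if cipher else None,
        "chain_subjects": re.findall(r"^ *\d+ s:(.*)$", output, re.M),
        "chain_issuers": re.findall(r"^ +i:(.*)$", output, re.M),
    }


def diagnose(output: str, required_ssf: int = 128) -> List[str]:
    """Turn the parsed transcript into the findings a human would otherwise
    have to spot by eye."""
    f = parse_s_client(output)
    findings: List[str] = []
    if f["verify_code"] != 0:
        findings.append("verify failed: %s" % f["verify_msg"])
    subjects, issuers = f["chain_subjects"], f["chain_issuers"]
    if len(subjects) == 1 and issuers and subjects[0] != issuers[0]:
        findings.append("server sent only the leaf certificate; its issuer "
                        "(the intermediate) is missing from the served chain")
    if f["cipher"] and not admitted("ldap", f["cipher"], required_ssf):
        findings.append("cipher %s gives SSF below %d" % (f["cipher"], required_ssf))
    return findings


if __name__ == "__main__":
    print(ldapi_url("/var/run/openldap/ldapi"))
    for scheme, cipher in [("ldapi", None), ("ldap", None),
                           ("ldap", "TLS_AES_128_GCM_SHA256")]:
        print(scheme, cipher, "admitted" if admitted(scheme, cipher) else "refused")
    print(loglevel_ldif())
    for line in diagnose(SAMPLE_S_CLIENT):
        print("-", line)
```

Run it as-is to see the model: with olcSecurity ssf=128 and olcLocalSSF 256, the ldapi:// socket is admitted, a plain ldap://0.0.0.0/ client without StartTLS is refused, and an AES-128 TLS session just clears the bar. Feed real `openssl s_client` output to diagnose() in place of the constructed sample.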

