Okay, sorry, I didn't pay attention to your instructions, I thought you were citing me.
"You are making things hard for yourself. If you want to edit config online via LDAP commands then use olc and use LDAP commands to edit it."

I don't have enough experience with LDAP to modify the database online with ldap commands. That's why I use slaptest -f slapd.conf -F slapd.d. This method worked previously for me on FreeBSD 12.2 and on OmniOS (the current LTS version) and is recommended by this webpage for BSD systems (I use it to implement sudo in OpenLDAP successfully): zytrax.com/books/ldap/ch6/slapd-config.html

And I just tried your solution here for /etc/rc.conf.local with the settings below, and it still doesn't work, not with chain.pem either. On every other OS on which I've successfully installed OpenLDAP with TLS, I use the fullchain.pem and it just works, by the way.

I also have this in /etc/rc.local because I've followed a guide somewhere on the web:

    if [ "$slapd_flags" != "NO" -a -x /usr/local/libexec/slapd ]; then
            echo -n ' slapd'
            install -d -o _openldap /var/run/openldap
            /usr/local/libexec/slapd $slapd_flags
    fi

My rc.conf.local now:

    # cat /etc/rc.conf.local
    pf=NO
    pkg_scripts=apache2 slapd
    slapd=YES
    slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///"

The TLS settings in my slapd.conf now:

    TLSCertificateFile /etc/openldap/certs/cert.pem
    TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
    TLSCACertificateFile /etc/openldap/certs/chain.pem
    TLSCipherSuite TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
    TLSCRLCheck none
    TLSVerifyClient never

    # netstat -na -f inet | grep LISTEN
    tcp        0      0  *.80             *.*              LISTEN
    tcp        0      0  *.443            *.*              LISTEN
    tcp        0      0  *.389            *.*              LISTEN
    tcp        0      0  *.22             *.*              LISTEN
    tcp        0      0  *.636            *.*              LISTEN
    tcp        0      0  127.0.0.1.25     *.*              LISTEN

Now, thanks to the ldapi:/// in /etc/rc.conf.local, I can run this command successfully:

    # ldapwhoami -H ldapi:// -Y EXTERNAL
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

    # ldapwhoami -H ldap://my_domain -D "cn=Manager,dc=my-domain,dc=something,dc=somewhere" -W -x
    Enter LDAP Password:
    dn:cn=Manager,dc=my-domain,dc=something,dc=somewhere

(I've replaced my real domain with something and somewhere), but it works great without the -ZZ option

    # ldapwhoami -H ldap://my_domain -D "cn=Manager,dc=my-domain,dc=something,dc=somewhere" -W -x -ZZ
    ldap_start_tls: Protocol error (2)
            additional info: unsupported extended operation

😩

________________________________
From: Stuart Henderson <s...@spacehopper.org>
Sent: Saturday, 26 June 2021 01:37
To: C. G. <idxtra...@hotmail.com>
Cc: bugs@openbsd.org <bugs@openbsd.org>
Subject: Re: Unable to make OpenLDAP work with TLS

On 2021/06/25 21:26, C. G. wrote:
> Sorry, I tried the solutions you posted,

No you didn't; I said:

"Try with chain.pem not fullchain.pem for TLSCACertificateFile. OpenLDAP's TLS config is a bit nonstandard compared to other software."

but you show another file with fullchain.pem, and

"The server will need to be set to listen to TLS connections - if the server is on OpenBSD then you probably want slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///""

and you show an rc.conf.local file with no backslashes.

> Here is my whole slapd.conf (on which I did slaptest -f slapd.conf -F slapd.d
> after having removed /etc/openldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
> and put the owner of /etc/openldap/slapd.d to openldap:openldap and
> permissions to 0750 on the folder) :

You are making things hard for yourself. If you want to edit config online via LDAP commands then use olc and use LDAP commands to edit it. If you want a standard text config file, then get rid of olc and use slapd.conf instead. Using both on an ongoing basis just causes confusion.
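A check that follows from Stuart's last point, added here as example code of my own (not from this thread or from OpenLDAP): running with both a slapd.conf and an olc tree lets the two drift apart, so this script lists the TLS* directives in slapd.conf next to the olcTLS* attributes in slapd.d/cn=config.ldif and reports whether they agree. All paths and file contents in the demo are constructed; single-line (unfolded) LDIF attributes are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: compare the TLS* directives in a text
# slapd.conf with the olcTLS* attributes in the slapd.d (olc) tree, so a stale
# or missing conversion is spotted before slapd is restarted.
# Paths and file contents below are constructed for the demo.

# Emit "TLSDirective value" lines from a slapd.conf, sorted.
tls_from_conf() {
    grep -E '^[[:space:]]*TLS[A-Za-z]+[[:space:]]' "$1" \
        | sed -E 's/^[[:space:]]*//; s/[[:space:]]+/ /' | sort
}

# Emit the same shape from slapd.d/cn=config.ldif (olcTLSFoo: v -> TLSFoo v), sorted.
tls_from_olc() {
    [ -r "$1/cn=config.ldif" ] || { echo "no cn=config.ldif under $1" >&2; return 2; }
    grep -E '^olcTLS[A-Za-z]+:' "$1/cn=config.ldif" \
        | sed -E 's/^olc(TLS[A-Za-z]+): */\1 /' | sort
}

# Return 0 if both sources agree, 1 (with both listings on stderr) if not, 2 on error.
tls_config_in_sync() {
    a=$(tls_from_conf "$1") || return 2
    b=$(tls_from_olc "$2") || return 2
    [ "$a" = "$b" ] && return 0
    printf 'TLS settings differ\n-- %s:\n%s\n-- %s:\n%s\n' "$1" "$a" "$2" "$b" >&2
    return 1
}

# Demo (constructed): slapd.conf carries TLS settings, but the olc tree was
# converted before they were added, so the running server has none of them.
demo() {
    d=$(mktemp -d) && mkdir "$d/slapd.d"
    cat > "$d/slapd.conf" <<'EOF'
TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
TLSCACertificateFile /etc/openldap/certs/chain.pem
EOF
    cat > "$d/slapd.d/cn=config.ldif" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
EOF
    rc=0; tls_config_in_sync "$d/slapd.conf" "$d/slapd.d" || rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `demo` to see the mismatch report; on a real host call `tls_config_in_sync /etc/openldap/slapd.conf /etc/openldap/slapd.d` instead.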