Help with openldap and starttls
john espiro
2010-04-15 19:06:48 UTC
I have read through all of the docs and am having trouble setting up openldap to use starttls.

How do I configure OpenLDAP (command line tool) to use Start TLS?

Thanks,
John
Quanah Gibson-Mount
2010-04-15 22:22:52 UTC
--On Thursday, April 15, 2010 12:06 PM -0700 john espiro
Post by john espiro
> I have read through all of the docs and am having trouble setting up
> openldap to use starttls.
> How do I configure OpenLDAP (command line tool) to use Start TLS?
man ldapsearch

Look at the -Z[Z] option description.

--Quanah
--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount
2010-04-15 22:45:03 UTC
--On Thursday, April 15, 2010 3:34 PM -0700 john espiro
> Is /etc/ldap.conf an openldap file?
It depends on your system. On most, it is not. Usually, it is
/etc/openldap/ldap.conf or /etc/ldap/ldap.conf. /etc/ldap.conf is most
often for nss_ldap/pam_ldap, which uses entirely different options. This
has been covered on the list many times.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount
2010-04-15 22:58:12 UTC
--On Thursday, April 15, 2010 3:55 PM -0700 john espiro
> Ok - this is actually very helpful...
> URI ldapi://127.0.0.1/
This says the clients should default to using the ldapi:/// socket.
Compare that to the options you are providing to slapd, to see if you think
this will work.
> 2) what command line parameters do I want to run openldap with?
> /usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636
> It seems I should at least be removing the *:636 part since it will be
> using STARTTLS, correct?
It's up to you. Some old pieces of software don't support startTLS. Some
poorly written modern pieces of software don't support it either.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
john espiro
2010-04-15 22:55:37 UTC
Ok - this is actually very helpful...

So I think I have just one set of remaining questions:

1) In /etc/openldap/ldap.conf, I currently have:
URI ldapi://127.0.0.1/

What value should I have there? Do I need the server name such as:
URI ldapi://mydomain.com/

2) what command line parameters do I want to run openldap with?
Currently mine is running with:
/usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636

It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?

Aaron Richton
2010-04-16 11:38:26 UTC
> URI     ldapi://127.0.0.1/
> URI ldapi://mydomain.com/
Basically, whatever you run slapd's listeners on is what your clients
should be directed to.

Note that ldapi is for IPC. Technically there's nothing stopping you from
using a dotted quad or a DNS label as the name for your domain socket, but
I'd consider it pretty confusing to a casual observer and therefore poor
practice.

This also raises the question of why you would incur the overhead of TLS
over a mechanism with inherently secure transport, but who am I to
question such things...
> 2) what command line parameters do I want to run openldap with?
> /usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636
Well, your listeners need to be wherever your client is going. If you're
going to set your client to ldapi://blah/, you need slapd listening on
ldapi://blah/. If you want to use Start TLS on port 389, then a ldap:
listener would be appropriate.
> It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?
A standard configuration for Start TLS usage would be a ldap: listener
running on port 389. If you are never going to use implicit SSL, then
dropping all listeners with the ldaps: scheme is appropriate. Whether you
bind to loopback or a network-facing address (with ldap:/ldaps: schemes)
or IPC (with ldapi: scheme) is a local decision. Just make sure that slapd
and your clients match.

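As an added example (not from the thread or from OpenLDAP itself), a small POSIX sh check that applies the "slapd and your clients must match" rule above: it reduces the client URI from ldap.conf and each slapd -h listener to scheme and host, reports whether one serves the other, and says whether Start TLS (ldapsearch -ZZ) applies to that scheme. The function names are assumptions; the listener strings are the thread's own loopback examples.

```shell
#!/bin/sh
# Added example, not from the thread: check that a client URI (ldap.conf "URI")
# is served by one of slapd's -h listeners, and whether Start TLS applies to it.
# Function names are assumptions; listener strings below are the thread's own.

# Reduce a URI to "scheme host", dropping port and path, so that
# "ldap://127.0.0.1/" and "ldap://127.0.0.1:389" compare equal.
uri_key() {
    scheme=${1%%://*}
    rest=${1#*://}
    host=${rest%%/*}   # drop socket path / trailing slash
    host=${host%%:*}   # drop port
    printf '%s %s\n' "$scheme" "$host"
}

# starttls_verdict CLIENT_URI "LISTENER ..." prints one of:
#   ok            an ldap: listener serves the client; ldapsearch -ZZ will work
#   implicit-tls  an ldaps: listener serves it; TLS is already on, Start TLS is not used
#   ipc           an ldapi: listener serves it; TLS over a local socket is only overhead
#   mismatch      no listener serves the client URI (returns 1)
starttls_verdict() {
    client=$(uri_key "$1")
    for listener in $2; do
        if [ "$(uri_key "$listener")" = "$client" ]; then
            case "${client%% *}" in
                ldap)  echo ok ;;
                ldaps) echo implicit-tls ;;
                ldapi) echo ipc ;;
                *)     echo mismatch; return 1 ;;
            esac
            return 0
        fi
    done
    echo mismatch
    return 1
}

# The setup from the thread: the client defaults to ldapi://127.0.0.1/ while
# slapd only listens on ldap: and ldaps:, so nothing serves the client.
starttls_verdict 'ldapi://127.0.0.1/' 'ldap://127.0.0.1:389 ldaps://127.0.0.1:636' || true

# With URI ldap://127.0.0.1/ in ldap.conf the client reaches the port 389
# listener, and Start TLS can be required on every connection:
#   ldapsearch -ZZ -x -H ldap://127.0.0.1/ -b '' -s base
# -ZZ makes the tool fail rather than continue in clear text if Start TLS fails.
starttls_verdict 'ldap://127.0.0.1/' 'ldap://127.0.0.1:389 ldaps://127.0.0.1:636'
```

The check is deliberately only scheme and host: the client side never names a port for ldapi:, and ldap.conf's TLS_CACERT / TLS_REQCERT still have to be set for -ZZ to verify the server certificate.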
john espiro
2010-04-15 22:34:27 UTC
Is /etc/ldap.conf an openldap file?

John