
Re: Help with openldap and starttls
On Thu, 15 Apr 2010, john espiro wrote:

> 1) In /etc/openldap/ldap.conf, I currently have:
> URI     ldapi://127.0.0.1/
>
> What value should I have there?  Do I need the server name such as:
> URI ldapi://mydomain.com/

Basically, whatever you run slapd's listeners on is what your clients should be directed to.

Note that ldapi is for IPC. Technically there's nothing stopping you from using a dotted quad or a DNS label as the name for your domain socket, but I'd consider it pretty confusing to a casual observer and therefore poor practice.

This also raises the question of why you would incur the overhead of TLS over a mechanism with inherently secure transport, but who am I to question such things...

> 2) what command line parameters do I want to run openldap with?
> Currently mine is running with:
>  /usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636

Well, your listeners need to be wherever your client is going. If you're going to set your client to ldapi://blah/, you need slapd listening on ldapi://blah/. If you want to use Start TLS on port 389, then a ldap: listener would be appropriate.

> It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?

A standard configuration for Start TLS usage would be a ldap: listener running on port 389. If you are never going to use implicit SSL, then dropping all listeners with the ldaps: scheme is appropriate. Whether you bind to loopback or a network-facing address (with ldap:/ldaps: schemes) or IPC (with ldapi: scheme) is a local decision. Just make sure that slapd and your clients match.
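The rule in this reply (the client URI must be served by one of slapd's listeners, ldapi: names a socket rather than an address, and an ldaps: listener is dead weight for a Start TLS client) as an added consistency check. This is not code from the thread or from OpenLDAP; the function names are mine and the sample URIs are constructed.

```python
"""Consistency check between an OpenLDAP client URI (ldap.conf) and slapd's
listeners (the -h argument). Added example, not from the thread; the function
names are my own and the sample values are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_uri(uri):
    """Return (scheme, where, port). For ldap:/ldaps: 'where' is a lower-cased
    host ('' when slapd binds every interface, as in ldap:///) and the port is
    defaulted. For ldapi: 'where' is the percent-encoded socket path ('' means
    the compiled-in default) and port is None."""
    u = urlsplit(uri.strip())
    scheme = u.scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"unsupported scheme in {uri!r}")
    if scheme == "ldapi":
        return (scheme, u.netloc, None)
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS[scheme])


def listener_serves(listener, client):
    """True when a client configured with `client` reaches `listener`."""
    ls, lw, lp = listener
    cs, cw, cp = client
    if ls != cs or lp != cp:
        return False
    return lw == cw or (ls != "ldapi" and lw == "")  # '' host = all interfaces


def check_client_against_listeners(listeners, client_uri, use_starttls):
    """listeners: the space-separated URI list given to slapd -h.
    Returns a list of findings; an empty list means the setup is consistent."""
    served = [parse_uri(u) for u in listeners.split()]
    client = parse_uri(client_uri)
    scheme, where, _ = client
    findings = []
    if not any(listener_serves(l, client) for l in served):
        findings.append(f"no slapd listener matches client URI {client_uri}")
    if scheme == "ldapi" and where and not where.lower().startswith("%2f"):
        # ldapi: names a Unix socket; an address-looking name is legal but confusing
        findings.append(f"ldapi: {where!r} is a socket file name, not a network address")
    if use_starttls:
        if scheme == "ldapi":
            findings.append("Start TLS over ldapi: layers TLS on a transport that is already local-only")
        elif scheme == "ldaps":
            findings.append("ldaps: is implicit SSL; Start TLS upgrades a plain ldap: session in-band")
        if any(s == "ldaps" for s, _, _ in served):
            findings.append("ldaps: listener is unused by a Start TLS client; drop it if implicit SSL is never needed")
    return findings
```

Running it against the poster's values (ldapi: client, ldap: plus ldaps: listeners, Start TLS intended) reports every mismatch the reply points out; a client on ldap://127.0.0.1/ with a single ldap://127.0.0.1:389 listener comes back clean.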