[Date Prev][Date Next]
Re: Help with openldap and starttls
On Thu, 15 Apr 2010, john espiro wrote:
1) In /etc/openldap/ldap.conf, I currently have:
What value should I have there? Do I need the server name such as:
Basically, whatever you run slapd's listeners on is what your clients
should be directed to.
Note that ldapi is for IPC. Technically there's nothing stopping you from
using a dotted quad or a DNS label as the name for your domain socket, but
I'd consider it pretty confusing to a casual observer and therefore poor
This also raises the question of why you would incur the overhead of TLS
over a mechanism with inherently secure transport, but who am I to
question such things...
2) what command line parameters do I want to run openldap with?
Currently mine is running with:
/usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636
Well, your listeners need to be wherever your client is going. If you're
going to set your client to ldapi://blah/, you need slapd listening on
ldapi://blah/. If you want to use Start TLS on port 389, then a ldap:
listener would be appropriate.
It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?
A standard configuration for Start TLS usage would be a ldap: listener
running on port 389. If you are never going to use implicit SSL, then
dropping all listeners with the ldaps: scheme is appropriate. Whether you
bind to loopback or a network-facing address (with ldap:/ldaps: schemes)
or IPC (with ldapi: scheme) is a local decision. Just make sure that slapd
and your clients match.