On Thu, 15 Apr 2010, john espiro wrote:
> - In /etc/openldap/ldap.conf, I currently have:
> URI ldapi://127.0.0.1/
> What value should I have there? Do I need the server name such as: URI ldapi://mydomain.com/
Basically, whatever you run slapd's listeners on is what your clients should be directed to.
Note that ldapi is for IPC. Technically there's nothing stopping you from using a dotted quad or a DNS label as the name for your domain socket, but I'd consider it pretty confusing to a casual observer and therefore poor practice.
This also raises the question of why you would incur the overhead of TLS over a mechanism with inherently secure transport, but who am I to question such things...
> - what command line parameters do I want to run openldap with?
> Currently mine is running with: /usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636
Well, your listeners need to be wherever your client is going. If you're going to set your client to ldapi://blah/, you need slapd listening on ldapi://blah/. If you want to use Start TLS on port 389, then an ldap: listener would be appropriate.
> It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?
A standard configuration for Start TLS usage would be an ldap: listener running on port 389. If you are never going to use implicit SSL, then dropping all listeners with the ldaps: scheme is appropriate. Whether you bind to loopback or a network-facing address (with ldap:/ldaps: schemes) or IPC (with ldapi: scheme) is a local decision. Just make sure that slapd and your clients match.
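The matching rule above (client URI must correspond to a slapd listener, ldapi names a Unix socket rather than a host, ldaps listeners are dead weight if only Start TLS is used) can be checked mechanically. The following script is an added example, not part of this thread or of OpenLDAP; the ldap.conf text and slapd -h string it feeds in are constructed to mirror the configuration quoted above, and the socket path /var/run/ldapi is an assumed placeholder. Note that slapd's -h takes one whitespace-separated URL list, so it must be quoted in the shell.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalize(uri):
    """Return (scheme, endpoint) for an LDAP URI.
    ldap/ldaps -> host:port with the scheme's default port filled in.
    ldapi      -> the Unix socket path (percent-encoded in the URI);
                  a bare ldapi:/// means slapd's compiled-in default socket."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        return scheme, unquote(parts.netloc) or "<default>"
    if scheme in DEFAULT_PORTS:
        host = parts.hostname or "localhost"
        return scheme, f"{host}:{parts.port or DEFAULT_PORTS[scheme]}"
    raise ValueError(f"unsupported scheme in {uri!r}")


def client_uris(ldap_conf_text):
    """Collect the URIs from 'URI ...' lines of ldap.conf (a line may list several)."""
    uris = []
    for line in ldap_conf_text.splitlines():
        if line.strip().upper().startswith("URI "):
            uris.extend(line.split()[1:])
    return uris


def check(ldap_conf_text, slapd_h):
    """Compare client URIs with the slapd -h listener list.
    Returns (kind, detail) tuples: ok, missing, confusing, unused."""
    listeners = {normalize(u) for u in slapd_h.split()}
    clients = [normalize(u) for u in client_uris(ldap_conf_text)]
    findings = []
    for scheme, ep in clients:
        kind = "ok" if (scheme, ep) in listeners else "missing"
        findings.append((kind, f"{scheme}://{ep}"))
        # An IP or DNS name as an ldapi socket name is legal but misleading.
        if scheme == "ldapi" and ep != "<default>" and not ep.startswith("/"):
            findings.append(("confusing", f"ldapi socket {ep!r} looks like a network address"))
    for scheme, ep in sorted(listeners - set(clients)):
        findings.append(("unused", f"{scheme}://{ep}"))  # e.g. a spare ldaps: listener
    return findings


if __name__ == "__main__":
    # Constructed input mirroring the quoted configuration: ldapi client, ldap/ldaps listeners.
    for f in check("URI ldapi://127.0.0.1/\n", "ldap://127.0.0.1:389 ldaps://127.0.0.1:636"):
        print(*f)
```

Run against the quoted setup it reports the ldapi client URI as missing and confusing and both network listeners as unused; switching the client to ldap://127.0.0.1/ with a single ldap: listener on 389 yields only ok.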