I have read through all of the docs and am having trouble setting up openldap to use starttls.
How do I configure OpenLDAP (command line tool) to use Start TLS?
Thanks, John
--On Thursday, April 15, 2010 12:06 PM -0700 john espiro john_espiro@yahoo.com wrote:
> I have read through all of the docs and am having trouble setting up openldap to use starttls.
> How do I configure OpenLDAP (command line tool) to use Start TLS?
man ldapsearch
Look at the -Z[Z] option description.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Is /etc/ldap.conf an openldap file?
John
From: Quanah Gibson-Mount quanah@zimbra.com
To: john espiro john_espiro@yahoo.com; openldap-software@openldap.org
Sent: Fri, April 16, 2010 12:22:52 AM
Subject: Re: Help with openldap and starttls
--On Thursday, April 15, 2010 3:34 PM -0700 john espiro john_espiro@yahoo.com wrote:
> Is /etc/ldap.conf an openldap file?
It depends on your system. On most, it is not. Usually, it is /etc/openldap/ldap.conf or /etc/ldap/ldap.conf. /etc/ldap.conf is most often for nss_ldap/pam_ldap, which uses entirely different options. This has been covered on the list many times.
--Quanah
Ok - this is actually very helpful...
So I think I have just one set of remaining questions:
1) In /etc/openldap/ldap.conf, I currently have: URI ldapi://127.0.0.1/
What value should I have there? Do I need the server name such as: URI ldapi://mydomain.com/
2) what command line parameters do I want to run openldap with? Currently mine is running with: /usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636
It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?
--On Thursday, April 15, 2010 3:55 PM -0700 john espiro john_espiro@yahoo.com wrote:
> Ok - this is actually very helpful...
> So I think I have just one set of remaining questions:
> - In /etc/openldap/ldap.conf, I currently have:
> URI ldapi://127.0.0.1/
This says the clients should default to using the ldapi:/// socket. Compare that to the options you are providing to slapd, to see if you think this will work.
> - what command line parameters do I want to run openldap with?
> Currently mine is running with: /usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636
> It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?
It's up to you. Some old pieces of software don't support startTLS. Some poorly written modern pieces of software don't support it either.
--Quanah
On Thu, 15 Apr 2010, john espiro wrote:
> - In /etc/openldap/ldap.conf, I currently have:
> URI ldapi://127.0.0.1/
> What value should I have there? Do I need the server name such as: URI ldapi://mydomain.com/
Basically, whatever you run slapd's listeners on is what your clients should be directed to.
Note that ldapi is for IPC. Technically there's nothing stopping you from using a dotted quad or a DNS label as the name for your domain socket, but I'd consider it pretty confusing to a casual observer and therefore poor practice.
This also raises the question of why you would incur the overhead of TLS over a mechanism with inherently secure transport, but who am I to question such things...
> - what command line parameters do I want to run openldap with?
> Currently mine is running with: /usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636
Well, your listeners need to be wherever your client is going. If you're going to set your client to ldapi://blah/, you need slapd listening on ldapi://blah/. If you want to use Start TLS on port 389, then a ldap: listener would be appropriate.
> It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?
A standard configuration for Start TLS usage would be a ldap: listener running on port 389. If you are never going to use implicit SSL, then dropping all listeners with the ldaps: scheme is appropriate. Whether you bind to loopback or a network-facing address (with ldap:/ldaps: schemes) or IPC (with ldapi: scheme) is a local decision. Just make sure that slapd and your clients match.
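As an added example (not part of the thread and not OpenLDAP's own code), a small shell check of the rule this reply states: the URI clients read from ldap.conf must match one of slapd's -h listeners, and StartTLS is negotiated on the ldap: scheme, not ldaps:. The listener list and client URI used at the bottom are the values quoted in the thread; the function names are this example's own.

```shell
# Added example, not from the thread: check that the URI clients get from ldap.conf
# matches one of slapd's -h listeners, and pick the listener StartTLS clients must use.
# Scheme of an LDAP URI: ldap, ldaps or ldapi.
uri_scheme() {
    printf '%s\n' "$1" | sed 's#:.*##'
}

# host:port of an ldap:/ldaps: URI with the default port (389/636) filled in;
# for ldapi: the (usually %2F-encoded) socket path is returned unchanged.
uri_hostport() {
    hp=$(printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#/.*##')
    case "$(uri_scheme "$1")" in
        ldapi) printf '%s\n' "$hp" ;;
        ldaps) case "$hp" in *:*) printf '%s\n' "$hp" ;; *) printf '%s:636\n' "$hp" ;; esac ;;
        *)     case "$hp" in *:*) printf '%s\n' "$hp" ;; *) printf '%s:389\n' "$hp" ;; esac ;;
    esac
}

# StartTLS is negotiated on a plain ldap: listener, never on ldaps: (implicit SSL),
# so print slapd's ldap: URI for the client, or fail if slapd has none.
starttls_client_uri() {
    for l in $1; do
        [ "$(uri_scheme "$l")" = ldap ] && { printf '%s\n' "$l"; return 0; }
    done
    echo "no ldap: listener in '$1': StartTLS is not possible" >&2
    return 1
}

# Succeed only if the client URI has a slapd listener with the same scheme and
# host:port. An ldapi: URI carrying a host name is flagged: it is a local socket.
client_matches_listener() {
    uri=$1
    if [ "$(uri_scheme "$uri")" = ldapi ]; then
        case "$(uri_hostport "$uri")" in
            *%*) ;;
            *.*) echo "warning: '$uri' names a local socket after a host" >&2 ;;
        esac
    fi
    for l in $2; do
        [ "$(uri_scheme "$l")" = "$(uri_scheme "$uri")" ] &&
        [ "$(uri_hostport "$l")" = "$(uri_hostport "$uri")" ] && return 0
    done
    return 1
}

# The listeners and client URI quoted in the thread.
LISTENERS="ldap://127.0.0.1:389 ldaps://127.0.0.1:636"
client_matches_listener "ldapi://127.0.0.1/" "$LISTENERS" || echo "mismatch: ldap.conf points at ldapi://127.0.0.1/, slapd listens on: $LISTENERS"
echo "StartTLS check: ldapsearch -ZZ -x -b '' -s base -H $(starttls_client_uri "$LISTENERS")"
```

With the thread's values the script reports the mismatch (clients default to an ldapi: socket while slapd only listens on ldap:/ldaps:) and prints the ldapsearch -ZZ line that exercises StartTLS against the ldap: listener.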