First, thanks to all who contributed to this discussion. I much appreciate this help. I now have a working environment, and wanted to share how I got there (for others who will follow).
The documentation in https://www.openldap.org/doc/admin26/quickstart.html is great, and can be followed completely, except that between steps 8 and 9 you'll need to manually create two needed directories:
mkdir /usr/local/etc/slapd.d
mkdir /usr/local/var/openldap-data
The TLS instructions at https://www.openldap.org/doc/admin26/tls.html are misleading, as they describe use of slapd.conf, while we should be using the slapd.d directory and the 'olcTLS...' form of the parameters. While 'man slapd' states that both the slapd config file and the slapd config directory can be specified at the same time, this did not work in my testing. All of the hours that I spent trying to figure out how to enable use of TLS could have been saved by use of the instructions below:
1. Create, if needed, a server certificate / private key pair for the openldap server.
(I was able to use the certificate generated by the following command; nothing special regarding CA:False was needed)
/etc/ssl/private # openssl req -nodes -new -x509 -keyout server.key -out server.cert . . .
2. Add the lines below the "# TLS parameters" comment at the end of the 'dn: cn=config' section of /usr/local/etc/openldap/slapd.ldif (I specified use of some currently-strong TLS ciphers, as, by default, many weak ciphers will also be used):
ldpdd042:/usr/local/etc/openldap # cat slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /usr/local/var/run/slapd.args
olcPidFile: /usr/local/var/run/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
# TLS parameters
olcTLSCertificateFile: /etc/ssl/private/server.cert
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
olcTLSCipherSuite: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
3. Remove the existing slapd configuration: rm /usr/local/etc/slapd.d/*
4. Stop the existing slapd daemon
ps -ef | grep slapd
kill nnnn
5. Re-create the openldap environment, using the updated slapd.ldif
/usr/local/sbin/slapadd -n 0 -F /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif
6. Start the slapd daemon for both ldap (TCP port 389 by default) and ldaps (port 636 by default)
/usr/local/libexec/slapd -F /usr/local/etc/slapd.d -h "ldap:/// ldaps:///"
7. Verify that the slapd process is running
ps -ef | grep slapd
tail /var/log/messages
I found use of ldapmodify to be problematic regarding authentication, so opted to just delete the current configuration and replace it.
Please let me know of any additional suggestions. I'm happy to create a doc RFE, if some/all of what I've written would be useful.
Thanks! tl
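The following script is an added example and not part of the post above or of the OpenLDAP project. It automates the slapd.ldif part of the procedure (step 2) and the post-start checks (steps 6 and 7): it emits the olcTLS* lines for the 'dn: cn=config' entry using the cipher string from the post, refuses a cipher string that still contains legacy algorithms, and checks that the private key is not group- or world-readable before slapadd is run. The olcTLSCACertificateFile and olcTLSProtocolMin attributes are additions not mentioned in the post (both are documented in slapd-config(5); "3.3" is that page's notation for TLS 1.2); the file paths and the "localhost" target in the usage examples are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: emit the "# TLS parameters" lines
# for the dn: cn=config entry of slapd.ldif and sanity-check the inputs before
# running slapadd. The cipher string is the one from the post; the paths used
# when invoking the script are assumptions.

# Cipher string from the post: TLS 1.3 suites plus ECDHE/AES-GCM for TLS 1.2.
STRONG_CIPHERS='TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'

# render_tls_ldif CERT KEY [CAFILE]
# Prints the olcTLS* attributes in LDIF form. Paste them at the end of the
# "dn: cn=config" entry (before the blank line that terminates that entry),
# not at the end of the file, or slapadd will attach them to a different entry.
render_tls_ldif() {
    cert=$1
    key=$2
    ca=$3
    printf '# TLS parameters\n'
    printf 'olcTLSCertificateFile: %s\n' "$cert"
    printf 'olcTLSCertificateKeyFile: %s\n' "$key"
    # Optional (not in the post): the chain that issued the server certificate.
    # For a self-signed certificate this can be the certificate file itself.
    if [ -n "$ca" ]; then
        printf 'olcTLSCACertificateFile: %s\n' "$ca"
    fi
    printf 'olcTLSCipherSuite: %s\n' "$STRONG_CIPHERS"
    # Not in the post: refuse TLS 1.0/1.1. slapd-config(5) writes the minimum
    # protocol version as "3.3" for TLS 1.2.
    printf 'olcTLSProtocolMin: 3.3\n'
}

# reject_weak_ciphers CIPHERSTRING
# Returns 0 if no legacy token (RC4, DES/3DES, NULL, export, MD5) appears.
reject_weak_ciphers() {
    case "$1" in
        *RC4*|*DES*|*NULL*|*EXP*|*MD5*) return 1 ;;
    esac
    return 0
}

# check_key_file KEY
# The private key must exist and must not be group- or world-accessible;
# slapd reads it at startup and nothing else needs it.
check_key_file() {
    if [ ! -f "$1" ]; then
        echo "missing private key: $1" >&2
        return 1
    fi
    # Columns 5-10 of ls -l are the group and other permission bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "private key $1 is group/world accessible (bits: $perms)" >&2
        return 1
    fi
    return 0
}

# verify_tls_listener HOST
# Post-start checks: the ldaps listener (636) must complete a handshake and
# present the certificate, and StartTLS on the ldap listener (389) must
# succeed (-ZZ makes ldapsearch fail if StartTLS does not). Needs a running
# slapd, so it only runs when the script is invoked with "verify".
verify_tls_listener() {
    host=$1
    openssl s_client -connect "$host:636" -brief </dev/null 2>&1 | head -n 8
    ldapsearch -H "ldap://$host" -ZZ -x -b '' -s base '(objectClass=*)' namingContexts
}

case "${1:-}" in
    render)
        reject_weak_ciphers "$STRONG_CIPHERS" || exit 1
        check_key_file "$3" || exit 1
        render_tls_ldif "$2" "$3" "$4" ;;
    verify)
        verify_tls_listener "${2:-localhost}" ;;
esac
```

Usage: `sh slapd-tls.sh render /etc/ssl/private/server.cert /etc/ssl/private/server.key` prints the lines to paste into the cn=config entry (and stops with an error if the key is readable by others); after steps 5 and 6, `sh slapd-tls.sh verify localhost` exercises both the ldaps port and StartTLS on the ldap port, which is a stronger check than the `ps -ef | grep slapd` in step 7 because it proves the listener actually negotiates TLS with the configured certificate.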