I don't cover common LDAP operations, like adding users, as that's covered well elsewhere
Server (ldapserver / 10.0.2.35)
1. Create a self-signed TLS certificate
# cd /etc/ldap/certs
# openssl genrsa -out ldapserver.key 2048
# openssl req -x509 -new -key ldapserver.key -out ldapserver.crt -days 365   # enter ldapserver as the Common Name (CN) when prompted
Configure ldapd:
# touch /etc/ldapd.conf
# chmod o-r /etc/ldapd.conf
# cat /etc/ldapd.conf
schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"
listen on lo0 tls certificate ldapserver
listen on em0 tls certificate ldapserver
listen on "/var/run/ldapi"
Check your configuration:
# /usr/sbin/ldapd -n
configuration ok
Enable and start ldapd:
# rcctl enable ldapd
# rcctl start ldapd
ldapd(ok)
Copy the cert to /tmp so we can scp it from the client as a non-root user:
# cp /etc/ldap/certs/ldapserver.crt /tmp
Need to debug ldapd?
# /usr/sbin/ldapd -d -vv
# ldapctl log verbose
Client
Trust the server's certificate (scp needs a local destination, so copy first, then append):
# echo '10.0.2.35 ldapserver' >> /etc/hosts
# scp notRoot@ldapserver:/tmp/ldapserver.crt /tmp/
# cat /tmp/ldapserver.crt >> /etc/ssl/trusted.crt
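The cert travels through a world-writable /tmp and an ordinary user account, so it is worth checking what arrives before appending it to /etc/ssl/trusted.crt. The script below is an added example, not part of the original post: it recreates step 1 non-interactively (-subj replaces the CN prompt; openssl(1) on PATH and the temp paths are assumptions) and gives a check_cert function plus a fingerprint to compare on server and client.

```shell
# Added example: build the self-signed cert as in step 1, then check it
# the way a client admin should before trusting it. Assumes openssl(1).

# Non-interactive version of step 1; $1 = output directory, $2 = CN.
make_cert() {
    openssl genrsa -out "$1/ldapserver.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/ldapserver.key" -out "$1/ldapserver.crt" \
        -days 365 -subj "/CN=$2" 2>/dev/null
}

# SHA-256 fingerprint of a cert file; run on both hosts and compare the two
# values before the client appends the file to /etc/ssl/trusted.crt.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Prints "ok" when $1 verifies against itself (a genuine self-signed cert),
# has not expired, and was issued for the server name $2; otherwise prints
# which check failed. ldapsearch -ZZ will reject a cert that fails any of these.
check_cert() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || { echo bad-chain; return 0; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo expired; return 0; }
    subj=$(openssl x509 -in "$1" -noout -subject)
    case "$subj" in
        *CN*"$2"*) echo ok ;;
        *)         echo wrong-name ;;
    esac
}

# Stand-alone demo in a constructed temp dir (not the real /etc/ldap/certs).
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    make_cert "$dir" ldapserver
    echo "fingerprint: $(fingerprint "$dir/ldapserver.crt")"
    echo "check: $(check_cert "$dir/ldapserver.crt" ldapserver)"
fi
```

Run it with `sh check.sh demo` on the server, note the fingerprint, and compare it with `fingerprint /tmp/ldapserver.crt` on the client.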
Install openldap-client (this installs cyrus-sasl as well):
# pkg_add openldap-client
Configure it:
# cat /etc/openldap/ldap.conf
TLS_CACERT /etc/ssl/trusted.crt
Start saslauthd:
# rcctl enable saslauthd
# rcctl start saslauthd
saslauthd(ok)
Connect to ldapd (-ZZ issues StartTLS on the plain ldap:// port and aborts if the TLS handshake fails, so a bad or untrusted certificate never falls back to cleartext; -H specifies the URI):
# ldapsearch -H ldap://ldapserver -ZZ
SASL/PLAIN authentication started
Please enter your password:
Need to debug saslauthd?
# /usr/local/sbin/saslauthd -a getpwent -d
Need to debug OpenLDAP client?
# ldapsearch -d1 -v -ZZ
# ldapadd -d1 -v -ZZ