# Openldap server and TLS



## manilaboy1vic (Feb 13, 2021)

I am having trouble getting TLS to work with openldap-server.


```
root@ldap:~ # pkg info | grep ldap
openldap-client-2.4.57         Open source LDAP client implementation
openldap-server-2.4.57         Open source LDAP server implementation

root@ldap:~ # uname -a
FreeBSD ldap.example.org 12.2-RELEASE-p3 FreeBSD 12.2-RELEASE-p3 GENERIC  amd64
```

I followed the guide in the FreeBSD handbook:

Handbook guide

It seems that everything is working properly except for the TLS part.

Here is a working example from a remote host on the LAN:


```
vic@bleague:~
▶ ldapwhoami -H ldap://192.168.1.3 -x
anonymous
```

Here is a non-working example from the same LAN host:


```
vic@bleague:~
▶ ldapwhoami -H ldap://192.168.1.3 -x -ZZ -D "uid=vic,ou=users,dc=example,dc=org" -W
ldap_start_tls: Connect error (-11)
        additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
```

I have defined the path to the certificates:


```
# Define global ACLs to disable default read access.
#
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCertificateFile: /usr/local/etc/openldap/server.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/private/server.key
olcTLSCACertificateFile: /usr/local/etc/openldap/ca.crt
#olcTLSCipherSuite: HIGH
olcTLSProtocolMin: 3.1
olcTLSVerifyClient: never
```

Any help would be greatly appreciated.


----------



## manilaboy1vic (Feb 13, 2021)

I think I got it sorted out. No more errors after adding `TLS_CACERT  /usr/local/etc/openldap/ca.crt` to ldap.conf.


```
root@ldap:/usr/local/etc/openldap # cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERT  /usr/local/etc/openldap/ca.crt
```


```
root@ldap:/usr/local/etc/openldap # ldapsearch -ZZ
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
```


----------



## SirDice (Feb 13, 2021)

Yes. If you use self-signed certificates you need to tell the client where the CA certificate is. Or else the client is not able to verify the server's certificate.
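As an added example (not from either poster), the shell script below reproduces the trust failure behind the "certificate verify failed (self signed certificate in certificate chain)" message with openssl(1) and a throwaway CA, then shows that handing the verifier the CA file (what the `TLS_CACERT` line does for the LDAP client) makes the same server certificate validate. It assumes the openssl CLI is installed; the CA and server certificates are generated in a temporary directory and discarded.

```shell
#!/bin/sh
# Added example, not from the forum thread. Reproduces the client-side trust
# failure behind "certificate verify failed (self signed certificate in
# certificate chain)" and shows that pointing the verifier at the CA file
# (what TLS_CACERT does in ldap.conf) makes the chain validate.
# Assumes openssl(1) is installed; all certificates are constructed here.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a private CA and a server certificate it signs,
# standing in for ca.crt and server.crt from the thread.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.org" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# verify_server_cert CERT [CAFILE]
# Prints "ok" when CERT chains to a trusted root, "untrusted" otherwise.
# Without CAFILE no trust anchors are loaded at all, which is the position a
# private CA is in when the client config has no TLS_CACERT line.
verify_server_cert() {
    cert=$1; cafile=${2:-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$cert" >/dev/null 2>&1
    fi && echo ok || echo untrusted
}

make_test_pki
echo "without CA file: $(verify_server_cert "$WORK/server.crt")"
echo "with CA file:    $(verify_server_cert "$WORK/server.crt" "$WORK/ca.crt")"
```

Against the live server, `openssl s_client -starttls ldap -connect 192.168.1.3:389 -CAfile /usr/local/etc/openldap/ca.crt` (OpenSSL 1.1.1 or newer) reports the same verify result for the certificate slapd actually presents, which separates a client trust problem from a wrong `olcTLSCertificateFile`.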


----------

