Re: Help with openldap and starttls
On Thu, 15 Apr 2010, john espiro wrote:
> 1) In /etc/openldap/ldap.conf, I currently have:
> URI ldapi://127.0.0.1/
> What value should I have there? Do I need the server name such as:
> URI ldapi://mydomain.com/
Basically, whatever you run slapd's listeners on is what your clients
should be directed to.
Note that ldapi is for IPC. Technically there's nothing stopping you from
using a dotted quad or a DNS label as the name for your domain socket, but
I'd consider it pretty confusing to a casual observer and therefore poor
practice.
This also raises the question of why you would incur the overhead of TLS
over a mechanism with inherently secure transport, but who am I to
question such things...
> 2) what command line parameters do I want to run openldap with?
> Currently mine is running with:
> /usr/sbin/slapd -u ldap -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636
Well, your listeners need to be wherever your client is going. If you're
going to set your client to ldapi://blah/, you need slapd listening on
ldapi://blah/. If you want to use Start TLS on port 389, then a ldap:
listener would be appropriate.
> It seems I should at least be removing the *:636 part since it will be using STARTTLS, correct?
A standard configuration for Start TLS usage would be a ldap: listener
running on port 389. If you are never going to use implicit SSL, then
dropping all listeners with the ldaps: scheme is appropriate. Whether you
bind to loopback or a network-facing address (with ldap:/ldaps: schemes)
or IPC (with ldapi: scheme) is a local decision. Just make sure that slapd
and your clients match.
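The two rules in the reply (the client's URI must match one of slapd's -h listeners, and a Start TLS only setup keeps an ldap: listener and drops ldaps:) as a small POSIX shell check. This is an added example, not code from the thread or from the OpenLDAP project; it assumes ldap:/ldaps: URIs carry a hostname or IPv4 address (no bracketed IPv6) and that ldapi: URIs carry a socket path, as they do in the quoted configuration.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project): check that a
# client's ldap.conf URI lines up with one of slapd's -h listeners, and that
# the listener set fits Start TLS use (an ldap: listener, no ldaps: listener).
# Assumption: ldap:/ldaps: hosts are names or IPv4 literals, ldapi: is a path.

# normalize_uri URI -> "scheme host port" (ldap/ldaps) or "ldapi path".
# Default ports are filled in so ldap://h/ and ldap://h:389 compare equal.
normalize_uri() {
    uri=$1
    case $uri in
        *://*) ;;
        *) return 1 ;;                   # not a URI at all
    esac
    scheme=${uri%%://*}
    rest=${uri#*://}
    rest=${rest%/}                       # drop a trailing slash
    case $scheme in
        ldap)  port=389 ;;
        ldaps) port=636 ;;
        ldapi) printf '%s %s\n' "$scheme" "$rest"; return 0 ;;
        *)     return 1 ;;               # unknown scheme
    esac
    host=${rest%%:*}
    case $rest in
        *:*) port=${rest##*:} ;;         # explicit port overrides the default
    esac
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# client_matches_listeners CLIENT_URI "LISTENER_URI ..." -> 0 if some listener
# equals the client URI after normalisation, else 1 ("make sure that slapd
# and your clients match").
client_matches_listeners() {
    want=$(normalize_uri "$1") || return 1
    for l in $2; do
        have=$(normalize_uri "$l") || continue
        [ "$want" = "$have" ] && return 0
    done
    return 1
}

# starttls_layout_ok "LISTENER_URI ..." -> 0 when the set has at least one
# ldap: listener (where Start TLS is negotiated) and no ldaps: listener
# (implicit SSL not used), else 1.
starttls_layout_ok() {
    have_ldap=0
    for l in $1; do
        case $l in
            ldap://*)  have_ldap=1 ;;
            ldaps://*) return 1 ;;
        esac
    done
    [ "$have_ldap" -eq 1 ]
}

# Demonstration with the listener set quoted in the thread.
listeners='ldap://127.0.0.1:389 ldaps://127.0.0.1:636'
client='ldap://127.0.0.1/'
if client_matches_listeners "$client" "$listeners"; then
    echo "client URI $client reaches one of slapd's listeners"
fi
if starttls_layout_ok "$listeners"; then
    echo "listener set fits a Start TLS only setup"
else
    echo "listener set still has an ldaps: listener; drop it if only Start TLS is used"
fi
starttls_layout_ok 'ldap://127.0.0.1:389' && echo "ldap://127.0.0.1:389 alone is a Start TLS layout"
client_matches_listeners 'ldapi://127.0.0.1/' "$listeners" \
    || echo "a client pointed at ldapi://127.0.0.1/ matches neither listener above"
# From the client side, Start TLS can be verified with ldapsearch; -ZZ makes
# the search fail unless the Start TLS negotiation succeeds:
#   ldapsearch -x -ZZ -H ldap://127.0.0.1/ -b '' -s base
```

The normalisation is what makes the check useful: `URI ldap://127.0.0.1/` in ldap.conf and `-h ldap://127.0.0.1:389` on the slapd command line describe the same listener, while `ldapi://127.0.0.1/` is a socket path and matches neither.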