Update en_US/howto/use.a.bought.ssl.certificate.md, mention how to set up ssl cert/key for OpenBSD ldapd(8).

Zhang Huangbin 2016-12-31 09:41:59 +08:00
parent a0dfbeb4da
commit 2f24cb4cf5
3 changed files with 105 additions and 28 deletions


@ -161,6 +161,25 @@ Then update `ssl_certificate` parameter in `/etc/nginx/conf.d/default.conf`:
Restarting Nginx service is required.
### MySQL, MariaDB
> If MySQL/MariaDB is listening on localhost and not accessible from external
> network, this is OPTIONAL.
* On Red Hat and CentOS, it's defined in `/etc/my.cnf`
* On Debian and Ubuntu, it's defined in `/etc/mysql/my.cnf`.
* Since Ubuntu 15.04, it's defined in `/etc/mysql/mariadb.conf.d/mysqld.cnf`.
* On FreeBSD, it's defined in `/usr/local/etc/my.cnf`.
* On OpenBSD, it's defined in `/etc/my.cnf`.
```
[mysqld]
ssl-ca = /etc/pki/tls/certs/server.ca-bundle
ssl-cert = /etc/pki/tls/certs/server.crt
ssl-key = /etc/pki/tls/private/server.key
```
### OpenLDAP
> If OpenLDAP is listening on localhost and not accessible from external
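Review bot: the `[mysqld]` block moved above the OpenLDAP section gives Red Hat paths only (`/etc/pki/tls/certs/server.ca-bundle`, `/etc/pki/tls/certs/server.crt`, `/etc/pki/tls/private/server.key`) while the bullet list above it covers Debian, Ubuntu, FreeBSD and OpenBSD as well; add a sentence saying the three paths must be adjusted to wherever the certificate, key and CA bundle are installed on that platform, otherwise a reader on a non-Red Hat system copies a path that does not exist and the daemon fails to start.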
@ -213,23 +232,47 @@ ldapsearch -x -W \
-b 'o=domains,dc=example,dc=com' mail
```
### MySQL, MariaDB
### OpenBSD ldapd(8)
> If MySQL/MariaDB is listening on localhost and not accessible from external
> If ldapd(8) is listening on localhost and not accessible from external
> network, this is OPTIONAL.
>
> For more details about ldapd config file, please check its manual page: ldapd.conf(5).
* On Red Hat and CentOS, it's defined in `/etc/my.cnf`
* On Debian and Ubuntu, it's defined in `/etc/mysql/my.cnf`.
* Since Ubuntu 15.04, it's defined in `/etc/mysql/mariadb.conf.d/mysqld.cnf`.
* On FreeBSD, it's defined in `/usr/local/etc/my.cnf`.
* On OpenBSD, it's defined in `/etc/my.cnf`.
To make ldapd(8) listening on network interface for external network, please
make sure you have setting in `/etc/ldapd.conf` to listen on the interface. We
use `em0` as external network interface here for example.
```
[mysqld]
# Listen on network interface 'em0', port 389, use STARTTLS for secure connection.
listen on em0 port 389 tls
```
ssl-ca = /etc/pki/tls/certs/server.ca-bundle
ssl-cert = /etc/pki/tls/certs/server.crt
ssl-key = /etc/pki/tls/private/server.key
If you want to use port 636 with SSL, try this:
```
# Listen on network interface 'em0', port 636, use SSL for secure connection.
listen on em0 port 636 ldaps
```
ldapd(8) will look for SSL cert and key from directory `/etc/ldap/certs/` by
default, the cert file name is `<interface_name>.crt` and `<interface_name>.key`.
In our case, it will look for `/etc/ldap/certs/em0.crt` and `/etc/ldap/certs/em0.key`.
Since iRedMail already generates a cert and key, we can use it directly. If you
have bought SSL cert/key, or requested one from LetsEncrypt, you can use them
too.
```
cd /etc/ldap/certs/
ln -s /etc/ssl/iRedMail.crt em0.crt
ln -s /etc/ssl/iRedMail.key em0.key
```
Now restart ldapd(8) service:
```
rcctl restart ldapd
```
## Reference
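Review bot: the new ldapd(8) section tells the reader a bought or Let's Encrypt certificate can be symlinked to `em0.crt`, but unlike the Nginx section's "certificates in the combined file" wording it never says that `em0.crt` must contain the intermediate CA certificates together with the server certificate; add a line stating that the file should hold the full chain, since otherwise clients using `tls` or `ldaps` will reject the certificate as issued by an unknown CA (the `Peer's Certificate issuer is not recognized` error quoted in the rendered page). Two wording fixes in the same hunk: `To make ldapd(8) listening on network interface` should read `To make ldapd(8) listen on a network interface`, and `make sure you have setting in` should read `make sure you have a setting in`.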


@ -372,7 +372,7 @@ $config['ldap_public'][&quot;global_ldap_abook&quot;] = array(
),
'sort' =&gt; 'cn',
'scope' =&gt; 'sub',
'filter' =&gt; &quot;(&amp;(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))&quot;,
'filter' =&gt; &quot;(&amp;(|(objectclass=person)(objectclass=group))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))&quot;,
'fuzzy_search' =&gt; true,
'vlv' =&gt; false, // Enable Virtual List View to more
// efficiently fetch paginated data
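Review bot: this change to the Roundcube `ldap_public` filter (adding `(objectclass=group)` so the address book also returns AD groups) is unrelated to the ldapd(8) documentation this commit describes and is not mentioned in the commit message; split it into its own commit or document it there. Note also that `userAccountControl` is an attribute of user and computer objects, so the `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` clause excludes nothing for the `group` entries now matched; if disabled or hidden groups should be left out, a separate condition is needed.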


@ -29,8 +29,9 @@
<li><a href="#dovecot-pop3imap-server">Dovecot (POP3/IMAP server)</a></li>
<li><a href="#apache-web-server">Apache (web server)</a></li>
<li><a href="#nginx-web-server">Nginx (web server)</a></li>
<li><a href="#openldap">OpenLDAP</a></li>
<li><a href="#mysql-mariadb">MySQL, MariaDB</a></li>
<li><a href="#openldap">OpenLDAP</a></li>
<li><a href="#openbsd-ldapd8">OpenBSD ldapd(8)</a></li>
</ul>
</li>
<li><a href="#reference">Reference</a></li>
@ -175,6 +176,27 @@ certificates in the combined file:</p>
</code></pre>
<p>Restarting Nginx service is required.</p>
<h3 id="mysql-mariadb">MySQL, MariaDB</h3>
<blockquote>
<p>If MySQL/MariaDB is listening on localhost and not accessible from external
network, this is OPTIONAL.</p>
</blockquote>
<ul>
<li>On Red Hat and CentOS, it's defined in <code>/etc/my.cnf</code></li>
<li>On Debian and Ubuntu, it's defined in <code>/etc/mysql/my.cnf</code>.<ul>
<li>Since Ubuntu 15.04, it's defined in <code>/etc/mysql/mariadb.conf.d/mysqld.cnf</code>.</li>
</ul>
</li>
<li>On FreeBSD, it's defined in <code>/usr/local/etc/my.cnf</code>.</li>
<li>On OpenBSD, it's defined in <code>/etc/my.cnf</code>.</li>
</ul>
<pre><code>[mysqld]
ssl-ca = /etc/pki/tls/certs/server.ca-bundle
ssl-cert = /etc/pki/tls/certs/server.crt
ssl-key = /etc/pki/tls/private/server.key
</code></pre>
<h3 id="openldap">OpenLDAP</h3>
<blockquote>
<p>If OpenLDAP is listening on localhost and not accessible from external
@ -223,25 +245,37 @@ error message like <code>Peer's Certificate issuer is not recognized</code>.</p>
-b 'o=domains,dc=example,dc=com' mail
</code></pre>
<h3 id="mysql-mariadb">MySQL, MariaDB</h3>
<h3 id="openbsd-ldapd8">OpenBSD ldapd(8)</h3>
<blockquote>
<p>If MySQL/MariaDB is listening on localhost and not accessible from external
<p>If ldapd(8) is listening on localhost and not accessible from external
network, this is OPTIONAL.</p>
<p>For more details about ldapd config file, please check its manual page: ldapd.conf(5).</p>
</blockquote>
<ul>
<li>On Red Hat and CentOS, it's defined in <code>/etc/my.cnf</code></li>
<li>On Debian and Ubuntu, it's defined in <code>/etc/mysql/my.cnf</code>.<ul>
<li>Since Ubuntu 15.04, it's defined in <code>/etc/mysql/mariadb.conf.d/mysqld.cnf</code>.</li>
</ul>
</li>
<li>On FreeBSD, it's defined in <code>/usr/local/etc/my.cnf</code>.</li>
<li>On OpenBSD, it's defined in <code>/etc/my.cnf</code>.</li>
</ul>
<pre><code>[mysqld]
<p>To make ldapd(8) listening on network interface for external network, please
make sure you have setting in <code>/etc/ldapd.conf</code> to listen on the interface. We
use <code>em0</code> as external network interface here for example.</p>
<pre><code># Listen on network interface 'em0', port 389, use STARTTLS for secure connection.
listen on em0 port 389 tls
</code></pre>
ssl-ca = /etc/pki/tls/certs/server.ca-bundle
ssl-cert = /etc/pki/tls/certs/server.crt
ssl-key = /etc/pki/tls/private/server.key
<p>If you want to use port 636 with SSL, try this:</p>
<pre><code># Listen on network interface 'em0', port 636, use SSL for secure connection.
listen on em0 port 636 ldaps
</code></pre>
<p>ldapd(8) will look for SSL cert and key from directory <code>/etc/ldap/certs/</code> by
default, the cert file name is <code>&lt;interface_name&gt;.crt</code> and <code>&lt;interface_name&gt;.key</code>.
In our case, it will look for <code>/etc/ldap/certs/em0.crt</code> and <code>/etc/ldap/certs/em0.key</code>.</p>
<p>Since iRedMail already generates a cert and key, we can use it directly. If you
have bought SSL cert/key, or requested one from LetsEncrypt, you can use them
too.</p>
<pre><code>cd /etc/ldap/certs/
ln -s /etc/ssl/iRedMail.crt em0.crt
ln -s /etc/ssl/iRedMail.key em0.key
</code></pre>
<p>Now restart ldapd(8) service:</p>
<pre><code>rcctl restart ldapd
</code></pre>
<h2 id="reference">Reference</h2>