Fixed: not update TLS_CACERT in OpenLDAP client config file 'ldap.conf' while setting up with a bought/valid SSL cert.

2016-10-11 22:48:07 +08:00 · 2016-10-11 22:48:07 +08:00 · fb3b574d24
parent 098e994ae0
commit fb3b574d24
4 changed files with 67 additions and 2 deletions
--- a/en_US/howto/0-performance.tuning.md
+++ b/en_US/howto/0-performance.tuning.md
@ -10,7 +10,7 @@ you can follow below suggestions for better performance.
 Mail services __heavily__ rely on DNS service and perform many many DNS queries,
 a cache DNS server in LAN or localhost helps __A LOT__:

-* It speeds up DNS queries. This helps a lot.
+* It speeds up DNS queries. This helps a lot to speed up mail flow.
 * It reduces DNS queries to DNSBL servers, so that you can continue using their
  excellent service without exceeding the max query limit.

--- a/en_US/howto/use.a.bought.ssl.certificate.md
+++ b/en_US/howto/use.a.bought.ssl.certificate.md
@ -179,6 +179,40 @@ TLSCertificateKeyFile /etc/pki/tls/private/server.key

 Restarting OpenLDAP service is required.

+If you want to connect with TLS (port 389) or SSL (port 636) for secure
+connection from command line tools like `ldapsearch`, please update parameter
+`TLS_CACERT` in OpenLDAP client config file also, otherwise you will get
+error message like `Peer's Certificate issuer is not recognized`.
+
+* On Red Hat and CentOS, it's defined in `/etc/openldap/ldap.conf`.
+* On Debian and Ubuntu, it's defined in `/etc/ldap/ldap.conf`.
+* On FreeBSD, it's defined in `/usr/local/etc/openldap/ldap.conf`.
+* On OpenBSD, it's defined in `/etc/openldap/ldap.conf`.
+
+```
+TLS_CACERT /etc/pki/tls/certs/server.ca-bundle
+```
+
+To connect with TLS, please run `ldapsearch` with argument `-Z` and use
+`ldap://<your_server_name>:389` as ldap host. For example:
+
+```
+ldapsearch -x -W -Z \
+    -H 'ldap://mail.example.com:389' \
+    -D 'cn=vmail,dc=example,dc=com' \
+    -b 'o=domains,dc=example,dc=com' mail
+```
+
+* To connection with SSL, use `ldaps://<your_server_name>:636` as ldap host.
+  for example:
+
+```
+ldapsearch -x -W \
+    -H 'ldaps://mail.example.com:636' \
+    -D 'cn=vmail,dc=example,dc=com' \
+    -b 'o=domains,dc=example,dc=com' mail
+```
+
 ### MySQL, MariaDB

 > If MySQL/MariaDB is listening on localhost and not accessible from external
--- a/html/performance.tuning.html
+++ b/html/performance.tuning.html
@ -36,7 +36,7 @@ you can follow below suggestions for better performance.</p>
 <p>Mail services <strong>heavily</strong> rely on DNS service and perform many many DNS queries,
 a cache DNS server in LAN or localhost helps <strong>A LOT</strong>:</p>
 <ul>
-<li>It speeds up DNS queries. This helps a lot.</li>
+<li>It speeds up DNS queries. This helps a lot to speed up mail flow.</li>
 <li>It reduces DNS queries to DNSBL servers, so that you can continue using their
  excellent service without exceeding the max query limit.</li>
 </ul>
--- a/html/use.a.bought.ssl.certificate.html
+++ b/html/use.a.bought.ssl.certificate.html
@ -192,6 +192,37 @@ TLSCertificateKeyFile /etc/pki/tls/private/server.key
 </code></pre>

 <p>Restarting OpenLDAP service is required.</p>
+<p>If you want to connect with TLS (port 389) or SSL (port 636) for secure
+connection from command line tools like <code>ldapsearch</code>, please update parameter
+<code>TLS_CACERT</code> in OpenLDAP client config file also, otherwise you will get
+error message like <code>Peer's Certificate issuer is not recognized</code>.</p>
+<ul>
+<li>On Red Hat and CentOS, it's defined in <code>/etc/openldap/ldap.conf</code>.</li>
+<li>On Debian and Ubuntu, it's defined in <code>/etc/ldap/ldap.conf</code>.</li>
+<li>On FreeBSD, it's defined in <code>/usr/local/etc/openldap/ldap.conf</code>.</li>
+<li>On OpenBSD, it's defined in <code>/etc/openldap/ldap.conf</code>.</li>
+</ul>
+<pre><code>TLS_CACERT /etc/pki/tls/certs/server.ca-bundle
+</code></pre>
+
+<p>To connect with TLS, please run <code>ldapsearch</code> with argument <code>-Z</code> and use
+<code>ldap://&lt;your_server_name&gt;:389</code> as ldap host. For example:</p>
+<pre><code>ldapsearch -x -W -Z \
+    -H 'ldap://mail.example.com:389' \
+    -D 'cn=vmail,dc=example,dc=com' \
+    -b 'o=domains,dc=example,dc=com' mail
+</code></pre>
+
+<ul>
+<li>To connection with SSL, use <code>ldaps://&lt;your_server_name&gt;:636</code> as ldap host.
+  for example:</li>
+</ul>
+<pre><code>ldapsearch -x -W \
+    -H 'ldaps://mail.example.com:636' \
+    -D 'cn=vmail,dc=example,dc=com' \
+    -b 'o=domains,dc=example,dc=com' mail
+</code></pre>
+
 <h3 id="mysql-mariadb">MySQL, MariaDB</h3>
 <blockquote>
 <p>If MySQL/MariaDB is listening on localhost and not accessible from external