Fixed: did not update TLS_CACERT in OpenLDAP client config file 'ldap.conf' while setting up with a bought/valid SSL cert.
parent 098e994ae0
commit fb3b574d24
@ -10,7 +10,7 @@ you can follow below suggestions for better performance.
Mail services __heavily__ rely on DNS service and perform many many DNS queries,
a cache DNS server in LAN or localhost helps __A LOT__:
* It speeds up DNS queries. This helps a lot.
* It speeds up DNS queries. This helps a lot to speed up mail flow.
* It reduces DNS queries to DNSBL servers, so that you can continue using their
excellent service without exceeding the max query limit.
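Review bot: the wording change to the DNS bullet in this hunk is unrelated to the TLS_CACERT fix named in the commit message and belongs in its own commit so the history stays searchable. The new line "It speeds up DNS queries. This helps a lot to speed up mail flow." also repeats "speed up"; "It speeds up DNS queries, which helps a lot with mail flow." reads cleaner.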
@ -179,6 +179,40 @@ TLSCertificateKeyFile /etc/pki/tls/private/server.key
Restarting OpenLDAP service is required.
If you want to connect with TLS (port 389) or SSL (port 636) for secure
connection from command line tools like `ldapsearch`, please update parameter
`TLS_CACERT` in OpenLDAP client config file also, otherwise you will get
error message like `Peer's Certificate issuer is not recognized`.
* On Red Hat and CentOS, it's defined in `/etc/openldap/ldap.conf`.
* On Debian and Ubuntu, it's defined in `/etc/ldap/ldap.conf`.
* On FreeBSD, it's defined in `/usr/local/etc/openldap/ldap.conf`.
* On OpenBSD, it's defined in `/etc/openldap/ldap.conf`.
```
TLS_CACERT /etc/pki/tls/certs/server.ca-bundle
```
To connect with TLS, please run `ldapsearch` with argument `-Z` and use
`ldap://<your_server_name>:389` as ldap host. For example:
```
ldapsearch -x -W -Z \
-H 'ldap://mail.example.com:389' \
-D 'cn=vmail,dc=example,dc=com' \
-b 'o=domains,dc=example,dc=com' mail
```
* To connection with SSL, use `ldaps://<your_server_name>:636` as ldap host.
for example:
```
ldapsearch -x -W \
-H 'ldaps://mail.example.com:636' \
-D 'cn=vmail,dc=example,dc=com' \
-b 'o=domains,dc=example,dc=com' mail
```
### MySQL, MariaDB
> If MySQL/MariaDB is listening on localhost and not accessible from external
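Review bot: the StartTLS example uses `-Z`, which only attempts StartTLS and lets `ldapsearch` carry on in the clear when the upgrade fails, so a wrong `TLS_CACERT` would send the `-W` bind password unencrypted instead of failing; use `-ZZ`, which makes a failed StartTLS fatal, both in the sentence "with argument `-Z`" and in the `ldapsearch -x -W -Z \` example. Two smaller points: `TLS_CACERT /etc/pki/tls/certs/server.ca-bundle` is a Red Hat path while the bullets also list Debian, FreeBSD and OpenBSD client config files, so state that the value must point to wherever the CA bundle was installed on that system; and "* To connection with SSL, use `ldaps://<your_server_name>:636` as ldap host." has a typo ("To connect") and is a stray single bullet where the parallel TLS instruction above it is plain prose.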
@ -36,7 +36,7 @@ you can follow below suggestions for better performance.</p>
<p>Mail services <strong>heavily</strong> rely on DNS service and perform many many DNS queries,
a cache DNS server in LAN or localhost helps <strong>A LOT</strong>:</p>
<ul>
<li>It speeds up DNS queries. This helps a lot.</li>
<li>It speeds up DNS queries. This helps a lot to speed up mail flow.</li>
<li>It reduces DNS queries to DNSBL servers, so that you can continue using their
excellent service without exceeding the max query limit.</li>
</ul>
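Review bot: this is the rendered HTML copy of the DNS bullet change, so the same two remarks apply: the edit is unrelated to the TLS_CACERT fix in the commit message, and `<li>It speeds up DNS queries. This helps a lot to speed up mail flow.</li>` repeats "speed up". If this HTML is generated from the markdown file, regenerate it rather than editing both by hand so the two copies cannot drift apart.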
@ -192,6 +192,37 @@ TLSCertificateKeyFile /etc/pki/tls/private/server.key
</code></pre>
<p>Restarting OpenLDAP service is required.</p>
<p>If you want to connect with TLS (port 389) or SSL (port 636) for secure
connection from command line tools like <code>ldapsearch</code>, please update parameter
<code>TLS_CACERT</code> in OpenLDAP client config file also, otherwise you will get
error message like <code>Peer's Certificate issuer is not recognized</code>.</p>
<ul>
<li>On Red Hat and CentOS, it's defined in <code>/etc/openldap/ldap.conf</code>.</li>
<li>On Debian and Ubuntu, it's defined in <code>/etc/ldap/ldap.conf</code>.</li>
<li>On FreeBSD, it's defined in <code>/usr/local/etc/openldap/ldap.conf</code>.</li>
<li>On OpenBSD, it's defined in <code>/etc/openldap/ldap.conf</code>.</li>
</ul>
<pre><code>TLS_CACERT /etc/pki/tls/certs/server.ca-bundle
</code></pre>
<p>To connect with TLS, please run <code>ldapsearch</code> with argument <code>-Z</code> and use
<code>ldap://<your_server_name>:389</code> as ldap host. For example:</p>
<pre><code>ldapsearch -x -W -Z \
-H 'ldap://mail.example.com:389' \
-D 'cn=vmail,dc=example,dc=com' \
-b 'o=domains,dc=example,dc=com' mail
</code></pre>
<ul>
<li>To connection with SSL, use <code>ldaps://<your_server_name>:636</code> as ldap host.
for example:</li>
</ul>
<pre><code>ldapsearch -x -W \
-H 'ldaps://mail.example.com:636' \
-D 'cn=vmail,dc=example,dc=com' \
-b 'o=domains,dc=example,dc=com' mail
</code></pre>
<h3 id="mysql-mariadb">MySQL, MariaDB</h3>
<blockquote>
<p>If MySQL/MariaDB is listening on localhost and not accessible from external
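Review bot: `<code>ldap://<your_server_name>:389</code>` and `<code>ldaps://<your_server_name>:636</code>` leave the angle brackets unescaped, so a browser parses `<your_server_name>` as an unknown tag and the placeholder vanishes from the rendered page; write `&lt;your_server_name&gt;` inside the `<code>` elements. The `ldapsearch -x -W -Z \` example here has the same weakness as the markdown: `-Z` merely attempts StartTLS and continues unencrypted if it fails, whereas `-ZZ` makes a failed StartTLS fatal, which is what a guide about fixing `TLS_CACERT` should show. Finally, the single-item `<ul><li>To connection with SSL ... for example:</li></ul>` should be a `<p>` reading "To connect with SSL", matching the preceding `<p>To connect with TLS ...</p>` paragraph.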