I finally got OpenLDAP working decently between a client and server. One big thing to note is that if you change (or comment out) any index line in slapd.conf, you must run slapindex after saving the file for the changes to take effect. Restarting slapd is not enough.

Server slapd.conf file:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
loglevel 296

TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

database bdb
suffix "dc=servername,dc=uchicago,dc=edu"
rootdn "cn=Manager,dc=servername,dc=uchicago,dc=edu"
rootpw {SSHA}XoDk2L5PaZfEJ8s3wQsMTyftCfhsQ4gY
directory /var/lib/ldap
index objectClass eq,pres
index cn,mail,sn,givenName eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

Client ldap.conf file:

BASE dc=servername,dc=uchicago,dc=edu
URI ldap://servername.uchicago.edu ldaps://servername.uchicago.edu:636
HOST servername.uchicago.edu

LogLevel 296

ssl start_tls
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts

Note that in the client file, the TLS_REQCERT line should be set to never. It could be set to allow, but then every time the client requests information from the server, the server will send its certificate to the client, which makes OpenLDAP operations slow. So set it to never and put a copy of the slapd.pem file from the server into /etc/openldap/cacerts on the client.
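As an added example (not part of the original post), here is a small Python script covering the two practical points above: it parses slapd.conf/ldap.conf-style directives, diffs the index lines of two versions of slapd.conf to list the attributes whose indexes must be rebuilt with slapindex, and reports what a client's TLS_REQCERT value means according to ldap.conf(5), including whether the server certificate is verified at that level. The sample configs inside are constructed from the snippets above and the function names are my own.

```python
"""Audit helpers for the OpenLDAP setup above (added example, not part of the
original post). Two checks: which attributes need slapindex after an index
directive change, and what the client's TLS_REQCERT value means."""

from typing import Dict, List, Set, Tuple

# Meanings per ldap.conf(5); when the directive is absent the default is demand.
TLS_REQCERT_MEANING = {
    "never": "server certificate is never requested or checked",
    "allow": "certificate requested; none or a bad one is ignored",
    "try": "certificate requested; none is ignored, a bad one ends the session",
    "demand": "certificate required and must verify against the CA store",
    "hard": "same as demand",
}


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Split slapd.conf/ldap.conf text into (directive, argument) pairs.
    Rules from the man pages: '#' lines are comments, a line starting with
    whitespace continues the previous one, directive names are case-insensitive."""
    merged: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and merged:
            merged[-1] += " " + raw.strip()
        else:
            merged.append(raw.strip())
    pairs: List[Tuple[str, str]] = []
    for line in merged:
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs


def index_map(directives: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each indexed attribute (lowercased, as LDAP attribute names are
    case-insensitive) to its index types, so 'index cn,mail eq,pres,sub' yields
    {'cn': {'eq','pres','sub'}, 'mail': {...}}. An index line without a type
    list uses slapd's default; it is recorded as {'default'}."""
    result: Dict[str, Set[str]] = {}
    for name, arg in directives:
        if name != "index":
            continue
        fields = arg.split()
        types = set(fields[1].split(",")) if len(fields) > 1 else {"default"}
        for attr in fields[0].split(","):
            result[attr.lower()] = types
    return result


def reindex_needed(old_conf: str, new_conf: str) -> Dict[str, Set[str]]:
    """Attributes whose index definition changed between two slapd.conf
    versions. Each of them needs slapindex after the edit: restarting slapd
    alone does not rebuild the on-disk indexes. A removed attribute maps to
    an empty set."""
    old = index_map(parse_directives(old_conf))
    new = index_map(parse_directives(new_conf))
    return {attr: new.get(attr, set())
            for attr in sorted(set(old) | set(new))
            if old.get(attr) != new.get(attr)}


def client_tls_report(ldap_conf: str) -> Dict[str, str]:
    """Report the effective TLS_REQCERT level of a client ldap.conf and whether
    the server certificate is actually verified at that level."""
    settings = dict(parse_directives(ldap_conf))  # last occurrence wins
    level = settings.get("tls_reqcert", "demand").lower()
    verifies = {"demand": "yes", "hard": "yes", "try": "only if a cert is sent"}
    if level not in TLS_REQCERT_MEANING:
        return {"tls_reqcert": level, "meaning": "unknown value", "verifies_server": "unknown"}
    return {
        "tls_reqcert": level,
        "meaning": TLS_REQCERT_MEANING[level],
        "verifies_server": verifies.get(level, "no"),
    }


# Constructed sample: the index lines from the post, then an edited version
# in which uid lost its pres index and loginShell was commented out.
SAMPLE_OLD = """\
index objectClass eq,pres
index cn,mail,sn,givenName eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid eq,pres,sub
"""
SAMPLE_NEW = """\
index objectClass eq,pres
index cn,mail,sn,givenName eq,pres,sub
index uidNumber,gidNumber eq,pres
#index loginShell eq,pres
index uid eq,sub
"""

# Constructed sample client configs: the post's setting and the ldap.conf(5) default.
SAMPLE_CLIENT_NEVER = """\
BASE dc=servername,dc=uchicago,dc=edu
URI ldap://servername.uchicago.edu ldaps://servername.uchicago.edu:636
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts
"""
SAMPLE_CLIENT_DEMAND = SAMPLE_CLIENT_NEVER.replace("TLS_REQCERT never", "TLS_REQCERT demand")

if __name__ == "__main__":
    for attr, types in reindex_needed(SAMPLE_OLD, SAMPLE_NEW).items():
        state = ",".join(sorted(types)) if types else "removed"
        print(f"slapindex needed for {attr}: now {state}")
    for conf in (SAMPLE_CLIENT_NEVER, SAMPLE_CLIENT_DEMAND):
        print(client_tls_report(conf))
```

Run it directly to see the report. In the constructed sample, uid lost its pres index and loginShell was commented out, so both are listed for slapindex; the client report shows that TLS_REQCERT never means the server certificate is not verified at all, while demand (the ldap.conf default) requires it to verify against the files under TLS_CACERTDIR.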