4.4. LDAP Client Access Over SSL

You configure LDAPS (LDAP/SSL) client access by using the command-line tool dsconfig. You can opt to configure LDAPS access when you install.

The standard port number for LDAPS client access is 636. If you install OpenDJ directory server as a user who can use port 636 and the port is not yet in use, then 636 is the default port number presented at installation time. If you install as a user who cannot use a privileged port (a port number below 1024), then the default port number presented at installation time is 1636.

Procedure 4.5. To Set Up LDAPS Access

  1. Make sure you have a server certificate installed.

    $ keytool \
     -list \
     -alias server-cert \
     -keystore /path/to/opendj/config/keystore \
     -storepass `cat /path/to/opendj/config/keystore.pin`
    server-cert, Jun 17, 2013, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F

  2. Configure the server to activate LDAPS access.

    $ dsconfig \
     set-connection-handler-prop \
     --hostname opendj.example.com \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --handler-name "LDAPS Connection Handler" \
     --set listen-port:1636 \
     --set enabled:true \
     --set use-ssl:true \
     --trustAll \
     --no-prompt

    This example changes the port number to 1636 in the configuration.

Procedure 4.6. To Change the LDAPS Port Number

  1. Change the port number using the dsconfig command.

    $ dsconfig \
     set-connection-handler-prop \
     --hostname opendj.example.com \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --handler-name "LDAPS Connection Handler" \
     --set listen-port:11636 \
     --trustAll \
     --no-prompt

    This example changes the port number to 11636 in the configuration.

  2. Restart the connection handler so the change takes effect.

    To restart the connection handler, you disable it, then enable it again.

    $ dsconfig \
     set-connection-handler-prop \
     --hostname opendj.example.com \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --handler-name "LDAPS Connection Handler" \
     --set enabled:false \
     --trustAll \
     --no-prompt
    $ dsconfig \
     set-connection-handler-prop \
     --hostname opendj.example.com \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --handler-name "LDAPS Connection Handler" \
     --set enabled:true \
     --trustAll \
     --no-prompt
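
The two procedures above, wrapped in shell functions with the checks an administrator would want before running them, as an added example that is not part of the OpenDJ guide. The OPENDJ_HOME path, the admin.pin password file, the config/truststore path, the environment variable names and the valid_port and ldaps_default_port helpers are assumptions of this example. The dsconfig options --bindPasswordFile and --trustStorePath are standard OpenDJ tool options used here in place of --bindPassword and --trustAll, so that the bind password stays out of the process list and the administration connector's certificate is verified rather than blindly trusted. Setting DSCONFIG=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the OpenDJ guide: Procedures 4.5 and 4.6 as
# checked shell functions.  Paths, host, admin port, bind DN and the
# DSCONFIG/KEYTOOL command variables are assumptions; override them with
# environment variables.  DSCONFIG=echo gives a dry run.

OPENDJ_HOME="${OPENDJ_HOME:-/path/to/opendj}"            # assumed install path
ADMIN_HOST="${ADMIN_HOST:-opendj.example.com}"
ADMIN_PORT="${ADMIN_PORT:-4444}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
BIND_PW_FILE="${BIND_PW_FILE:-$OPENDJ_HOME/config/admin.pin}"   # assumed file
TRUST_STORE="${TRUST_STORE:-$OPENDJ_HOME/config/truststore}"    # assumed path
DSCONFIG="${DSCONFIG:-$OPENDJ_HOME/bin/dsconfig}"
KEYTOOL="${KEYTOOL:-keytool}"
HANDLER="LDAPS Connection Handler"

# Default LDAPS listen port as the text describes it: 636 when the process
# may bind privileged ports (uid 0), otherwise 1636.
ldaps_default_port() {
    if [ "$(id -u)" -eq 0 ]; then echo 636; else echo 1636; fi
}

# Accept only an integer in 1..65535 before handing it to dsconfig.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Procedure 4.5 step 1: succeed only if the server certificate is present
# in the server keystore (keytool returns non-zero when the alias is missing).
check_server_cert() {
    alias_name="${1:-server-cert}"
    "$KEYTOOL" -list -alias "$alias_name" \
        -keystore "$OPENDJ_HOME/config/keystore" \
        -storepass "$(cat "$OPENDJ_HOME/config/keystore.pin")" >/dev/null 2>&1
}

# Shared dsconfig invocation for the LDAPS connection handler.  Extra
# arguments (the --set options) are appended as given.
handler_prop() {
    "$DSCONFIG" set-connection-handler-prop \
        --hostname "$ADMIN_HOST" --port "$ADMIN_PORT" \
        --bindDN "$BIND_DN" --bindPasswordFile "$BIND_PW_FILE" \
        --trustStorePath "$TRUST_STORE" \
        --handler-name "$HANDLER" --no-prompt "$@"
}

# Procedure 4.5 step 2: enable the handler on the given (or default) port.
enable_ldaps() {
    port="${1:-$(ldaps_default_port)}"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    handler_prop --set "listen-port:$port" --set enabled:true --set use-ssl:true
}

# Procedure 4.6 step 1: change the listen port in the configuration.
set_ldaps_port() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    handler_prop --set "listen-port:$1"
}

# Procedure 4.6 step 2: disable then re-enable so the new port is bound.
restart_handler() {
    handler_prop --set enabled:false && handler_prop --set enabled:true
}

# Typical use (uncomment to run):
# check_server_cert || { echo "no server certificate installed" >&2; exit 1; }
# enable_ldaps 1636
# set_ldaps_port 11636 && restart_handler
```

The functions only define the steps; call them in the order shown in the trailing comment. Because restart_handler disables the handler before re-enabling it, existing LDAPS client connections are dropped during the restart, so schedule it accordingly.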