It is recommended that communication between clients and the LDAP server be encrypted. Before enabling encryption on the LDAP server we need an SSL private key and a certificate signed by a certificate authority; have a look at
OpenSSL Certificates. Suppose your files are ldap.dev.local-key.pem and ldap.dev.local-cert.pem.
Server
- Install CA certificate:
cp ~/ca/demoCA/cacert.pem /etc/ssl/certs/
chmod go+r /etc/ssl/certs/cacert.pem
- Copy the ldap key and certificate files to /etc/ldap/ssl:
mkdir /etc/ldap/ssl/
cp ~/ca/ldap.dev.local-*.pem /etc/ldap/ssl/
- Secure the certificates (the private key must be readable only by root and the openldap group that slapd runs as):
chown -R root:openldap /etc/ldap/ssl
chmod -R o-rwx /etc/ldap/ssl
- Enable the ldaps protocol (file /etc/default/slapd); plain ldap:// stays bound to loopback only:
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
- Create the TLS configuration file (tls-config.ldif); the changetype line is required so that ldapmodify treats the following add: blocks as modifications of cn=config:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.dev.local-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.dev.local-key.pem
- Apply it:
ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif
- Restart slapd:
/etc/init.d/slapd restart
- Ensure it started and is listening on port 636:
netstat -tunlp | grep slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 2462/slapd
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN 2462/slapd
Client
- Install ldap-utils package:
apt-get install ldap-utils
- Configure (file /etc/ldap/ldap.conf); TLS_REQCERT demand makes the client refuse connections whose server certificate does not validate against the CA:
BASE dc=dev,dc=local
URI ldaps://ldap.dev.local
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_REQCERT demand
- Ensure it works:
ldapsearch -x
- Have a look at the server log file; the communication must now go through port 636 and show "TLS established" before the first BIND:
ldap1 slapd[2462]: conn=1005 fd=15 ACCEPT from IP=192.168.10.8:38344 (IP=0.0.0.0:636)
ldap1 slapd[2462]: conn=1005 fd=15 TLS established tls_ssf=128 ssf=128
ldap1 slapd[2462]: conn=1005 op=0 BIND dn="" method=128
ldap1 slapd[2462]: conn=1005 op=0 RESULT tag=97 err=0 text=
ldap1 slapd[2462]: conn=1005 op=1 SRCH base="dc=dev,dc=local" scope=2 deref=0 filter="(objectClass=*)"
ldap1 slapd[2462]: conn=1005 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
ldap1 slapd[2462]: conn=1005 op=2 UNBIND
ldap1 slapd[2462]: conn=1005 fd=15 closed
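As an added example that is not part of the original post, here is a small Python audit over slapd log lines in the format shown above: it flags connections that sent BIND or other operations from a non-local peer before "TLS established" appears, and TLS sessions whose ssf is below a threshold. The sample log is constructed (conn=1005 mirrors the session above; the other connection ids and peers are hypothetical), and the loopback/ldapi exemption assumes the SLAPD_SERVICES setting from this post.

```python
import re

# Patterns matching the slapd log lines shown in this post (ids below are constructed)
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from (?:IP=([\d.]+):\d+|PATH=\S+)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+)")
OP_RE = re.compile(r"conn=(\d+) op=\d+ (BIND|SRCH|MOD|ADD|DEL|MODRDN|CMP|EXT|STARTTLS)")

# Constructed sample: 1005 mirrors the post, 1006 binds in cleartext from the LAN, 1007 uses STARTTLS, 1008 is ldapi
SAMPLE_LOG = """\
ldap1 slapd[2462]: conn=1005 fd=15 ACCEPT from IP=192.168.10.8:38344 (IP=0.0.0.0:636)
ldap1 slapd[2462]: conn=1005 fd=15 TLS established tls_ssf=128 ssf=128
ldap1 slapd[2462]: conn=1005 op=0 BIND dn="" method=128
ldap1 slapd[2462]: conn=1006 fd=16 ACCEPT from IP=192.168.10.9:40112 (IP=0.0.0.0:389)
ldap1 slapd[2462]: conn=1006 op=0 BIND dn="cn=admin,dc=dev,dc=local" method=128
ldap1 slapd[2462]: conn=1007 fd=17 ACCEPT from IP=192.168.10.9:40113 (IP=0.0.0.0:389)
ldap1 slapd[2462]: conn=1007 op=0 STARTTLS
ldap1 slapd[2462]: conn=1007 fd=17 TLS established tls_ssf=256 ssf=256
ldap1 slapd[2462]: conn=1007 op=1 BIND dn="cn=admin,dc=dev,dc=local" method=128
ldap1 slapd[2462]: conn=1008 fd=18 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
ldap1 slapd[2462]: conn=1008 op=0 BIND dn="" method=163
""".splitlines()

def audit(lines, min_ssf=128):
    """Return {conn id: findings} for cleartext ops from non-local peers or weak TLS."""
    conns = {}  # conn id -> {"peer": ip (None for ldapi), "ssf": int, "clear": [ops]}
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conns[m[1]] = {"peer": m[2], "ssf": 0, "clear": []}
        elif m := TLS_RE.search(line):
            if m[1] in conns:
                conns[m[1]]["ssf"] = int(m[2])
        elif (m := OP_RE.search(line)) and m[1] in conns:
            c = conns[m[1]]
            # STARTTLS is the one operation that legitimately precedes "TLS established"
            if m[2] != "STARTTLS" and c["ssf"] == 0:
                c["clear"].append(m[2])
    findings = {}
    for cid, c in conns.items():
        issues = []
        # ldapi and loopback are exempt: the post's SLAPD_SERVICES only offers plain
        # ldap:// on 127.0.0.1, so cleartext from anywhere else means the config drifted
        local = c["peer"] is None or c["peer"].startswith("127.")
        if c["clear"] and not local:
            issues.append(f"cleartext {','.join(c['clear'])} from {c['peer']}")
        if 0 < c["ssf"] < min_ssf:
            issues.append(f"weak TLS ssf={c['ssf']} from {c['peer']}")
        if issues:
            findings[cid] = issues
    return findings
```

Run it over /var/log/syslog (or wherever slapd logs with loglevel stats) to confirm that no remote client is still binding over plain ldap:// after the switch to ldaps.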
Hello Andriy,
I have followed your previous posts about "How to create Certificate Authority using OpenSSL" and "How to create Certificates using OpenSSL". Those posts are rather clear. Thanks for sharing the good job!
But I have a problem. In step 2 of this post, it says to copy the key and certificate files. The problem is I do not have this key file. I have only newcert.pem and newreq.pem. I understand from the man page slapd-config that olcTLSCertificateKeyFile is about a private key. As far as I know the certificate has a public key but no private key to extract.
Would you know why I don't have the key file? And probably more important, how to get this key file?
Thanks,
Bernard
Ok I found why.... In your post "How to create Certificates using OpenSSL" in "Certificate Request" -keyout and -out point to the same file. -keyout should be something like newreq.key.
Thanks
Bernard
Thanks for sharing your knowledge and your time.
Your article was very useful.
Really nice articles, but the command ldapmodify always gives me err=50 insufficient access...
And I don't really understand why
Mathias, the command that fails for you (ldapmodify) configures ldap to use TLS. That being said, the points to verify should be:
1. Ensure you are executing the command with the ldap administrative account.
2. Are you able to execute any command with ldap? E.g. try enabling logging and see what is printed out there (see logging in this post http://mindref.blogspot.com/2010/12/debian-openldap.html).
3. Double check permissions (is the user running the slapd process able to access all three files?). Try splitting that single file (tls-config.ldif) into three smaller ones; that should point to the source of the issue.
I'm using it as root, so there should be no problem I guess. Tried to change the rights on that file but it didn't work. I managed to modify the config database by creating an admin account on it and using that command:
ldapmodify -D "cn=admin,cn=config" -W -f File
Everything goes sideways every time I try to use the -Y option...
Found something: apparently using openssl on Debian can cause some issues with TLS; people should use certtool on this kind of distribution :(
and don't forget to remove the password from the ssl key
Really useful howto.
Thank you!
@sanacl
You forgot "S":
LAPD_SERVICES="ldap://127.0.0.1:389/