Friday, December 24, 2010

Configuring OpenLDAP with SSL/TLS on Debian

Communication between clients and the LDAP server should be encrypted. Before enabling encryption on the server we need an SSL private key and a certificate signed by a certificate authority; have a look at OpenSSL Certificates. Suppose your files are ldap.dev.local-key.pem and ldap.dev.local-cert.pem.

Server

  1. Install CA certificate:
    cp ~/ca/demoCA/cacert.pem /etc/ssl/certs/
    chmod go+r /etc/ssl/certs/cacert.pem
    
  2. Copy the ldap key and certificate files to /etc/ldap/ssl:
    mkdir /etc/ldap/ssl/
    cp ~/ca/ldap.dev.local-*.pem /etc/ldap/ssl/
    
  3. Secure certificates:
    ldap1:~# chown -R root:openldap /etc/ldap/ssl
    ldap1:~# chmod -R o-rwx /etc/ldap/ssl
    
  4. Enable the ldaps protocol (file /etc/default/slapd); plain ldap stays bound to the loopback address only:
    SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
    
  5. Create the TLS configuration file (tls-config.ldif); all three attributes are added in one modify so slapd can validate the certificate against its key:
    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ldap/ssl/ldap.dev.local-cert.pem
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.dev.local-key.pem
    
  6. Apply it:
    ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif
    
  7. Restart slapd:
    /etc/init.d/slapd restart
    
  8. Ensure slapd is listening (636 on all interfaces, 389 on loopback only):
    netstat -tunlp | grep slapd
    tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2462/slapd
    tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      2462/slapd
    
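A pre-flight check for steps 1 to 5, added here as an example (it is not part of the original post): it parses tls-config.ldif, verifies that the three files it references exist, that the CA certificate is world-readable, that the key is readable by the openldap group but not by others, and that the key carries no passphrase (slapd cannot prompt for one). The group-access assumption follows from the chown root:openldap in step 3.

```python
# Added example, not part of the original post.  Assumes slapd runs as the
# openldap user and reads the key through group access (chown root:openldap).
import os
import stat

TLS_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateFile",
             "olcTLSCertificateKeyFile")


def parse_ldif_paths(text):
    """Map each olcTLS* attribute in an LDIF record to its path."""
    logical, paths = [], {}
    for raw in text.splitlines():          # a leading space continues a line
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    for line in logical:                   # 'dn:', 'add:' and '-' are skipped
        attr, sep, value = line.partition(":")
        if sep and attr.strip() in TLS_ATTRS:
            paths[attr.strip()] = value.strip()
    return paths


def check_tls_files(ldif_text):
    """Return a list of problems; an empty list means the files look right."""
    problems, paths = [], parse_ldif_paths(ldif_text)
    for attr in TLS_ATTRS:
        if attr not in paths:
            problems.append(f"{attr} is missing from the LDIF")
    for attr, path in paths.items():
        if not os.path.isfile(path):
            problems.append(f"{attr}: {path} does not exist")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if attr == "olcTLSCACertificateFile" and not mode & stat.S_IROTH:
            problems.append(f"{attr}: {path} is not world-readable (step 1)")
        if attr == "olcTLSCertificateKeyFile":
            if mode & stat.S_IRWXO:
                problems.append(f"{attr}: {path} is accessible by others (step 3)")
            if not mode & stat.S_IRGRP:
                problems.append(f"{attr}: {path} is not readable by the openldap group")
            with open(path, "rb") as fh:   # 'Proc-Type: 4,ENCRYPTED' or PKCS#8 header
                if b"ENCRYPTED" in fh.read():
                    problems.append(f"{attr}: {path} has a passphrase; slapd cannot unlock it")
    return problems
```

Run `check_tls_files(open("tls-config.ldif").read())` as root before step 6; an empty list means the files match what the LDIF points slapd at.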

Client

  1. Install ldap-utils package:
    apt-get install ldap-utils
    
  2. Configure the client (file /etc/ldap/ldap.conf):
    BASE    dc=dev,dc=local
    URI     ldaps://ldap.dev.local
    
    TLS_CACERT /etc/ssl/certs/cacert.pem
    TLS_REQCERT demand
    
  3. Ensure it works:
    ldapsearch -x
    
  4. Have a look at the server log file; the communication must now go through port 636, and a "TLS established" line must precede the bind:
    ldap1 slapd[2462]: conn=1005 fd=15 ACCEPT from IP=192.168.10.8:38344 (IP=0.0.0.0:636)
    ldap1 slapd[2462]: conn=1005 fd=15 TLS established tls_ssf=128 ssf=128
    ldap1 slapd[2462]: conn=1005 op=0 BIND dn="" method=128
    ldap1 slapd[2462]: conn=1005 op=0 RESULT tag=97 err=0 text=
    ldap1 slapd[2462]: conn=1005 op=1 SRCH base="dc=dev,dc=local" scope=2 deref=0 filter="(objectClass=*)"
    ldap1 slapd[2462]: conn=1005 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
    ldap1 slapd[2462]: conn=1005 op=2 UNBIND
    ldap1 slapd[2462]: conn=1005 fd=15 closed
    
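The log check above can be automated. As an added example (not part of the original post), the following parses slapd connection lines in the format shown and flags the two things step 4 is meant to rule out: the plaintext port 389 being reached from a non-local host (which means the SLAPD_SERVICES restriction did not take effect) and a passworded simple bind (method=128 with a non-empty dn) sent before TLS was established. conn=1005 is the exchange from the post; conn=1006 and conn=1007 are constructed.

```python
# Added example, not part of the original post.  Audits slapd log lines in the
# format shown above; anything returned is a client still talking in the clear.
import re
from collections import defaultdict

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+ \(IP=\S+:(\d+)\)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=\d+ ssf=(\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
LOCAL = ("127.0.0.1", "::1")


def audit_slapd_log(lines):
    """Return a list of findings, one string per problem, ordered by conn id."""
    conns = defaultdict(lambda: {"ip": None, "port": None, "ssf": 0, "binds": []})
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conns[m[1]].update(ip=m[2], port=int(m[3]))
        elif m := TLS_RE.search(line):
            conns[m[1]]["ssf"] = int(m[2])   # security strength factor, 0 = no crypto
        elif m := BIND_RE.search(line):
            c = conns[m[1]]                   # remember whether TLS was up at bind time
            c["binds"].append((m[2], int(m[3]), c["ssf"] > 0))
    findings = []
    for cid in sorted(conns, key=int):
        c = conns[cid]
        if c["port"] == 389 and c["ip"] not in LOCAL:
            findings.append(f"conn={cid}: plaintext port 389 reached from {c['ip']}")
        for dn, method, tls in c["binds"]:
            if method == 128 and dn and not tls:   # 128 = simple bind with a password
                findings.append(f'conn={cid}: simple BIND as "{dn}" sent without TLS')
    return findings


# Constructed sample: conn=1005 is the real exchange from the post; 1006 (a client
# sending a password over plain ldap) and 1007 (an allowed local query) are made up.
SAMPLE_LOG = [
    "ldap1 slapd[2462]: conn=1005 fd=15 ACCEPT from IP=192.168.10.8:38344 (IP=0.0.0.0:636)",
    "ldap1 slapd[2462]: conn=1005 fd=15 TLS established tls_ssf=128 ssf=128",
    'ldap1 slapd[2462]: conn=1005 op=0 BIND dn="" method=128',
    "ldap1 slapd[2462]: conn=1005 op=0 RESULT tag=97 err=0 text=",
    "ldap1 slapd[2462]: conn=1006 fd=16 ACCEPT from IP=192.168.10.9:40112 (IP=0.0.0.0:389)",
    'ldap1 slapd[2462]: conn=1006 op=0 BIND dn="cn=admin,dc=dev,dc=local" method=128',
    "ldap1 slapd[2462]: conn=1006 op=0 RESULT tag=97 err=0 text=",
    "ldap1 slapd[2462]: conn=1007 fd=17 ACCEPT from IP=127.0.0.1:51000 (IP=127.0.0.1:389)",
    'ldap1 slapd[2462]: conn=1007 op=0 BIND dn="" method=128',
]
```

Feed `audit_slapd_log` the slapd lines from syslog; because TLS state is recorded at bind time, a STARTTLS session on 389 whose bind follows the "TLS established" line is reported as clean.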

10 comments:

  1. Hello Andriy,

    I have followed your previous posts "How to create Certificate Authority using OpenSSL" and "How to create Certificates using OpenSSL". Those posts are rather clear. Thanks for sharing the good job!

    But I have a problem. In step 2 of this post, it says to copy the key and certificate files. The problem is I do not have this key file. I have only newcert.pem and newreq.pem. I understand from the man page slapd-config that olcTLSCertificateKeyFile is about a private key. As far as I know the certificate has a public key but no private key to extract.

    Would you know why I don't have the key file? And probably more important, how to get this key file?

    Thanks,
    Bernard

  2. OK, I found why... In your post "How to create Certificates using OpenSSL", in "Certificate Request" -keyout and -out point to the same file. -keyout should be something like newreq.key.

    Thanks
    Bernard

  3. Thanks for sharing your knowledge and your time.
    Your article was very useful

  4. Really nice articles, but the command ldapmodify always gives me err=50 insufficient access...

    And I don't really understand why

    1. Mathias, the command that fails for you (ldapmodify) configures ldap to use TLS. That being said, the points to verify are:
      1. Ensure you are executing the command with the ldap administrative account.
      2. Are you able to execute any command against ldap? E.g. try enabling logging and see what is printed there (see logging in this post http://mindref.blogspot.com/2010/12/debian-openldap.html).
      3. Double check permissions (is the user running the slapd process able to access all three files?). Try splitting that single file (tls-config.ldif) into three smaller ones; that should point to the source of the issue.

    2. I'm using it as root, so there should be no problem, I guess. I tried to change the rights on that file but it didn't work. I managed to modify the config database by creating an admin account on it and using this command:
      ldapmodify -D "cn=admin,cn=config" -W -f File
      Everything goes sideways every time I try to use the -Y option...

    3. Found something: apparently using openssl on Debian can cause some issues with TLS; people should use certtool on this kind of distribution :(

  5. And don't forget to remove the password from the SSL key.

  6. Really useful howto.

    Thank you!,
    @sanacl

  7. You forgot the "S":

    LAPD_SERVICES="ldap://127.0.0.1:389/
