< Previous | Contents | Next >
1.8. TLS
When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS).
Here, we will be our own Certificate Authority and then create and sign our LDAP server certificate as that CA. Since slapd is compiled using the gnutls library, we will use the certtool utility to complete these tasks.
1. Install the gnutls-bin and ssl-cert packages:
sudo apt install gnutls-bin ssl-cert
2. Create a private key for the Certificate Authority:
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
3. Create the template/file /etc/ssl/ca.info to define the CA:
cn = Example Company ca
cert_signing_key
4. Create the self-signed CA certificate:
sudo certtool --generate-self-signed
--load-privkey /etc/ssl/private/cakey.pem
--template /etc/ssl/ca.info
--outfile /etc/ssl/certs/cacert.pem
5. Make a private key for the server:
4 http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html
sudo certtool --generate-privkey
--bits 1024
--outfile /etc/ssl/private/ldap01_slapd_key.pem
Replace ldap01 in the filename with your server's hostname. Naming the certificate and key for the host and service that will be using them will help keep things clear.
6. Create the /etc/ssl/ldap01.info info file containing:
organization = Example Company cn = ldap01.example.com tls_www_server
encryption_key signing_key expiration_days = 3650
The above certificate is good for 10 years. Adjust accordingly.
7. Create the server's certificate:
sudo certtool --generate-certificate
--load-privkey /etc/ssl/private/ldap01_slapd_key.pem
--load-ca-certificate /etc/ssl/certs/cacert.pem
--load-ca-privkey /etc/ssl/private/cakey.pem
--template /etc/ssl/ldap01.info
--outfile /etc/ssl/certs/ldap01_slapd_cert.pem
8. Adjust permissions and ownership:
sudo chgrp openldap /etc/ssl/private/ldap01_slapd_key.pem sudo chmod 0640 /etc/ssl/private/ldap01_slapd_key.pem sudo gpasswd -a openldap ssl-cert
9. Now restart slapd, since we added the 'openldap' user to the 'ssl-cert' group:
sudo systemctl restart slapd.service
Your server is now ready to accept the new TLS configuration.
Create the file certinfo.ldif with the following contents (adjust accordingly, our example assumes we created certs using https://www.cacert.org):
dn: cn=config
add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
Contratry to popular belief, you do not need ldaps:// in /etc/default/slapd in order to use encryption. You should have just:
SLAPD_SERVICES="ldap:/// ldapi:///"
LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636.