Free Hosting Online for WorkStations

< Previous | Contents | Next >

1.9. Replication and TLS


If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent evesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that TLS-authentication work.


The assumption here is that you have set up replication between Provider and Consumer according to Section 1.6, “Replication” [p. 123] and have configured TLS for authentication on the Provider by following Section 1.8, “TLS” [p. 129].


As previously stated, the objective (for us) with replication is high availablity for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary material over to the Consumer.

1. On the Provider,


Create a holding directory (which will be used for the eventual transfer) and then the Consumer's private key:


mkdir ldap02-ssl cd ldap02-ssl

sudo certtool --generate-privkey

--bits 1024

--outfile ldap02_slapd_key.pem


Create an info file, ldap02.info, for the Consumer server, adjusting its values accordingly:


organization = Example Company cn = ldap02.example.com



tls_www_server encryption_key signing_key expiration_days = 3650


Create the Consumer's certificate:


sudo certtool --generate-certificate

--load-privkey ldap02_slapd_key.pem

--load-ca-certificate /etc/ssl/certs/cacert.pem

--load-ca-privkey /etc/ssl/private/cakey.pem

--template ldap02.info

--outfile ldap02_slapd_cert.pem


Get a copy of the CA certificate:


cp /etc/ssl/certs/cacert.pem .


We're done. Now transfer the ldap02-ssl directory to the Consumer. Here we use scp (adjust accordingly):


cd ..

scp -r ldap02-ssl user@consumer:


2. On the Consumer,


Configure TLS authentication:


sudo apt install ssl-cert

sudo gpasswd -a openldap ssl-cert

sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs sudo cp ldap02_slapd_key.pem /etc/ssl/private

sudo chgrp openldap /etc/ssl/private/ldap02_slapd_key.pem sudo chmod 0640 /etc/ssl/private/ldap02_slapd_key.pem sudo systemctl restart slapd.service


Create the file /etc/ssl/certinfo.ldif with the following contents (adjust accordingly):


dn: cn=config

add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem

-

add: olcTLSCertificateFile

olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem

-

add: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem


Configure the slapd-config database:



sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif


Configure /etc/default/slapd as on the Provider (SLAPD_SERVICES).

3. On the Consumer,


Configure TLS for Consumer-side replication. Modify the existing olcSyncrepl attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute's value(s).


Create the file consumer_sync_tls.ldif with the following contents:


dn: olcDatabase={1}mdb,cn=config replace: olcSyncRepl

olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=critical tls_reqcert=demand


The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider's identity. Also note the LDIF syntax for changing the values of an attribute ('replace').


Implement these changes:


sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif


And restart slapd:


sudo systemctl restart slapd.service


4. On the Provider,


Check to see that a TLS session has been established. In /var/log/syslog, providing you have 'conns'- level logging set up, you should see messages similar to:


slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389) slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037

slapd[3620]: conn=1047 op=0 STARTTLS

slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=

slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128 slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128

slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0 slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text


Top OS Cloud Computing at OnWorks: