openldap + TLS/SSL

The lack of an officially signed certificate plus the chaotic information on the internet made me give up several times in my attempts to use openldap with TLS/SSL enabled.

After quite a long trial and error I came to these conclusions:

1.  openldap is quite restrictive when it comes to self-signed certificates;

2.  openldap is even more restrictive when it comes to the CN (common name) of a certificate.

But after some more tests I was able to use openldap with a self-signed certificate.


SETUP

ldapserver1:  (10.100.100.1)  ldap1

ldapserver2:  (10.100.100.2) ldap2

ldapconf: /etc/openldap/slapd.conf

no DNS

— creation of certificates

In order to keep things as simple as possible I'm using OpenVPN's easy-rsa.

1. generation of the CA (Certification Authority)

— uncompress easy-rsa

source ./vars

export KEY_COUNTRY="CZ"
export KEY_PROVINCE="S Moravia"
export KEY_CITY="Brno"
export KEY_ORG="_hidden_"
export KEY_EMAIL="administrator@example.com"
export KEY_CN=server
export KEY_NAME=server
export KEY_OU=server
export KEY_SIZE=2048

./build-ca

Country Name (2 letter code) [US]:CZ
State or Province Name (full name) [CA]:S Moravia
Locality Name (eg, city) [SanFrancisco]:Brno
Organization Name (eg, company) [Fort-Funston]:changeme
Organizational Unit Name (eg, section) [changeme]:UNIX
Common Name (eg, your name or your server's hostname) [changeme]:server
Name [changeme]:server
Email Address [mail@host.domain]:.

2.  generating and signing the certificates for both ldap servers

!! PAY ATTENTION: the name (CN) of the certificate MUST MATCH the name of the server !!

./build-key-server  ldap1

Country Name (2 letter code) [US]:CZ
State or Province Name (full name) [CA]:S Moravia
Locality Name (eg, city) [SanFrancisco]:Brno
Organization Name (eg, company) [Fort-Funston]:changeme
Organizational Unit Name (eg, section) [changeme]:it
Common Name (eg, your name or your server's hostname) [ldap]:ldap1
Name [changeme]:ldap1
Email Address [mail@host.domain]:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa-2.2.0_master/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CZ'
stateOrProvinceName :PRINTABLE:'S Moravia'
localityName :PRINTABLE:'Brno'
organizationName :PRINTABLE:'changeme'
organizationalUnitName:PRINTABLE:'it'
commonName :PRINTABLE:'ldap1'
name :PRINTABLE:'ldap1'
Certificate is to be certified until Apr 1 10:46:49 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

So, after doing the same for ldap2, in the end we will have these files: ca.crt, ca.key, ldap1.crt/ldap1.key, ldap2.crt/ldap2.key

3. create /etc/openldap/newcerts

— for ldap1

/etc/openldap/newcerts \
                       |_ca.crt
                       |_ldap1.pem (ldap1.crt renamed to ldap1.pem)
                       |_ldap1.key

3.1. changes to slapd.conf

…………….

TLSCACertificateFile  /etc/openldap/newcerts/ca.crt
TLSCertificateFile        /etc/openldap/newcerts/ldap1.pem
TLSCertificateKeyFile /etc/openldap/newcerts/ldap1.key

…………….

— for ldap2

/etc/openldap/newcerts \
                       |_ca.crt
                       |_ldap2.pem (ldap2.crt renamed to ldap2.pem)
                       |_ldap2.key

3.2. changes to slapd.conf

…………….

TLSCACertificateFile  /etc/openldap/newcerts/ca.crt
TLSCertificateFile        /etc/openldap/newcerts/ldap2.pem
TLSCertificateKeyFile /etc/openldap/newcerts/ldap2.key

…………….

3.3. — this step is only for testing (on the server side)

-- exec  cacertdir_rehash  /etc/openldap/newcerts
/etc/openldap/newcerts \
                       |_ca.crt
                       |_ldap1.pem
                       |_ldap1.key
                       |_53312323.0-> ca.crt
                       |_78952232.0-> ldap1.pem

-- edit /etc/openldap/ldap.conf (add URI, BASE and TLS_CACERTDIR)
-- restart the slapd daemon
-- exec ldapsearch -Z -x (should return the result without any errors)
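To check the two things this post insists on, the certificate CN matching the server name (step 2) and slapd.conf pointing at a usable CA file, certificate and key (step 3), here is an added example script. It is not from the original post and not part of OpenLDAP or easy-rsa; it uses plain openssl instead of easy-rsa to build a throwaway CA and server certificate, and the checks it runs are the ones slapd and ldapsearch would fail on. The helper names make_certs, cert_cn, check_server_cert and check_slapd_tls are hypothetical; the subject fields are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the post, not part of OpenLDAP or easy-rsa):
# build a throwaway CA + server certificate with plain openssl, then check
# what slapd/ldapsearch will check. All helper names are hypothetical.
set -u

# make_certs DIR HOST CN : writes DIR/ca.crt, DIR/HOST.pem, DIR/HOST.key.
# HOST (file name) and CN (certificate subject) are separate on purpose,
# so the post's "CN must match server name" failure can be reproduced.
make_certs() {
    dir=$1; host=$2; cn=$3
    mkdir -p "$dir"
    # self-signed CA, same subject fields and 10-year lifetime as in the post
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CZ/ST=S Moravia/L=Brno/O=changeme/OU=UNIX/CN=server" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # server key and CSR carrying the CN under test
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=CZ/ST=S Moravia/L=Brno/O=changeme/OU=it/CN=$cn" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1 || return 1
    # sign with the CA; a subjectAltName is added because newer clients
    # check it rather than the CN
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/$host.ext"
    openssl x509 -req -days 3650 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/ca.key" "$dir/$host.key"
}

# cert_cn FILE : print the subject CN of a PEM certificate
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_server_cert CA CRT HOST : 0 if CRT chains to CA and its CN is HOST,
# 1 on a chain failure, 2 on a CN mismatch
check_server_cert() {
    ca=$1; crt=$2; host=$3
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "$crt does not verify against $ca" >&2; return 1; }
    cn=$(cert_cn "$crt")
    [ "$cn" = "$host" ] || {
        echo "CN '$cn' does not match server name '$host'" >&2; return 2; }
}

# check_slapd_tls CONF HOST : audit the TLS* directives of a slapd.conf:
# the three files exist and are readable (1 otherwise), the key is readable
# by its owner only (3 otherwise), key and certificate belong together
# (4 otherwise), and the certificate passes check_server_cert
check_slapd_tls() {
    conf=$1; host=$2
    ca=$(awk  '$1 == "TLSCACertificateFile"  { print $2; exit }' "$conf")
    crt=$(awk '$1 == "TLSCertificateFile"    { print $2; exit }' "$conf")
    key=$(awk '$1 == "TLSCertificateKeyFile" { print $2; exit }' "$conf")
    for f in "$ca" "$crt" "$key"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "missing TLS file: '$f'" >&2; return 1; }
    done
    # slapd reads the key as root at startup; nobody else needs it
    if [ -n "$(find "$key" \( -perm -g+r -o -perm -o+r \))" ]; then
        echo "$key is readable by group/other" >&2; return 3
    fi
    # the private key must belong to the certificate (same public key)
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key")" ] \
        || { echo "$crt and $key do not belong together" >&2; return 4; }
    check_server_cert "$ca" "$crt" "$host"
}

# usage on a real server: check_slapd_tls /etc/openldap/slapd.conf "$(hostname)"
```

Running check_slapd_tls against the slapd.conf from step 3.1 with the server's own name reproduces, in advance and with a readable message, the failures that otherwise only show up as a TLS handshake error in ldapsearch -Z: a certificate issued for "ldap" on a server called "ldap1" fails the CN check, a certificate from a different CA fails the chain check, and a key that is group- or world-readable is flagged before slapd ever loads it.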

4. changes on the client side

edit these 3 files:

/etc/pam_ldap.conf; /etc/nslcd.conf; /etc/openldap/ldap.conf

— nslcd.conf

ssl on
tls_cacertfile   /etc/openldap/certs/ca.crt
tls_reqcert      hard

— pam_ldap.conf

ssl on
tls_cacert       /etc/openldap/certs/ca.crt

— ldap.conf

tls_cacert       /etc/openldap/certs/ca.crt
tls_reqcert      hard
