The following steps outline how to create a self-signed SSL certificate and use it to secure an OpenLDAP installation. The OpenLDAP server is configured to accept only SSL connections (ldaps on TCP port 636; plain ldap on port 389 is not served), so clients cannot fall back to cleartext.
Run the following from the command line:
sudo apt-get install slapd db4.2-util
Enter your password for the admin entry in the LDAP directory when prompted.
You will be asked a number of questions to create your self-signed certificate. When asked for the Common Name be sure to set it to the fully qualified domain name you will be using for your OpenLDAP SSL secured server.
sudo mkdir /etc/ldap/ssl
cd /etc/ldap/ssl
sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
Enter the appropriate information when prompted. The Common Name (eg, YOUR name) []: entry must be set to your LDAP server's fully qualified name (e.g. bux.somedomain.com); clients compare it against the host name they connect to. The other fields can be left at their defaults (just press Enter when prompted). Two caveats: -nodes writes the private key unencrypted, and the command above stores key and certificate in the same file, so restrict that file so only root and the account slapd runs as (openldap on Debian and Ubuntu) can read it. The 1024-bit RSA key used in this example is no longer considered adequate; on a current system use rsa:2048 or larger. Here is an example of the output:
Generating a 1024 bit RSA private key
...................................................++++++
.....................................................................++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:YOUR_LDAP_SERVER
Email Address []:
The configuration file is located at /etc/ldap/slapd.conf (if your installation uses cn=config instead, see the first comment below). Edit the file to look like:
#######################################################################
# SSL:
# Uncomment the following lines to enable SSL and use the default
# snakeoil certificates.
#TLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#TLSCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
SSLv2 is insecure and is not recommended; only if you really need it (i.e. for compatibility with old clients) change -SSLv2 to +SSLv2. If your OpenSSL build rejects the cipher string (the "could not set cipher list" error reported in the comments below), drop the SSLv2 keyword entirely and use HIGH:MEDIUM.
The start parameters are in /etc/default/slapd. Edit the file to look like:
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldaps://YOUR_LDAP_SERVER/"
Make sure YOUR_LDAP_SERVER does not resolve to 127.0.0.1 (check /etc/hosts): slapd binds only the address the name resolves to, so if it resolves to the loopback address only local clients will be able to connect, and you will not find out until remote clients start failing.
sudo /etc/init.d/slapd restart
Your command line should output:
Stopping OpenLDAP: slapd.
Starting OpenLDAP: running BDB recovery, slapd.
openssl s_client -connect YOUR_LDAP_SERVER:636 -showcerts
Look for the following line in the output; it indicates that the TLS handshake completed and the server presented its certificate:
Verify return code: 18 (self signed certificate)
Return code 18 only means that the certificate could not be chained to a trusted CA, which is expected for a self-signed certificate. To confirm that the server is presenting the certificate you generated, repeat the command with -CAfile /etc/ldap/ssl/server.pem; it should then report Verify return code: 0 (ok).
Set your local machine to allow your self-signed certificate by editing /etc/ldap/ldap.conf to look like:
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=YOURDOMAIN, dc=COM
URI ldaps://YOUR_LDAP_SERVER/
TLS_REQCERT allow
With allow, if no certificate is provided the session proceeds normally, and if a bad certificate is provided it is ignored and the session proceeds normally. In other words the client never authenticates the server: anyone who can intercept the connection and present any certificate (or none) is accepted, so this setting protects only against passive eavesdropping. For anything beyond a test setup, copy server.pem to the client, point TLS_CACERT at it and set TLS_REQCERT demand, so the client refuses any certificate that is not the one you generated.
Test your local LDAP lookups:
ldapsearch -x
You should see:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
The result: 32 No such object is expected here, because the BASE in ldap.conf is a placeholder that does not exist in the directory yet. What matters is that ldapsearch reached the server over ldaps without a "Can't contact LDAP server" error. That is it. You now have a secure OpenLDAP server using SSL and a self-signed certificate.
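The procedure above, collected into a script as an added example (this is not code from the original page). It differs from the page in three assumptions, all of them deliberate: the key and certificate go to separate files (server.key, server.crt) so the key can be locked down on its own, the key size is 2048 bits, and the client ldap.conf it writes uses TLS_CACERT plus TLS_REQCERT demand rather than TLS_REQCERT allow. The host name ldap.example.com and base dc=example,dc=com are placeholders; the checks call the openssl command-line tool, which the page already relies on.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumptions: separate key and
# certificate files, 2048-bit RSA, client config with TLS_REQCERT demand.
set -eu

# gen_cert DIR FQDN: write DIR/server.key and DIR/server.crt without prompts.
# CN must be the fully qualified name clients will connect to (as the page says).
gen_cert() {
    dir=$1 fqdn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$fqdn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 640 "$dir/server.key"   # -nodes leaves the key unencrypted: lock it down
    chmod 644 "$dir/server.crt"   # the certificate is public
}

# cert_cn CERT: print the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_self_signed CERT: succeed iff CERT verifies against itself as the CA,
# the same "Verify return code: 0 (ok)" that -CAfile gives openssl s_client.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_cert CERT FQDN: 0 if the CN matches FQDN and the signature checks out.
check_cert() {
    [ "$(cert_cn "$1")" = "$2" ] && verify_self_signed "$1"
}

# write_client_conf FILE BASE FQDN CERT: client ldap.conf that demands a server
# certificate signed by CERT (our self-signed certificate acts as its own CA).
write_client_conf() {
    cat > "$1" <<EOF
# Generated by the added example; TLS_REQCERT demand instead of allow.
BASE $2
URI ldaps://$3/
TLS_CACERT $4
TLS_REQCERT demand
EOF
}

# server_check FQDN CERT: live check against a running slapd (needs the server).
server_check() {
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage on the server (placeholder names are assumptions):
#   gen_cert /etc/ldap/ssl ldap.example.com
#   check_cert /etc/ldap/ssl/server.crt ldap.example.com && echo "cert ok"
#   chown root:openldap /etc/ldap/ssl/server.key   # the user slapd runs as on Debian/Ubuntu
#   write_client_conf /etc/ldap/ldap.conf "dc=example,dc=com" ldap.example.com /etc/ldap/ssl/server.crt
#   server_check ldap.example.com /etc/ldap/ssl/server.crt && echo "server ok"
```

With separate files, the slapd.conf lines become TLSCACertificateFile and TLSCertificateFile pointing at server.crt and TLSCertificateKeyFile pointing at server.key; the cn=config attributes in the first comment below change the same way. server_check is the -CAfile form of the s_client test described above: it succeeds only when the running server presents exactly the certificate you generated, which is the check TLS_REQCERT allow skips.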
Comments
Use cn=config
When slapd uses cn=config instead of slapd.conf, slapd.conf is not read at all. The TLS attributes need to be added to cn=config instead.
(1) Create an LDIF file, such as ssl.ldif, with the content below:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.pem
(2) Run ldapmodify to add the attributes:
ldapmodify -x -D cn=admin,cn=config -W -f ssl.ldif
Enter your password to continue. If ldapmodify executed successfully, then restart the LDAP server. SSL should now be configured.
Thanks
awesome... worked a treat!
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
For some reason, I can't seem to connect via ldaps. I get the above error message when I run "ldapsearch -x"
I can connect via regular ldap. I have my local firewall temporarily disabled. Any ideas?
Hi! I had the same
Hi! I had the same error.
Finally I found where it was: I missed the `s` in ldapS in "URI ldaps://YOUR_LDAP_SERVER/".
Maybe this could be your solution ;)
ldap_start_tls: Protocol error (2)
I followed these instructions to configure my LDAP server with TLS/SSL security, and when I search for one entry I receive this:
root@equipo:/home/alumno# ldapsearch -b "dc=equipo" -D "cn=admin,dc=equipo" -x -w alumno "o=*" -h localhost -Z
ldap_start_tls: Protocol error (2)
# extended LDIF
#
# LDAPv3
# base <dc=equipo> with scope subtree
# filter: o=*
# requesting: ALL
#
# equipo
dn: dc=equipo
objectClass: top
objectClass: dcObject
objectClass: organization
o: equipo
dc: equipo
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
Why do I receive ldap_start_tls: Protocol error (2)?
The LDAP server doesn't work in secure mode, but I followed all the steps.
Please help!
TLS: could not set cipher list HIGH:MEDIUM:+SSLv2
LDAP didn't startup after I added the SSL options. This is the error message: TLS: could not set cipher list HIGH:MEDIUM:+SSLv2.
I tried commenting out the line: HIGH:MEDIUM:+SSLv2, but that caused this error: main: TLS init def ctx failed: -34.
Your help is much appreciated.
Best Regards,
Arun
Please read
Please read http://wiki.debian.org/LDAP/OpenLDAPSetup. I had the same problem and solved it following the "Configuring LDAPS" steps described here.
Thank you, I should have known
Thank you, I should have known that.
Worked perfectly (the solution is below on the wiki). Thanks.
re: TLS: could not set cipher list HIGH:MEDIUM:+SSLv2
Try this, Arun: check the following files and ensure that slapd has access to them:
1) CA certificate
2) slapd's private key
3) slapd's certificate
Source: http://www.mail-archive.com/openldap-software@openldap.org/msg14571.html