The following steps outline how to create a self-signed SSL certificate and use it to secure an OpenLDAP LDAP installation. The OpenLDAP server is configured to allow only SSL connections for increased security.
Run the following from the command line:
sudo apt-get install slapd db4.2-util
Enter your password for the admin entry in the LDAP directory when prompted.
You will be asked a number of questions to create your self-signed certificate. When asked for the Common Name be sure to set it to the fully qualified domain name you will be using for your OpenLDAP SSL secured server.
sudo mkdir /etc/ldap/ssl
cd /etc/ldap/ssl
sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
Enter the appropriate information when prompted. The Common Name (eg, YOUR name) []: entry must be set to your LDAP server name (e.g. bux.somedomain.com).
The other lines can be left at their default settings (just press Enter when prompted). Here is an example of the output:
Generating a 1024 bit RSA private key
...................................................++++++
.....................................................................++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:YOUR_LDAP_SERVER
Email Address []:
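The openssl command above writes both the private key and the certificate into the single file server.pem, which slapd.conf later references for all three TLS directives. The Python below is an added example (not part of this how-to) that checks such a file: that it holds both a PRIVATE KEY and a CERTIFICATE block, and that its permission bits do not leave the private key readable or writable by every local user, which is what a default umask gives a file created with sudo. Group read is tolerated on the assumption that slapd runs as a non-root user in a dedicated group (openldap on Debian-derived systems, in which case root:openldap 0640 is the target); the PEM body it tests against is a constructed dummy, not a real key or certificate.

```python
"""Sanity-check the combined key+certificate file (server.pem) produced by
'openssl req -x509 -nodes -keyout server.pem -out server.pem'.
Added example for this how-to; standard library only."""
import os
import re
import stat
import tempfile

# A PEM file is a sequence of "-----BEGIN X-----" ... "-----END X-----" blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)

# Constructed stand-in for server.pem: key block first, then certificate.
# The base64 bodies are dummies, not a real key or certificate.
SAMPLE_SERVER_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIICXAIBAAKBgQDdummyKEYdummyKEYdummyKEYdummyKEY=\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIICdummyCERTdummyCERTdummyCERTdummyCERTdummy=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_block_types(text):
    """Return the labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def content_problems(text):
    """Problems with the file contents: both blocks slapd needs must be present."""
    types = pem_block_types(text)
    problems = []
    if not any(t.endswith("PRIVATE KEY") for t in types):
        problems.append("no PRIVATE KEY block: unusable as TLSCertificateKeyFile")
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block: unusable as TLSCertificateFile")
    return problems


def mode_problems(mode):
    """Problems with the permission bits of a file that contains a private key.
    'other' must have no access; nobody but the owner may write.  Group read
    is allowed so a non-root slapd in its own group can open the file
    (assumption: root:openldap 0640 on Debian-derived systems)."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append(f"mode {mode:04o} is world-readable: the private key is exposed to every local user")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"mode {mode:04o} is writable by group or other: key or certificate could be replaced")
    return problems


def check_server_pem(path):
    """Return all problems with the file at path; an empty list means it looks right."""
    with open(path) as f:
        problems = content_problems(f.read())
    problems += mode_problems(stat.S_IMODE(os.stat(path).st_mode))
    return problems


def demo():
    """Write the constructed sample with the 0644 mode a default umask gives,
    check it, tighten to 0640, check again.  Returns (before, after)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_SERVER_PEM)
        os.chmod(path, 0o644)
        before = check_server_pem(path)
        os.chmod(path, 0o640)
        after = check_server_pem(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("as created (0644):", before or "ok")
    print("after chmod 0640: ", after or "ok")
```

Run it against the real file with `check_server_pem("/etc/ldap/ssl/server.pem")` after the openssl step; if it reports the file as world-readable, tighten the mode and give the group slapd runs under read access rather than leaving the key readable by everyone.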
The configuration file is located at /etc/ldap/slapd.conf. Edit the file to look like:
#######################################################################
# SSL:
# Uncomment the following lines to enable SSL and use the default
# snakeoil certificates.
#TLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#TLSCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
SSLv2 is not recommended for use; however, if you really need it (e.g. for compatibility with old clients), change -SSLv2 to +SSLv2.
The start-up parameters are in the /etc/default/slapd configuration file.
Edit the file to look like:
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldaps://YOUR_LDAP_SERVER/"
Watch out for YOUR_LDAP_SERVER resolving to 127.0.0.1 (for example through an /etc/hosts entry): slapd would then listen only on the loopback interface and other machines could not connect.
Restart slapd so that it picks up the new settings:
sudo /etc/init.d/slapd restart
Your command line should output:
Stopping OpenLDAP: slapd.
Starting OpenLDAP: running BDB recovery, slapd.
Test the SSL connection from a client with openssl:
openssl s_client -connect YOUR_LDAP_SERVER:636 -showcerts
Look for the following to indicate a successful connection:
Verify return code: 18 (self signed certificate)
Set your local machine to allow your self-signed certificate by editing /etc/ldap/ldap.conf to look like:
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=YOURDOMAIN, dc=COM
URI ldaps://YOUR_LDAP_SERVER/
TLS_REQCERT allow
With TLS_REQCERT allow, if the server provides no certificate the session proceeds normally, and if it provides a bad certificate the certificate is ignored and the session still proceeds normally.
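The three fragments edited above (slapd.conf, /etc/default/slapd and ldap.conf) each carry one setting that decides whether the server really is SSL-only and whether the client checks the certificate it is shown. The Python below is an added example, not part of this how-to: it parses constructed copies of the three fragments and reports a plaintext ldap:// listener (which an SSL-only server must not have), a cipher suite that re-enables SSLv2, a listener bound to 127.0.0.1, and a TLS_REQCERT of allow or never, under which the client never rejects a certificate and so cannot tell this server from any other ldaps server. The TLS_CACERT directive it mentions in that finding is a standard ldap.conf(5) option, not a setting the page uses.

```python
"""Audit the slapd.conf, /etc/default/slapd and ldap.conf fragments from this
how-to for the settings that make the directory SSL-only and that control
client-side certificate checking.  Added example; standard library only."""
import shlex

# Constructed copies of the fragments shown on this page.
SLAPD_CONF = """\
# SSL:
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
"""

DEFAULT_SLAPD = """\
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldaps://YOUR_LDAP_SERVER/"
"""

LDAP_CONF = """\
BASE dc=YOURDOMAIN, dc=COM
URI ldaps://YOUR_LDAP_SERVER/
TLS_REQCERT allow
"""


def parse_directives(text):
    """Parse 'Keyword value' lines as used by slapd.conf and ldap.conf.
    Comments and blank lines are skipped; keywords are case-insensitive and
    returned lower-cased; a repeated keyword keeps its last value."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def parse_slapd_services(text):
    """Return the listener URLs from SLAPD_SERVICES= in /etc/default/slapd.
    The file is shell syntax, so the value is unquoted with shlex."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.startswith("SLAPD_SERVICES="):
            continue
        return " ".join(shlex.split(line.partition("=")[2])).split()
    return []


def audit_slapd_conf(text):
    d = parse_directives(text)
    findings = []
    for key in ("tlscertificatefile", "tlscertificatekeyfile"):
        if key not in d:
            findings.append(f"{key} missing: slapd cannot accept ldaps:// connections")
    tokens = d.get("tlsciphersuite", "").split(":")
    if "+SSLv2" in tokens or "SSLv2" in tokens:
        findings.append("TLSCipherSuite enables SSLv2")
    elif "-SSLv2" not in tokens and "!SSLv2" not in tokens:
        findings.append("TLSCipherSuite missing or does not exclude SSLv2")
    return findings


def audit_slapd_services(text):
    urls = parse_slapd_services(text)
    findings = []
    if not urls:
        findings.append("SLAPD_SERVICES unset: slapd falls back to plain ldap:/// on port 389")
    for url in urls:
        scheme = url.partition("://")[0].lower()
        if scheme == "ldap":
            findings.append(f"{url}: plaintext listener; remove it for an SSL-only server")
        elif scheme not in ("ldaps", "ldapi"):
            findings.append(f"{url}: unrecognised listener scheme")
        if "://127.0.0.1" in url or "://localhost" in url:
            findings.append(f"{url}: bound to loopback only; remote clients cannot connect")
    return findings


def audit_ldap_conf(text):
    d = parse_directives(text)
    findings = []
    for url in d.get("uri", "").split():
        if url.lower().startswith("ldap://"):
            findings.append(f"URI {url}: plaintext LDAP, which the SSL-only server does not serve")
    reqcert = d.get("tls_reqcert", "demand").lower()  # ldap.conf(5): default is demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is never rejected, so the "
                        "session is encrypted but the server is not authenticated; point TLS_CACERT "
                        "at server.pem and use TLS_REQCERT demand to trust only this certificate")
    elif reqcert == "demand" and "tls_cacert" not in d and "tls_cacertdir" not in d:
        findings.append("TLS_REQCERT demand without TLS_CACERT: the self-signed server.pem is "
                        "rejected unless it has been installed in the system CA store")
    return findings


def audit_all(slapd_conf=SLAPD_CONF, default_slapd=DEFAULT_SLAPD, ldap_conf=LDAP_CONF):
    """Run all three audits; each value is a list of findings (empty == ok)."""
    return {
        "slapd.conf": audit_slapd_conf(slapd_conf),
        "/etc/default/slapd": audit_slapd_services(default_slapd),
        "ldap.conf": audit_ldap_conf(ldap_conf),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```

On the page's own fragments the server side comes back clean and the only finding is on ldap.conf: with TLS_REQCERT allow the client connection is encrypted but not authenticated. Feeding the functions the contents of the real files instead of the constructed copies gives the same report for an actual installation.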
Test your local LDAP lookups:
ldapsearch -x
You should see:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
That is it. You now have a secure OpenLDAP server using SSL and a self-signed certificate.