LDAP and Transport Layer Security (TLS)¶
When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS).
Here, we will act as our Certificate Authority (CA) and create and sign the LDAP server certificate as that CA. This guide will use the certtool utility to complete these tasks. For simplicity, this is being done on the OpenLDAP server itself, but your real internal CA should be elsewhere.
Note
For general information on managing certificates in Ubuntu, see About certificates. For installing a custom root CA, see Install a root CA certificate in the trust store.
Install the gnutls-bin and ssl-cert packages:
$ Create a private key for the Certificate Authority:
$ Create the template/file /etc/ssl/ca.info to define the CA:
cn = Example Company
ca
cert_signing_key
expiration_days = 3650
Create the self-signed CA certificate:
$ Note
The --outfile path is correct. We are writing the CA certificate to /usr/local/share/ca-certificates. This is where update-ca-certificates picks up trusted local CAs from. To selectively enable CAs from /usr/share/ca-certificates, you can run dpkg-reconfigure ca-certificates.
Run update-ca-certificates to add the new CA certificate to the list of trusted CAs. Note the one added CA:
$ Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
This also creates a /etc/ssl/certs/mycacert.pem symlink pointing to the real file in /usr/local/share/ca-certificates.
Make a private key for the server:
$ Note
Replace ldap01 in the filename with your server’s hostname. Naming the certificate and key for the host and service that will be using them will help keep things clear.
Create the /etc/ssl/ldap01.info info file containing:
organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 365
The above certificate is good for 1 year, and it’s valid only for the ldap01.example.com hostname. You can adjust this according to your needs.
Create the server’s certificate:
$ Adjust permissions and ownership:
$ $ Your server is now ready to accept the new TLS configuration.
Create the file certinfo.ldif with the following contents (adjust paths and filenames accordingly):
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ldap01_slapd_key.pem
Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database:
$ If you need access to LDAPS (LDAP over SSL), then you need to edit /etc/default/slapd and include ldaps:/// in SLAPD_SERVICES like below:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
And restart slapd with:
$ Note that StartTLS will be available without the change above, and does NOT need a slapd restart.
Test StartTLS:
$ anonymous
Test LDAPS:
$ anonymous
Certificate for an OpenLDAP replica
To generate a certificate pair for an OpenLDAP replica (consumer), create a holding directory (which will be used for the eventual transfer) and run the following:
$ Create an info file, ldap02.info, for the Consumer server, adjusting its values according to your requirements:
organization = Example Company
cn = ldap02.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 365
Create the Consumer’s certificate:
$ Note
We had to use sudo to get access to the CA’s private key. This means the generated certificate file is owned by root. You should change that ownership back to your regular user before copying these files over to the Consumer.
Get a copy of the CA certificate:
$ We’re done. Now transfer the ldap02-ssl directory to the Consumer. Here we use scp (adjust accordingly):
$ On the Consumer side, install the certificate files you just transferred:
$ Create the file certinfo.ldif with the following contents (adjust accordingly regarding paths and filenames, if needed):
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ldap02_slapd_key.pem
Configure the slapd-config database:
$ Like before, if you want to enable LDAPS, edit /etc/default/slapd and add ldaps:/// to SLAPD_SERVICES, and then restart slapd.
Test StartTLS:
$ anonymous
Test LDAPS:
$ anonymous