In our previous articles, we discussed the installation of OpenLDAP Server on Ubuntu and how to set up an OpenLDAP client on Ubuntu. This short tutorial covers securing the LDAP server with an SSL/TLS certificate and key, so that directory traffic (including bind passwords) is no longer sent in cleartext. You have two options for obtaining the certificate used to secure the LDAP server:
- Using Self Signed SSL Certificate
- Purchasing SSL certificates from trusted CA
This guide explains the use of self-signed certificates. So let’s get started.
Step 1: Generate self-signed SSL certificates
Login to your LDAP server and generate SSL certificates to be used.
$ mkdir ~/ldap_ssl && cd ~/ldap_ssl
$ openssl genrsa -aes128 -out ldap_server.key 4096
Generating RSA private key, 4096 bit long modulus
…………………………………………………………………………………..++
………………………………….++
e is 65537 (0x010001)
Enter pass phrase for ldap_server.key: <Set passphrase>
Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>
Remove the passphrase from the generated private key. slapd loads the key at start-up and cannot answer a passphrase prompt, so the key must be stored unencrypted and protected by file permissions instead:
$ openssl rsa -in ldap_server.key -out ldap_server.key
Enter pass phrase for ldap_server.key: <Enter passphrase>
writing RSA key
Generate a CSR. The validity period is set when the certificate is signed in the next step, not here (`-days` is only honoured by `openssl req` together with `-x509`):
$ openssl req -new -key ldap_server.key -out ldap_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Computingforgeeks
Organizational Unit Name (eg, section) []:Computingforgeeks
Common Name (e.g. server FQDN or YOUR name) []:ldap.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Then sign your certificate with the same key. No root privileges are needed, since everything is still in your working directory. Note that this produces a certificate with the host name only in the CN; modern TLS clients match the host name against a subjectAltName extension, so for anything beyond a lab setup add one via an OpenSSL config file.
$ openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650
Signature ok
subject=C = KE, ST = Nairobi, L = Nairobi, O = Computingforgeeks, OU = Computingforgeeks, CN = ldap.example.com, emailAddress = [email protected]
Getting Private key
Step 2: Configure SSL on LDAP Server
Copy the certificate and key to the /etc/ldap/sasl2/ directory.
sudo cp {ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/
Set ownership of the certificates to the openldap user, and make sure the unencrypted private key is readable by that user only (mode 0600).
sudo chown -R openldap. /etc/ldap/sasl2
Configure the LDAP server to use the SSL certificates. Create an LDIF file for the TLS settings. The three attributes must be applied in a single ldapmodify operation, because slapd validates that the certificate and key match when the change is committed. The CA file below is the system bundle as copied above; since a self-signed certificate is not in that bundle, pointing olcTLSCACertificateFile at ldap_server.crt itself instead gives server and clients one shared trust anchor.
$ vim ldap_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key
Apply configuration using the following command.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Restart the LDAP server so the new TLS settings take effect. This enables StartTLS on the existing ldap:// port (389); if you also want ldaps:// on port 636, add `ldaps:///` to SLAPD_SERVICES in /etc/default/slapd before restarting.
sudo systemctl restart slapd
Step 3: Configure LDAP Client for TLS/SSL Connection
Configure the LDAP client to ensure the connection between client and server is encrypted. Add a TLS_REQCERT line to /etc/ldap/ldap.conf (append with `tee -a`; a plain `tee` would overwrite the file and discard any existing BASE/URI settings).
echo "TLS_REQCERT allow" | sudo tee -a /etc/ldap/ldap.conf
Be aware of what `allow` means: the client requests the server certificate but proceeds even if it cannot be verified, so an attacker in the path could present their own certificate. Once you have copied ldap_server.crt to the client, point TLS_CACERT at it and use `TLS_REQCERT demand` so the connection is refused when the certificate does not verify.
Now configure the SSL mechanism used by the NSS/PAM LDAP client by editing /etc/ldap.conf (the libnss-ldap/libpam-ldap file, not /etc/ldap/ldap.conf). Uncomment one of the two lines below: `ssl start_tls` upgrades the plain ldap:// connection on port 389 with StartTLS, while `ssl on` connects over ldaps:// on port 636 and requires ldaps:/// to be enabled in SLAPD_SERVICES on the server.
$ sudo vim /etc/ldap.conf
# Line 259 - OpenLDAP SSL mechanism
ssl start_tls
ssl on
You now have an encrypted connection between the LDAP client and server. Confirm it before relying on it: `ldapsearch -x -ZZ -H ldap://ldap.example.com -b "" -s base` fails unless StartTLS succeeds, and `openssl s_client -connect ldap.example.com:389 -starttls ldap` shows the certificate the server actually presents.
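The three steps above, gathered into one script as an added example (this is editor-supplied code, not part of the original tutorial or of OpenLDAP). It goes beyond the text in three ways a practitioner would want: the self-signed certificate carries a subjectAltName, the key is created with mode 0600, and the client configuration pins the server certificate and uses `TLS_REQCERT demand` rather than `allow`. The host name ldap.example.com, the directories and the file names are assumptions; the `verify_starttls` function needs a reachable slapd and is not exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: the same procedure as shell
# functions, with a subjectAltName on the self-signed certificate, a 0600 key,
# a cn=config LDIF that uses the self-signed cert as its own trust anchor, and
# a client ldap.conf that verifies the server (TLS_REQCERT demand) instead of
# "allow". Host name, directories and file names are assumptions.
set -eu

# OpenSSL request config: a CN alone is not enough for modern clients, which
# match the host name against subjectAltName.
write_openssl_cnf() {
  local fqdn="$1" out="$2"
  cat > "$out" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[ dn ]
CN = $fqdn
[ v3_server ]
subjectAltName = DNS:$fqdn
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF
}

# Unencrypted key (slapd cannot answer a passphrase prompt at start-up),
# created with mode 0600, plus a self-signed certificate valid for 10 years.
gen_self_signed() {
  local fqdn="$1" dir="$2"
  mkdir -p "$dir"
  write_openssl_cnf "$fqdn" "$dir/openssl.cnf"
  (umask 077; openssl genrsa -out "$dir/ldap_server.key" 4096 2>/dev/null)
  chmod 600 "$dir/ldap_server.key"
  openssl req -x509 -new -key "$dir/ldap_server.key" -days 3650 \
    -config "$dir/openssl.cnf" -out "$dir/ldap_server.crt"
}

# Returns 0 if the certificate's SAN lists the expected host name, 1 otherwise.
cert_has_san() {
  local text
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q "DNS:$2"
}

# LDIF for cn=config. The system CA bundle does not contain a self-signed
# certificate, so olcTLSCACertificateFile points at the certificate itself.
# "replace" creates the attribute when it does not exist yet.
make_server_ldif() {
  local dir="$1"
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $dir/ldap_server.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $dir/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $dir/ldap_server.key
EOF
}

# Client side: pin the server certificate as the CA and demand verification.
# With "TLS_REQCERT allow" the client proceeds even when the cert is unverified.
make_client_conf() {
  local fqdn="$1" ca="$2"
  cat <<EOF
URI ldap://$fqdn
TLS_CACERT $ca
TLS_REQCERT demand
EOF
}

# Live check (needs a reachable slapd): -ZZ makes ldapsearch fail unless
# StartTLS succeeds and the certificate verifies against TLS_CACERT.
verify_starttls() {
  local fqdn="$1" ca="$2"
  LDAPTLS_CACERT="$ca" ldapsearch -ZZ -H "ldap://$fqdn" -x -b "" -s base \
    "(objectClass=*)" namingContexts
}

# Usage on the server (assumed paths):
#   gen_self_signed ldap.example.com ~/ldap_ssl
#   make_server_ldif /etc/ldap/sasl2 > ldap_ssl.ldif
#   make_client_conf ldap.example.com /etc/ldap/sasl2/ldap_server.crt
```

After copying the files to /etc/ldap/sasl2 and applying the LDIF with `ldapmodify -Y EXTERNAL -H ldapi:///` as in Step 2, run `verify_starttls ldap.example.com /path/to/ldap_server.crt` from a client: a non-zero exit means either StartTLS was refused or the certificate did not match the pinned copy, which is exactly the failure `TLS_REQCERT allow` would have hidden.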