In our previous articles, we discussed the installation of OpenLDAP Server on Ubuntu and how to setup OpenLDAP client on Ubuntu. This short tutorial will cover securing LDAP Server with SSL/TLS certificate and key. You have two options of obtaining an SSL certificate used for securing LDAP Server.
- Using Self Signed SSL Certificate
- Purchasing SSL certificates from trusted CA
This guide will explain use of self signed certificates. So Let’s get started.
Step 1: Generate Self signed SSL cerificates
Login to your LDAP server and generate SSL certificates to be used.
# cd /etc/ssl/private
# openssl genrsa -aes128 -out ldap_server.key 4096
Generating RSA private key, 4096 bit long modulus
…………………………………………………………………………………..++
………………………………….++
e is 65537 (0x010001)
Enter pass phrase for ldap_server.key: <Set passphrase>
Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>
Remove passphrase from the generated private key:
# openssl rsa -in ldap_server.key -out ldap_server.key
Enter pass phrase for ldap_server.key: <Enter passphrase>
writing RSA key
Generate csr.
# openssl req -new -days 3650 -key ldap_server.key -out ldap_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Computingforgeeks
Organizational Unit Name (eg, section) []:Computingforgeeks
Common Name (e.g. server FQDN or YOUR name) []:ldap.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Then sign your certificate:
# openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650
Signature ok
subject=C = KE, ST = Nairobi, L = Nairobi, O = Computingforgeeks, OU = Computingforgeeks, CN = ldap.example.com, emailAddress = [email protected]
Getting Private key
Step 2: Configure SSL on LDAP Server
Copy Certificates and Key to /etc/ldap/sasl2/ directory.
sudo cp /etc/ssl/private/{ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/Set ownership of the certificates to openldap user.
sudo chown -R openldap. /etc/ldap/sasl2Configure LDAP Server to use SSL certificates. Create LDAP configuration file for SSL,
# vim ldap_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key
Apply configuration using the following command.
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif
SASL/EXTERNAL authentication started SASL
username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Step 3: Configure LDAP Client
Configure LDAP client to ensure LS_REQCERT allow line to /etc/ldap/ldap.conf .
echo "TLS_REQCERT allow" | tee /etc/ldap/ldap.conf Now configure OpenLDAP SSL mechanism by uncommenting the lines below on file /etc/ldap.conf.
$ sudo vim /etc/ldap.conf
ssl start_tls
ssl onYou can now enjoy SSL connection between LDAP client and Server.
