In our previous articles, we discussed the installation of OpenLDAP Server on Ubuntu and how to setup OpenLDAP client on Ubuntu. This short tutorial will cover securing LDAP Server with SSL/TLS certificate and key. You have two options of obtaining an SSL certificate used for securing LDAP Server.
- Using Self Signed SSL Certificate
- Purchasing SSL certificates from trusted CA
This guide will explain how to use self signed certificates. So let’s get started.
Step 1: Generate Self signed SSL cerificates
Login to your LDAP server and generate SSL certificates to be used.
$ mkdir ~/ldap_ssl && cd ~/ldap_ssl
$ openssl genrsa -aes128 -out ldap_server.key 4096
Generating RSA private key, 4096 bit long modulus
…………………………………………………………………………………..++
………………………………….++
e is 65537 (0x010001)
Enter pass phrase for ldap_server.key: <Set passphrase>
Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>Remove passphrase from the generated private key:
$ openssl rsa -in ldap_server.key -out ldap_server.key
Enter pass phrase for ldap_server.key: <Enter passphrase>
writing RSA keyGenerate csr.
$ openssl req -new -days 3650 -key ldap_server.key -out ldap_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Computingforgeeks
Organizational Unit Name (eg, section) []:Computingforgeeks
Common Name (e.g. server FQDN or YOUR name) []:ldap.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Then sign your certificate:
$ sudo openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650
Signature ok
subject=C = KE, ST = Nairobi, L = Nairobi, O = Computingforgeeks, OU = Computingforgeeks, CN = ldap.example.com, emailAddress = [email protected]
Getting Private keyStep 2: Configure SSL on LDAP Server
Copy Certificates and Key to /etc/ldap/sasl2/ directory.
sudo cp {ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/Set ownership of the certificates to openldap user.
sudo chown -R openldap. /etc/ldap/sasl2Configure LDAP Server to use SSL certificates. Create LDAP configuration file for SSL,
$ vim ldap_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.keyApply configuration using the following command.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif
SASL/EXTERNAL authentication started SASL
username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"Restart LDAP server:
sudo systemctl restart slapdStep 3: Configure LDAP Client for TLS/SSL Connection
Configure LDAP client to ensure TLS_REQCERT allow line to /etc/ldap/ldap.conf .
echo "TLS_REQCERT allow" | sudo tee /etc/ldap/ldap.conf Now configure OpenLDAP SSL mechanism by uncommenting the lines below on file ldap.conf.
$ sudo vim /etc/ldap.conf
# Line 259 - OpenLDAP SSL mechanism
ssl start_tls
ssl onYou can now enjoy SSL connection between LDAP client and Server.
Recommended Linux Books to read:
- Best Linux Books for Beginners & Experts
- Best Linux Kernel Programming Books
- Best Linux Bash Scripting Books
- Top RHCSA / RHCE Certification Study Books
- Best Top Rated CompTIA A+ Certification Books
- Best LPIC-1 and LPIC-2 certification study books
Running Ubuntu 20.04 I was having issues getting this to work.
Got error: “wrong attributetype at line 5 entry cn=config”
Modified the ldap_ssl.ldif file to separate the modify lines and it worked.
# vim ldap_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
–
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
–
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key
Thanks for the comment we’ve updated the article.
Hi Josphat,
Here is typo in line: Add LS_REQCERT allow line to /etc/ldap/ldap.conf.
Article has been updated. Thanks for sharing the typo.
i am still having an issue with when trying to execute ” ldapmodify -Y EXTERNAL -H ldapi:/// -f fnc-ldap-ssl.ldif ”
ERROR:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: invalid format (line 5) entry: “cn=config”
From where does this file come from? – /etc/ldap/sasl2/ca-certificates.crt
In the article, it only exists from the copy section.
Hello @Anurag Ray
The certs were generated and copied to /etc/ldap/sasl2/ then used in the config.
kind of confused about the very last command.
“Now configure OpenLDAP SSL mechanism by uncommenting the lines below”
where can I find it sudo nano /etc/ldap.conf ?
You might consider re-reading this part, it is well explained. Use nano if you prefer it to vim just like me, but you got the point:
– edit the file /etc/ldap.conf
– Uncomment THESES lines… ie:
– ssl start_tls
– ssl on
Then save your file
Don’t get me wrong its a great article I defiantly learn from it but I never got it to work
when I run
$ ldapwhoami -x -H ldaps://ldap.example.com
I get ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)