In our previous articles, we discussed the installation of an LDAP server on Ubuntu 18.04/16.04 and how to set up an LDAP client on Ubuntu 18.04/16.04. This short tutorial covers securing the LDAP server with an SSL/TLS certificate and key. You have two options for obtaining the SSL certificate used to secure the LDAP server:

  1. Using Self Signed SSL Certificate
  2. Purchasing SSL certificates from trusted CA

This guide explains the use of self-signed certificates. So let’s get started.

Step 1: Generate self-signed SSL certificates

Log in to your LDAP server and generate the SSL key and certificate to be used.

# cd /etc/ssl/private 
# openssl genrsa -aes128 -out ldap_server.key 4096

Generating RSA private key, 4096 bit long modulus
…………………………………………………………………………………..++
………………………………….++
e is 65537 (0x010001)
Enter pass phrase for ldap_server.key: <Set passphrase>
Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>

Remove the passphrase from the generated private key (slapd cannot prompt for it at startup):

# openssl rsa -in ldap_server.key -out ldap_server.key
Enter pass phrase for ldap_server.key: <Enter passphrase>
writing RSA key

Generate a certificate signing request (CSR):

# openssl req -new -key ldap_server.key -out ldap_server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Computingforgeeks
Organizational Unit Name (eg, section) []:Computingforgeeks
Common Name (e.g. server FQDN or YOUR name) []:ldap.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Then self-sign the certificate with the same key:

# openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650

Signature ok
subject=C = KE, ST = Nairobi, L = Nairobi, O = Computingforgeeks, OU = Computingforgeeks, CN = ldap.example.com, emailAddress = [email protected]
Getting Private key

Step 2: Configure SSL on LDAP Server

Copy the certificate, the key and the system CA bundle to the /etc/ldap/sasl2/ directory.

cp /etc/ssl/private/{ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/

Set ownership of the copied files to the openldap user and group.

chown -R openldap:openldap /etc/ldap/sasl2

Configure the LDAP server to use the certificates. Create an LDIF file for the TLS settings (each modification in the record is separated by a line containing only "-"):

# vim ldap_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key

Apply the configuration using the following command.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Step 3: Configure LDAP Client

Configure the LDAP client to ensure the connection between client and server is encrypted. Append a TLS_REQCERT allow line to /etc/ldap/ldap.conf; with "allow", the client proceeds even though it cannot verify the server's self-signed certificate against the system CA bundle.

echo "TLS_REQCERT allow" | tee -a /etc/ldap/ldap.conf

Now enable the OpenLDAP SSL mechanism by uncommenting the ssl start_tls line in the file /etc/ldap.conf. Only one ssl line should be active: ssl start_tls upgrades the normal LDAP port (389) with STARTTLS, while ssl on connects over ldaps:// on port 636 and requires slapd to listen on ldaps:///.

# vim /etc/ldap.conf
# OpenLDAP SSL mechanism: start_tls uses the normal LDAP port
ssl start_tls
# Use "ssl on" instead only if slapd also listens on ldaps:// (port 636)
#ssl on

You now have a TLS-encrypted connection between the LDAP client and the server.
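As an added example that is not part of this tutorial, the following POSIX shell script shows why TLS_REQCERT allow was needed above: a self-signed certificate chains to nothing in the system CA bundle, so a client that verifies certificates (TLS_REQCERT demand) must instead be pointed at the server certificate with TLS_CACERT. It also generates the certificate with a subjectAltName, which modern TLS clients match instead of the CN, and includes a live STARTTLS probe of the running slapd. The hostname ldap.example.com and all paths are assumptions taken from the tutorial's own values.

```shell
#!/bin/sh
# Added example, not from the tutorial: self-signed slapd certificate checks.
# Assumed hostname/paths: ldap.example.com, /etc/ldap/sasl2/, system CA bundle.
set -eu

# Generate key + self-signed cert in one step, like Step 1 but with a SAN
# (OpenSSL 1.1.1+ for -addext).   usage: make_selfsigned <dir> <fqdn>
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1/ldap_server.key" -out "$1/ldap_server.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Returns 0 if <cert> chains to a trust anchor in <cafile>, 1 otherwise.
# usage: cert_trusted_by <cert> <cafile>
cert_trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Client-side /etc/ldap/ldap.conf lines that verify a self-signed server
# cert instead of skipping verification.  usage: client_tls_conf <cert>
client_tls_conf() {
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Live check (needs a reachable slapd, not run offline): does the server
# offer STARTTLS on 389 and present exactly <expected-cert>?
# usage: probe_starttls <fqdn> <expected-cert>
probe_starttls() {
  served=$(openssl s_client -starttls ldap -connect "$1:389" \
             -servername "$1" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
  [ "$served" = "$(openssl x509 -noout -fingerprint -sha256 -in "$2")" ]
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  make_selfsigned "$tmp" ldap.example.com
  if cert_trusted_by "$tmp/ldap_server.crt" /etc/ssl/certs/ca-certificates.crt
  then echo "trusted by the system CA bundle (unexpected for self-signed)"
  else
    echo "self-signed cert is NOT in the system CA bundle; clients need:"
    client_tls_conf /etc/ldap/sasl2/ldap_server.crt
  fi
fi
```

Run it as "sh check_ldap_tls.sh demo" on the client; replace the TLS_REQCERT allow line with the two lines it prints once the server certificate has been copied to the client, and use probe_starttls to confirm the server serves that same certificate.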