In our previous articles, we discussed the installation of OpenLDAP Server on Ubuntu and how to set up an OpenLDAP client on Ubuntu. This short tutorial covers securing the LDAP server with an SSL/TLS certificate and key. You have two options for obtaining the certificate used to secure the LDAP server:

  1. Using Self Signed SSL Certificate
  2. Purchasing SSL certificates from trusted CA

This guide explains how to use a self-signed certificate. So let's get started.

Step 1: Generate self-signed SSL certificates

Log in to your LDAP server and generate the private key and certificate to be used.

$ mkdir ~/ldap_ssl && cd ~/ldap_ssl
$ openssl genrsa -aes128 -out ldap_server.key 4096 

Generating RSA private key, 4096 bit long modulus
 …………………………………………………………………………………..++
 ………………………………….++
 e is 65537 (0x010001)
 Enter pass phrase for ldap_server.key: <Set passphrase>
 Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>

Remove the passphrase from the generated private key. slapd starts unattended and cannot prompt for a passphrase, so the key must be stored unencrypted; file ownership and permissions are what protect it from then on:

$ openssl rsa -in ldap_server.key -out ldap_server.key
Enter pass phrase for ldap_server.key: <Enter passphrase>
writing RSA key

Generate a CSR. The -days option of openssl req only applies when it creates a certificate itself (with -x509); on a CSR it is ignored, so it is left out here and the validity period is set at signing time below.

$ openssl req -new -key ldap_server.key -out ldap_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Computingforgeeks
Organizational Unit Name (eg, section) []:Computingforgeeks
Common Name (e.g. server FQDN or YOUR name) []:ldap.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        
An optional company name []:

Use the FQDN that clients will put in their LDAP URI (ldap.example.com here) as the Common Name; a client that verifies the certificate compares it against that hostname. Then self-sign the certificate (no sudo is needed, the files are in your home directory):

$ openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650
Signature ok
subject=C = KE, ST = Nairobi, L = Nairobi, O = Computingforgeeks, OU = Computingforgeeks, CN = ldap.example.com, emailAddress = [email protected]
Getting Private key
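The same step as one script, added here as an example and not part of the original article. It produces the key and the self-signed certificate in a single openssl invocation (no passphrase round-trip), adds a subjectAltName so that clients which match on SANs accept it, creates the key with mode 0600, and checks that the certificate and key actually belong together before anything is copied into /etc/ldap. The hostname and DN fields are the article's placeholders; the output directory defaults to ./ldap_ssl instead of ~/ldap_ssl and can be overridden with OUTDIR. It assumes OpenSSL 1.1.1 or later (for -addext) and GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example, not from the original article. Generates the slapd key and a
# self-signed certificate with a subjectAltName, then verifies them.
# Assumptions: OpenSSL >= 1.1.1 (for -addext), GNU coreutils (stat -c).
set -eu

LDAP_FQDN="${LDAP_FQDN:-ldap.example.com}"   # the article's placeholder name
OUTDIR="${OUTDIR:-$PWD/ldap_ssl}"            # stands in for ~/ldap_ssl

# gen_selfsigned_cert OUTDIR FQDN
# One openssl call instead of genrsa -> rsa (strip passphrase) -> req -> x509.
# -nodes writes the key unencrypted, which slapd needs because it cannot prompt
# for a passphrase at boot; the key is therefore created with mode 0600.
gen_selfsigned_cert() {
    outdir="$1"; fqdn="$2"
    umask 077
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -keyout "$outdir/ldap_server.key" -out "$outdir/ldap_server.crt" \
        -subj "/C=KE/ST=Nairobi/L=Nairobi/O=Computingforgeeks/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -addext "extendedKeyUsage=serverAuth"
    chmod 0600 "$outdir/ldap_server.key"
    chmod 0644 "$outdir/ldap_server.crt"   # the cert is public; clients get a copy
}

# cert_has_san CRT FQDN -> exit 0 if the certificate lists DNS:FQDN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_matches_key CRT KEY -> exit 0 if the public key inside the certificate
# equals the public half of KEY. A mismatched pair (wrong file copied) is a
# common reason slapd refuses the TLS settings applied in Step 2.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# key_mode KEY -> octal permission bits, e.g. 600
key_mode() {
    stat -c '%a' "$1"
}

# show_cert CRT -> the fields worth eyeballing before deployment
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

mkdir -p "$OUTDIR"
gen_selfsigned_cert "$OUTDIR" "$LDAP_FQDN"
cert_has_san "$OUTDIR/ldap_server.crt" "$LDAP_FQDN" || { echo "SAN missing"; exit 1; }
cert_matches_key "$OUTDIR/ldap_server.crt" "$OUTDIR/ldap_server.key" || { echo "key/cert mismatch"; exit 1; }
echo "key mode: $(key_mode "$OUTDIR/ldap_server.key")"
show_cert "$OUTDIR/ldap_server.crt"
```

The two verification functions are the ones worth keeping around: run cert_matches_key against the files under /etc/ldap/sasl2 whenever slapd fails to restart after a certificate change, and cert_has_san against the name clients actually use.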

Step 2: Configure SSL on LDAP Server

Copy the certificate, the key and the system CA bundle (/etc/ssl/certs/ca-certificates.crt, which becomes /etc/ldap/sasl2/ca-certificates.crt) to the /etc/ldap/sasl2/ directory.

sudo cp {ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/

Set ownership of the certificates and key to the openldap user, which is the account slapd runs as.

sudo chown -R openldap:openldap /etc/ldap/sasl2

Configure the LDAP server to use the certificates. Create an LDIF file for the change. It is a single modify record with three changes separated by lines containing only "-": that must be a plain ASCII hyphen with nothing else on the line, and if a copy-paste from the web turns it into a dash character or adds trailing spaces, ldapmodify fails with "invalid format (line 5)". Keeping the certificate and key in one record matters because slapd checks that they belong together when the change is applied. replace is used for all three attributes so the same file works whether or not a previous value exists.

$ vim ldap_ssl.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key

Apply configuration using the following command.

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Restart the LDAP server. If clients are to connect with ldaps:// (port 636) rather than StartTLS on port 389, first add ldaps:/// to the SLAPD_SERVICES line in /etc/default/slapd; otherwise ldaps:// connections fail with "Can't contact LDAP server (-1)".

sudo systemctl restart slapd

Step 3: Configure the LDAP client for a TLS/SSL connection

Configure the LDAP client so that the connection between client and server is encrypted. Append a TLS_REQCERT line to /etc/ldap/ldap.conf (tee -a appends; without -a the existing file is overwritten). allow tells libldap to continue even when the server certificate cannot be verified, which is convenient with a self-signed certificate but means the client never authenticates the server: an attacker on the path can present any certificate, terminate the TLS session and capture bind credentials. For anything beyond a lab, copy ldap_server.crt to the client, point TLS_CACERT at that file and set TLS_REQCERT demand instead.

echo "TLS_REQCERT allow" | sudo tee -a /etc/ldap/ldap.conf

Now configure the SSL mechanism of the nss/pam LDAP client by uncommenting one of the lines below in /etc/ldap.conf (the libnss-ldap/libpam-ldap file, not /etc/ldap/ldap.conf). ssl start_tls upgrades a plain connection on port 389 with StartTLS; ssl on uses ldaps:// on port 636 and requires the ldaps:/// listener on the server. Pick one rather than both.

$ sudo vim /etc/ldap.conf
# Line 259 - OpenLDAP SSL mechanism
ssl start_tls
# or, for ldaps:// on port 636 instead of StartTLS:
# ssl on

LDAP traffic between the client and the server is now encrypted.
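Steps 2 and 3 as a script, added here as an example and not part of the original article. It prints the cn=config LDIF as one modify record with the hyphen separator lines ldapmodify expects (pointing the CA file at the self-signed certificate itself, since nothing in the system bundle signed it), enables the ldaps:/// listener in /etc/default/slapd, writes the client-side /etc/ldap/ldap.conf lines in both the article's weak form (TLS_REQCERT allow) and the hardened form that pins the self-signed certificate, and ends with two connectivity checks. The paths are the article's and the hostname is the article's placeholder; the functions take the target file as an argument so they can be tried on scratch copies before touching the real files. It assumes GNU sed and an OpenSSL with s_client -starttls ldap (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not from the original article. Server- and client-side TLS
# configuration helpers for OpenLDAP on Ubuntu. Assumptions: the certificate
# and key live in /etc/ldap/sasl2 as in the article, the server is the
# article's placeholder ldap.example.com, GNU sed, OpenSSL >= 1.1.1.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ldap/sasl2}"
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"

# tls_ldif CERTDIR -> prints the cn=config change as ONE modify record.
# The lines holding only "-" separate the three changes; each must be a single
# ASCII hyphen with no trailing whitespace or ldapmodify reports
# "invalid format (line 5)". All three attributes stay in one record because
# slapd validates the certificate against the key when the change is applied.
# With a self-signed certificate the CA file is the certificate itself.
tls_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1/ldap_server.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $1/ldap_server.key
EOF
}

# apply_tls_ldif CERTDIR -> applies the change over the local socket (root only)
apply_tls_ldif() {
    tls_ldif "$1" | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# enable_ldaps_listener FILE -> make slapd also listen on ldaps:// (port 636).
# FILE is /etc/default/slapd on a real system. Without this, ldaps:// clients
# get "Can't contact LDAP server (-1)"; StartTLS on 389 needs no change.
enable_ldaps_listener() {
    sed -i 's|^SLAPD_SERVICES=.*|SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"|' "$1"
    grep -q 'ldaps:///' "$1"
}

# client_conf_weak FILE -> the article's setting. "allow" accepts an invalid or
# unverifiable server certificate, so the session is encrypted but the server
# is never authenticated: anyone on the path can terminate TLS with their own
# certificate and read the credentials of simple binds.
client_conf_weak() {
    printf 'TLS_REQCERT allow\n' >> "$1"
}

# client_conf_hardened FILE CACERT -> trust exactly the self-signed certificate
# (a copy of ldap_server.crt on the client) and refuse anything else.
client_conf_hardened() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$2" >> "$1"
}

# check_starttls HOST CACERT -> StartTLS handshake on 389 verified against
# CACERT; non-zero exit if the chain or the hostname does not validate.
check_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" \
        -verify_return_error -verify_hostname "$1" </dev/null >/dev/null
}

# check_bind HOST -> -ZZ makes ldapwhoami require a successful StartTLS, so
# with TLS_REQCERT demand this fails unless the certificate is trusted.
check_bind() {
    ldapwhoami -x -ZZ -H "ldap://$1"
}

# Review the generated server change and the hardened client lines.
tls_ldif "$CERT_DIR"
echo "# client side (/etc/ldap/ldap.conf):"
scratch=$(mktemp)
client_conf_hardened "$scratch" /etc/ldap/ldap_server.crt
cat "$scratch"
rm -f "$scratch"
```

On a real system: apply_tls_ldif /etc/ldap/sasl2 and, if ldaps:// is wanted, enable_ldaps_listener /etc/default/slapd, then systemctl restart slapd; on the client, client_conf_hardened /etc/ldap/ldap.conf /etc/ldap/ldap_server.crt followed by check_starttls ldap.example.com /etc/ldap/ldap_server.crt and check_bind ldap.example.com. A check_starttls failure after changing the certificate almost always means the client's copy of ldap_server.crt is stale.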


11 COMMENTS

  1. Running Ubuntu 20.04 I was having issues getting this to work.
    Got error: “wrong attributetype at line 5 entry cn=config”
    Modified the ldap_ssl.ldif file to separate the modify lines and it worked.

    # vim ldap_ssl.ldif
    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt

    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt

    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key

  2. I am still having an issue when trying to execute "ldapmodify -Y EXTERNAL -H ldapi:/// -f fnc-ldap-ssl.ldif"

    ERROR:
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    ldapmodify: invalid format (line 5) entry: “cn=config”

  3. Where does this file come from? – /etc/ldap/sasl2/ca-certificates.crt
    In the article, it only exists from the copy section.

  4. kind of confused about the very last command.

    “Now configure OpenLDAP SSL mechanism by uncommenting the lines below”

    where can I find it sudo nano /etc/ldap.conf ?

    • You might consider re-reading this part, it is well explained. Use nano if you prefer it to vim just like me, but you got the point:

      – edit the file /etc/ldap.conf
      – Uncomment THESE lines… i.e.:
      – ssl start_tls
      – ssl on

      Then save your file

  5. Don't get me wrong, it's a great article and I definitely learned from it, but I never got it to work

    when I run
    $ ldapwhoami -x -H ldaps://ldap.example.com

    I get ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
