In our previous articles, we discussed the installation of OpenLDAP Server on Ubuntu and how to set up an OpenLDAP client on Ubuntu. This short tutorial covers securing the LDAP server with an SSL/TLS certificate and key. You have two options for obtaining an SSL certificate to secure the LDAP server.

  1. Using Self Signed SSL Certificate
  2. Purchasing SSL certificates from trusted CA

This guide covers the self-signed option. Let's get started.

Step 1: Generate a self-signed SSL certificate

Login to your LDAP server and generate SSL certificates to be used.

# cd /etc/ssl/private 
# openssl genrsa -aes128 -out ldap_server.key 4096

Generating RSA private key, 4096 bit long modulus
e is 65537 (0x010001)
Enter pass phrase for ldap_server.key: <Set passphrase>
Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>

Remove the passphrase from the generated private key (slapd cannot prompt for one at startup). File permissions are then the only protection on the key, so keep it readable by the openldap user only:

# openssl rsa -in ldap_server.key -out ldap_server.key
Enter pass phrase for ldap_server.key: <Enter passphrase>
writing RSA key

Generate a certificate signing request (CSR). When prompted, set the Common Name to the server's FQDN (it is left empty in the transcript below) so that clients can match the certificate to the hostname. The -days option only applies when openssl req creates a certificate itself (-x509), so it is not needed here:

# openssl req -new -key ldap_server.key -out ldap_server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Computingforgeeks
Organizational Unit Name (eg, section) []:Computingforgeeks
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Then self-sign the certificate with the same key:

# openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650

Signature ok
subject=C = KE, ST = Nairobi, L = Nairobi, O = Computingforgeeks, OU = Computingforgeeks, CN =, emailAddress = [email protected]
Getting Private key

Step 2: Configure SSL on LDAP Server

Copy the certificate, the key and the system CA bundle to the /etc/ldap/sasl2/ directory.

sudo cp /etc/ssl/private/{ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/

Set ownership of the certificates to the openldap user, and make sure the private key is not world-readable.

sudo chown -R openldap:openldap /etc/ldap/sasl2

Configure the LDAP server to use the certificates by creating an LDIF file that modifies cn=config. In an LDIF modify entry, each change must be separated from the next by a line containing only "-", otherwise ldapmodify rejects the file:

# vim ldap_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key

Apply the configuration with the following command.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifying entry "cn=config"

Step 3: Configure LDAP Client

Configure the LDAP client so that the connection between client and server is encrypted. Add a TLS_REQCERT allow line to /etc/ldap/ldap.conf. Note that allow tells the client to proceed even when the server certificate cannot be verified; with a self-signed certificate the stricter choice is to copy ldap_server.crt to the client, reference it with TLS_CACERT and set TLS_REQCERT demand. Append the line rather than overwriting the file, which may already hold BASE and URI settings:

echo "TLS_REQCERT allow" | sudo tee -a /etc/ldap/ldap.conf

Now enable TLS for the NSS/PAM LDAP client by uncommenting one of the ssl lines below in /etc/ldap.conf (this is the libnss-ldap/libpam-ldap file, not /etc/ldap/ldap.conf). ssl start_tls upgrades the plain port 389 connection with STARTTLS; ssl on connects over ldaps:// on port 636 instead.

$ sudo vim /etc/ldap.conf
ssl start_tls
ssl on

You now have an encrypted connection between the LDAP client and server.
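Because TLS_REQCERT allow switches off verification of the server certificate, it helps to check which posture a client configuration actually ends up with. The following is an added example, not code from the original tutorial: it parses ldap.conf-style text and reports the resulting verification level, using constructed sample inputs whose hostname and path are placeholders.

```python
"""Audit an OpenLDAP client ldap.conf for its TLS verification posture.
Levels follow ldap.conf(5): never/allow accept an unverifiable server
certificate, try rejects a bad one but accepts none, demand/hard (the
default) require a valid one."""

LEVELS = {"never": "weak", "allow": "weak", "try": "medium",
          "demand": "strict", "hard": "strict"}


def parse_ldap_conf(text: str) -> dict:
    """Map DIRECTIVE -> value from 'KEY value' lines, skipping blanks and
    '#' comments; keys are upper-cased and the last occurrence wins (a
    simplification, libldap's own precedence rules are not modelled)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def assess_tls(conf: dict) -> tuple:
    """Return (posture, findings); posture is weak/medium/strict/unknown."""
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    posture = LEVELS.get(reqcert, "unknown")
    findings = []
    if posture == "weak":
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not "
                        "verified, so a spoofed server is accepted")
    elif posture == "medium":
        findings.append("TLS_REQCERT try: a server presenting no certificate "
                        "is accepted")
    elif posture == "unknown":
        findings.append(f"TLS_REQCERT {reqcert!r} is not a valid level")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a self-signed "
                        "ldap_server.crt is trusted only if added to the "
                        "system CA bundle; point TLS_CACERT at a copy of it")
    if not findings:
        findings.append("ok: server certificate verification enforced")
    return posture, findings


# Constructed sample inputs: the tutorial's client line versus a hardened file
# (hostname and path below are placeholders, not from the tutorial).
PAGE_CONF = "TLS_REQCERT allow\n"
HARDENED_CONF = ("URI ldap://ldap.example.com\n"
                 "TLS_CACERT /etc/ldap/ldap_server.crt\n"
                 "TLS_REQCERT demand\n")
```

Run assess_tls(parse_ldap_conf(open("/etc/ldap/ldap.conf").read())) on a client to see its posture.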
