OpenLDAP Server With Server-Side SSL/TLS using Self Signed Certificates
This document assumes that you already have OpenLDAP installed. It was written using the OpenLDAP 2.3 RPMs.
OpenLDAP should be configured and tested without TLS to make sure it works properly. Once you can authenticate and OpenLDAP works predictably, you can move on to using TLS.
Certificate Creation
TLSCACertificateFile server.pem
TLSCertificateFile server.pem
TLSCertificateKeyFile server.pem
Creating a CA for self signed certificates
Red Hat keeps its OpenSSL CA files in /usr/share/ssl.
The steps:
- cd /usr/share/ssl
- vi /usr/share/ssl/openssl.cnf and look for the line
dir = ./demoCA
This means that if you run "/usr/share/ssl/misc/CA -newca" it will create /usr/share/ssl/demoCA. If you modify openssl.cnf you can change the defaults offered for the region and company questions (e.g. use US instead of GB for the country).
Note: on RedHat ES 4 the script is /usr/share/ssl/CA; on other distros it's CA.sh.
- From /usr/share/ssl, run the OpenSSL CA script (in /usr/share/ssl/misc/ on my box):
% cd /usr/share/ssl
% /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate …
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
........................++++++
.......................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: <ca pass>
Verifying password - Enter PEM pass phrase: <ca pass again>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Unit
Common Name (eg, YOUR name) []:example.com
Email Address []:.
%
This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and private key).
- Stay in /usr/share/ssl and make your server certificate signing request (CSR):
% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..............++++++
........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Org Unit
Common Name (eg, YOUR name) []:myserver.com
Email Address []:ldap@myserver.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:.
%
The result is newreq.pem, which contains both the private key and the CSR.
- Have the CA sign the CSR:
% /usr/share/ssl/misc/CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Texas'
localityName :PRINTABLE:'Austin'
organizationName :PRINTABLE:'Example Org'
organizationalUnitName:PRINTABLE:'Example Org Unit'
commonName :PRINTABLE:'myserver.com'
emailAddress :IA5STRING:'ldap@myserver.com'
Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit, CN=example.com
Validity
Not Before: Apr 11 18:58:58 2003 GMT
Not After : Apr 10 18:58:58 2004 GMT
Subject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit,
CN=myserver.com/Email=ldap@myserver.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
< … >
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61
X509v3 Authority Key Identifier:
keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1
DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/CN=example.com
serial:00
Signature Algorithm: md5WithRSAEncryption
< … >
-----BEGIN CERTIFICATE-----
< ... >
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
%
This creates newcert.pem (the server certificate signed by the CA); the server's private key is still in newreq.pem.
- Now the certificates can be moved to the desired certificate repository and renamed.
We used the RPMs for OpenLDAP 2.3, which create /etc/openldap2.3/certs/ as the certificate directory (slapd.conf will need to be modified with the names of these certs).
% cp demoCA/cacert.pem /etc/openldap2.3/certs/cacert.pem
% mv newcert.pem /etc/openldap2.3/certs/servercrt.pem
% mv newreq.pem /etc/openldap2.3/certs/serverkey.pem
% chmod 400 /etc/openldap2.3/certs/serverkey.pem
The last command makes the private key readable only by the user who runs slapd. A 'chown' command will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable.
- Set the cert info in slapd.conf and restart OpenLDAP. The paths must match the certificate directory used above (/etc/openldap2.3/certs/):
TLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap2.3/certs/servercrt.pem
TLSCertificateKeyFile /etc/openldap2.3/certs/serverkey.pem
TLSCACertificateFile /etc/openldap2.3/certs/cacert.pem
- Make the CA certificate available to your LDAP clients.
scp /etc/openldap2.3/certs/cacert.pem user@ldapclient:/etc/openldap/cacerts
- On RedHat clients run authconfig and select USE TLS
- Test the clients. If the clients don't work, check /var/log/messages and /var/log/secure.
Use these commands to see the TLS handshake and an LDAPS query (192.168.1.3 is the LDAP server; you can use localhost if running from the LDAP server itself):
openssl s_client -connect 192.168.1.3:636 -showcerts
ldapsearch -x -H ldaps://192.168.1.3/ -b 'dc=domain,dc=org' '(objectclass=*)'
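The whole certificate procedure above (CA creation, server CSR, CA signing, chmod 400 on the key, slapd.conf directives) can be checked before slapd is restarted. The script below is an added example and not part of the original post: it builds a throwaway CA and a CA-signed server certificate with plain openssl req/x509 calls instead of the CA / CA.sh wrapper, then verifies that the server certificate chains to the CA, that the private key matches the certificate, that a certificate from an unrelated issuer is rejected by a client trusting only cacert.pem, and that the key file is mode 0400. The scratch directory, the host name ldap.example.test, the subject names, the 2048-bit keys with the SHA-256 default, the subjectAltName entry and the function names are all assumptions of the example; the post's own files are the /etc/openldap2.3/certs/ ones.

```shell
#!/bin/sh
# Added example, not from the original post. Constructs a test CA and a
# CA-signed server certificate in a scratch directory, then runs the checks
# a defender wants before pointing slapd at the files.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # stands in for /etc/openldap2.3/certs/
HOST="ldap.example.test"          # hypothetical LDAP server name

# Minimal OpenSSL config (assumed for the example): a CA section and a
# server section carrying a subjectAltName so clients can match the host.
write_conf() {
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA: the equivalent of the post's "CA -newca" step
# (demoCA/cacert.pem and demoCA/private/cakey.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
    -subj "/C=US/O=Example Org/CN=Example Test CA" \
    -config "$WORK/openssl.cnf" -extensions v3_ca 2>/dev/null
}

# Server key + CSR, signed by the CA: the post's "openssl req" and
# "CA.sh -sign" steps. The key ends up owner-read-only like the chmod 400.
make_server_cert() {
  rm -f "$WORK/serverkey.pem"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" \
    -subj "/C=US/O=Example Org/CN=$HOST" -config "$WORK/openssl.cnf" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/servercrt.pem" \
    -extfile "$WORK/openssl.cnf" -extensions v3_server 2>/dev/null
  chmod 400 "$WORK/serverkey.pem"
}

# Does the given certificate chain to our CA? This is exactly what an LDAP
# client that trusts only cacert.pem decides during the handshake.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1
}

# The public key inside the certificate must equal the one derived from the
# private key, otherwise slapd will fail to start with these files.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/servercrt.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/serverkey.pem" -pubout)" ]
}

# The private key must be mode 0400 (readable only by the slapd user).
key_is_private() {
  [ -n "$(find "$WORK/serverkey.pem" -perm 400)" ]
}

# An unrelated self-signed certificate for the same host name, to show that
# trust is limited to certificates issued by our CA.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
    -subj "/CN=$HOST" -config "$WORK/openssl.cnf" 2>/dev/null
}

# The slapd.conf TLS directives pointing at the files just produced.
slapd_tls_conf() {
  printf 'TLSCACertificateFile %s/cacert.pem\nTLSCertificateFile %s/servercrt.pem\nTLSCertificateKeyFile %s/serverkey.pem\n' \
    "$WORK" "$WORK" "$WORK"
}

write_conf
make_ca
make_server_cert
make_rogue_cert
verify_chain "$WORK/servercrt.pem" && echo "server cert chains to CA"
verify_chain "$WORK/rogue.pem" || echo "unrelated cert rejected, as expected"
key_matches_cert && key_is_private && echo "key matches cert and is mode 0400"
slapd_tls_conf
```

Run it as the user that will own the key files; verify_chain against the rogue certificate failing is the desired outcome, since a client that trusted any certificate for the host name would accept an impersonating server. The same verify_chain call can be pointed at the certificate dumped by openssl s_client -showcerts to confirm a live server presents the expected chain.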
Filed under: Uncategorized - @ March 15, 2011 3:14 pm