OpenLDAP Server With Server-Side SSL/TLS using Self Signed Certificates

This document assumes that you already have OpenLDAP installed.

We used the OpenLDAP 2.3 RPMs available from: http://anorien.csc.warwick.ac.uk/mirrors/buchan/openldap/rhel4/.

There is some good documentation on installing setting up OpenLdap at http://web.singnet.com.sg/~garyttt/Installing and configuring OpenLDAP for RedHat Enterprise Linux3.htm .

OpenLDAP should be configured and tested without TLS to make sure it works properly. Once you can authenticate and OpenLdap works predictably you can move on to using TLS.

Certificate Creation

TLSCACertificateFile server.pem 
TLSCertificateFile server.pem 
TLSCertificateKeyFile server.pem

Creating a CA for self signed certificates

Redhat ES 4.0 keeps it’s ssl CA files in /usr/share/ssl

The steps:

  1. cd /usr/share/ssl
  2. vi /usr/share/ssl/openssl.cnf and look for the line:
    dir = ./demoCA # this means that if you run “/usr/share/ssl/misc CA -newca” it will create /usr/share/ssl/demoCA

    If you modify openssl.cnf you can replace the default questions about regions and company info (ie use US instead of GB for country)

    Note: in RedHat ES 4 it’s /usr/share/ssl/CA in other distros it’s CA.sh.

  3. From /usr/share/ssl, run the OpenSSL CA script (in /usr/share/ssl/misc/ on my box):

    % cd /usr/share/ssl
    % /usr/share/ssl/misc/CA -newca

    CA certificate filename (or enter to create)  Making CA certificate … Using configuration from /etc/ssl/openssl.cnf Generating a 1024 bit RSA private key ……………………..++++++ …………………….++++++ writing new private key to ‘./demoCA/private/./cakey.pem’ Enter PEM pass phrase:  Verifying password – Enter PEM pass phrase:  
    —–     You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —– Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Texas Locality Name (eg, city) []:Austin Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org Organizational Unit Name (eg, section) []:Example Unit Common Name (eg, YOUR name) []:example.com Email Address []:. %This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and private key).

  4. Stay in /usr/share/ssl and make your server certificate signing request (CSR):

    % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

    Using configuration from /etc/ssl/openssl.cnf
    Generating a 1024 bit RSA private key    …………..++++++……………………..++++++writing new private key to ‘newreq.pem’—–You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.’, the field will be left blank.—–Country Name (2 letter code) [AU]:USState or Province Name (full name) [Some-State]:TexasLocality Name (eg, city) []:AustinOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Example OrgOrganizational Unit Name (eg, section) []:Example Org UnitCommon Name (eg, YOUR name) []:myserver.comEmail Address []:ldap@myserver.com
    Please enter the following ‘extra’ attributes    to be sent with your certificate requestA challenge password []:  An optional company name []:.%The result is newreq.pem.

  5. Have the CA sign the CSR:

    % /usr/share/ssl/misc/CA.sh -sign

    Using configuration from /etc/ssl/openssl.cnfEnter PEM pass phrase:  Check that the request matches the signatureSignature okThe Subjects Distinguished Name is as followscountryName :PRINTABLE:’US’stateOrProvinceName :PRINTABLE:’Texas’localityName :PRINTABLE:’Austin’organizationName :PRINTABLE:’Example Org’organizationalUnitName:PRINTABLE:’Example Org Unit’commonName :PRINTABLE:’myserver.com’emailAddress :IA5STRING:’ldap@myserver.com’Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y    Write out database with 1 new entriesData Base UpdatedCertificate:Data:Version: 3 (0x2)Serial Number: 1 (0x1)Signature Algorithm: md5WithRSAEncryptionIssuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit, CN=example.comValidityNot Before: Apr 11 18:58:58 2003 GMTNot After : Apr 10 18:58:58 2004 GMTSubject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit, CN=myserver.com/Email=ldap@myserver.com
    Subject Public Key Info:    Public Key Algorithm: rsaEncryptionRSA Public Key: (1024 bit)Modulus (1024 bit):

    Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61X509v3 Authority Key Identifier:keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/CN=example.comserial:00
    Signature Algorithm: md5WithRSAEncryption
    —–BEGIN CERTIFICATE—–

    —–END CERTIFICATE—–
    Signed certificate is in newcert.pem    %This creates newcert.pem (server certificate signed by CA) with private key, newreq.pem.

  6. Now the certificates can be moved to the desired certificate repository and renamed.

    We are using the RPMs for openldap 2.3 that makes /etc/openldap2.3/certs/ as our certificate directory. (slapd.conf will need to be modified with the names of these certs).

    % cp demoCA/cacert.pem /etc/openldap2.3/certs/cacert.pem
    % mv newcert.pem /etc/openldap2.3/certs/servercrt.pem
    % mv newreq.pem /etc/openldap2.3/certs/serverkey.pem
    % chmod 400 /etc/openldap2.3/certs/serverkey.pem

    The last command makes the private key read-only by the user who runs slapd. A ‘chown’ command will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable.

  7. Set the cert info in slapd.conf and restart openldap

    TLSRandFile /dev/random
    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /etc/openldap2.3/cert/servercrt.pem
    TLSCertificateKeyFile /etc/openldap2.3/cert/serverkey.pem
    TLSCACertificateFile /etc/openldap2.3/cert/cacert.pem

  8. Make the CA certificate available to your LDAP clients.

    scp /etc/openldap2.3/certs/cacert.pm user@ldapclient:/etc/openldap/cacerts

  9. On RedHat clients run authconfig and select USE TLS
  10. Test clients. If clients don’t work check /var/log/messages and /var/log/secure

    also try these commands to see output: (192.168.1.3 = ldap server, you can use localhost if running from the ldap server)

    openssl s_client -connect 192.168.1.3:636 -showcerts

    ldapsearch -x -H ldaps://192.168.1.3/ -b ‘dc=domain,dc=org’ ‘(objectclass=*)’

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: Configs - @ February 3, 2013 9:20 pm

Tags: , , , , ,