Configuring TLS or SSL security for openLDAP server
<yambe:breadcrumb self="TLS or SSL Security">OpenLDAP</yambe:breadcrumb>
Configuring TLS or SSL security for openLDAP server
Create certificates
Create CA and server certificates for openldap server. All certificate generation related steps can be done using easy-rsa scripts which are supplied with openVPN
Configuring openldap server to use generated certificates
To configure openldap server to use generated certificates add following lines to 'slapd.conf' file before pidfile configuration:
#This forces TLS mode to be used by all clients. security tls=1 #SSF stands for security strengh factor. By having ssf=1 default ssf for any operation would be set to 1. #By making update_ssf=112 any update would require security strength factors of up to 112 and by making #simple_bind=64 simple_bind would require security of atleast 64 #No security has ssf=0; Integrity protection impies ssf=1; DES and other weak cyphers have ssf=56; #Triple DES and other strong have ssf=112; RC4, Bluefish and other strong cyphers have ssf=128. Hence #ssf is roughly equivalent to encryption key length in bits. security ssf=1 update_ssf=112 simple_bind=64 TLSVerifyClient allow TLSCACertificateFile /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem TLSCertificateFile /etc/pki/tls/ldap.virtual-labs.ac.in-cert.pem TLSCertificateKeyFile /etc/pki/tls/ldap.virtual-labs.ac.in-key.pem
The server can be run using command:
slapd -h 'ldap:/// ldaps:///' -u ldap -f /etc/openldap/slapd.conf
which indicates that server should support both ldap:// and ldaps:// and also that it should be run using user ldap. Finally configuration file to be used is /etc/openldap/slapd.conf. It would be good to do 'chown -R ldap:ldap /var/lid/ldap' before doing this so that user ldap has sufficient access rights. Also ensure that user ldap has permission to read the used certificates and keys, if they are moved elsewhere after generation. Finally, check whether slapd is running or not using 'ps aux | grep slapd' and debug by running with '-d 1' option, if required.
For the setup to work the hostname of the ldap server must be set to 'ldap.virtual-labs.ac.in' as mentioned in cn in certificate. For name to work either /etc/hosts or DNS server should convert from name to correct IP address of the ldap server. Verify using 'hostname' command that the name setup is correct. The same should also be entered in '/etc/openldap/ldap.conf' file as ldap server. Also verify that name to IP conversion is working by using ping
Testing generated certificates
To test generated certificates save following as a shell script:
#!/bin/sh OPENSSL_TEST="openssl s_client -connect 10.3.1.21:636 -showcerts -state -CAfile" function testCA { ${OPENSSL_TEST} /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem } function testCerts { ${OPENSSL_TEST} /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem \ -cert /etc/pki/tls/ldap.virtual-labs.ac.in-cert.pem \ -key /etc/pki/tls/ldap.virtual-labs.ac.in-key.pem } # Test 'Certificate of Issuing Authority' testCA # Test 'Server Certificate' and 'Server Key Certificate' testCerts
Remember to replace '10.3.1.21' in above script and even the certificate file-names and path correctly.
Then run using './<script_filename.sh>'. The ideal output should end with lines:
Verify return code: 0 (ok) ---
Debugging connection issues
Sometimes ldap server is not able to listen on port 636 as portreserve or other application is blocking it. To debug try following approaches:
- Try to connect to server using telnet such as 'telnet 10.3.1.21 636' and verify that connection works.
- If connection fails then try to stop portreserve using 'service portreserve stop'
- You can also try to force openldap to listen on 636 for ldaps using 'slapd -h 'ldap:/// ldaps://0.0.0.0:636/' -u ldap -f /etc/openldap/slapd.conf'
- If the above command fails then try to debug using '-d 1'
Configuring SSL ldap client
To configure SSL ldap client modify '/etc/openldap/ldap.conf' file so that it has:
BASE dc=sbarjatiya,dc=com URI ldaps://ldap.virtual-labs.ac.in/ #TLS_CACERTDIR /etc/openldap/certs TLS_CACERT /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem
Note that 'TLC_CACERTDIR' should be commented for setup to work.
Downloading certificate on client from server
If a server is not deployed by the same admin than the server certificate can be downloaded and put in cacert directory using following steps:
- Run
- openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
- cd /etc/openldap/cacerts
- Save area between BEGIN_CERTIFICATE and END_CERTIFICATE from openssl output (including these two lines) in cacert.pem file
- Restart appropriate service and check again. If necessary reboot system.
Learned from www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-requires-tls-843917/
Verifying client configuration
If simple anonymous bind is enabled try using:
ldapwhoami -x
If /etc/openldap/ldap.conf specified URI as ldaps:// then this would result into TLS secured connection
If SSL is required then use:
ldapwhoami -x -ZZ
If /etc/openldap/ldap.conf specified URI as ldaps:// then this command may give TLS_already started error
For SSL with authentication use:
ldapwhoami -x -ZZ -D 'cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com' -W
OR
ldapwhoami -x -D 'cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com' -W -H 'ldaps://ldap.virtual-labs.ac.in/'
Thus, both -ZZ or -H 'ldaps://' can be used to indicate SSL based authentication.
<yambe:breadcrumb self="TLS or SSL Security">OpenLDAP</yambe:breadcrumb>