Configuring TLS or SSL security for openLDAP server
Configuring TLS or SSL security for openLDAP server
Certificate generation
All certificate generation related steps can also be done using 'easy-rsa' scripts which are supplied with openVPN
Generating CA certification
To generate CA certificate use:
cd /etc/pki/tls ./misc/CA -newca
Leave the file name to be default by pressing 'return'. Then enter CA passphrase. It is important to remember this for long run as this passphrase is required for signing certificate requests with this CA. Example values are:
- Country code
- IN
- State
- Andhra Pradesh
- City
- Hyderabad
- Organization
- Virtual labs
- Department
- VLEAD
- Hostname
- ca.virtual-labs.ac.in
- Email address
- barjatiya.saurabh@gmail.com
We can leave request passphrase and optional company name blank.
The generated CA file would be saved in '/etc/pki/CA/newcerts' folder. One can refer to '/etc/pki/CA/index.txt' file to figure out which certicate is CA certificate and optionally rename it similar to ca.virtual-labs.ac.in.cert.pem. The private key for CA would be stored in '/etc/pki/CA/private/cakey.pem' file. One can leave this file as it is as renaming it or moving it would cause problems while using the CA shell script for managing certificates.
Generating server certificate request and signing it
To generate a server certificate such that it is not protected by password use:
cd /etc/pki/tls ./misc/CA -newreq-nodes
Then enter appropriate values for various options. Example values are:
- Country code
- IN
- State
- Andhra Pradesh
- City
- Hyderabad
- Organization
- Virtual labs
- Department
- VLEAD
- Hostname
- ldap.virtual-labs.ac.in
- Email address
- barjatiya.saurabh@gmail.com
This would cause a certificate request with name newreq.pem created in current folder. To sign this request use:
./misc/CA -sign
This would cause certificate request to be signed by CA generated earlier. For this to succeed one should enter correct CA key passphrase that was entered while creating new CA. The generated certificate is stored in two locations. One certificate would be stored in current folder with name 'newcert.pem'. Other copy would be stored in '/etc/pki/CA/newcerts' folder. One can refer to '/etc/pki/CA/index.txt' to figure out filename for the currently generated certificate. It is good practise to rename the generated certificates and key files to good names such as ldap.virtual-labs.ac.in-cert.pem and ldap.virtual-labs.ac.in-key.pem.
Note that above generated private key for ldap.iiit.ac.in server is not password protected as openLDAP at least for now does not supports password protected certificate files.
Configuring openldap server to use generated certificates
To configure openldap server to use generated certificates add following lines to 'slapd.conf' file before pidfile configuration:
#This forces TLS mode to be used by all clients. security tls=1 #SSF stands for security strengh factor. By having ssf=1 default ssf for any operation would be set to 1. #By making update_ssf=112 any update would require security strength factors of up to 112 and by making #simple_bind=64 simple_bind would require security of atleast 64 #No security has ssf=0; Integrity protection impies ssf=1; DES and other weak cyphers have ssf=56; #Triple DES and other strong have ssf=112; RC4, Bluefish and other strong cyphers have ssf=128. Hence #ssf is roughly equivalent to encryption key length in bits. security ssf=1 update_ssf=112 simple_bind=64 TLSVerifyClient allow TLSCACertificateFile /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem TLSCertificateFile /etc/pki/tls/ldap.virtual-labs.ac.in-cert.pem TLSCertificateKeyFile /etc/pki/tls/ldap.virtual-labs.ac.in-key.pem
The server can be run using command:
slapd -h 'ldap:/// ldaps:///' -u ldap -f /etc/openldap/slapd.conf
which indicates that server should support both ldap:// and ldaps:// and also that it should be run using user ldap. Finally configuration file to be used is /etc/openldap/slapd.conf. It would be good to do 'chown -R ldap:ldap /var/lid/ldap' before doing this so that user ldap has sufficient access rights. Also ensure that user ldap has permission to read the used certificates and keys, if they are moved elsewhere after generation. Finally, check whether slapd is running or not using 'ps aux | grep slapd' and debug by running with '-d 1' option, if required.
For the setup to work the hostname of the ldap server must be set to 'ldap.virtual-labs.ac.in' as mentioned in cn in certificate. For name to work either /etc/hosts or DNS server should convert from name to correct IP address of the ldap server. Verify using 'hostname' command that the name setup is correct. The same should also be entered in '/etc/openldap/ldap.conf' file as ldap server. Also verify that name to IP conversion is working by using ping
Testing generated certificates
To test generated certificates save following as a shell script:
#!/bin/sh OPENSSL_TEST="openssl s_client -connect 10.3.1.21:636 -showcerts -state -CAfile" function testCA { ${OPENSSL_TEST} /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem } function testCerts { ${OPENSSL_TEST} /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem \ -cert /etc/pki/tls/ldap.virtual-labs.ac.in-cert.pem \ -key /etc/pki/tls/ldap.virtual-labs.ac.in-key.pem } # Test 'Certificate of Issuing Authority' testCA # Test 'Server Certificate' and 'Server Key Certificate' testCerts
Remember to replace '10.3.1.21' in above script and even the certificate file-names and path correctly.
Then run using './<script_filename.sh>'. The ideal output should end with lines:
Verify return code: 0 (ok) ---
Debugging connection issues
Sometimes ldap server is not able to listen on port 636 as portreserve or other application is blocking it. To debug try following approaches:
- Try to connect to server using telnet such as 'telnet 10.3.1.21 636' and verify that connection works.
- If connection fails then try to stop portreserve using 'service portreserve stop'
- You can also try to force openldap to listen on 636 for ldaps using 'slapd -h 'ldap:/// ldaps://0.0.0.0:636/' -u ldap -f /etc/openldap/slapd.conf'
- If the above command fails then try to debug using '-d 1'
Configuring SSL ldap client
To configure SSL ldap client modify '/etc/openldap/ldap.conf' file so that it has:
BASE dc=sbarjatiya,dc=com HOST ldap.virtual-labs.ac.in #TLS_CACERTDIR /etc/openldap/certs TLS_CACERT /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem
Note that 'TLC_CACERTDIR' should be commented for setup to work.
Verifying client configuration
If simple anonymous bind is enabled try using:
ldapwhoami -x
If SSL is required then use:
ldapwhoami -x -ZZ
For SSL with authentication use:
ldapwhoami -x -ZZ -D 'cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com' -W
OR
ldapwhoami -x -D 'cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com' -W -H 'ldaps://ldap.virtual-labs.ac.in/'
Thus, both -ZZ or -H 'ldaps://' can be used to indicate SSL based authentication.