Introduction

This article documents how to secure OpenLDAP connections with SSL using a self-signed certificate. Why do LDAP connections need to be made 'secure'? With a basic LDAP connection (i.e. ldap://server) passwords and other LDAP information are sent across the network as clear text. This may not be a problem in a home network or a small one-office business, but beyond that it is good practice to encrypt the LDAP information going over the network. This article shows one of the simplest ways to encrypt OpenLDAP connections and is based on http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate#secure_openldap, although a couple of changes were required to get a working system in Hardy.

Tested Systems

This has been tested on Hardy Xubuntu 8.04 with all related software installed from the standard repositories. The server has Samba and Smbldap-tools installed in addition to OpenLDAP.

Please add other tested systems in this section.

Configure OpenLDAP Server

Installation

sudo apt-get install openssh-server

Create Certificate

Create a self-signed certificate with openssl req (the -x509 option signs the PKCS#10 request in place instead of writing out a CSR). You will be asked several questions - most are unimportant. For Common Name, enter the fully-qualified domain name of your LDAP server (e.g. server.mybusiness.com) if it has one - else enter the short name (e.g. server). The command below writes the private key and the certificate into the same file, slapd.pem, which is why that file is then made readable by the openldap user only.

sudo mkdir -v /etc/ldap/ssl
pushd /etc/ldap/ssl
sudo openssl req -newkey rsa:1024 -x509 -nodes \
                -out slapd.pem -keyout slapd.pem -days 3650
# Make this readable to openldap only ..
sudo chown -v openldap:openldap /etc/ldap/ssl/slapd.pem 
sudo chmod -v 400 /etc/ldap/ssl/slapd.pem 
popd

Modify Config Files

Put these lines in /etc/ldap/slapd.conf in the global directives section. In Ubuntu 8.04, there is a condition that prevents the slapd service from starting if the shown 'TLSCipherSuite' line is included - so I have commented this out. See http://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg887754.html for information on this condition.

#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile  /etc/ldap/ssl/slapd.pem
TLSCertificateFile    /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem

In /etc/default/slapd, set the OpenLDAP server to offer a secure SSL connection (ldaps on port 636) alongside plain ldap. Do not include the server name in this line.

SLAPD_SERVICES="ldap:/// ldaps:///"

Restart the OpenLDAP server.

sudo /etc/init.d/slapd restart
  Stopping OpenLDAP: slapd.
  Starting OpenLDAP: slapd.
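Before testing the connection, the server-side steps above can be checked in one go. The following POSIX shell function is an added example, not part of the wiki page: it reads the three TLS directives from slapd.conf, confirms each file exists, checks that the key file is not group- or world-readable (the chmod 400 from the Create Certificate step), and confirms SLAPD_SERVICES offers ldaps:///. It assumes slapd.conf-style directives (one per line, path in the second field) and the /etc/default/slapd layout shown above.

```sh
# check_slapd_tls CONF DEFAULTS
# Pre-flight check for the slapd TLS setup (added example, not from the wiki).
# Prints each problem to stderr and returns 0 only if every check passes.
check_slapd_tls() {
    conf=$1; defaults=$2; rc=0

    for directive in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        # Path from the first uncommented occurrence of the directive
        # (a commented line starts with '#', so its first field never matches).
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "$conf: $directive is not set" >&2; rc=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "$conf: $directive points to missing file $path" >&2; rc=1; continue
        fi
        # The file named by TLSCertificateKeyFile holds the private key: group and
        # other permission bits (columns 5-10 of 'ls -l') must all be '-'.
        if [ "$directive" = TLSCertificateKeyFile ] && \
           [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "$path: key file is readable by group or others (want mode 400)" >&2; rc=1
        fi
    done

    # Without ldaps:/// in SLAPD_SERVICES the server never listens on 636 and
    # clients configured for ldaps:// simply fail (or fall back to clear text).
    if ! grep -Eq '^[[:space:]]*SLAPD_SERVICES=.*ldaps:///' "$defaults"; then
        echo "$defaults: SLAPD_SERVICES does not include ldaps:///" >&2; rc=1
    fi
    return $rc
}

# Typical use on the server (root is needed to reach /etc/ldap/ssl):
#   sudo sh -c '. ./check_slapd_tls.sh; check_slapd_tls /etc/ldap/slapd.conf /etc/default/slapd'
```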

Test SSL Connection

openssl s_client -connect localhost:636 -showcerts
  CONNECTED(00000003)
  depth=0 /C=AU/ST=NSW/O=Collins/CN=server.mybusiness.com
  verify error:num=18:self signed certificate
    :  :  :
    :  :  :
  New, TLSv1/SSLv3, Cipher is AES256-SHA
  Server public key is 1024 bit
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : AES256-SHA
      Session-ID: A0EF768030C8CDE2F1CA00A15B4A7638DA135524395731937577EEAC14329C99
  :  :  :

Configure LDAP Client

Installation

sudo apt-get install openssh-client ldap-utils

Modify Config File

In /etc/ldap.conf, set your client machine to use SSL to connect to LDAP and also allow the self-signed certificate. TLS_REQCERT allow means the client continues even when the server certificate cannot be verified against a trusted CA, which is what a self-signed certificate requires here.

URI ldaps://server.mybusiness.com/
TLS_REQCERT allow

Test SSL Connection

Test your LDAP lookup.

ldapsearch -xLLL

Test the SSL connection using the openssl command.

openssl s_client -connect server.mybusiness.com:636 -showcerts

In one terminal, start a session using su with an account that is in the LDAP database.

su fred
  password:

In a second terminal, check that the connections use ldaps, not ldap:

ss -a | grep "ESTAB"
ESTAB  0  0 dali.local:42946  server.mybusiness.com:ldaps
ESTAB  0  0 dali.local:42948  server.mybusiness.com:ldaps

See Also

  • OpenLDAP-SambaPDC-OrgInfo-Posix - how to set up Open LDAP for multiple purposes - the article you are reading follows on from this.

  • the man pages on the configuration files are often quite useful for understanding how things are set up. Although the information in them is sparse, it will ordinarily be up-to-date and accurate. Run man slapd.conf and man ldap.conf.

SecuringOpenLDAPConnections (last edited 2011-05-16 14:39:03 by ug-uyst-s-0003)