This article documents how to secure OpenLDAP connections with SSL/TLS using a self-signed certificate. Why do LDAP connections need to be made 'secure'? With a plain LDAP connection (ie. ldap://server) bind passwords and all other directory data are sent across the network in clear text, so anyone who can sniff the wire can read them. This may be acceptable on a home network or in a small one-office business, but beyond that it is good practice to encrypt the LDAP traffic going over the network. This article shows one of the simplest ways to encrypt OpenLDAP connections and is based on http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate#secure_openldap although a couple of changes were required to get a working system on Hardy.
This has been tested on Xubuntu 8.04 (Hardy) with all related software installed from the standard repositories. The server has Samba and smbldap-tools installed in addition to OpenLDAP.
Please add other tested systems in this section.
Configure OpenLDAP Server
The openssl package provides the openssl command used to create the certificate below (slapd itself is assumed to be installed already, see the article this one follows on from):
sudo apt-get install openssl
Create a self-signed X.509 certificate (openssl req -x509 writes the certificate directly; no PKCS#10 request is involved). You will be asked several questions; most are unimportant. For Common Name, enter the fully-qualified domain name of your LDAP server (eg. server.mybusiness.com), if it has one, else enter the short name (eg. server). The Common Name must be the name clients will put in their ldaps:// URI: a client that verifies the certificate rejects a name mismatch. Note that rsa:1024 is the key size this article was written with in 2008 and is too short by current standards; use rsa:2048 or larger for a new deployment (the 1024-bit key is what shows up in the openssl s_client output later on). The command writes the private key and the certificate into the same file, which is why that file must be readable by the openldap user only.
sudo mkdir -v /etc/ldap/ssl
pushd /etc/ldap/ssl
sudo openssl req -newkey rsa:1024 -x509 -nodes \
    -out slapd.pem -keyout slapd.pem -days 3650
# Make this readable to openldap only ..
sudo chown -v openldap:openldap /etc/ldap/ssl/slapd.pem
sudo chmod -v 400 /etc/ldap/ssl/slapd.pem
popd
Modify Config Files
Put these lines in /etc/ldap/slapd.conf in the global directives section. In Ubuntu 8.04 slapd fails to start if the 'TLSCipherSuite' line shown is included, so it is commented out here; with it commented out slapd uses the library's default cipher list (the s_client output below shows AES256-SHA being negotiated). See http://email@example.com/msg887754.html for information on this condition.
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
In /etc/default/slapd, set the OpenLDAP server to offer a secure SSL connection as well as the plain one by adding ldaps:/// to the SLAPD_SERVICES variable, so that it reads SLAPD_SERVICES="ldap:/// ldaps:///". Do not include the server name in this line: ldaps:/// with an empty host makes slapd listen on port 636 on all interfaces.
Restart the OpenLDAP server.
sudo /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
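The certificate step above done as a script, with the checks worth running before slapd is restarted. This is an added example, not code from the page or from OpenLDAP. It assumes the Common Name, directory and lifetime are passed as arguments, and it uses a 2048-bit RSA key signed with SHA-256 rather than the page's rsa:1024; it also keeps a certificate-only copy (slapd.crt) that can be handed to clients as their trust anchor, which the page's single combined file does not give you.

```shell
#!/bin/sh
# Added example, not code from the page: the certificate step done
# non-interactively, plus the checks worth running before slapd is restarted.
# Assumptions (not on the page): CN, directory and lifetime are arguments;
# the key is 2048-bit RSA signed with SHA-256 instead of rsa:1024.
set -eu

# make_slapd_cert DIR CN [DAYS]
# Writes DIR/slapd.key (private key), DIR/slapd.crt (certificate only, safe to
# copy to clients as their trust anchor) and DIR/slapd.pem (key + certificate in
# one file, the layout the slapd.conf directives above expect).
make_slapd_cert() {
    dir=$1; cn=$2; days=${3:-3650}
    mkdir -p "$dir"
    # subshell so the restrictive umask does not leak into the caller's shell;
    # files are unreadable to group/other from the moment they are created
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/CN=$cn" -keyout "$dir/slapd.key" -out "$dir/slapd.crt"
        cat "$dir/slapd.key" "$dir/slapd.crt" > "$dir/slapd.pem"
    )
    chmod 400 "$dir/slapd.key" "$dir/slapd.pem"
    chmod 444 "$dir/slapd.crt"
    # slapd runs as the openldap user on Ubuntu; only chown when that account
    # exists (it will not on a workstation where the script is just being tried)
    if getent passwd openldap >/dev/null 2>&1; then
        chown openldap:openldap "$dir/slapd.key" "$dir/slapd.pem"
    fi
}

# check_slapd_cert DIR CN
# Succeeds only if the key and certificate belong together, the certificate
# carries the expected Common Name, it has not expired, and nobody but the
# owner can read the private key. Each failure names the problem on stderr.
check_slapd_cert() {
    dir=$1; cn=$2
    keymod=$(openssl rsa -noout -modulus -in "$dir/slapd.key" 2>/dev/null) || return 1
    crtmod=$(openssl x509 -noout -modulus -in "$dir/slapd.crt" 2>/dev/null) || return 1
    [ "$keymod" = "$crtmod" ] || { echo "key and certificate do not match" >&2; return 1; }
    openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/slapd.crt" \
        | grep -q "CN=$cn\$" || { echo "certificate CN is not $cn" >&2; return 1; }
    openssl x509 -noout -checkend 0 -in "$dir/slapd.crt" >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
    [ "$(ls -l "$dir/slapd.key" | cut -c5-10)" = "------" ] \
        || { echo "slapd.key is readable by group or other" >&2; return 1; }
}

# Usage on the server (as root):  sh slapd-cert.sh run server.mybusiness.com
if [ "${1:-}" = "run" ]; then
    make_slapd_cert /etc/ldap/ssl "${2:?host name required}"
    check_slapd_cert /etc/ldap/ssl "$2" && echo "certificate ready in /etc/ldap/ssl"
fi
```

With the files split this way you can either keep the slapd.conf directives exactly as on the page (all three pointing at slapd.pem) or point TLSCertificateFile at slapd.crt and TLSCertificateKeyFile at slapd.key; in both cases slapd.crt is the file to distribute to clients.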
Test SSL Connection
The 'verify error:num=18:self signed certificate' line is expected: nothing on the machine trusts the certificate yet. What matters is that the handshake completes and a cipher is negotiated.
openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 /C=AU/ST=NSW/O=Collins/CN=server.mybusiness.com
verify error:num=18:self signed certificate
: : :
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A0EF768030C8CDE2F1CA00A15B4A7638DA135524395731937577EEAC14329C99
: : :
Configure LDAP Client
The openssl package provides the s_client test used below and ldap-utils the ldapsearch tools (the su test further down also relies on the client's NSS and PAM already being set up against LDAP):
sudo apt-get install openssl ldap-utils
Modify Config File
In /etc/ldap.conf, set your client machine to use SSL to connect to LDAP and also allow the self-signed certificate. Be clear about what 'TLS_REQCERT allow' means: the client accepts whatever certificate the server presents, so the connection is encrypted but the server is not authenticated. Anyone who can redirect the client's traffic to a host of their own can present their own certificate and read the bind password. That is fine for getting the setup working; for anything beyond a test network copy the server's certificate to the client, reference it with TLS_CACERT and use 'TLS_REQCERT demand' instead, so that only the certificate you generated is accepted (the Common Name must then match the host name in URI).
URI ldaps://server.mybusiness.com/
TLS_REQCERT allow
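The hardened client setup described above as a script: fetch the certificate the server presents, refuse it unless its SHA-256 fingerprint matches one obtained out of band, and write the libldap client settings with 'TLS_REQCERT demand'. This is an added example, not code from the page or from OpenLDAP, and it goes beyond the page in pinning the fingerprint. It assumes the expected fingerprint was read from the server (run cert_fingerprint on /etc/ldap/ssl/slapd.pem there, over ssh or at the console), that the file being written is the libldap client config /etc/ldap/ldap.conf (the page's /etc/ldap.conf belongs to libnss-ldap/libpam-ldap, where the corresponding keywords are 'tls_checkpeer yes' and 'tls_cacertfile'), and that the trust anchor is stored under /etc/ldap/ssl on the client.

```shell
#!/bin/sh
# Added example, not code from the page: pin the server's self-signed
# certificate on a client so libldap authenticates the server instead of
# accepting any certificate. Assumptions (not on the page): the expected
# SHA-256 fingerprint is obtained out of band; the file written is the libldap
# client config /etc/ldap/ldap.conf; the trust anchor lives in /etc/ldap/ssl.
set -eu

# cert_fingerprint PEM -> SHA-256 fingerprint, upper case, colon separated.
# openssl x509 skips a private key block, so the server's combined slapd.pem works too.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//' | tr 'a-z' 'A-Z'
}

# fetch_server_cert HOST PORT OUT -> saves the certificate the ldaps listener presents
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# verify_pinned_cert PEM EXPECTED -> succeeds only when the fingerprints agree
verify_pinned_cert() {
    got=$(cert_fingerprint "$1")
    want=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# write_client_conf CONF URI CACERT -> the settings that replace TLS_REQCERT allow.
# With demand, libldap also checks that the host name in URI matches the
# certificate's Common Name, so URI must use the name the certificate was issued to.
write_client_conf() {
    cat > "$1" <<EOF
# LDAP client TLS settings (merge with any BASE/BINDDN lines already present)
URI $2
TLS_CACERT $3
TLS_REQCERT demand
EOF
}

# pin_ldap_server HOST EXPECTED_FP [CACERT] [CONF]
pin_ldap_server() {
    host=$1; expected=$2
    cacert=${3:-/etc/ldap/ssl/ldap-server.crt}
    conf=${4:-/etc/ldap/ldap.conf}
    tmp=$(mktemp)
    fetch_server_cert "$host" 636 "$tmp"
    if ! verify_pinned_cert "$tmp" "$expected"; then
        echo "refusing to pin $host: got $(cert_fingerprint "$tmp"), expected $expected" >&2
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$(dirname "$cacert")"
    mv "$tmp" "$cacert"
    chmod 444 "$cacert"
    write_client_conf "$conf" "ldaps://$host/" "$cacert"
    echo "pinned $host, fingerprint $expected"
}

# Usage on the client (as root):
#   sh pin-ldap.sh run server.mybusiness.com AB:CD:...:EF
if [ "${1:-}" = "run" ]; then
    pin_ldap_server "${2:?host name required}" "${3:?expected fingerprint required}"
fi
```

After pinning, rerun the openssl s_client test with -CAfile pointing at the saved certificate; the 'verify error:num=18' line should be gone and 'Verify return code: 0 (ok)' should appear, and ldapsearch against the ldaps:// URI should work without TLS errors.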
Test SSL Connection
Test your LDAP lookup. First test the SSL connection from the client using the openssl command; the output should match what you saw on the server, including the expected self-signed verify error:
openssl s_client -connect server.mybusiness.com:636 -showcerts
In one terminal, start a session using su with an account that is in the LDAP database.
su fred
Password:
In a 2nd terminal, check that connections are ldaps - not ldap ..
ss -a | grep "ESTAB"
ESTAB      0      0      dali.local:42946      server.mybusiness.com:ldaps
ESTAB      0      0      dali.local:42948      server.mybusiness.com:ldaps
OpenLDAP-SambaPDC-OrgInfo-Posix - how to set up OpenLDAP for multiple purposes; the article you are reading follows on from it.
The man pages on the configuration files are often quite useful for understanding how things are set up. Although the information in them is sparse, it will ordinarily be up-to-date and accurate. Run man slapd.conf and man ldap.conf.
http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate#secure_openldap - the article by 'dvogels' on which this article is based
http://www.openldap.org/doc/admin24/ - OpenLDAP Software 2.4 Administrator's Guide