||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<BR>><<TableOfContents(3)>>||

== Introduction ==
This article documents how to secure OpenLDAP connections with SSL using a self-signed certificate.  Why do LDAP connections need to be made 'secure'?  With a plain LDAP connection (ie. ldap://server) bind passwords and everything else in the directory cross the network in clear text, readable by anyone on the path.  This may be acceptable on a home network or in a small one-office business, but beyond that it is good practice to encrypt the LDAP traffic going over the network.  This article shows one of the simplest ways to encrypt OpenLDAP connections and is based on [[http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate#secure_openldap]], although a couple of changes were required to get a working system in Hardy.

== Tested Systems ==
This has been tested on Hardy Xubuntu 8.04 with all related software installed from the standard repositories.  The server has Samba and Smbldap-tools installed in addition to OpenLDAP.

Please add other tested systems in this section.

== Configure OpenLDAP Server ==

=== Installation ===
{{{
# slapd is the OpenLDAP server; ldap-utils provides ldapsearch for the tests below
sudo apt-get install slapd ldap-utils
}}}

=== Create Certificate ===
Create a self-signed X.509 certificate together with a new RSA private key (''openssl req -x509'' writes the certificate directly rather than a PKCS#10 signing request).  You will be asked several questions - most are unimportant.  For Common Name, enter the fully-qualified domain name of your LDAP server (eg. server.mybusiness.com), if it has one - else enter the short name (eg. server).  It must match the host name that clients put in their ldaps:// URI, or a client that verifies certificates will reject the connection.  Two caveats: '-nodes' leaves the private key unencrypted on disk (slapd has to start unattended, which is why the file is locked down to the openldap user below), and the 1024-bit RSA key, kept here to match the original test output, is too short by current standards - use 'rsa:2048' or larger on any system you set up today.
{{{
sudo mkdir -v /etc/ldap/ssl
pushd /etc/ldap/ssl
# -x509: write a self-signed certificate instead of a signing request
# -nodes: do not passphrase-protect the key (slapd must start unattended)
# key and certificate both go into the same file, slapd.pem
sudo openssl req -newkey rsa:1024 -x509 -nodes \
		-out slapd.pem -keyout slapd.pem -days 3650
# The file now contains the private key - make it readable to openldap only ..
sudo chown -v openldap:openldap /etc/ldap/ssl/slapd.pem 
sudo chmod -v 400 /etc/ldap/ssl/slapd.pem 
popd
}}}

=== Modify Config Files ===

Put these lines in '''/etc/ldap/slapd.conf''' in the global directives section.  Because key and certificate share one file, all three TLS* directives point at slapd.pem; the 'TLSCACertificateFile' entry lets slapd treat its own self-signed certificate as the trust anchor.  In Ubuntu 8.04 the slapd service refuses to start if the shown 'TLSCipherSuite' line is included, so it is commented out here: the Ubuntu slapd package is built against GnuTLS, which uses its own priority-string syntax and does not accept this OpenSSL-style cipher list.  See [[http://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg887754.html]] for information on this condition.  Without the line slapd uses the library defaults, so check the negotiated cipher in the s_client test below.
{{{
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile  /etc/ldap/ssl/slapd.pem
TLSCertificateFile    /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
}}}
In '''/etc/default/slapd''', set the OpenLDAP server to offer a secure SSL connection (ldaps, port 636) alongside the plain one.  Do not include the server name in this line.  Note that 'ldap:///' keeps the cleartext port 389 open; once every client has been moved to ldaps, remove it from this line (or add 'security ssf=128' to the global section of slapd.conf so slapd refuses operations on unencrypted connections) so that a misconfigured client fails instead of silently sending passwords in the clear.
{{{
SLAPD_SERVICES="ldap:/// ldaps:///"
}}}
Restart the OpenLDAP server.
{{{
sudo /etc/init.d/slapd restart
  Stopping OpenLDAP: slapd.
  Starting OpenLDAP: slapd.
}}}

=== Test SSL Connection ===
Run s_client against the new port.  The 'self signed certificate' verify error (num=18) is expected, since nothing vouches for the certificate but itself.  To confirm that the server is presenting the certificate you just created, add '-CAfile /etc/ldap/ssl/slapd.pem' (as root, since the file is mode 400, or against a copy holding only the certificate); the output should then end with 'Verify return code: 0 (ok)'.
{{{
openssl s_client -connect localhost:636 -showcerts
  CONNECTED(00000003)
  depth=0 /C=AU/ST=NSW/O=Collins/CN=server.mybusiness.com
  verify error:num=18:self signed certificate
    :  :  :
    :  :  :
  New, TLSv1/SSLv3, Cipher is AES256-SHA
  Server public key is 1024 bit
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : AES256-SHA
      Session-ID: A0EF768030C8CDE2F1CA00A15B4A7638DA135524395731937577EEAC14329C99
  :  :  :
}}}

== Configure LDAP Client ==

=== Installation ===
{{{
sudo apt-get install ldap-utils
}}}

=== Modify Config File ===
In '''/etc/ldap/ldap.conf''', set your client machine to use SSL to connect to LDAP and also allow the self-signed certificate.  The 'URI' and 'TLS_REQCERT' directives belong to the OpenLDAP client library (''man ldap.conf''), which ldap-utils read from /etc/ldap/ldap.conf on Ubuntu; libnss-ldap and libpam-ldap, which the ''su'' test below exercises, read the separate file /etc/ldap.conf, so make sure whichever file the component you are testing uses names the ldaps:// URI.  'TLS_REQCERT allow' tells the client to carry on even when it cannot verify the server certificate, so it protects against passive eavesdropping only: anyone who can intercept the connection can present their own certificate and the client will still send its bind password.  Beyond a small trusted LAN, copy the certificate (only the certificate, never the private key that shares slapd.pem) to the client and point 'TLS_CACERT' at it with 'TLS_REQCERT demand'.
{{{
URI ldaps://server.mybusiness.com/
TLS_REQCERT allow
}}}
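The commands in the 'Create Certificate' section leave the private key and the certificate in one file, slapd.pem, and the client configuration above accepts any certificate.  The following shell script is an added example, not part of the original article or of OpenLDAP itself: it pulls the certificate (and only the certificate) out of a combined PEM file for distribution to clients, refuses to continue if a private key would be shipped, and prints the client ldap.conf fragment that pins the server certificate with 'TLS_CACERT' and 'TLS_REQCERT demand' instead of 'TLS_REQCERT allow'.  The sample PEM it operates on is constructed (placeholder base64 bodies), and the host name and paths are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): build a client-side trust
# file containing only the server certificate from a combined slapd.pem, refuse
# to proceed if a private key would be shipped, and emit a client ldap.conf
# fragment that verifies the server instead of using TLS_REQCERT allow.
# The sample PEM, host name and paths below are constructed for illustration.
set -e

# Copy CERTIFICATE blocks only; everything else (including the key) is dropped.
extract_cert_pem() {  # usage: extract_cert_pem <combined.pem> <out.pem>
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside { print }
        /^-----END CERTIFICATE-----$/   { inside = 0 }
    ' "$1" > "$2"
    chmod 644 "$2"          # public material; clients may read it
}

# Succeeds (exit 0) if the file holds any private-key block, which must never
# leave the server.
pem_has_private_key() {  # usage: pem_has_private_key <file>
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Print the number of certificate blocks in a PEM file.
pem_cert_count() {  # usage: pem_cert_count <file>
    grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Print a client ldap.conf fragment that pins the server certificate and
# makes the client refuse any connection it cannot verify.
client_ldap_conf() {  # usage: client_ldap_conf <ldaps-host> <cacert-path>
    cat <<EOF
URI ldaps://$1/
TLS_CACERT $2
TLS_REQCERT demand
EOF
}

# Constructed sample of what 'openssl req -x509 -nodes -out slapd.pem
# -keyout slapd.pem' produces: key and certificate in one file (the base64
# bodies are placeholders, not real key material).
tmpdir=$(mktemp -d)
combined="$tmpdir/slapd.pem"
cat > "$combined" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC7placeholderkeymaterial
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIJplaceholdercertificate
-----END CERTIFICATE-----
EOF

extract_cert_pem "$combined" "$tmpdir/slapd-cert.pem"
if pem_has_private_key "$tmpdir/slapd-cert.pem"; then
    echo "refusing to distribute $tmpdir/slapd-cert.pem: it contains a private key" >&2
    exit 1
fi
echo "extracted $(pem_cert_count "$tmpdir/slapd-cert.pem") certificate(s) to $tmpdir/slapd-cert.pem"
# Hypothetical host name and client path; substitute your own.
client_ldap_conf server.mybusiness.com /etc/ldap/ssl/slapd-cert.pem
rm -rf "$tmpdir"
```

On the real server, run the extraction as root against /etc/ldap/ssl/slapd.pem, copy the resulting certificate-only file to each client, and put the printed fragment in the client's /etc/ldap/ldap.conf; ldapsearch will then fail rather than connect if anyone presents a different certificate.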

=== Test SSL Connection ===
Test your LDAP lookup.  Entries coming back means both the TLS handshake and the (anonymous) bind worked over ldaps.
{{{
ldapsearch -xLLL
}}}

Test the SSL connection from the client using the openssl command.  The certificate it prints must be the one created on the server.
{{{
openssl s_client -connect server.mybusiness.com:636 -showcerts
}}}

In one terminal, start a session using ''su'' with an account that is in the LDAP database.
{{{
su fred
  password:
}}}

In a 2nd terminal, check that the connections are '''ldaps''' (port 636) - not ldap (port 389).  Any line ending in ':ldap' means some component on the client is still configured with the cleartext URI ..
{{{
ss -a | grep "ESTAB"
ESTAB  0  0 dali.local:42946  server.mybusiness.com:ldaps
ESTAB  0  0 dali.local:42948  server.mybusiness.com:ldaps
}}}
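The grep above depends on reading the output by eye and on ''ss'' printing service names.  The script below is an added example, not from the original article: it turns the check into a pass/fail test that flags any established session to port 389 whether it is shown as 'ldap' or as a number, and runs here against a constructed sample of ''ss -a'' output (two ldaps sessions plus one cleartext session of the kind the real check must never find).

```shell
#!/bin/sh
# Added example (not from the original article): audit 'ss' output for LDAP
# sessions that still use the cleartext port. Works on 'ss -a' or 'ss -an'
# output; assumes no -p, which would make process info the last field.
set -e

# Read ss-style lines on stdin and print every established connection whose
# peer port is 389 or "ldap". Exit status 0 = none found, 1 = cleartext found.
find_cleartext_ldap() {
    awk '
        $1 == "ESTAB" {
            peer = $NF                      # last field is peer address:port
            n = split(peer, parts, ":")     # works for [::1]:389 too
            port = parts[n]
            if (port == "ldap" || port == "389") { print; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample of 'ss -a' output: two ldaps sessions and one session
# that still talks cleartext LDAP to the server by IP.
sample_ss_output='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      dali.local:42946     server.mybusiness.com:ldaps
ESTAB  0      0      dali.local:42948     server.mybusiness.com:ldaps
ESTAB  0      0      192.168.1.20:42950   192.168.1.10:389
LISTEN 0      128    *:ldap               *:*'

if printf '%s\n' "$sample_ss_output" | find_cleartext_ldap; then
    echo "ok: no cleartext LDAP sessions"
else
    echo "WARNING: the session(s) above are unencrypted LDAP" >&2
fi
```

On a live client, source the script and run ''ss -a | find_cleartext_ldap'' while the ''su'' session from the first terminal is open.  A non-zero exit status with the offending lines printed points at the component whose configuration still names ldap://.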

== See Also ==

 * [[OpenLDAP-SambaPDC-OrgInfo-Posix]] - how to set up Open LDAP for multiple purposes - the article you are reading follows on from this.
 * the man pages on the configuration files are often quite useful for understanding how things are set up.  Although the information in them is sparse, it will ordinarily be up-to-date and accurate.  Run ''man slapd.conf'' and ''man ldap.conf''.

== External Links ==

 * [[http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate#secure_openldap]] - the article by 'dvogels' on which this article is based
 * [[http://www.openldap.org/doc/admin24/]] - OpenLDAP Software 2.4 Administrator's Guide