== Introduction ==

This article documents how to secure OpenLDAP connections with SSL using a self-signed certificate.

Why do LDAP connections need to be made 'secure'? With a basic LDAP connection (i.e. ldap://server) passwords and other LDAP information are sent across the network as clear text. This may not be a problem in a home network or a small one-office business, but beyond that it is good practice to encrypt the LDAP information going over the network.

This article shows one of the simplest ways to encrypt OpenLDAP connections and is based on [[http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate#secure_openldap]], although a couple of changes were required to get a working system in Hardy.

== Tested Systems ==

This has been tested on Hardy Xubuntu 8.04 with all related software installed from the standard repositories. The server has Samba and Smbldap-tools installed in addition to OpenLDAP.

Please add other tested systems in this section.

== Configure OpenLDAP Server ==

=== Installation ===

{{{
sudo apt-get install openssh-server
}}}

=== Create Certificate ===

Create a PKCS#10 self-signed certificate. You will be asked several questions - most are unimportant. For Common Name, enter the fully-qualified domain name of your LDAP server (e.g. server.mybusiness.com) if it has one; otherwise enter the short name (e.g. server).

{{{
sudo mkdir -v /etc/ldap/ssl
pushd /etc/ldap/ssl
sudo openssl req -newkey rsa:1024 -x509 -nodes \
    -out slapd.pem -keyout slapd.pem -days 3650
# Make this readable to openldap only ..
sudo chown -v openldap:openldap /etc/ldap/ssl/slapd.pem
sudo chmod -v 400 /etc/ldap/ssl/slapd.pem
popd
}}}

=== Modify Config Files ===

Put these lines in '''/etc/ldap/slapd.conf''' in the global directives section.

In Ubuntu 8.04, there is a condition that prevents the slapd service from starting if the shown 'TLSCipherSuite' line is included - so I have commented this out. See [[http://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg887754.html]] for information on this condition.

{{{
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
}}}

In '''/etc/default/slapd''', set the OpenLDAP server to offer a secure SSL connection. Do not include the server name in this line.

{{{
SLAPD_SERVICES="ldap:/// ldaps:///"
}}}

Restart the OpenLDAP server.

{{{
sudo /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
}}}

=== Test SSL Connection ===

{{{
openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 /C=AU/ST=NSW/O=Collins/CN=server.mybusiness.com
verify error:num=18:self signed certificate
:
:
:
:
:
:
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A0EF768030C8CDE2F1CA00A15B4A7638DA135524395731937577EEAC14329C99
:
:
:
}}}

== Configure LDAP Client ==

=== Installation ===

{{{
sudo apt-get install openssh-client ldap-utils
}}}

=== Modify Config File ===

In '''/etc/ldap.conf''', set your client machine to use SSL to connect to LDAP and also allow the self-signed certificate.

{{{
URI ldaps://server.mybusiness.com/
TLS_REQCERT allow
}}}

=== Test SSL Connection ===

Test your LDAP lookup.

{{{
ldapsearch -xLLL
}}}

Test the SSL connection using the openssl command.

{{{
openssl s_client -connect server.mybusiness.com:636 -showcerts
}}}

In one terminal, start a session using ''su'' with an account that is in the LDAP database.

{{{
su fred
password:
}}}

In a 2nd terminal, check that the connections are '''ldaps''' - not ldap ..

{{{
ss -a | grep "ESTAB"
ESTAB      0      0      dali.local:42946      server.mybusiness.com:ldaps
ESTAB      0      0      dali.local:42948      server.mybusiness.com:ldaps
}}}

== See Also ==

 * [[OpenLDAP-SambaPDC-OrgInfo-Posix]] - how to set up OpenLDAP for multiple purposes - the article you are reading follows on from this.
 * The man pages on the configuration files are often quite useful for understanding how things are set up. Although the information in them is sparse, it will ordinarily be up-to-date and accurate. Run ''man slapd.conf'' and ''man ldap.conf''.

== External Links ==

 * [[http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate#secure_openldap]] - the article by 'dvogels' on which this article is based
 * [[http://www.openldap.org/doc/admin24/]] - OpenLDAP Software 2.4 Administrator's Guide
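== Checking the Client Configuration ==

The client configuration in the "Modify Config File" section above uses '''TLS_REQCERT allow''', which encrypts the traffic but never checks that the certificate presented on port 636 is the slapd.pem you generated; a client with that setting will just as happily talk to any other host answering as server.mybusiness.com. The script below is an added example (not part of this wiki page or of OpenLDAP) that audits an ldap.conf-style file for the directives documented in ''man ldap.conf'' (URI, TLS_REQCERT, TLS_CACERT) and shows the page's setting beside a hardened one that trusts a copy of slapd.pem instead; the sample configurations are constructed, and the client-side path /etc/ldap/ssl/slapd.pem is an assumed location.

```python
"""Audit an OpenLDAP client ldap.conf for settings that leave the LDAP
traffic unencrypted or the server certificate unverified (added example,
not from the wiki page; the sample configs below are constructed)."""
from urllib.parse import urlsplit

# TLS_REQCERT values that let a session continue with a bad or missing
# server certificate (ldap.conf(5)); the default when absent is 'demand'.
UNVERIFIED = {"never", "allow"}


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; directives are case-insensitive."""
    conf = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.upper()] = value.strip()
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings = []
    # A plain ldap:// URI sends the bind password in clear text.
    for uri in conf.get("URI", "").split():
        if urlsplit(uri).scheme.lower() != "ldaps":
            findings.append(f"cleartext URI: {uri}")
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in UNVERIFIED:
        findings.append(f"TLS_REQCERT {reqcert}: any server certificate "
                        "is accepted, not just slapd.pem")
    elif not (conf.keys() & {"TLS_CACERT", "TLS_CACERTDIR"}):
        # Without a trust anchor the self-signed slapd.pem fails verification
        # (the 'self signed certificate' error openssl s_client reports).
        findings.append(f"TLS_REQCERT {reqcert} without TLS_CACERT: "
                        "the self-signed certificate fails verification")
    return findings


# Constructed: the client configuration exactly as given on this page.
WEAK_CONF = "URI ldaps://server.mybusiness.com/\nTLS_REQCERT allow\n"

# Constructed: the same client, trusting a copy of slapd.pem (assumed to be
# placed at /etc/ldap/ssl/slapd.pem on the client) and requiring it to verify.
HARDENED_CONF = ("URI ldaps://server.mybusiness.com/\n"
                 "TLS_CACERT /etc/ldap/ssl/slapd.pem\n"
                 "TLS_REQCERT demand\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_ldap_conf(conf) or ["OK"])
```

The hardened form only works once slapd.pem has actually been copied to the client, since with TLS_REQCERT demand and no matching TLS_CACERT every ldaps connection is refused rather than silently accepted.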