To improve the security of communication with LDAP servers, it is well worth configuring SSL/TLS so that all data crossing the network is encrypted. This requires a valid X.509 certificate, either signed by a CA (certificate authority) or self-signed. In the configuration shown in this post I'll use a self-signed certificate, install it on the LDAP server, and finally configure an LDAP client to talk to the server over SSL/TLS:


Configuring ldap server

– Create a self-signed certificate with the openssl utility:

# mkdir /etc/ldap/ssl
# openssl genrsa -out /etc/ldap/ssl/private.key 2048
# openssl req -new -x509 -key /etc/ldap/ssl/private.key -out /etc/ldap/ssl/cert.pem -days 432
# chown -R openldap:openldap /etc/ldap/ssl/

– Edit the slapd.conf file to add the new certificate and the key created:

# vi /etc/ldap/slapd.conf

TLSCACertificateFile /etc/ldap/ssl/cert.pem
TLSCertificateFile /etc/ldap/ssl/cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/private.key
TLSCipherSuite SECURE256:!AES-128-CBC

– The TLSCipherSuite directive defines the list of ciphers slapd will accept when negotiating a connection. To list the ciphers available on your system, run the following command (the gnutls-bin package must be installed):

# gnutls-cli -l

– Edit /etc/default/slapd:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

– Restarting slapd:

# service slapd restart

Configuring the client

– Edit /etc/ldap/ldap.conf

BASE dc=opentodo,dc=net
URI ldaps://172.16.0.100
TLS_CACERT /etc/ldap/cert.pem
#the client does not verify the server certificate
#necessary for self signed certificates
TLS_REQCERT never
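The client config above ends with TLS_REQCERT never, which switches off verification of the server certificate entirely, even though TLS_CACERT already points at the server's own cert. As an added example (not code from the original post), this shell script audits an ldap.conf for that setting and, when openssl is available, issues a self-signed certificate with a subjectAltName for the address clients use, so the client can run with TLS_REQCERT demand instead; the scratch directory, the file names and the audit_ldap_conf/make_server_cert functions are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Everything is written to a
# scratch directory (assumed), so nothing under /etc is touched.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Return 0 when an ldap.conf verifies the server certificate: TLS_CACERT is
# set and TLS_REQCERT is not "never"/"allow" (OpenLDAP defaults to "demand"
# when the directive is absent). Comment lines (#...) are ignored.
audit_ldap_conf() {
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=$2} END{print tolower(v)}' "$1")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$1")
    case "${reqcert:-demand}" in
        never|allow) echo "WEAK: TLS_REQCERT $reqcert skips certificate checks"; return 1 ;;
    esac
    [ -n "$cacert" ] || { echo "WEAK: no TLS_CACERT, demand cannot succeed"; return 1; }
    echo "OK: TLS_REQCERT ${reqcert:-demand} against $cacert"
}

# Self-signed certificate as in the post, plus a subjectAltName for the
# address clients connect to (IP or DNS name), so "demand" can match it.
# Needs OpenSSL 1.1.1+ for -addext. The same file serves as the client's
# TLS_CACERT, so it must verify against itself.
make_server_cert() {
    dir="$1"; addr="$2"
    case "$addr" in *[!0-9.]*) san="DNS:$addr" ;; *) san="IP:$addr" ;; esac
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$addr" \
        -addext "subjectAltName=$san" -keyout "$dir/private.key" \
        -out "$dir/cert.pem" 2>/dev/null
    chmod 600 "$dir/private.key"
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null
}

# Constructed client configs: the post's as written, and a hardened copy.
printf 'BASE dc=opentodo,dc=net\nURI ldaps://172.16.0.100\nTLS_CACERT /etc/ldap/cert.pem\nTLS_REQCERT never\n' > "$WORK/ldap.conf.weak"
sed 's/^TLS_REQCERT never/TLS_REQCERT demand/' "$WORK/ldap.conf.weak" > "$WORK/ldap.conf.fixed"

audit_ldap_conf "$WORK/ldap.conf.weak" || true   # reports WEAK
audit_ldap_conf "$WORK/ldap.conf.fixed"          # reports OK
if command -v openssl >/dev/null 2>&1; then
    make_server_cert "$WORK/ssl" 172.16.0.100 && echo "certificate for 172.16.0.100 verified"
fi
```

Point TLS_CACERT at the generated cert.pem and set TLS_REQCERT demand on the client; ldapsearch will then refuse any server presenting a different certificate.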

– Sources:

http://www.zytrax.com/books/ldap/ch15/

Configure OpenLDAP with SSL/TLS