Enable LDAPS (self-signed)



Introduction
We're assuming you've already got OpenLDAP running; we're just adding LDAPS support. We're also assuming you've got an LDAP server and at least one client server, and that hostname resolution works accordingly (the name clients use must be the one that goes into the certificate and into the ldaps:// URIs),
vi /etc/hosts
Note. we prefer to use the short hostname form here.


Self-signed certificate
Create the self-signed certificate. As root, generate the key and the certificate into separate files, then put them together into the single server.pem that slapd will read (key first, then certificate). Use at least 2048 bits: 1024-bit RSA is too weak today. When prompted for the Common Name, answer SRV_HOSTNAME exactly as clients will write it in their ldaps:// URI, because the client library checks the hostname against the certificate,
cd ~/
openssl req -newkey rsa:2048 -x509 -nodes -days 365 -keyout server.key -out server.crt
cat server.key server.crt > server.pem
rm -f server.key server.crt
mv server.pem /var/lib/ldap/
chown root:ldap /var/lib/ldap/server.pem
chmod 440 /var/lib/ldap/server.pem
Note. don't point -keyout and -out at the same file in one openssl command: unless both arguments are literally the same string, the certificate write truncates the key you just generated, and slapd will refuse to start with a key-less server.pem.

Make it reachable under the paths slapd.conf uses below, and link it as CA certificate also (the second link is relative, so it resolves to /etc/openldap/server.pem),
ln -s /var/lib/ldap/server.pem /etc/openldap/server.pem
ln -s ../server.pem /etc/openldap/cacerts/server.pem


Server configuration
Configure the LDAP server (vi /etc/openldap/slapd.conf),
TLSCACertificateFile /etc/openldap/server.pem
TLSCertificateFile /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.pem

Enable ldaps (vi /etc/sysconfig/ldap),
SLAPD_LDAPS=yes

Force ldaps *only* and force the hostname, so that slapd binds its TLS listener to SRV_HOSTNAME's address and nothing listens in cleartext on 389 any more. This is an edit to the init script itself, which a package update may overwrite, so re-check it after updating openldap-servers,
vi /etc/init.d/ldap,
like,
#harg="ldap:///"
if grep -q ^TLS /etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
  harg="ldaps://SRV_HOSTNAME/"
fi

Restart the service and check the LDAP server is listening on the right port: with ldaps forced as above, nothing should show up on 389 any more, only 636 (replace mju2.base.mju below with SRV_HOSTNAME),
service ldap restart
netstat -an --inet | grep 389
netstat -an --inet | grep 636
telnet mju2.base.mju 636
^C

Check the certificate with OpenSSL. Without -CAfile the handshake still completes but ends with "Verify return code: 18 (self signed certificate)", which is expected here; with our certificate given as trust anchor it must end with "Verify return code: 0 (ok)", which is exactly what the clients will need to achieve,
openssl s_client -connect mju2.base.mju:636 -showcerts -state
openssl s_client -connect mju2.base.mju:636 -showcerts -state -CAfile /etc/openldap/server.pem
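The certificate generation above and the s_client check, as an added example script (not code from the original page): it writes key and certificate to separate files before combining them, verifies that the key in server.pem really matches its certificate, extracts a certificate-only copy for the clients (and checks it carries no private key), and wraps the s_client verification so it can be scripted. Assumed: the openssl command line on PATH; the hostname ldap.example.com in the demo is hypothetical; ownership (chown root:ldap) is still done by hand as on the page, since it needs the ldap group to exist.

```shell
#!/bin/sh
# Added example, not from the original page: build the self-signed server.pem
# and run the checks a practitioner wants before copying anything to clients.

# Generate a 2048-bit RSA key and a self-signed certificate whose CN is the
# hostname clients will put in their ldaps:// URI, then combine them into
# $dir/server.pem (key first, then certificate), mode 440.
gen_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    openssl req -newkey rsa:2048 -nodes -x509 -days "$days" -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # umask in a subshell so the combined file is never group/world-readable, even briefly
    ( umask 077; cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem" ) || return 1
    rm -f "$dir/server.key" "$dir/server.crt"
    chmod 440 "$dir/server.pem"
}

# Return 0 only if the private key and the certificate in one PEM file share
# the same RSA modulus, i.e. the certificate was really issued for that key.
cert_matches_key() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Write only the CERTIFICATE block to $2: this is what goes to the clients'
# /etc/openldap/cacerts/server.pem; the private key never leaves the server.
extract_cert() {
    openssl x509 -in "$1" -out "$2"
}

# Return 0 if a file contains no private key block at all (safe to distribute).
has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Client-side check against a running server: with the copied certificate as
# trust anchor, OpenSSL must report "Verify return code: 0 (ok)". Without
# -CAfile the same command ends with code 18 (self signed certificate).
check_ldaps() {
    host=$1; cacert=$2
    openssl s_client -connect "$host:636" -CAfile "$cacert" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone demo (needs only openssl, no network): build a throw-away
# certificate for a hypothetical host and run the two offline checks on it.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    gen_selfsigned "$tmp" ldap.example.com 365
    cert_matches_key "$tmp/server.pem" && echo "key matches certificate"
    extract_cert "$tmp/server.pem" "$tmp/client-ca.pem"
    has_no_private_key "$tmp/client-ca.pem" && echo "client copy carries no key"
    rm -rf "$tmp"
fi
```

Save it as, say, mkcert.sh and run `sh mkcert.sh demo` for the offline checks; check_ldaps needs the server up and the certificate-only file already on the client.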


Client configuration
Configure both uses of LDAP (user information, i.e. NSS lookups, and authentication, i.e. PAM) the same way: tick "use LDAP", leave the TLS checkbox *unticked*, and give the server as an ldaps:// URI. The URI already gives you TLS; the checkbox means StartTLS, which would be a second TLS negotiation on top of it and fails,
system-config-authentication > user information > use LDAP > *no TLS* > ldaps://example.com/
system-config-authentication > authentication > use LDAP > *no TLS* > ldaps://example.com/
system-config-authentication > Options > use shadow passwords
system-config-authentication > Options > use md5 passwords
system-config-authentication > Options > local authorization is sufficient for local users
Note. the last option lets local accounts (root included) pass PAM's account check without asking the LDAP server; that is what keeps root able to log in when the directory is down (tested at the end of this page).
Note. the clients need the server certificate to verify the server: copy the certificate part of /var/lib/ldap/server.pem (the CERTIFICATE block only, never the private key) to /etc/openldap/cacerts/server.pem on each client, which is the path the two configuration files below point at.

Check nss_ldap configuration,
vi /etc/ldap.conf
like,
uri ldaps://SRV_HOSTNAME/
Note. this single line should be enough. But here are a few other options,
#ldap_version 3
#base dc=example,dc=com
#ssl on
#tls_cacertdir /etc/openldap/cacerts
#pam_password md5
#timelimit 120
#bind_timelimit 120
#idle_timelimit 3600
#nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
Note. you don't want 'ssl start_tls' as we're already saying ldaps://. It would start TLS twice ('ssl on' is the setting that matches an ldaps:// URI).
Note. encryption alone does not authenticate the server. Set 'tls_checkpeer yes' and 'tls_cacertfile /etc/openldap/cacerts/server.pem' (the copied certificate), otherwise anyone able to redirect SRV_HOSTNAME can impersonate the LDAP server and collect bind passwords.

Check the OpenLDAP client library configuration (used by ldapsearch and the other openldap-clients tools),
vi /etc/openldap/ldap.conf
like,
URI ldaps://SRV_HOSTNAME/
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/server.pem
TLS_CACERTDIR /etc/openldap/cacerts
Note. TLS_CACERT needs to be defined *before* TLS_CACERTDIR.
Note. TLS_CACERTDIR only works on a directory prepared with c_rehash (certificates are looked up by hashed file name); with a single self-signed certificate, TLS_CACERT alone is enough.
Note. leave TLS_REQCERT at its default, "demand". "never" or "allow" make the library accept any certificate, which defeats the purpose of copying ours to the clients.
Note. see "man ldap.conf" for all configuration options.
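To catch the two mistakes the notes above warn about (starting TLS twice, and encrypting without verifying the server) in either configuration file, here is an added audit script; it is not from the original page nor from OpenLDAP or nss_ldap. The keywords are the real ones from /etc/ldap.conf (uri, ssl, tls_checkpeer, tls_cacertfile, tls_cacertdir) and /etc/openldap/ldap.conf (URI, TLS_REQCERT, TLS_CACERT, TLS_CACERTDIR); the sample configurations embedded in it are constructed for the example, with the weak settings beside the corrected ones.

```shell
#!/bin/sh
# Added example, not from the original page: audit an nss_ldap /etc/ldap.conf
# or a libldap /etc/openldap/ldap.conf for double TLS and for missing
# server-certificate verification. One finding per line on stdout; the exit
# status is the number of findings, so 0 means the file passed.

# Value of a keyword, case-insensitive, last occurrence wins, comments skipped.
# Only the first URI of a multi-URI line is looked at (enough for this check).
conf_get() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

audit_ldap_conf() {
    f=$1; n=0
    uri=$(conf_get "$f" uri)
    ssl=$(conf_get "$f" ssl)
    reqcert=$(conf_get "$f" tls_reqcert)
    checkpeer=$(conf_get "$f" tls_checkpeer)
    anchor=$(conf_get "$f" tls_cacert)
    [ -n "$anchor" ] || anchor=$(conf_get "$f" tls_cacertfile)
    [ -n "$anchor" ] || anchor=$(conf_get "$f" tls_cacertdir)

    case "$uri" in
    ldaps://*)
        # ldaps:// is TLS from the first byte; asking for STARTTLS on top of it
        # is the "TLS twice" mistake and makes the connection fail.
        if [ "$ssl" = "start_tls" ]; then
            echo "double TLS: '$uri' together with 'ssl start_tls'"; n=$((n + 1))
        fi ;;
    ldap://*)
        # Plain ldap:// is cleartext unless STARTTLS is requested. For the libldap
        # file this is flagged too: nothing in that file forces StartTLS (-ZZ does).
        if [ "$ssl" != "start_tls" ]; then
            echo "cleartext: '$uri' without 'ssl start_tls'"; n=$((n + 1))
        fi ;;
    "")
        echo "no uri/URI set"; n=$((n + 1)) ;;
    esac

    # libldap: TLS_REQCERT never/allow accepts any certificate (default: demand).
    case "$reqcert" in
    never|allow) echo "server not verified: TLS_REQCERT $reqcert"; n=$((n + 1)) ;;
    esac
    # nss_ldap: tls_checkpeer no switches verification off entirely.
    if [ "$checkpeer" = "no" ]; then
        echo "server not verified: tls_checkpeer no"; n=$((n + 1))
    fi
    # Verification needs a trust anchor: the certificate copied from the server.
    if [ -z "$anchor" ]; then
        echo "no tls_cacert/tls_cacertfile/tls_cacertdir: nothing to verify the server against"
        n=$((n + 1))
    fi
    return $n
}

# Constructed samples (hypothetical host ldap.example.com): weak beside corrected.
sample_weak_nss() {
    printf '%s\n' 'uri ldaps://ldap.example.com/' 'ssl start_tls' 'tls_checkpeer no'
}
sample_good_nss() {
    printf '%s\n' 'uri ldaps://ldap.example.com/' 'ssl on' 'tls_checkpeer yes' \
        'tls_cacertfile /etc/openldap/cacerts/server.pem'
}
sample_weak_libldap() {
    printf '%s\n' 'URI ldaps://ldap.example.com/' 'BASE dc=example,dc=com' 'TLS_REQCERT never'
}
sample_good_libldap() {
    printf '%s\n' 'URI ldaps://ldap.example.com/' 'BASE dc=example,dc=com' \
        'TLS_CACERT /etc/openldap/cacerts/server.pem' 'TLS_REQCERT demand'
}

# Run the audit over a file and report; usable on the real files too:
#   audit_report /etc/ldap.conf
audit_report() {
    audit_ldap_conf "$1"; rc=$?
    echo "$1: $rc finding(s)"
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    sample_weak_nss > "$t/ldap.conf.weak"; audit_report "$t/ldap.conf.weak"
    sample_good_nss > "$t/ldap.conf.good"; audit_report "$t/ldap.conf.good"
    sample_weak_libldap > "$t/openldap.weak"; audit_report "$t/openldap.weak"
    sample_good_libldap > "$t/openldap.good"; audit_report "$t/openldap.good"
    rm -rf "$t"
fi
```

`sh audit.sh demo` reports 3 findings for the weak nss_ldap sample (double TLS, tls_checkpeer no, no trust anchor), 2 for the weak libldap one (TLS_REQCERT never, no trust anchor) and none for the corrected ones; point audit_report at /etc/ldap.conf and /etc/openldap/ldap.conf on each client once they are written.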


Ready to go
Check that users and groups resolve, local and LDAP ones alike (the LDAP accounts should now show up on the clients too). On the LDAP server,
getent passwd
getent group
and on clients,
getent passwd
getent group

Also check with ldapsearch, from any machine that resolves SRV_HOSTNAME and has openldap-clients installed (the first command only prints the usage),
ldapsearch -h 2>&1 | less
ldapsearch -H ldaps://SRV_HOSTNAME -D 'cn=admin,dc=example,dc=com' -x -W
Note. "No client certificate CA names sent" in the openssl s_client output above only means the server did not ask for a client certificate; it is fine.
Note. don't use "-Z" and "-H ldaps://SRV_HOSTNAME" at the same time. "-Z" is StartTLS, so this would start TLS twice too.
Note. if you're using "-Z" (with an ldap:// URI), rather try "-ZZ", which is nicer: it stops if StartTLS fails instead of carrying on in cleartext.
Note. "-LL" is nice to get the LDIF without comments; "-LLL" also drops the LDIF version line.
Note. "-W" is needed because "-x -D" is a simple bind, which needs the bind password (without it, or "-w", the bind is unauthenticated and refused by default); it has nothing to do with ldaps.
Note. "-v" for verbosity

Check that every server using the directory can still log in as "root" even though the LDAP server is down (this is what the "local authorization is sufficient for local users" option is for). On the LDAP server,
service ldap stop
# try to login as "root"
and on clients,
# try to login as "root"
When you finish, don't forget to start the ldap service again. On the LDAP server,
service ldap start




© 2010 Pierre-Philipp Braun