This doc is obsolete; see http://doc.nethence.com/ instead.

Enabling LDAP SSL/TLS (self-signed) 

Server configuration 

Make sure those packages are installed (RHEL5),

rpm -q \
openssl \
openssl-devel \
openldap-servers

Make the self-signed key and certificate. When prompted, set the Common Name to the hostname clients will put in their URI (ldapsrv below): libldap compares it with the server certificate, and a mismatch makes StartTLS fail on the client side. 2048-bit RSA is the minimum worth deploying today; 1024-bit keys are no longer considered adequate.

cd /etc/openldap/
openssl req -newkey rsa:2048 -sha256 -x509 -nodes -out server.pem -keyout server.pem -days 365
grep ^ldap /etc/passwd
chown ldap:ldap server.pem
chmod 440 server.pem

Note. server.pem now holds both the private key and the certificate, hence the restrictive owner and mode. It must stay on the server.

Enable SSL/TLS,

cd /etc/openldap/
vi slapd.conf

add,

TLSCipherSuite HIGH:!aNULL:!MD5:!SSLv2
TLSCACertificateFile /etc/openldap/server.pem
TLSCertificateFile /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.pem
TLSVerifyClient never

and restart slapd.

Note. "+SSLv2" in a cipher string only moves the SSLv2 suites to the end of the list, it does not remove them; use "!SSLv2", and "!aNULL" to drop the unauthenticated suites as well.

Note. for TLSVerifyClient, we're using 'never' (the default) instead of 'demand': the server does not ask the client for a certificate, so only the server is authenticated by TLS. 'demand' would require every client to present a certificate signed by a CA listed in TLSCACertificateFile.
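The server-side steps above, as an added example that is not part of the original page: it builds the key and certificate non-interactively with the Common Name set to the client-facing hostname, keeps the page's single-file server.pem layout for slapd.conf, and derives a key-free server.crt for distribution. The hostname ("ldapsrv") and the output directory are assumptions passed as arguments; cert_only, pem_has_private_key, make_server_pem and check_client_copy are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds the slapd TLS
# material the page makes by hand, non-interactively, and derives a key-free
# copy for clients. Assumptions: the openssl CLI is installed; $1 is the
# hostname clients will put in their URI (the page uses "ldapsrv"); $2 is the
# output directory (the page uses /etc/openldap).

# Print only the CERTIFICATE block(s) of a PEM file. server.pem as made by the
# page ("-out server.pem -keyout server.pem") also carries the private key,
# and that part must never be copied to a client. Pure text processing, so it
# also works on a host without openssl.
cert_only() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }' "$1"
}

# Exit 0 when a PEM file contains any private key block
# (RSA PRIVATE KEY, EC PRIVATE KEY, PRIVATE KEY, ENCRYPTED PRIVATE KEY).
pem_has_private_key() {
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1"
}

# Generate the key and self-signed certificate into $dir/server.pem (key first,
# the layout the page's slapd.conf expects) and the certificate alone into
# $dir/server.crt. The Common Name is the client-facing hostname because
# libldap compares it with the host in the URI when TLS_REQCERT is demand,
# its default. 2048-bit RSA instead of the page's 1024 bits.
make_server_pem() {
    host=$1 dir=$2
    ( umask 077                         # intermediates never world-readable
      openssl req -newkey rsa:2048 -sha256 -x509 -nodes -days 365 \
          -subj "/CN=$host" \
          -keyout "$dir/server.key.tmp" -out "$dir/server.crt.tmp" 2>/dev/null &&
      cat "$dir/server.key.tmp" "$dir/server.crt.tmp" > "$dir/server.pem"
    ) || return 1
    rm -f "$dir/server.key.tmp" "$dir/server.crt.tmp"
    chmod 440 "$dir/server.pem"
    cert_only "$dir/server.pem" > "$dir/server.crt"
    chmod 444 "$dir/server.crt"
}

# Audit a file that is about to be (or has been) handed to clients: it must
# not carry a private key and its subject CN must be the hostname clients use.
check_client_copy() {
    host=$1 crt=$2
    if pem_has_private_key "$crt"; then
        echo "$crt: contains a private key, do not distribute" >&2
        return 1
    fi
    openssl x509 -noout -subject -in "$crt" | grep -q "CN *= *$host\$" || {
        echo "$crt: subject CN is not $host" >&2
        return 1
    }
}

if [ $# -eq 2 ]; then
    make_server_pem "$1" "$2" && check_client_copy "$1" "$2/server.crt" \
        && echo "ok: ship $2/server.crt to clients, keep $2/server.pem on the server"
fi
```

Run it as `sh make-slapd-tls.sh ldapsrv /etc/openldap` on the server; check_client_copy is also useful on its own against whatever already sits in a client's cacerts directory, since the page's original copy step ships the whole server.pem.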

Client configuration 

Make sure those packages are installed (RHEL5),

rpm -q \
openldap-clients \
nss_ldap

On the server, extract the certificate alone from /etc/openldap/server.pem (that file also holds the private key, which must never leave the server),

openssl x509 -in /etc/openldap/server.pem -out server.crt

Copy server.crt to /etc/openldap/cacerts/server.pem on the client, check that no key came along, and make the OpenSSL hash link libldap looks the CA up by,

cd /etc/openldap/cacerts/
grep -c 'PRIVATE KEY' server.pem
ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0

the grep must print 0.

Back up the default system authentication configuration files and strip comments and blank lines from the working copies,

cd /etc/
mv nsswitch.conf nsswitch.conf.dist
sed '/^#/d; /^$/d;' nsswitch.conf.dist > nsswitch.conf.dist.clean
cp nsswitch.conf.dist.clean nsswitch.conf
ls -l nsswitch.conf*

cd /etc/
mv ldap.conf ldap.conf.dist
sed '/^#/d; /^$/d;' ldap.conf.dist > ldap.conf.dist.clean
cp ldap.conf.dist.clean ldap.conf
ls -l ldap.conf*

cd /etc/openldap/
mv ldap.conf ldap.conf.dist
sed '/^#/d; /^$/d;' ldap.conf.dist > ldap.conf.dist.clean
cp ldap.conf.dist.clean ldap.conf
ls -l ldap.conf*

Configure system authentication (RHEL5), 

authconfig-tui

like,

use ldap
use ldap authentication
local authorization is sufficient
(next)
use tls
server: ldap://ldapsrv/
base db: dc=lusers,dc=example,dc=net

Note. authconfig records these choices in /etc/ldap.conf (uri, base, ssl start_tls, tls_cacertdir) and adds ldap to the passwd, shadow and group lines of /etc/nsswitch.conf; check both files before testing.

Ready to go,

ldapsearch -x -ZZ
getent passwd

Note. -Z issues StartTLS but lets the search go ahead in the clear if the TLS negotiation fails; -ZZ requires StartTLS to succeed, so always test with -ZZ. If it fails, add -d 1 to see the TLS error (typically the CA certificate not being found under TLS_CACERTDIR, or a certificate Common Name that does not match the hostname in the URI).

Client troubleshooting

Check that the LDAP server answers in the clear and find your base DN,

ldapsearch -x -H "ldap://ldapsrv/" -b '' -s base '(objectclass=*)' namingContexts
ldapsearch -x -H "ldap://ldapsrv/" -b "dc=lusers,dc=example,dc=net"

Configure your LDAP client so you don't have to specify host and base DN every time,

cd /etc/openldap/
vi ldap.conf

like, 

BASE dc=lusers,dc=example,dc=net
URI ldap://ldapsrv/

check again, 

ldapsearch -x -s base '(objectclass=*)' namingContexts
ldapsearch -x

Now configure your LDAP client to use SSL/TLS,

cd /etc/openldap/
vi ldap.conf

add,

TLS_CACERTDIR /etc/openldap/cacerts

Note. the OpenSSL hash link must exist in that directory (see above): libldap looks the CA certificate up by subject hash, not by file name. The client default TLS_REQCERT demand refuses StartTLS when the server certificate cannot be verified, which is why the self-signed certificate has to be installed here in the first place. OpenSSL 0.9.8 (RHEL5) and OpenSSL 1.0.0 or later compute the subject hash differently, so a cacerts directory shared between such clients needs links under both hash names.

Note. you could also point at the .pem file with TLS_CACERT (no hash needed) instead of TLS_CACERTDIR; nss_ldap's /etc/ldap.conf has the matching lowercase options tls_cacertfile and tls_cacertdir, and authconfig writes the latter.
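The hash-link step from the cacerts section and the TLS_CACERTDIR requirement above, as an added example that is not part of the original page: it rehashes every certificate in a directory the way the page does for one file, handles hash collisions and the old/new OpenSSL hash formats, and audits the directory for dangling links and stray private keys. The directory is passed as an argument (the page uses /etc/openldap/cacerts); cert_hashes, rehash_cacerts and check_cacerts are names chosen here, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original page: build the hashed symlinks
# TLS_CACERTDIR needs for every certificate in a directory, then verify the
# directory. Assumption: the openssl CLI is installed; $1 is the directory
# (the page uses /etc/openldap/cacerts).

# Print the subject hash(es) libcrypto will look up for this certificate.
# OpenSSL 0.9.8 (RHEL5) and >= 1.0.0 use different subject-hash algorithms:
# "-hash" prints the one the local library uses, "-subject_hash_old" (1.0.0+)
# the legacy one, so links made here serve clients running either version.
cert_hashes() {
    openssl x509 -noout -hash -in "$1"
    openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null || true
}

# Create HASH.N links for every *.pem / *.crt in $1. N starts at 0 and is
# bumped when another certificate already owns that hash (the page always
# uses .0, which silently breaks as soon as two subjects collide). Re-running
# is harmless: an existing link to the same file is left alone.
rehash_cacerts() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        for h in $(cert_hashes "$f" | sort -u); do
            n=0
            while [ -e "$dir/$h.$n" ]; do
                [ "$(readlink "$dir/$h.$n")" = "$name" ] && break
                n=$((n + 1))
            done
            [ -e "$dir/$h.$n" ] || ln -s "$name" "$dir/$h.$n"
        done
    done
}

# Verify: every certificate must be reachable through at least one hash link
# (what libldap needs with TLS_CACERTDIR), no link may dangle, and nothing in
# the directory may carry a private key (the page's copy step ships the
# server's server.pem, which holds the key as well as the certificate).
check_cacerts() {
    dir=$1 rc=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if grep -q -- 'PRIVATE KEY-----' "$f"; then
            echo "FAIL: $name contains a private key" >&2; rc=1
        fi
        h=$(openssl x509 -noout -hash -in "$f")
        found=0
        for l in "$dir/$h".*; do
            [ "$(readlink "$l" 2>/dev/null)" = "$name" ] && found=1
        done
        [ $found -eq 1 ] || { echo "FAIL: no $h.N link for $name" >&2; rc=1; }
    done
    for l in "$dir"/*.[0-9]*; do
        if [ -L "$l" ] && [ ! -e "$l" ]; then
            echo "FAIL: dangling link $l" >&2; rc=1
        fi
    done
    return $rc
}

if [ $# -eq 1 ]; then
    rehash_cacerts "$1" && check_cacerts "$1" && echo "$1: ok"
fi
```

Run it as `sh rehash-cacerts.sh /etc/openldap/cacerts` after dropping a new CA certificate into the directory; a non-zero exit with FAIL lines on stderr is what to look at when `ldapsearch -x -ZZ` reports a TLS error.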

References

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

http://www.openldap.org/doc/admin23/tls.html (OpenLDAP 2.3 Administrator's Guide, section 12.2.2.2, TLS_CACERTDIR <path>)