This is an obsolete doc, see http://doc.nethence.com/ instead.
Enabling LDAP SSL/TLS (self-signed)
Server configuration
Make sure you've got these packages installed (RHEL5),
rpm -q \
openssl \
openssl-devel \
openldap-servers
Make the self-signed key and certificate (both end up in the same file, server.pem, since -out and -keyout point at it),
cd /etc/openldap/
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
grep ^ldap /etc/passwd
chown ldap:ldap server.pem
chmod 440 server.pem
Note. rsa:1024 is what the original guide used; generate at least 2048 bits on anything you deploy today.
Note. server.pem contains the private key, hence the 440 mode. Never copy that file as-is to another machine; extract the certificate part alone when a client needs it (see client configuration below).
Enable SSL/TLS,
cd /etc/openldap/
vi slapd.conf
add,
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/server.pem
TLSCertificateFile /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.pem
TLSVerifyClient never
then restart slapd.
Note. all three file directives point at server.pem because the key and the self-signed certificate were written into that single file above; the certificate acts as its own CA.
Note. the cipher string is the one from the OpenLDAP TLS guide referenced below. '+SSLv2' adds nothing, it only moves the SSLv2 ciphers to the end of the list, but MEDIUM still admits 128-bit ciphers such as RC4; on anything more recent than RHEL5 use HIGH alone.
Note. for TLSVerifyClient, we're using 'never' (the default) instead of 'demand'. The server doesn't ask the client for a certificate, so only the server side is authenticated by TLS.
Client configuration
Make sure you've got these packages installed (RHEL5),
rpm -q \
openldap-clients \
nss_ldap
Copy the server's certificate to /etc/openldap/cacerts/server.pem on the client (only the certificate block of the server side's /etc/openldap/server.pem, not the private key that sits in the same file) and make the OpenSSL hash symlink that TLS_CACERTDIR lookups rely on,
cd /etc/openldap/cacerts/
ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0
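Before shipping server.pem to clients, strip the private key out of it and install only the certificate into the hash directory. The script below is an added example for this page, not code from the original doc or from OpenLDAP; it assumes the combined key-plus-certificate server.pem produced by the openssl req command above, and the names extract_cert, has_private_key, install_ca, demo_split and cacert.pem are its own choices. The certificate extraction is plain sed so it works even where openssl is absent; only the hash symlink step needs openssl.

```shell
#!/bin/sh
# Added example, not part of the original doc: prepare the server certificate
# for distribution to clients and install it in an OpenSSL hash directory.
# Assumes the server.pem layout produced by the openssl req command above
# (private key and certificate concatenated in one PEM file); the names
# cacert.pem and the cacerts directory path are this example's own choices.

# extract_cert IN OUT: copy only the CERTIFICATE block(s) from IN to OUT,
# leaving the private key behind.
extract_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
    chmod 644 "$2"   # a certificate is public; only server.pem must stay 440
}

# has_private_key FILE: succeed if FILE still carries any PEM private key
# block (RSA, EC or PKCS#8). Run it on whatever you are about to scp.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# install_ca CERT DIR: put CERT into DIR and add the <subject-hash>.0 symlink
# that TLS_CACERTDIR (and nss_ldap's tls_cacertdir) lookups require.
# Needs openssl; "c_rehash DIR" does the same for a whole directory.
install_ca() {
    cert=$1; dir=$2
    if has_private_key "$cert"; then
        echo "refusing to install $cert: it contains a private key" >&2
        return 1
    fi
    mkdir -p "$dir"
    cp "$cert" "$dir/server.pem"
    hash=$(openssl x509 -hash -noout -in "$dir/server.pem") || return 1
    ln -sf server.pem "$dir/$hash.0"
}

# demo_split: run extract_cert on a constructed server.pem (placeholder
# base64, not a real key or certificate) and report whether the key is gone.
demo_split() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/server.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZIEJZVEVT
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCBCWVRFUw==
-----END CERTIFICATE-----
EOF
    extract_cert "$tmp/server.pem" "$tmp/cacert.pem"
    if has_private_key "$tmp/cacert.pem"; then
        result=key-leaked
    elif grep -q '^-----BEGIN CERTIFICATE-----$' "$tmp/cacert.pem"; then
        result=ok
    else
        result=no-cert
    fi
    rm -rf "$tmp"
    echo "$result"
}

if [ "${1:-}" = demo ]; then
    demo_split
fi
```

On the server, run extract_cert /etc/openldap/server.pem /etc/openldap/cacert.pem, check it with has_private_key, and ship cacert.pem to the clients, where install_ca cacert.pem /etc/openldap/cacerts produces the same hash symlink as the manual ln -s above.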
Back up the default system authentication configurations and strip their comments, so you can see exactly what authconfig changes,
cd /etc/
mv nsswitch.conf nsswitch.conf.dist
sed '/^#/d; /^$/d;' nsswitch.conf.dist > nsswitch.conf.dist.clean
cp nsswitch.conf.dist.clean nsswitch.conf
ls -l nsswitch.conf*
cd /etc/
mv ldap.conf ldap.conf.dist
sed '/^#/d; /^$/d;' ldap.conf.dist > ldap.conf.dist.clean
cp ldap.conf.dist.clean ldap.conf
ls -l ldap.conf*
cd /etc/openldap/
mv ldap.conf ldap.conf.dist
sed '/^#/d; /^$/d;' ldap.conf.dist > ldap.conf.dist.clean
cp ldap.conf.dist.clean ldap.conf
ls -l ldap.conf*
Configure system authentication (RHEL5),
authconfig-tui
like,
use ldap
use ldap authentication
local authorization is sufficient
(next)
use tls
server: ldap://ldapsrv/
base DN: dc=lusers,dc=example,dc=net
Ready to go,
ldapsearch -x -ZZ
getent passwd
Note. -Z issues StartTLS, -ZZ requires the operation to be successful
Client troubleshooting
Check that the LDAP server answers without SSL/TLS first and that it serves your base DN,
ldapsearch -x -H "ldap://ldapsrv/" -b '' -s base '(objectclass=*)' namingContexts
ldapsearch -x -H "ldap://ldapsrv/" -b "dc=lusers,dc=example,dc=net"
Configure your LDAP client so you don't have to specify the host and base DN again,
cd /etc/openldap/
vi ldap.conf
like,
BASE dc=lusers,dc=example,dc=net
URI ldap://ldapsrv/
check again,
ldapsearch -x -s base '(objectclass=*)' namingContexts
ldapsearch -x
Now configure your ldap client to use ssl/tls,
cd /etc/openldap/
vi ldap.conf
add,
TLS_CACERTDIR /etc/openldap/cacerts
Note. the OpenSSL hash symlink must exist in that directory (see above), otherwise the CA lookup fails and ldapsearch -ZZ aborts the connection.
Note. you could point TLS_CACERT at the .pem file directly (no hash needed) instead of using TLS_CACERTDIR, but that only covers the OpenLDAP tools: nss_ldap reads /etc/ldap.conf, which has its own lowercase tls_cacertdir / tls_cacertfile directives, and authconfig fills in tls_cacertdir there. Keeping the hashed directory lets both clients share one trust store.
References
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
http://www.openldap.org/doc/admin23/tls.html (section 12.2.2.2, TLS_CACERTDIR <path>)