This blog posting is a part of a series of blog postings:
- Part 1 – OpenLDAP setup
- Part 2 – SSL/TLS
- Part 3 – Schemas for samba, autofs and kerberos
- Part 4 – Kerberos setup
- Part 5 – DNS settings for kerberos using dnsmasq
- Part 6 – NFSv4 with kerberos
- Part 7 – Autofs
After getting OpenLDAP running, the next step is to get TLS authentication working. This continues the first part.
The following documents were used:
- Ubuntu’s OpenLDAP documentation for Karmic
- HowtoForge’s article on installing OpenLDAP on Karmic
- gnutls manual: Invoking certtool
- GnuTLS howto on Ubuntuforums
There are various tutorials around the net telling how to make self-signed certificates using openssl. Googling reveals quite a few problems with using self-signed certificates created with openssl together with Debian's and Ubuntu's slapd, which is built against gnutls. For this example I'll use the certtool that comes with the gnutls-bin package.
The goal here is to create a CA (ca.edu.example.org) and sign the server key with it. The client can then use the CA certificate to check the validity of the server certificate (ldap.edu.example.org) that is used by the slapd daemon.
To get started the gnutls-bin package needs to be installed:
sudo apt-get install gnutls-bin
First the CA key needs to be created and signed:
certtool --generate-privkey --outfile slapd-ca-key.pem
certtool --generate-self-signed --load-privkey slapd-ca-key.pem --outfile slapd-ca-cert.pem
This asks questions about the usage of the certificate. To get a ten-year one I used the following options:
Common name: ca.edu.example.org
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Will the certificate be used to sign other certificates? (y/N): y
Next create the server key and certificate:
certtool --generate-privkey --outfile slapd-server.key
certtool --generate-certificate --load-privkey slapd-server.key --outfile slapd-server.crt --load-ca-certificate slapd-ca-cert.pem --load-ca-privkey slapd-ca-key.pem
The common name needs to be ldap.edu.example.org for the slapd certificate:
Common name: ldap.edu.example.org
The certificate will expire in (days): 3650
Will the certificate be used for signing (required for TLS)? (y/N): y
Will the certificate be used for encryption (not required for TLS)? (y/N): y
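The same CA and server certificate generation as above, but driven by certtool template files so it runs without prompts, followed by the chain check worth doing before the files go anywhere near slapd. This is an added example, not code from the original post; the organization string is a placeholder, and the dns_name line goes beyond the interactive answers above by adding the host name as a SubjectAltName as well.

```shell
#!/bin/sh
# Added example (not from the original post): the certtool steps above driven by
# template files instead of prompts, plus a chain check before anything is copied
# to /etc/ssl/certs. The organization string is an assumed placeholder.
write_templates() {
    # CA template: same answers as the interactive run (authority, may sign
    # certificates, 10 years); omitting path_len means no path length constraint.
    cat > ca.tmpl <<'EOF'
organization = "Example Org (placeholder)"
cn = "ca.edu.example.org"
expiration_days = 3650
ca
cert_signing_key
EOF
    # Server template: CN must equal the host name in the LDAP URI; dns_name also
    # puts it in SubjectAltName, which stricter clients require.
    cat > server.tmpl <<'EOF'
organization = "Example Org (placeholder)"
cn = "ldap.edu.example.org"
dns_name = "ldap.edu.example.org"
expiration_days = 3650
tls_www_server
signing_key
encryption_key
EOF
}
# CA key and self-signed CA cert, then server key and CA-signed server cert.
make_certs() {
    write_templates
    certtool --generate-privkey --outfile slapd-ca-key.pem
    certtool --generate-self-signed --load-privkey slapd-ca-key.pem \
        --template ca.tmpl --outfile slapd-ca-cert.pem
    certtool --generate-privkey --outfile slapd-server.key
    certtool --generate-certificate --load-privkey slapd-server.key \
        --load-ca-certificate slapd-ca-cert.pem --load-ca-privkey slapd-ca-key.pem \
        --template server.tmpl --outfile slapd-server.crt
}

# Non-zero exit if the server cert does not chain to the CA clients will trust
# (certtool wants the leaf first, then its issuer).
verify_chain() {
    cat slapd-server.crt slapd-ca-cert.pem | certtool --verify-chain >/dev/null
}

# CN of the server cert, to compare against the name used in ldap.conf's URI.
cert_cn() {
    certtool --certificate-info --infile slapd-server.crt |
        sed -n 's/^[[:space:]]*Subject: .*CN=\([^,]*\).*/\1/p' | head -n 1
}
```

Source the script and run `make_certs && verify_chain`; a failing verify_chain is what to fix before touching the slapd configuration.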
The files slapd-ca-cert.pem, slapd-server.crt and slapd-server.key need to be copied to /etc/ssl/certs/ where slapd can load them:
sudo install -D -o openldap -g openldap -m 600 slapd-server.crt /etc/ssl/certs/slapd-server.crt
sudo install -D -o openldap -g openldap -m 600 slapd-server.key /etc/ssl/certs/slapd-server.key
The following ldif sets the configuration parameters in cn=config:
#!/bin/sh
ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/slapd-ca-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/slapd-server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/slapd-server.key
EOF
On the client copy slapd-ca-cert.pem to /etc/ssl/certs/ as well:
sudo install -o root -g root -m 644 slapd-ca-cert.pem /etc/ssl/certs/slapd-ca-cert.pem
Then set the server URI and the CA certificate in the client's /etc/ldap/ldap.conf:
URI ldap://ldap.edu.example.org/
TLS_CACERT /etc/ssl/certs/slapd-ca-cert.pem
Now we can check that TLS works:
ldapsearch -x -h ldap.edu.example.org -ZZ -b dc=edu,dc=example,dc=org
It should return the organizationalUnits created earlier.
Thanks to all the people who have documented the various tools needed to get this working! Next it's time to see how the kerberos setup has changed.
Veli-Matti Lintu
There were some typos in the first version of the article that should now be fixed.
Hey, good deal at all, but I had the problem that when I use perm 600 on slapd-server.key and slapd-server.crt the client gets: ldap_start_tls: Protocol error (2)
So I set chmod 644 also and it works fine.
My client is on another machine with /etc/hosts
192.168.0.1 ldap.edu.example.org
set, because the cert would not work without it.
But still, thx, worked for me :).
A brilliant series of documents, but I have a problem with my TLS set-up. I’ve followed your instructions, but when I run the test command above I get:
ldap_start_tls: Connect error (-11)
additional info: A TLS packet with unexpected length was received.
Without -ZZ everything works just fine. Can you offer any help?
How did you solve this problem (if you managed to solve it)?
Thanks.
On the client I can't do the verification at the end —
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
Are you missing an ldap install in this post somewhere?
You forgot to install the ca-cert on the server as well…
sudo install -D -o openldap -g openldap -m 600 slapd-server.crt /etc/ssl/certs/slapd-server.crt
sudo install -D -o openldap -g openldap -m 600 slapd-server.key /etc/ssl/certs/slapd-server.key
You actually describe it properly but the code is missing the following:
sudo install -D -o openldap -g openldap -m 644 slapd-ca-cert.pem /etc/ssl/certs/slapd-ca-cert.pem
Thanks for the great article… Very well documented, but I ran into an issue with
"The following ldif sets the configuration parameters in cn=config:" Am I supposed to create a file, edit a file, or run each command individually?
It's pretty much straightforward for someone trying to learn (like myself), but I got lost with that part.
Yes, the text above the box is a bit confusing. One should write the script in the box, with the needed changes, to a file and execute it. The script calls ldapmodify and feeds the ldif to it.
For me a restart of the slapd service was required for the ldapsearch to work. Before the restart I would always get:
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
I keep getting an error
ldap_start_tls: Can’t contact LDAP server (-1)
when I run
ldapsearch -x -h ldap.edu.example.org -ZZ -b dc=edu,dc=example,dc=org
Do you have connections working without encryption? If those don't work, make sure that ldap.edu.example.org points to the right place and the server is actually listening.