This blog posting is a part of a series of blog postings:

After getting OpenLDAP running, the next step is to get TLS authentication working. This continues the first part.

The following documents were used:

There are various tutorials around the net telling how to make self-signed certificates using openssl. Googling reveals quite a few problems with using self-signed certificates created with openssl together with Debian's and Ubuntu's slapd, which is linked against GnuTLS. For this example I'll use the certtool that comes with the gnutls-bin package.

The goal here is to create a CA (ca.edu.example.org) and sign the server key with the CA. The client can then use the CA certificate to check the validity of the server certificate (ldap.edu.example.org) that is used by the slapd daemon.

To get started the gnutls-bin package needs to be installed:

sudo apt-get install gnutls-bin

First the CA key needs to be created and signed:

certtool --generate-privkey --outfile slapd-ca-key.pem
certtool --generate-self-signed --load-privkey slapd-ca-key.pem \
    --outfile slapd-ca-cert.pem

This asks questions about the usage of the certificate; the defaults are fine for the rest. To get a ten year one I used the following options:

Common name: ca.edu.example.org
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Will the certificate be used to sign other certificates? (y/N): y

Next create the server key and certificate:

certtool --generate-privkey --outfile slapd-server.key
certtool --generate-certificate --load-privkey slapd-server.key \
    --outfile slapd-server.crt --load-ca-certificate slapd-ca-cert.pem \
    --load-ca-privkey slapd-ca-key.pem

The common name needs to be ldap.edu.example.org for the slapd certificate:

Common name: ldap.edu.example.org
The certificate will expire in (days): 3650
Will the certificate be used for signing (required for TLS)? (y/N): y
Will the certificate be used for encryption (not required for TLS)? (y/N): y

The files slapd-ca-cert.pem and slapd-server.{crt,key} need to be copied to /etc/ssl/certs/ where slapd can load them. The CA certificate is public and can be world-readable, the server key must be readable only by the openldap user:

sudo install -D -o root -g root -m 644 slapd-ca-cert.pem \
             /etc/ssl/certs/slapd-ca-cert.pem
sudo install -D -o openldap -g openldap -m 600 slapd-server.crt \
             /etc/ssl/certs/slapd-server.crt
sudo install -D -o openldap -g openldap -m 600 slapd-server.key \
             /etc/ssl/certs/slapd-server.key

The following ldif sets the configuration parameters in cn=config (the EXTERNAL SASL bind over ldapi:/// maps to the root user, so the script has to run as root):

#!/bin/sh

sudo ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/slapd-ca-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/slapd-server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/slapd-server.key
EOF

On the client copy slapd-ca-cert.pem to /etc/ssl/certs/:

sudo install -o root -g root -m 644 slapd-ca-cert.pem \
             /etc/ssl/certs/slapd-ca-cert.pem

Then add the following in /etc/ldap/ldap.conf:

URI ldap://ldap.edu.example.org/
TLS_CACERT /etc/ssl/certs/slapd-ca-cert.pem

Now we can check that TLS works (-ZZ makes ldapsearch issue StartTLS and fail instead of continuing in the clear if TLS cannot be established or the server certificate does not verify against TLS_CACERT):

ldapsearch -x -h ldap.edu.example.org -ZZ -b dc=edu,dc=example,dc=org

It should return the organizationalUnits created earlier.
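What `ldapsearch -ZZ` does before the search, written out as an added example in stdlib Python 3 (this is not code from the original post or from OpenLDAP): the LDAP StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) is sent over the plain port 389 connection, the ExtendedResponse must carry resultCode 0, and only then is the socket upgraded to TLS with the server certificate required to chain to slapd-ca-cert.pem and to match the host name, which is what the TLS_REQCERT default of "demand" in ldap.conf enforces. The host name, port and CA path are assumptions, and the sample response bytes are constructed so the parser can be exercised offline.

```python
# Added example (not from the original post): a minimal StartTLS client check.
# Host, port and CA path are assumptions; SAMPLE_STARTTLS_OK is constructed.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended op


def ber_len(n):
    """BER definite length: one byte below 128, else 0x80|count + big-endian octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """Two's-complement INTEGER content octets for a non-negative value."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))     # 0x60|23, then [0] primitive
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + ext_req)


def parse_tlv(buf, pos=0):
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(buf):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, msg, _ = parse_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = parse_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, ext, _ = parse_tlv(msg, pos)
    if tag != 0x78:                                   # 0x60|24 ExtendedResponse
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, rc, pos = parse_tlv(ext)                       # resultCode ENUMERATED
    _, _matched_dn, pos = parse_tlv(ext, pos)         # matchedDN (ignored here)
    _, diag, _ = parse_tlv(ext, pos)                  # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big"), diag.decode("utf-8", "replace"))


# Constructed sample of a successful reply: resultCode 0 plus responseName [10].
SAMPLE_STARTTLS_OK = tlv(0x30, tlv(0x02, b"\x01") + tlv(
    0x78, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID)))


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_ldap_message(sock):
    """Read exactly one BER TLV (the whole LDAPMessage) from the socket."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        return head + recv_exact(sock, head[1])
    len_octets = recv_exact(sock, head[1] & 0x7F)
    return head + len_octets + recv_exact(sock, int.from_bytes(len_octets, "big"))


def make_tls_context(ca_file):
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with check_hostname=True, so
    # an unknown CA or a CN/SAN mismatch raises ssl.SSLCertVerificationError.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def ldap_starttls(host, ca_file, port=389, timeout=5.0):
    """Plain TCP -> StartTLS -> verified TLS; raises instead of falling back."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request(1))
    msg_id, rc, diag = parse_starttls_response(recv_ldap_message(sock))
    if msg_id != 1 or rc != 0:
        sock.close()
        raise RuntimeError("StartTLS refused: resultCode=%d %r" % (rc, diag))
    return make_tls_context(ca_file).wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.edu.example.org"
    ca = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssl/certs/slapd-ca-cert.pem"
    with ldap_starttls(host, ca) as tls:
        print(tls.version(), "to", host, "subject:", tls.getpeercert()["subject"])
```

Run as `python3 starttls_check.py ldap.edu.example.org /etc/ssl/certs/slapd-ca-cert.pem`. A server whose certificate was not signed by slapd-ca-cert.pem, or whose name does not match, fails in `wrap_socket` with `ssl.SSLCertVerificationError` rather than silently continuing, which is the same behaviour `-ZZ` with `TLS_REQCERT demand` gives you; a server without TLS configured answers the extended request with a non-zero resultCode and the script stops there.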

Thanks to all the people who have documented the various tools needed to get this working! Next it's time to see how the Kerberos setup has changed.

Veli-Matti Lintu