TLSCACertificateFile server.pem
TLSCertificateFile server.pem
TLSCertificateKeyFile server.pem
Creating a CA for self-signed certificates
Red Hat ES 4.0 keeps its SSL CA files in /usr/share/ssl.
The steps:
1. cd /usr/share/ssl and, if you want to adjust the defaults, vi /usr/share/ssl/openssl.cnf. Look for the line:
dir = ./demoCA
This means that if you run "/usr/share/ssl/misc/CA -newca" it will create /usr/share/ssl/demoCA. If you modify openssl.cnf you can also replace the default answers to the questions about regions and company info (i.e. use US instead of GB for country).
Note: on Red Hat ES 4 the CA script is /usr/share/ssl/misc/CA; on other distros it's CA.sh.
2. From /usr/share/ssl, run the OpenSSL CA script (in /usr/share/ssl/misc/ on my box):
% cd /usr/share/ssl
% /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create) <enter>
Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..........................++++++
.........................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: <ca pass>
Verifying password - Enter PEM pass phrase: <ca pass again>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Unit
Common Name (eg, YOUR name) []:example.com
Email Address []:.
%
This creates demoCA/cacert.pem and
demoCA/private/cakey.pem (CA cert and private key).
3. Stay in /usr/share/ssl and make your server certificate signing request (CSR):
% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..............++++++
..........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Org Unit
Common Name (eg, YOUR name) []:myserver.com
Email Address []:ldap@myserver.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<pass>
An optional company name []:.
%
The result is newreq.pem, which holds both the new (unencrypted) private key and the CSR.
4. Have the CA sign the CSR:
% /usr/share/ssl/misc/CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase: <ca pass>
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Texas'
localityName          :PRINTABLE:'Austin'
organizationName      :PRINTABLE:'Example Org'
organizationalUnitName:PRINTABLE:'Example Org Unit'
commonName            :PRINTABLE:'myserver.com'
emailAddress          :IA5STRING:'ldap@myserver.com'
Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit, CN=example.com
        Validity
            Not Before: Apr 11 18:58:58 2003 GMT
            Not After : Apr 10 18:58:58 2004 GMT
        Subject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit, CN=myserver.com/Email=ldap@myserver.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    < ... >
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61
            X509v3 Authority Key Identifier:
                keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1
                DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/CN=example.com
                serial:00
    Signature Algorithm: md5WithRSAEncryption
        < ... >
-----BEGIN CERTIFICATE-----
< ... >
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
%
This creates newcert.pem (the server certificate signed by the CA); the matching private key is still in newreq.pem.
5. Now the certificates can be moved to the desired certificate repository and renamed. We are using the RPMs for openldap 2.3, which make /etc/openldap2.3/certs/ our certificate directory (slapd.conf will need to be modified with the names of these certs).
% cp demoCA/cacert.pem /etc/openldap2.3/certs/cacert.pem
% mv newcert.pem /etc/openldap2.3/certs/servercrt.pem
% mv newreq.pem /etc/openldap2.3/certs/serverkey.pem
% chmod 400 /etc/openldap2.3/certs/serverkey.pem
The last command makes the private key readable only by the user who runs slapd. A 'chown' will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable.
6. Set the cert info in slapd.conf and restart openldap:
TLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap2.3/certs/servercrt.pem
TLSCertificateKeyFile /etc/openldap2.3/certs/serverkey.pem
TLSCACertificateFile /etc/openldap2.3/certs/cacert.pem
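Before restarting slapd it is worth confirming that the three files step 6 points at actually belong together. The following is an added example, not part of the original howto: a POSIX shell script that checks the chain, the key/cert pairing, validity and key permissions; it assumes openssl(1) is installed, and its make_test_identity helper builds a throwaway CA (constructed test data) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original howto: verify that the three files
# step 6 points slapd at (cacert.pem, servercrt.pem, serverkey.pem) belong
# together before slapd is restarted. Assumes openssl(1) is installed.
CERTDIR="${CERTDIR:-/etc/openldap2.3/certs}"

# Return 0 when the CA cert, server cert and server key form a usable identity.
check_tls_files() {
  ca="$1/cacert.pem"; crt="$1/servercrt.pem"; key="$1/serverkey.pem"; rc=0
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "MISSING: $f"; return 1; }
  done
  # The server cert must chain to the CA cert that step 7 hands to clients.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not verify against $ca"; rc=1; }
  # Key and cert must carry the same public key (newreq.pem holds both the
  # key and the CSR, so pointing slapd at the wrong file is an easy mistake).
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl md5)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
  [ "$crt_pub" = "$key_pub" ] || { echo "FAIL: key does not match cert"; rc=1; }
  # The 365-day cert from step 4 expires silently; catch that here.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: $crt has expired"; rc=1; }
  # The key must stay private (step 5 does chmod 400); the certs may be public.
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case "$mode" in 400|600) ;; *) echo "FAIL: $key is mode $mode"; rc=1 ;; esac
  return $rc
}

# Build a throwaway CA and server identity in "$1" (constructed test data:
# no passphrase, 1-day validity) so the checks can be exercised offline.
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=myserver.com \
    -keyout "$1/serverkey.pem" -out "$1/newreq.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/newreq.pem" -CA "$1/cacert.pem" \
    -CAkey "$1/cakey.pem" -CAcreateserial -out "$1/servercrt.pem" 2>/dev/null
  chmod 400 "$1/serverkey.pem"
}

# When run directly against the live directory: exit non-zero on any failure,
# so the slapd restart can be gated on it.
if [ -d "$CERTDIR" ]; then check_tls_files "$CERTDIR"; fi
```

Run it as the user that owns the key files; a FAIL on the pairing check usually means serverkey.pem and servercrt.pem came from different CSRs.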
7. Make the CA certificate available to your LDAP clients:
scp /etc/openldap2.3/certs/cacert.pem user@ldapclient:/etc/openldap/cacerts
8. On Red Hat clients run authconfig and select USE TLS.
9. Test the clients. If clients don't work, check /var/log/messages and /var/log/secure; also try these commands to see the output (192.168.1.3 = the ldap server; you can use localhost if running from the ldap server):
openssl s_client -connect 192.168.1.3:636 -showcerts
ldapsearch -x -H ldaps://192.168.1.3/ -b 'dc=domain,dc=org' '(objectclass=*)'