This document assumes that you already have OpenLDAP installed.
We used the OpenLDAP 2.3 RPMs available from: http://anorien.csc.warwick.ac.uk/mirrors/buchan/openldap/rhel4/.
There is some good documentation on installing setting up OpenLdap at http://web.singnet.com.sg/~garyttt/Installing and configuring OpenLDAP for RedHat Enterprise Linux3.htm .
OpenLDAP should be configured and tested without TLS to make sure it works properly. Once you can authenticate and OpenLdap works predictably you can move on to using TLS.
Creating a CA for self signed certificates
Redhat ES 4.0 keeps it’s ssl CA files in /usr/share/ssl
- cd /usr/share/ssl
- vi /usr/share/ssl/openssl.cnf and look for the line:
dir = ./demoCA # this means that if you run “/usr/share/ssl/misc CA -newca” it will create /usr/share/ssl/demoCA
If you modify openssl.cnf you can replace the default questions about regions and company info (ie use US instead of GB for country)
Note: in RedHat ES 4 it’s /usr/share/ssl/CA in other distros it’s CA.sh.
- From /usr/share/ssl, run the OpenSSL CA script (in /usr/share/ssl/misc/ on my box):
% cd /usr/share/ssl
% /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)
—– You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —– Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Texas Locality Name (eg, city) :Austin Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org Organizational Unit Name (eg, section) :Example Unit Common Name (eg, YOUR name) :example.com Email Address :. %This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and private key).
- Stay in /usr/share/ssl and make your server certificate signing request (CSR):
% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key…………..++++++……………………..++++++writing new private key to ‘newreq.pem’—–You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.’, the field will be left blank.—–Country Name (2 letter code) [AU]:USState or Province Name (full name) [Some-State]:TexasLocality Name (eg, city) :AustinOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Example OrgOrganizational Unit Name (eg, section) :Example Org UnitCommon Name (eg, YOUR name) :myserver.comEmail Address :firstname.lastname@example.org
Please enter the following ‘extra’ attributesto be sent with your certificate requestA challenge password :
- Have the CA sign the CSR:
% /usr/share/ssl/misc/CA.sh -sign
Using configuration from /etc/ssl/openssl.cnfEnter PEM pass phrase:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base UpdatedCertificate:Data:Version: 3 (0x2)Serial Number: 1 (0x1)Signature Algorithm: md5WithRSAEncryptionIssuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit, CN=example.comValidityNot Before: Apr 11 18:58:58 2003 GMTNot After : Apr 10 18:58:58 2004 GMTSubject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit, CN=myserver.com/Emailemail@example.com
Subject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public Key: (1024 bit)Modulus (1024 bit):
Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61X509v3 Authority Key Identifier:keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/CN=example.comserial:00
Signature Algorithm: md5WithRSAEncryption
Signed certificate is in newcert.pem%This creates newcert.pem (server certificate signed by CA) with private key, newreq.pem.
- Now the certificates can be moved to the desired certificate repository and renamed.
We are using the RPMs for openldap 2.3 that makes /etc/openldap2.3/certs/ as our certificate directory. (slapd.conf will need to be modified with the names of these certs).
% cp demoCA/cacert.pem /etc/openldap2.3/certs/cacert.pem
% mv newcert.pem /etc/openldap2.3/certs/servercrt.pem
% mv newreq.pem /etc/openldap2.3/certs/serverkey.pem
% chmod 400 /etc/openldap2.3/certs/serverkey.pem
The last command makes the private key read-only by the user who runs slapd. A ‘chown’ command will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable.
- Set the cert info in slapd.conf and restart openldap
- Make the CA certificate available to your LDAP clients.
scp /etc/openldap2.3/certs/cacert.pm user@ldapclient:/etc/openldap/cacerts
- On RedHat clients run authconfig and select USE TLS
- Test clients. If clients don’t work check /var/log/messages and /var/log/secure
also try these commands to see output: (192.168.1.3 = ldap server, you can use localhost if running from the ldap server)
openssl s_client -connect 192.168.1.3:636 -showcerts
ldapsearch -x -H ldaps://192.168.1.3/ -b ‘dc=domain,dc=org’ ‘(objectclass=*)’