Configuring TLS or SSL security for openLDAP server

From Notes_Wiki

Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > TLS or SSL Security

Create certificates

Create CA and server certificates for openldap server. All certificate generation related steps can be done using easy-rsa scripts which are supplied with openVPN

Configuring openldap server to use generated certificates

To configure openldap server to use generated certificates add following lines to 'slapd.conf' file before pidfile configuration:

#This forces TLS mode to be used by all clients.
security  tls=1

#SSF stands for security strengh factor. By having ssf=1 default ssf for any operation would be set to 1.
#By making update_ssf=112 any update would require security strength factors of up to 112 and by making
#simple_bind=64 simple_bind would require security of atleast 64
#No security has ssf=0; Integrity protection impies ssf=1; DES and other weak cyphers have ssf=56; 
#Triple DES and other strong have ssf=112; RC4, Bluefish and other strong cyphers have ssf=128. Hence
#ssf is roughly equivalent to encryption key length in bits.
security    ssf=1 update_ssf=112 simple_bind=64

TLSVerifyClient  allow
TLSCACertificateFile /etc/pki/CA/newcerts/
TLSCertificateFile /etc/pki/tls/
TLSCertificateKeyFile /etc/pki/tls/

The server can be run using command:

slapd -h 'ldap:/// ldaps:///' -u ldap -f /etc/openldap/slapd.conf

which indicates that server should support both ldap:// and ldaps:// and also that it should be run using user ldap. Finally configuration file to be used is /etc/openldap/slapd.conf. It would be good to do 'chown -R ldap:ldap /var/lid/ldap' before doing this so that user ldap has sufficient access rights. Also ensure that user ldap has permission to read the used certificates and keys, if they are moved elsewhere after generation. Finally, check whether slapd is running or not using 'ps aux | grep slapd' and debug by running with '-d 1' option, if required.

For the setup to work the hostname of the ldap server must be set to '' as mentioned in cn in certificate. For name to work either /etc/hosts or DNS server should convert from name to correct IP address of the ldap server. Verify using 'hostname' command that the name setup is correct. The same should also be entered in '/etc/openldap/ldap.conf' file as ldap server. Also verify that name to IP conversion is working by using ping

Testing generated certificates

To test generated certificates save following as a shell script:

OPENSSL_TEST="openssl s_client -connect -showcerts -state -CAfile"

function testCA {
        ${OPENSSL_TEST} /etc/pki/CA/newcerts/

function testCerts {
        ${OPENSSL_TEST} /etc/pki/CA/newcerts/ \
        -cert           /etc/pki/tls/ \
        -key            /etc/pki/tls/
# Test 'Certificate of Issuing Authority'
# Test 'Server Certificate' and 'Server Key Certificate'

Remember to replace '' in above script and even the certificate file-names and path correctly.

Then run using './<>'. The ideal output should end with lines:

    Verify return code: 0 (ok)

Debugging connection issues

Sometimes ldap server is not able to listen on port 636 as portreserve or other application is blocking it. To debug try following approaches:

  • Try to connect to server using telnet such as 'telnet 636' and verify that connection works.
    If connection fails then try to stop portreserve using 'service portreserve stop'
  • You can also try to force openldap to listen on 636 for ldaps using 'slapd -h 'ldap:/// ldaps://' -u ldap -f /etc/openldap/slapd.conf'
    If the above command fails then try to debug using '-d 1'

Configuring SSL ldap client

To configure SSL ldap client modify '/etc/openldap/ldap.conf' file so that it has:

BASE	dc=sbarjatiya,dc=com
URI    ldaps://
#TLS_CACERTDIR	/etc/openldap/certs
TLS_CACERT /etc/pki/CA/newcerts/

Note that 'TLC_CACERTDIR' should be commented for setup to work.

Downloading certificate on client from server

If a server is not deployed by the same admin than the server certificate can be downloaded and put in cacert directory using following steps:

  1. Run
    openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
  2. cd /etc/openldap/cacerts
  3. Save area between BEGIN_CERTIFICATE and END_CERTIFICATE from openssl output (including these two lines) in cacert.pem file
  4. Restart appropriate service and check again. If necessary reboot system.

Learned from

Verifying client configuration

If simple anonymous bind is enabled try using:

ldapwhoami -x

If /etc/openldap/ldap.conf specified URI as ldaps:// then this would result into TLS secured connection

If SSL is required then use:

ldapwhoami -x -ZZ

If /etc/openldap/ldap.conf specified URI as ldaps:// then this command may give TLS_already started error

For SSL with authentication use:

ldapwhoami -x -ZZ -D 'cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com' -W


ldapwhoami -x -D 'cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com' -W -H 'ldaps://'

Thus, both -ZZ or -H 'ldaps://' can be used to indicate SSL based authentication.

Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > TLS or SSL Security