Configuring TLS or SSL security for openLDAP server

From Notes_Wiki
Revision as of 09:32, 2 December 2012 by Saurabh (talk | contribs)

<yambe:breadcrumb self="TLS or SSL Security">OpenLDAP server configuration|OpenLDAP</yambe:breadcrumb>

Configuring TLS or SSL security for openLDAP server

Certificate generation

All certificate generation related steps can also be done using 'easy-rsa' scripts which are supplied with openVPN

Generating CA certification

To generate CA certificate use:

cd /etc/pki/tls
./misc/CA -newca

Leave the file name to be default by pressing 'return'. Then enter CA passphrase. It is important to remember this for long run as this passphrase is required for signing certificate requests with this CA. Example values are:

Country code
IN
State
Andhra Pradesh
City
Hyderabad
Organization
Virtual labs
Department
VLEAD
Hostname
ca.virtual-labs.ac.in
Email address
barjatiya.saurabh@gmail.com

We can leave request passphrase and optional company name blank.


The generated CA file would be saved in '/etc/pki/CA/newcerts' folder. One can refer to '/etc/pki/CA/index.txt' file to figure out which certicate is CA certificate and optionally rename it similar to ca.virtual-labs.ac.in.cert.pem. The private key for CA would be stored in '/etc/pki/CA/private/cakey.pem' file. One can leave this file as it is as renaming it or moving it would cause problems while using the CA shell script for managing certificates.


Generating server certificate request and signing it

To generate a server certificate such that it is not protected by password use:

cd /etc/pki/tls
./misc/CA -newreq-nodes

Then enter appropriate values for various options. Example values are:

Country code
IN
State
Andhra Pradesh
City
Hyderabad
Organization
Virtual labs
Department
VLEAD
Hostname
ldap.virtual-labs.ac.in
Email address
barjatiya.saurabh@gmail.com

This would cause a certificate request with name newreq.pem created in current folder. To sign this request use:

./misc/CA -sign

This would cause certificate request to be signed by CA generated earlier. For this to succeed one should enter correct CA key passphrase that was entered while creating new CA. The generated certificate is stored in two locations. One certificate would be stored in current folder with name 'newcert.pem'. Other copy would be stored in '/etc/pki/CA/newcerts' folder. One can refer to '/etc/pki/CA/index.txt' to figure out filename for the currently generated certificate. It is good practise to rename the generated certificates and key files to good names such as ldap.virtual-labs.ac.in-cert.pem and ldap.virtual-labs.ac.in-key.pem.


Note that above generated private key for ldap.iiit.ac.in server is not password protected as openLDAP at least for now does not supports password protected certificate files.


Configuring openldap server to use generated certificates

To configure openldap server to use generated certificates add following lines to 'slapd.conf' file before pidfile configuration:

#This forces TLS mode to be used by all clients.
security  tls=1

#SSF stands for security strengh factor. By having ssf=1 default ssf for any operation would be set to 1.
#By making update_ssf=112 any update would require security strength factors of up to 112 and by making
#simple_bind=64 simple_bind would require security of atleast 64
#No security has ssf=0; Integrity protection impies ssf=1; DES and other weak cyphers have ssf=56; 
#Triple DES and other strong have ssf=112; RC4, Bluefish and other strong cyphers have ssf=128. Hence
#ssf is roughly equivalent to encryption key length in bits.
security    ssf=1 update_ssf=112 simple_bind=64


TLSVerifyClient  allow
TLSCACertificateFile /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem
TLSCertificateFile /etc/pki/tls/ldap.virtual-labs.ac.in-cert.pem
TLSCertificateKeyFile /etc/pki/tls/ldap.virtual-labs.ac.in-key.pem

The server can be run using command:

slapd -h 'ldap:/// ldaps:///' -u ldap -f /etc/openldap/slapd.conf

which indicates that server should support both ldap:// and ldaps:// and also that it should be run using user ldap. Finally configuration file to be used is /etc/openldap/slapd.conf. It would be good to do 'chown -R ldap:ldap /var/lid/ldap' before doing this so that user ldap has sufficient access rights. Also ensure that user ldap has permission to read the used certificates and keys, if they are moved elsewhere after generation. Finally, check whether slapd is running or not using 'ps aux | grep slapd' and debug by running with '-d 1' option, if required.

For the setup to work the hostname of the ldap server must be set to 'ldap.virtual-labs.ac.in' as mentioned in cn in certificate. For name to work either /etc/hosts or DNS server should convert from name to correct IP address of the ldap server. Verify using 'hostname' command that the name setup is correct. The same should also be entered in '/etc/openldap/ldap.conf' file as ldap server. Also verify that name to IP conversion is working by using ping


Testing generated certificates

To test generated certificates save following as a shell script:

#!/bin/sh
OPENSSL_TEST="openssl s_client -connect 10.3.1.21:636 -showcerts -state -CAfile"

function testCA {
        ${OPENSSL_TEST} /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem
}

function testCerts {
        ${OPENSSL_TEST} /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem \
        -cert           /etc/pki/tls/ldap.virtual-labs.ac.in-cert.pem \
        -key            /etc/pki/tls/ldap.virtual-labs.ac.in-key.pem
}
# Test 'Certificate of Issuing Authority'
testCA
# Test 'Server Certificate' and 'Server Key Certificate'
testCerts

Remember to replace '10.3.1.21' in above script and even the certificate file-names and path correctly.

Then run using './<script_filename.sh>'. The ideal output should end with lines:

    Verify return code: 0 (ok)
---


Debugging connection issues

Sometimes ldap server is not able to listen on port 636 as portreserve or other application is blocking it. To debug try following approaches:

  • Try to connect to server using telnet such as 'telnet 10.3.1.21 636' and verify that connection works.
    If connection fails then try to stop portreserve using 'service portreserve stop'
  • You can also try to force openldap to listen on 636 for ldaps using 'slapd -h 'ldap:/// ldaps://0.0.0.0:636/' -u ldap -f /etc/openldap/slapd.conf'
    If the above command fails then try to debug using '-d 1'


Configuring SSL ldap client

To configure SSL ldap client modify '/etc/openldap/ldap.conf' file so that it has:

BASE	dc=sbarjatiya,dc=com
HOST    ldap.virtual-labs.ac.in
#TLS_CACERTDIR	/etc/openldap/certs
TLS_CACERT /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem

Note that 'TLC_CACERTDIR' should be commented for setup to work.


Verifying client configuration

If simple anonymous bind is enabled try using:

ldapwhoami -x

If SSL is required then use:

ldapwhoami -x -ZZ

For SSL with authentication use:

ldapwhoami -x -ZZ -D 'cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com' -W

OR

ldapwhoami -x -D 'cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com' -W -H 'ldaps://ldap.virtual-labs.ac.in/'

Thus, both -ZZ or -H 'ldaps://' can be used to indicate SSL based authentication.


<yambe:breadcrumb self="TLS or SSL Security">OpenLDAP server configuration|OpenLDAP</yambe:breadcrumb>