This is a multi-part article in which I cover different areas of configuring an OpenLDAP server on a CentOS 7 Linux node. You can use the links below to refer to the different parts of this tutorial.
Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Step-by-Step Tutorial: Install and Configure OpenLDAP
Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates
Step-by-Step Tutorial: Configure LDAP client to authenticate with LDAP server
Configure OpenLDAP with TLS certificates
Before starting with this article on configuring OpenLDAP with TLS certificates on Linux, you must be aware of the basic LDAP terminologies. For the demonstration in this article I am using CentOS 7. Here I will share detailed steps to secure LDAP connections with TLS. By default, when using LDAP connections, all information is sent in plain text, so there is no need to insist again on the importance of encrypting all traffic transmitted between the client and the server.
We begin by creating a certificate. We have already seen this many times, but this time we are going to take a different approach. So far, we have created self-signed certificates in order to provide secure connections to known services. This is more than enough to secure the traffic on a local network. A stricter use of certificates requires a certificate signed by a certification authority, or CA. This is what Internet sites usually do: they request a signed certificate from a well-known CA.
In our case, however, we’ll create our own CA and sign our certificate to use it with LDAP.
Install prerequisite rpms
To configure OpenLDAP with TLS certificates we need the openssl package. It gives us a directory hierarchy for creating the certificates.
[root@ldap-server ~]# yum -y install openssl
Creating a CA
After installing the openssl package, we should have a predefined tree structure under /etc/pki/CA, under which we can create the certificates used to configure OpenLDAP with TLS.
[root@ldap-server ~]# ls -l /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 Oct 31 04:12 certs
drwxr-xr-x. 2 root root 4096 Oct 31 04:12 crl
drwxr-xr-x. 2 root root 4096 Oct 31 04:12 newcerts
drwx------. 2 root root 4096 Oct 31 04:12 private
To keep track of the issued certificates, we create the index.txt and serial files.
[root@ldap-server ~]# cd /etc/pki/CA
[root@ldap-server CA]# echo 0001 > serial
[root@ldap-server CA]# touch index.txt
Now we create the key for the CA.
[root@ldap-server ~]# openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem
Generating RSA private key, 2048 bit long modulus
.................................................+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
In this case, we haven't specified the number of bits used to generate the key, so the default size is used; as the output above shows, that is 2048 bits here. When working in a test environment this is acceptable; however, for production environments you should specify a higher value explicitly, such as 4096. This way, the keys will be much more secure.
Once we have the key file, we create the CA certificate itself.
[root@ldap-server ~]# openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BENGALURU
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:Test
Common Name (eg, your name or your server's hostname) []:ldap-server.example.com
Email Address []:[email protected]
Now we are ready to generate the key and certificate files to use with OpenLDAP.
[root@ldap-server ~]# cd /etc/pki/CA/
[root@ldap-server CA]# openssl genrsa -out private/ldap.example.com.key
Generating RSA private key, 2048 bit long modulus
............................+++
............................................................................................................+++
e is 65537 (0x10001)
[root@ldap-server CA]# openssl req -new -key private/ldap.example.com.key -out certs/ldap.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BENGALURU
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:Test
Common Name (eg, your name or your server's hostname) []:ldap-server.example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:GoLinuxCloud
We now have the certificate signing request; next we have to sign it with our CA.
[root@ldap-server CA]# openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -in certs/ldap.example.com.csr -out certs/ldap.example.com.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  9 18:21:04 2019 GMT
            Not After : Feb  9 18:21:04 2020 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = KARNATAKA
            organizationName          = GoLinuxCloud
            organizationalUnitName    = Test
            commonName                = ldap-server.example.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                56:0E:8A:CD:76:30:9A:99:71:E5:67:13:FA:8D:31:2D:36:C2:78:5E
            X509v3 Authority Key Identifier:
                keyid:3C:54:A4:F2:26:CD:B8:73:B3:BF:F7:6F:51:76:51:32:DC:21:25:3F
Certificate is to be certified until Feb  9 18:21:04 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now that the certificate has been signed by the CA, we can see that the index.txt file has been updated.
[root@ldap-server CA]# cat index.txt
V	200209182104Z		01	unknown	/C=IN/ST=KARNATAKA/O=GoLinuxCloud/OU=Test/CN=ldap-server.example.com/[email protected]
We can also verify the issued certificate against our CA.
[root@ldap-server CA]# openssl verify -CAfile certs/ca.cert.pem certs/ldap.example.com.crt
certs/ldap.example.com.crt: OK
After signing the certificate, we copy both the certificate and the key file to /etc/openldap/certs/. We also copy the CA certificate to /etc/openldap/cacerts/. Later, we will have to modify the OpenLDAP configuration accordingly.
[root@ldap-server CA]# cp -v certs/* /etc/openldap/certs/
‘certs/ca.cert.pem’ -> ‘/etc/openldap/certs/ca.cert.pem’
‘certs/ldap.example.com.crt’ -> ‘/etc/openldap/certs/ldap.example.com.crt’
‘certs/ldap.example.com.csr’ -> ‘/etc/openldap/certs/ldap.example.com.csr’
[root@ldap-server CA]# cp -v private/ldap.example.com.key /etc/openldap/certs/
‘private/ldap.example.com.key’ -> ‘/etc/openldap/certs/ldap.example.com.key’
[root@ldap-server CA]# cp -v certs/ca.cert.pem /etc/openldap/cacerts/
‘certs/ca.cert.pem’ -> ‘/etc/openldap/cacerts/ca.cert.pem’
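The CA and server-certificate steps above, scripted end to end as an added example (these are not the post's own commands): the interactive prompts are replaced with -subj, a subjectAltName is added because many TLS clients match the hostname against the SAN rather than the CN, the request is signed with openssl x509 -req instead of openssl ca, and the checks worth running before pointing slapd at the files follow. The hostname, the scratch directory and the unencrypted CA key are assumptions made so the script runs unattended.

```shell
# Added example, not the post's code: scripted version of the CA and server
# certificate steps, plus pre-deployment checks. Assumes openssl in PATH and
# uses a scratch directory instead of /etc/pki/CA.
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-ldap-server.example.com}"   # name TLS clients will verify (assumed)

write_config() {   # CA:TRUE for the root; SAN for the server (clients match SAN, not only CN)
  cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

make_ca() {   # explicit 4096-bit key; the post's -aes256 passphrase is omitted to run unattended
  openssl genrsa -out "$WORK/ca.key.pem" 4096 2>/dev/null &&
  openssl req -new -x509 -days 3650 -key "$WORK/ca.key.pem" -config "$WORK/ext.cnf" \
    -extensions ca_ext -subj "/C=IN/O=GoLinuxCloud/OU=Test/CN=Test CA" -out "$WORK/ca.cert.pem"
}

make_server_cert() {   # CSR for the server, then sign it with our CA applying server_ext
  openssl genrsa -out "$WORK/ldap.key" 2048 2>/dev/null &&
  openssl req -new -key "$WORK/ldap.key" -config "$WORK/ext.cnf" \
    -subj "/C=IN/O=GoLinuxCloud/OU=Test/CN=$HOST" -out "$WORK/ldap.csr" &&
  openssl x509 -req -days 365 -in "$WORK/ldap.csr" -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -extensions server_ext -out "$WORK/ldap.crt" 2>/dev/null
}

# Checks to run before pointing olcTLSCertificateFile/olcTLSCertificateKeyFile at the files
verify_chain()     { openssl verify -CAfile "$WORK/ca.cert.pem" "$WORK/ldap.crt" >/dev/null; }
key_matches_cert() {   # public key embedded in the cert must equal the private key's public half
  [ "$(openssl x509 -in "$WORK/ldap.crt" -noout -pubkey)" = "$(openssl pkey -in "$WORK/ldap.key" -pubout)" ]
}
cert_has_san()     { openssl x509 -in "$WORK/ldap.crt" -noout -text | grep -q "DNS:$HOST"; }

write_config && make_ca && make_server_cert && verify_chain && key_matches_cert && cert_has_san &&
  echo "CA and server certificate in $WORK pass all checks"
```

The resulting ca.cert.pem is also the file LDAP clients should trust (TLS_CACERT in ldap.conf), which lets them verify the server's certificate instead of skipping verification.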
Securing the LDAP protocol
In CentOS 7, the TLS-related attributes already have default values. We can see them with:
[root@ldap-server ~]# slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile"
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
We have to modify the values of the olcTLSCertificateFile and olcTLSCertificateKeyFile attributes. So, we create the following LDIF file:
[root@ldap-server ~]# cat tls7.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key
And we run the ldapmodify command with this LDIF file.
[root@ldap-server ~]# ldapmodify -Y EXTERNAL -H ldapi:// -f tls7.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Next we add a new attribute, olcTLSCACertificateFile, for the CA certificate file. For this we create another LDIF file:
[root@ldap-server ~]# cat tls7_1.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.cert.pem

[root@ldap-server ~]# ldapmodify -Y EXTERNAL -H ldapi:// -f tls7_1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Validate the new values using
[root@ldap-server ~]# slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile|olcTLSCACertificateFile"
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.cert.pem
Now we edit the /etc/sysconfig/slapd file to add ldaps:/// to the SLAPD_URLS line:
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
Then change the following TLS settings:
#TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT never
Then we restart the service
[root@ldap-server ~]# systemctl restart slapd
Validate TLS connectivity for LDAP
To make sure that TLS for LDAP is working properly, we can check it by passing the -ZZ option to ldapsearch. Thus, we are telling ldapsearch to establish a TLS connection (StartTLS) and to fail if it cannot.
[root@ldap-server certs]# ldapsearch -x -ZZ
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
With ldapsearch, sometimes the system expects the certificate files to be named in a special numeric format. This numeric value is the certificate's hash, which can be obtained with openssl, like this:
[root@ldap-server certs]# openssl x509 -in /etc/openldap/certs/ca.cert.pem -hash
5e379662
-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIJAIUTUHlq/B9HMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
VQQGEwJJTjESMBAGA1UECAwJS0FSTkFUQUtBMRIwEAYDVQQHDAlCRU5HQUxVUlUx
On the server, we also have to allow incoming traffic to the ldap (389) and ldaps (636) ports:
[root@ldap-server ~]# firewall-cmd --add-service=ldap
success
[root@ldap-server ~]# firewall-cmd --add-service=ldaps
success
Lastly, I hope the steps in this article to configure OpenLDAP with TLS certificates on Linux were helpful. Let me know your suggestions and feedback in the comment section.