This is a multi-part article covering different areas of OpenLDAP server configuration on a CentOS 7 Linux node. Use the links below to reach the other parts of this tutorial:

Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Step-by-Step Tutorial: Install and Configure OpenLDAP
Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates
Step-by-Step Tutorial: Configure LDAP client to authenticate with LDAP server


Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates CentOS 7 Linux


Configure OpenLDAP with TLS certificates

Before starting with this article to configure OpenLDAP with TLS certificates on Linux you should be familiar with basic LDAP terminology (see the first part of this series). For the demonstration I am using CentOS 7. In this article I share detailed steps to secure LDAP connections with TLS. By default everything on an LDAP connection, including bind passwords, is sent in plain text, so all traffic between the client and the server should be encrypted.

We begin by creating a certificate, but this time with a different approach. So far we have created self-signed certificates to secure known services, which is enough on a local network. A stricter use of certificates requires a certificate signed by a certification authority (CA). This is what Internet sites usually do: they request a signed certificate from a well-known CA.

In our case, however, we’ll create our own CA and sign our certificate to use it with LDAP.


Install pre-requisite rpms

To configure OpenLDAP with TLS certificates we need the openssl package. It also provides the directory hierarchy under /etc/pki/CA in which we will create the certificates.

[[email protected] ~]# yum -y install openssl


Creating a CA

After installing the openssl package, we should have a predefined tree structure under /etc/pki/CA under which we can create our certificates to configure OpenLDAP with TLS certificates.

[[email protected] ~]# ls -l /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 Oct 31 04:12 certs
drwxr-xr-x. 2 root root 4096 Oct 31 04:12 crl
drwxr-xr-x. 2 root root 4096 Oct 31 04:12 newcerts
drwx------. 2 root root 4096 Oct 31 04:12 private

To keep track of the issued certificates, we create index.txt and serial files.

[[email protected] CA]# cd /etc/pki/CA
[[email protected] CA]# echo 0001 > serial
[[email protected] CA]# touch index.txt

Now we create the key for the CA.

[[email protected] ~]# openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem
Generating RSA private key, 2048 bit long modulus
.................................................+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/ca.key.pem:

We did not specify the key size, so openssl used its default, which the output shows is 2048 bits. That is acceptable for a test environment; for a production CA specify a larger key, such as 4096 bits, and keep the -aes256 option so the CA key is stored encrypted and the passphrase is required every time a certificate is signed.

Once we have the key file, we create the CA certificate itself.

[[email protected] ~]# openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BENGALURU
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:Test
Common Name (eg, your name or your server's hostname) []:ldap-server.example.com
Email Address []:[email protected]

Now we are ready to generate the key and certificate for the OpenLDAP server itself.

IMPORTANT NOTE:
The Common Name must be the hostname clients will use to reach the server (here ldap-server.example.com). Clients that verify the certificate check the subjectAltName extension first and fall back to the CN only when there is none, so if you can, put the hostname in a subjectAltName as well. Also give the CA a name of its own: in this walkthrough both the CA certificate and the server certificate carry the CN ldap-server.example.com, which works but makes the chain harder to read.
[[email protected] ~]# cd /etc/pki/CA/
[[email protected] CA]# openssl genrsa -out private/ldap.example.com.key
Generating RSA private key, 2048 bit long modulus
............................+++
............................................................................................................+++
e is 65537 (0x10001)
[[email protected] CA]# openssl req -new -key private/ldap.example.com.key -out certs/ldap.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BENGALURU
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:Test
Common Name (eg, your name or your server's hostname) []:ldap-server.example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:GoLinuxCloud

We now have a certificate signing request (CSR), not yet a certificate. openssl ca signs it with our CA; the validity (365 days) comes from the defaults in /etc/pki/tls/openssl.cnf.

[[email protected] CA]# openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -in certs/ldap.example.com.csr -out certs/ldap.example.com.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 9 18:21:04 2019 GMT
Not After : Feb 9 18:21:04 2020 GMT
Subject:
countryName = IN
stateOrProvinceName = KARNATAKA
organizationName = GoLinuxCloud
organizationalUnitName = Test
commonName = ldap-server.example.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
56:0E:8A:CD:76:30:9A:99:71:E5:67:13:FA:8D:31:2D:36:C2:78:5E
X509v3 Authority Key Identifier:
keyid:3C:54:A4:F2:26:CD:B8:73:B3:BF:F7:6F:51:76:51:32:DC:21:25:3F

Certificate is to be certified until Feb 9 18:21:04 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now that the certificate has been signed by the CA , we can see that the index.txt file has been updated.

[[email protected] CA]# cat index.txt
V 200209182104Z 01 unknown /C=IN/ST=KARNATAKA/O=GoLinuxCloud/OU=Test/CN=ldap-server.example.com/[email protected]

We can also verify the issued certificate against our CA.

[[email protected] CA]# openssl verify -CAfile certs/ca.cert.pem certs/ldap.example.com.crt
certs/ldap.example.com.crt: OK

After signing the certificate, we copy both the certificate and the key file to /etc/openldap/certs/, and the CA certificate to /etc/openldap/cacerts/. Note that cp creates the copied key with the default umask, which usually makes it world-readable: make it owned by the ldap user that slapd runs as and readable by nobody else (mode 0600), otherwise any local user can read the server's private key. Later, we modify the openldap configuration to point at these files.

[[email protected] CA]# cp -v certs/* /etc/openldap/certs/
‘certs/ca.cert.pem’ -> ‘/etc/openldap/certs/ca.cert.pem’
‘certs/ldap.example.com.crt’ -> ‘/etc/openldap/certs/ldap.example.com.crt’
‘certs/ldap.example.com.csr’ -> ‘/etc/openldap/certs/ldap.example.com.csr’

[[email protected] CA]# cp -v private/ldap.example.com.key /etc/openldap/certs/
‘private/ldap.example.com.key’ -> ‘/etc/openldap/certs/ldap.example.com.key’

[[email protected] CA]# cp -v certs/ca.cert.pem /etc/openldap/cacerts/
‘certs/ca.cert.pem’ -> ‘/etc/openldap/cacerts/ca.cert.pem’
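Pulling the certificate steps above into one script, as an added example (this is not code from the original article or from the OpenLDAP project): it creates the CA, the server key and CSR, signs and verifies the certificate, and stages the files for slapd. It departs from the walkthrough in three assumed ways: the server hostname is also placed in a subjectAltName extension (the check modern clients perform), the CA passphrase is read from a CA_PASS environment variable so nothing prompts, and signing uses openssl x509 -req with the serial file instead of openssl ca, so no index.txt is kept. The CA name "GoLinuxCloud Demo CA" and all paths are demo values passed as arguments; on a real server they would be /etc/pki/CA and /etc/openldap.

```shell
#!/bin/sh
# Added example, not from the original article: CA, server key/CSR, signed
# certificate, checks, and staging for slapd. Assumptions: the CA passphrase
# comes from the CA_PASS environment variable (no prompts), signing uses
# "openssl x509 -req" with the serial file instead of "openssl ca" (so no
# index.txt), the hostname is also placed in subjectAltName, and all paths
# are demo arguments rather than /etc/pki/CA and /etc/openldap.
set -eu

# Lay out the CA like /etc/pki/CA, then create the CA key and certificate.
make_ca() {
    cadir=$1; ca_cn=$2
    mkdir -p "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/private"
    chmod 700 "$cadir/private"
    echo 1000 > "$cadir/serial"
    # req insists on a distinguished_name section even when -subj is used;
    # v3_ca marks the certificate as a CA so verification accepts it as one.
    cat > "$cadir/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 4096-bit CA key, encrypted with AES-256 as in the article.
    openssl genrsa -aes256 -passout env:CA_PASS \
        -out "$cadir/private/ca.key.pem" 4096 2>/dev/null
    chmod 600 "$cadir/private/ca.key.pem"
    # The CA gets a name of its own; it must not reuse the server's CN.
    openssl req -x509 -new -sha256 -days 3650 -config "$cadir/openssl.cnf" \
        -extensions v3_ca -key "$cadir/private/ca.key.pem" -passin env:CA_PASS \
        -subj "/O=GoLinuxCloud/CN=$ca_cn" -out "$cadir/certs/ca.cert.pem"
}

# Server key and CSR, then a CA-signed certificate with the hostname in
# both the CN and a subjectAltName (what clients actually check).
make_server_cert() {
    cadir=$1; host=$2
    openssl genrsa -out "$cadir/private/$host.key" 2048 2>/dev/null
    chmod 600 "$cadir/private/$host.key"
    openssl req -new -sha256 -config "$cadir/openssl.cnf" \
        -key "$cadir/private/$host.key" -subj "/O=GoLinuxCloud/CN=$host" \
        -out "$cadir/certs/$host.csr"
    cat > "$cadir/$host.ext" <<EOF
[server_cert]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
EOF
    # -CAserial reuses and increments the serial file created above.
    openssl x509 -req -sha256 -days 365 -in "$cadir/certs/$host.csr" \
        -CA "$cadir/certs/ca.cert.pem" -CAkey "$cadir/private/ca.key.pem" \
        -passin env:CA_PASS -CAserial "$cadir/serial" \
        -extfile "$cadir/$host.ext" -extensions server_cert \
        -out "$cadir/certs/$host.crt" 2>/dev/null
}

# Pre-flight checks: chain verifies, key matches certificate, SAN has host.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null; }
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
cert_has_san() { openssl x509 -noout -text -in "$1" | grep -qE "DNS:$2(,|\$)"; }

# Stage into an /etc/openldap-like tree. The key is mode 0600 and, when run
# as root on a host that has it, owned by the ldap user slapd runs as.
stage_for_slapd() {
    cadir=$1; host=$2; dest=$3; owner=${4:-ldap}
    install -d -m 755 "$dest/certs" "$dest/cacerts"
    install -m 644 "$cadir/certs/$host.crt" "$dest/certs/$host.crt"
    install -m 644 "$cadir/certs/ca.cert.pem" "$dest/cacerts/ca.cert.pem"
    install -m 600 "$cadir/private/$host.key" "$dest/certs/$host.key"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner" "$dest/certs/$host.key"
    fi
}

# Whole flow; under set -e any failed check aborts with a non-zero status.
demo() {
    work=$1; host=${2:-ldap-server.example.com}
    export CA_PASS="${CA_PASS:-demo-passphrase-change-me}"
    make_ca "$work/CA" "GoLinuxCloud Demo CA"
    make_server_cert "$work/CA" "$host"
    verify_chain "$work/CA/certs/ca.cert.pem" "$work/CA/certs/$host.crt"
    key_matches_cert "$work/CA/certs/$host.crt" "$work/CA/private/$host.key"
    cert_has_san "$work/CA/certs/$host.crt" "$host"
    stage_for_slapd "$work/CA" "$host" "$work/openldap"
}

# Usage: sh mkcerts.sh /tmp/work [hostname]
case "${1:-}" in "") ;; *) demo "$1" "${2:-ldap-server.example.com}" ;; esac
```

Run it as sh mkcerts.sh /tmp/work ldap-server.example.com. The three check functions are worth running before every restart of slapd: a certificate whose key does not match, or a chain that does not verify against the CA file handed to clients, only shows up later as slapd refusing to start or as every client failing its handshake.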


Securing the LDAP protocol

In CentOS 7, slapd already ships with values for the TLS related attributes; they point at the Mozilla NSS certificate database in /etc/openldap/certs rather than at PEM files. We can see these values with slapcat.

[[email protected] ~]# slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile"
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password

We have to modify the values of the olcTLSCertificateFile and olcTLSCertificateKeyFile attributes. So, we create the following LDIF file:

[[email protected] ~]# cat tls7.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key

And we run the ldapmodify command with this LDIF file .

[[email protected] ~]# ldapmodify -Y EXTERNAL -H ldapi:// -f tls7.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Next we add the olcTLSCACertificateFile attribute for the CA certificate file, using another LDIF file. The attribute is not present in the default configuration, so add works here; if it already existed, add would fail with "attribute exists" and replace would be needed instead.

[[email protected] ~]# cat tls7_1.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.cert.pem

[[email protected] ~]# ldapmodify -Y EXTERNAL -H ldapi:// -f tls7_1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Validate the new values using slapcat.

[[email protected] ~]# slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile|olcTLSCACertificateFile"
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.cert.pem

Now we edit the /etc/sysconfig/slapd file to add ldaps:/// to the SLAPD_URLS parameter, so that slapd also listens for LDAP over TLS on port 636 (ldap:/// on port 389 stays, and StartTLS is available there).

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

The client library also has to know which CA to trust. In /etc/openldap/ldap.conf, replace the default TLS_CACERTDIR line (that directory only works with subject-hash file names, covered under "Validate TLS connectivity for LDAP") with TLS_CACERT pointing at our CA certificate, and keep verification on:

#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/cacerts/ca.cert.pem
TLS_REQCERT demand

Do not set TLS_REQCERT never (or allow). That turns off certificate verification: the session is still encrypted, but any host that answers the connection can impersonate the server, which is exactly what the CA was created to prevent. demand is the default, so listing it only makes the intent explicit.

Then we restart the service

[[email protected] ~]# systemctl restart slapd


Validate TLS connectivity for LDAP

To make sure that TLS for LDAP is working properly, run ldapsearch with the -ZZ option. -ZZ tells ldapsearch to issue StartTLS on the plain ldap:// port and to abort if TLS cannot be negotiated, so a search that completes at all proves the handshake succeeded. Connect using the name in the certificate (for example -H ldap://ldap-server.example.com, or set URI ldap://ldap-server.example.com in ldap.conf) rather than localhost; with TLS_REQCERT demand a hostname mismatch is refused. To exercise the ldaps port instead, use -H ldaps://ldap-server.example.com without -ZZ. The "No such object" result below is expected, since no search base was given; what matters is that no TLS error is reported.

[[email protected] certs]# ldapsearch -x -ZZ
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1

The client can also be pointed at a directory of CA certificates (the TLS_CACERTDIR directive that is commented out above). That only works if each certificate is reachable under the hash of its subject name, as <hash>.0, which is the naming that c_rehash produces. The hash for our CA certificate can be read with openssl (add -noout to print only the hash and not the certificate):

[[email protected] certs]# openssl x509 -in /etc/openldap/certs/ca.cert.pem -hash
5e379662
-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIJAIUTUHlq/B9HMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
VQQGEwJJTjESMBAGA1UECAwJS0FSTkFUQUtBMRIwEAYDVQQHDAlCRU5HQUxVUlUx
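The hash naming above is what TLS_CACERTDIR (and OpenSSL's CApath) depends on, and it is easy to get wrong: a CA file dropped into the directory under its own name is silently ignored, and the client then fails verification as if no CA were configured. The following added example, not code from the original article, is a small shell version of what c_rehash does, with a check that directory-only lookup really finds the CA. The directory and file names are demo assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build a TLS_CACERTDIR /
# CApath style directory. Libraries that take a directory of CA certificates
# find an issuer by the subject-name hash that "openssl x509 -hash" prints,
# so every CA file must be reachable as <hash>.<n>. This is what c_rehash
# does, written out so the mapping is visible. Paths are demo assumptions.
set -eu

# Subject-name hash of a PEM certificate, e.g. 5e379662.
cert_hash() { openssl x509 -noout -hash -in "$1"; }

# Link every *.pem / *.crt in $1 under its hash name. The suffix is the next
# free number, so two CAs whose subject names hash alike both stay reachable,
# and rerunning is idempotent: an existing link to the same file is reused.
rehash_cacertdir() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        h=$(cert_hash "$f")
        n=0
        while [ -e "$dir/$h.$n" ] && [ "$(readlink "$dir/$h.$n")" != "$(basename "$f")" ]; do
            n=$((n + 1))
        done
        ln -sf "$(basename "$f")" "$dir/$h.$n"
    done
}

# Does directory-only lookup (no CA file) find the issuer of certificate $2
# in directory $1? This is the lookup a TLS_CACERTDIR client performs.
cacertdir_verifies() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Number of hash links in $1 that exist for the subject hash of certificate $2.
links_for() {
    dir=$1; h=$(cert_hash "$2"); n=0
    for l in "$dir/$h".*; do
        [ -L "$l" ] && n=$((n + 1))
    done
    echo "$n"
}
```

On CentOS 7 the equivalent tools are c_rehash from the openssl-perl package (openssl rehash on newer OpenSSL), or a manual ln -s ca.cert.pem <hash>.0 inside the TLS_CACERTDIR directory. Pointing TLS_CACERT at the single CA file, as done earlier, avoids the naming requirement entirely.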


Configure Firewall

First, on the server, we have to allow incoming traffic to port ldap (389) and ldaps (636). Port 389 is still needed for StartTLS, which upgrades a plain connection on that port. The commands below change the running configuration only; add --permanent (and then run firewall-cmd --reload) to keep the rules across a reload or reboot.

[[email protected] ~]# firewall-cmd --add-service=ldap
success

[[email protected] ~]# firewall-cmd --add-service=ldaps
success


Lastly, I hope the steps from this article to configure OpenLDAP with TLS certificates on Linux were helpful. Let me know your suggestions and feedback in the comment section.
