OpenLDAP over SSL/TLS - Overview
It is always good practice to authenticate to an OpenLDAP server over an encrypted session. This is accomplished with TLS: Transport Layer Security (TLS) is the current name for what was formerly called the Secure Socket Layer (SSL). LDAPS encrypts LDAP data in transit during every exchange with the LDAP server, which protects credentials from being captured on the network. If client authentication is also desired, the client must present its own certificate and key pair to the LDAP server.
There are two ways to create and install a server certificate: a self-signed certificate, or a certificate signed by a certificate authority (CA). Both are covered below.
You need to configure OpenLDAP on Rocky Linux 8 (see the article Configure OpenLDAP on Rocky Linux 8) before starting this tutorial.
On Rocky Linux/RHEL/CentOS 7/8 you can use the yum or dnf commands, and on Ubuntu apt-get, to install the OpenSSL packages. In this example OpenSSL is installed on Rocky Linux with dnf:
[root@ldapmaster ~]# dnf install openssl
Configure OpenLDAP over TLS with Self Signed Certificate
A self-signed certificate is a security certificate that is not signed by a certificate authority. A self-signed certificate provides acceptable security in some situations. For most uses of public key infrastructure (PKI), the correct method for signing a certificate is to use a well-known, trusted third party: a certificate authority (CA).
Browsers and operating systems do not trust self-signed certificates. Users are cautious about sharing personal information (such as credit card numbers, bank details, passwords, date of birth, phone number, email addresses, physical address, etc.) when a website is labeled as "not secure".
Self-signed certificates are suitable for internal (intranet) sites or testing environments.
Step-1: Create Self Signed Certificate
Please refer to the article OpenSSL create self signed certificate Linux with example for a more detailed explanation of creating a self-signed certificate. In this article, only the commands needed to generate the certificate are given.
Change the directory and generate the certificate key.
[root@ldapmaster ~]# cd /etc/openldap/certs/
[root@ldapmaster certs]# openssl genrsa 2048 > ldapserver.key
OpenLDAP uses the key without a password, so the key must not carry a passphrase. If the key was generated with a passphrase it must be removed first; the genrsa command above, used without an encryption option, already writes an unencrypted key.
Step-2: Create a Certificate Signing Request (CSR)
Generate the certificate signing request:
[root@ldapmaster certs]# openssl req -utf8 -new -key ldapserver.key -out ldapserver.csr
While creating the request, you will be asked to enter information that is incorporated into the certificate request, such as Country Name and Common Name. Fill in those fields to complete the CSR.
Step-3: Create self-signed certificate
Generate the self-signed certificate using the private key and CSR created above:
[root@ldapmaster certs]# openssl x509 -in ldapserver.csr -out ldapserver.crt -req -signkey ldapserver.key -days 3650
Signature ok
subject=C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
Getting Private key
Now we have created a self-signed certificate for the domain example.com. The certificates are in the directory as shown below:
[root@ldapmaster certs]# ls -al
total 12
drwxr-xr-x. 2 root root   72 Aug 23 08:31 .
drwxr-xr-x. 5 root root   92 Aug 23 08:17 ..
-rw-r--r--. 1 root root 1176 Aug 23 08:30 ldapserver.crt
-rw-r--r--. 1 root root  985 Aug 23 08:30 ldapserver.csr
-rw-r--r--. 1 root root 1679 Aug 23 08:28 ldapserver.key
Step-4: Import the certificates into the OpenLDAP configuration
Once the certificates are ready, we need to add the certificates to the server. Before adding certificates, make sure the permissions are set up properly.
Update certificate file permissions
[root@ldapmaster certs]# chown -R ldap. /etc/openldap/certs
Create an LDIF file
Let us create a file ImportSSL.ldif with the contents below to update the slapd configuration:
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key
Import certificates to OpenLDAP
[root@ldapmaster certs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ImportSSL.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Once the certificates are imported, the paths appear in the slapd configuration. We can verify this as below:
[root@ldapmaster ~]# cat /etc/openldap/slapd.d/cn\=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 64be1b5b
dn: cn=config
objectClass: olcGlobal
cn: config
structuralObjectClass: olcGlobal
entryUUID: e1ca9768-9857-103b-8ca4-bb081b41894f
creatorsName: cn=config
createTimestamp: 20210823121751Z
olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key
entryCSN: 20210823142544.987134Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210823142544Z
Step-5: Verify the LDAPS connection
To verify the LDAPS connection, we can use the openssl command:
[root@ldapmaster certs]# openssl s_client -connect example.com:636 -showcerts | head
depth=0 C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
   i:C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
-----BEGIN CERTIFICATE-----
MIIDazCCAlMCFHkbd+TZztV+IKwSIXXY79QTEDEpMA0GCSqGSIb3DQEBCwUAMHIx
CzAJBgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJhbmdh
bG9yZTEVMBMGA1UECgwMR29saW51eENsb3VkMQ4wDAYDVQQLDAVMaW51eDEUMBIG
A1UEAwwLZXhhbXBsZS5jb20wHhcNMjEwODI1MDgzMDQ3WhcNMzEwODIzMDgzMDQ3
In the above example, the openssl command is used to check the connection and the certificate details. We are able to connect to LDAPS port 636, and the output shows the first few lines of the certificate; note the "verify error:num=18:self signed certificate" line, which is expected because no CA has signed this certificate.
In the example below, the connection fails because the LDAP client refuses the self-signed certificate:
[root@ldapmaster certs]# ldapsearch -x -b dc=example,dc=com -ZZ
ldap_start_tls: Connect error (-11)
	additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)
Step-6: Ignore untrusted certificates for self-signed certificate
You have to explicitly tell the LDAP client to ignore untrusted certificates. You can do so by adding the following to your ldap.conf:
If you test TLS connectivity after adding the above to ldap.conf, you will get output like the following:
[root@ldapmaster ~]# ldapsearch -x -b dc=example,dc=com -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: My example Organisation
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: OpenLDAP Manager

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

# Group, example.com
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: temp
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser
shadowMax: 0
shadowWarning: 0
uid: testuser

# testuser, Group, example.com
dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser
This solution is not the preferred one. Once the client ignores untrusted certificates it will accept any certificate presented to it, so on an LDAP server reachable from untrusted networks someone can perform a Man-in-the-Middle (MITM) attack and read the credentials that TLS was supposed to protect. For these reasons, it is strongly recommended to use CA-signed certificates!
Configure OpenLDAP over TLS with RootCA Issued Certificate
SSL certificates signed by a Certificate Authority (CA) are trusted by clients. We can connect to any service that has a certificate signed by your root CA without errors.
We can create our own CA. However, you must install the CA root certificate on every client that connects to the server. For example, if you browse a website that uses your own CA, you must import the CA root certificate into your browser before it trusts the site's certificate. For this reason, being your own CA is mainly suitable for services used by a small group of users or clients in a LAN environment.
Even though free SSL certificates are easily available from third-party trusted CAs, if you want to create your own certificate, please go through the article Create Certificate Authority and sign a certificate with Root CA for a detailed explanation.
In the following example, we create our own CA-signed certificate for demonstration purposes only. I have used the domain 'example.com'. On production servers, use a real domain name.
Step-1: Create Certificate Authority (CA) certificate
In the example, you will be prompted for the passphrase of your private key (ca.key): we create the key with a password and remove it in the next command so that OpenLDAP can use the certificates. While creating the CA certificate with ca.key, you will be asked a series of questions about the root CA certificate. I suggest using as Common Name something that you will recognize as your root certificate (golinuxcloud.com in our example). The other answers are not that important.
# Create key for CA
[root@ldapmaster certs]# openssl genrsa -des3 -out ca.key 4096
# Remove password from ca.key
[root@ldapmaster certs]# openssl rsa -in ca.key -out ca.key
# Create CA certificate using ca.key
[root@ldapmaster certs]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem
Using the above commands we have generated a root CA certificate that can be verified using the below command:
[root@ldapmaster certs]# openssl x509 -noout -text -in ca.cert.pem | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:e7:c2:c6:bc:57:ab:cd:de:ba:f5:e6:7d:dc:a7:fd:df:ba:5e:37
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = golinuxcloud.com
        Validity
            Not Before: Aug 25 17:42:08 2021 GMT
            Not After : Aug 25 17:42:08 2022 GMT
Step-2: Creating RootCA-Signed Server Certificates
In the previous section we created our own CA certificate, so we now have a Certificate Authority for all our certificates and can sign any new certificate request with it. In the example, we are demonstrating with the domain example.com. When you generate the CSR in the commands below, you will be asked to enter information for the certificate. Under Common Name, provide a valid domain name (instead of the example.com we use for testing).
# Generate a server key
[root@ldapmaster certs]# openssl genrsa -des3 -out example.key 4096
# Remove password from the key
[root@ldapmaster certs]# openssl rsa -in example.key -out example.key
# Generate request for signing (CSR)
[root@ldapmaster certs]# openssl req -new -key example.key -out example.csr
# Sign a certificate with CA
[root@ldapmaster certs]# openssl x509 -req -days 365 -in example.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out example.crt
Signature ok
subject=C = IN, L = Default City, O = Default Company Ltd, CN = example.com
Getting CA Private Key
Step-3: Assign proper permissions to the certificates
Once the certificates are generated, make sure to change the ownership so that slapd can read them; note that the private keys stay readable by their owner only (mode 0600):
[root@ldapmaster certs]# chown -R ldap. /etc/openldap/certs/
[root@ldapmaster certs]# ls -l
total 24
-rw-r--r--. 1 ldap ldap 2074 Aug 25 13:42 ca.cert.pem
-rw-r--r--. 1 ldap ldap   41 Aug 25 13:58 ca.cert.srl
-rw-------. 1 ldap ldap 3247 Aug 25 13:41 ca.key
-rw-r--r--. 1 ldap ldap 1911 Aug 25 13:58 example.crt
-rw-r--r--. 1 ldap ldap 1675 Aug 25 13:58 example.csr
-rw-------. 1 ldap ldap 3243 Aug 25 13:58 example.key
Step-4: Import certificates to OpenLDAP
Let us create an LDIF file and import the certificates to the OpenLDAP server. In the example, I have used the certificates generated in the previous section. You can use the same file format to import a Trusted certificate from Let's Encrypt or any other commercial entity.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/example.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/example.key
I have copied the above contents to the file importCAcert.ldif and imported it into the OpenLDAP server as below:
[root@ldapmaster certs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f importCAcert.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
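Both Step-4 LDIFs (the self-signed one and the CA-signed one above) set the olcTLS* attributes on cn=config and only work if slapd can actually read the files they point to. The following is an added example, not code from the article: it builds that modify LDIF from a dictionary of paths (using replace for every attribute, as the CA-signed LDIF does) and first reports the problems a practitioner usually hits, namely a missing file, a file not owned by the service account, or a private key readable by group/others. The service account name ldap and the paths are assumptions taken from the commands above.

```python
import os
import pwd
import stat

# cn=config attribute for each kind of file (attribute names from the article).
TLS_ATTRS = {
    "ca": "olcTLSCACertificateFile",
    "cert": "olcTLSCertificateFile",
    "key": "olcTLSCertificateKeyFile",
}


def build_tls_ldif(paths):
    """Return a 'changetype: modify' LDIF for cn=config that replaces the
    TLS attributes given in paths ('ca' is optional, as in the self-signed
    setup). Changes after the first are preceded by a line holding only '-'."""
    if "cert" not in paths or "key" not in paths:
        raise ValueError("both 'cert' and 'key' paths are required")
    lines = ["dn: cn=config", "changetype: modify"]
    for n, kind in enumerate(k for k in ("ca", "cert", "key") if k in paths):
        if n:
            lines.append("-")
        attr = TLS_ATTRS[kind]
        lines += [f"replace: {attr}", f"{attr}: {paths[kind]}"]
    return "\n".join(lines) + "\n"


def check_tls_files(paths, owner="ldap"):
    """List the problems slapd would hit loading these files: a missing
    file, a file not owned by the service account (owner 'ldap' is an
    assumption matching the article's 'chown -R ldap.'), or a private key
    that group/others can read. An empty list means the files look ready."""
    problems = []
    for kind, path in paths.items():
        if not os.path.isfile(path):
            problems.append(f"{TLS_ATTRS[kind]}: {path} does not exist")
            continue
        st = os.stat(path)
        try:
            file_owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:  # uid without a passwd entry
            file_owner = str(st.st_uid)
        if file_owner != owner:
            problems.append(f"{path}: owned by {file_owner}, expected {owner}")
        if kind == "key" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = oct(stat.S_IMODE(st.st_mode))
            problems.append(f"{path}: key mode {mode} is readable by group/others")
    return problems
```

Run check_tls_files on the dictionary first and only feed the LDIF from build_tls_ldif to ldapmodify when it returns an empty list; otherwise slapd accepts the configuration change but fails to start TLS.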
Step-5: Validate TLS connection
We can verify the SSL connection with the openssl command as below. The only verify error now is the expected "self signed certificate in certificate chain" for our own root CA, which disappears once the client is given ca.cert.pem as its CA file:
[root@ldapmaster ~]# openssl s_client -connect example.com:636 -showcerts | head
depth=1 C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = golinuxcloud.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = golinuxcloud.com
verify return:1
depth=0 C = IN, L = Default City, O = Default Company Ltd, CN = example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:C = IN, L = Default City, O = Default Company Ltd, CN = example.com
   i:C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = golinuxcloud.com
-----BEGIN CERTIFICATE-----
MIIFVjCCAz4CFAEXRYpmjpwinDb49vXIxR4H85N7MA0GCSqGSIb3DQEBCwUAMHcx
CzAJBgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJhbmdh
bG9yZTEVMBMGA1UECgwMR29saW51eENsb3VkMQ4wDAYDVQQLDAVMaW51eDEZMBcG
A1UEAwwQZ29saW51eGNsb3VkLmNvbTAeFw0yMTA4MjUxNzU4NDRaFw0yMjA4MjUx
You can also verify the TLS connection with the ldapsearch command. If your certificate is trusted, the command returns the directory entries:
[root@ldapmaster ~]# ldapsearch -x -b dc=example,dc=com -ZZ | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
OpenLDAP Client Certificate
Client certificates are created similarly to server certificates. The RockyLinux/RHEL/CentOS system uses the System Security Services Daemon (SSSD) service to retrieve user data.
You must copy the file containing the root CA certificate chain of the Certificate Authority that issued the OpenLDAP server's SSL/TLS certificate into /etc/openldap/cacerts, or any other folder, on the client machine. In this article we have used our own CA certificate ca.cert.pem to issue the CA-signed server certificate, so this is the file to copy to the client so that it trusts your own CA.
Please refer to the article 8 simple steps to configure LDAP client RHEL/CentOS 8 to configure an OpenLDAP client that uses SSSD to retrieve data from the LDAP server over an encrypted connection. That article describes the steps to enable TLS in SSSD and LDAP in detail, and it applies to Rocky Linux installations too.
In this article, we have learned to use self-signed and CA-signed certificates on the OpenLDAP server. The steps were tested on a Rocky Linux 8 machine; you can use the same steps to configure OpenLDAP over TLS on CentOS/RHEL machines.