Configure OpenLDAP over SSL/TLS [Step-by-Step] Rocky Linux 8

OpenLDAP over SSL/TLS - Overview

It is always good practice to authenticate to an OpenLDAP server using an encrypted session. This can be accomplished using TLS. Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). LDAPS allows for the encryption of LDAP data in transit during any communication with the LDAP server, thereby protecting against credential theft. If client authentication is desired, then a client certificate and key pair must be presented to the LDAP server.

There are two ways to create and install a server certificate.

• Self Signed Certificate
• CA Issued Certificate

Please refer to the below links to know more about LDAP:

Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Basic LDAP Concepts

Prerequisites

You need to Configure OpenLDAP on Rocky Linux 8 before starting with this tutorial.

On Rocky Linux/RHEL/CentOS 7/8 you can use yum or dnf commands and on Ubuntu use apt-get to install OpenSSL packages. In the example, I have installed the OpenSSL on Rocky Linux using dnf

[root@ldapmaster ~]# dnf install openssl

Configure OpenLDAP over TLS with Self Signed Certificate

A self-signed certificate is a security certificate that is not signed by a certificate authority. a self-signed certificate provides acceptable security in some situations. For many uses of public key infrastructure (PKI), the correct method for signing a certificate is to use a well-known, trusted third party, a certificate authority (CA).

No browsers and operating systems trust self-signed certificates. People feel cautious about sharing their personal information (such as credit card numbers, bank details, passwords, date of birth, phone number, email addresses, physical address, etc.) when a website is labeled as "not secure".

Self-signed certificates are suitable for internal (intranet) sites or testing environments

Step-1: Create Self Signed Certificate

Please refer the article OpenSSL create self signed certificate Linux with example for a more detailed explanation about creating a self-signed certificate. In this article, we have briefly added only the commands to generate the certificate.

Change the directory and generate the certificate key.

[root@ldapmaster ~]# cd /etc/openldap/certs/
[root@ldapmaster certs]# openssl genrsa 2048 > ldapserver.key

We are using the certificate without a password in OpenLDAP. So we need to remove the passphrase.

Step-2: Create Certificate Signing Request (CSR) certificate

Generate Certificate Signing request

[root@ldapmaster certs]# openssl req -utf8 -new -key ldapserver.key -out ldapserver.csr

While creating the certificate, you will be asked to enter information that will be incorporated into your certificate request like Country Name , Common Name, etc. You need to fill those and complete the CSR.

Step-3: Create self-signed certificate

Generate self signed certificate using the above created private key and CSR

[root@ldapmaster certs]# openssl x509 -in ldapserver.csr -out ldapserver.crt -req -signkey ldapserver.key -days 3650
Signature ok
subject=C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
Getting Private key

Now we have created a Self Signed certificate for domain example.com The corticates are under the directory as below:

[root@ldapmaster certs]# ls -al
total 12
drwxr-xr-x. 2 root root   72 Aug 23 08:31 .
drwxr-xr-x. 5 root root   92 Aug 23 08:17 ..
-rw-r--r--. 1 root root 1176 Aug 23 08:30 ldapserver.crt
-rw-r--r--. 1 root root  985 Aug 23 08:30 ldapserver.csr
-rw-r--r--. 1 root root 1679 Aug 23 08:28 ldapserver.key

Step-4: Import the Certificates to OpenLDAP configuration.

Once the certificates are ready, we need to add the certificates to the server. Before adding certificates, make sure the permissions are set up properly.

Update certificate file permissions

[root@ldapmaster certs]# chown -R ldap. /etc/openldap/certs

Create an LDIF file

Let us create a file ImportSSL.ldif and add the below contents to update the slapd configurations

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key

Import certificates to OpenLDAP

[root@ldapmaster certs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ImportSSL.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@ldapmaster certs]#

Once the certificates are imported, they should be under the slapd configuration. We can verify this like below

[root@ldapmaster ~]# cat /etc/openldap/slapd.d/cn\=config.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 64be1b5b
dn: cn=config
objectClass: olcGlobal
cn: config
structuralObjectClass: olcGlobal
entryUUID: e1ca9768-9857-103b-8ca4-bb081b41894f
creatorsName: cn=config
createTimestamp: 20210823121751Z
olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key
entryCSN: 20210823142544.987134Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210823142544Z
[root@ldapmaster ~]# 

Step-5: Verify the LDAPS connection

To verify the LDAPS connections, we can use the commands openssl or ldapsearch.

[root@ldapmaster certs]# openssl s_client -connect example.com:636 -showcerts| head
depth=0 C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
   i:C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = example.com
-----BEGIN CERTIFICATE-----
MIIDazCCAlMCFHkbd+TZztV+IKwSIXXY79QTEDEpMA0GCSqGSIb3DQEBCwUAMHIx
CzAJBgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJhbmdh
bG9yZTEVMBMGA1UECgwMR29saW51eENsb3VkMQ4wDAYDVQQLDAVMaW51eDEUMBIG
A1UEAwwLZXhhbXBsZS5jb20wHhcNMjEwODI1MDgzMDQ3WhcNMzEwODIzMDgzMDQ3

In the above example, openssl command is used to check the connection and certificate details. In the example, we are able to connect the LDAPS port 636 and it shows the first few lines of the certificate details.

In the below example, the connection error has occurred due to a Self-signed certificate.

[root@ldapmaster certs]# ldapsearch -x -b dc=example,dc=com -ZZ
ldap_start_tls: Connect error (-11)
	additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)

Step-6: Ignore untrusted certificates for self-signed certificate

You have to explicitly tell the LDAP client to ignore untrusted certificates. You can do so by adding the following to your /etc/openldap/ldap.conf file:

TLS_REQCERT never

If you Test TLS connectivity after adding the above to ldap.conf, you will get the output like below :

[root@ldapmaster ~]# ldapsearch -x -b dc=example,dc=com -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: My example Organisation
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: OpenLDAP Manager

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

# Group, example.com
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: temp
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser
shadowMax: 0
shadowWarning: 0
uid: testuser

# testuser, Group, example.com
dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser

This solution is not the preferred one though.  This solution can cause problems for public-enabled LDAP servers, someone can perform Man in the middle (MITM) attack. For these reasons, it is strongly recommended to use CA-signed certificates!

Configure OpenLDAP over TLS with RootCA Issued Certificate

SSL Certificates that are signed by a Certificate Authority (CA) are trusted by clients. We can connect any services with a certificate signed by your root CA without any errors.

We can create our own CA. However, you must install the CA root certificate in all clients connecting to the server. For example, if you are browsing a website with your own CA, You must import the CA root certificates to your browser to trust the certificate. For this reason, being your own CA is mainly suitable for the services used by a small group of users or clients in a LAN environment.

Even though we can easily get the free SSL certificates from third-party Trusted CA, If you want to create your own certificate; please go through the article Create Certificate Authority and sign a certificate with Root CA for a detailed explanation.

In the following example, we will be creating our own  CA-signed certificate for demonstration purposes only. I have used the domain 'example.com'. On the production servers, you need to use a real domain name only.

Step-1: Create Certificate Authority (CA) certificate

In the example, you will be prompted for the passphrase of your private key (ca.key), we are creating the key with a password and removing it in the next command for using the certificates for OpenLDAP. While creating a CA certificate using ca.key a bunch of questions will be asked to provide details about the root CA certificates. I suggest using the Common Name something that you’ll recognize as your root certificate(For example golinuxcloud.com in our example). Other answers are not that important.

# Create key for CA
[root@ldapmaster certs]#  openssl genrsa -des3 -out ca.key 4096

# Remove password from ca.key
[root@ldapmaster certs]# openssl rsa -in ca.key -out ca.key 

# Create CA certificate using ca.key
[root@ldapmaster certs]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem

Using the above commands we have generated a root CA certificate that can be verified using the below command:

[root@ldapmaster certs]# openssl x509 -noout -text -in ca.cert.pem | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:e7:c2:c6:bc:57:ab:cd:de:ba:f5:e6:7d:dc:a7:fd:df:ba:5e:37
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = golinuxcloud.com
        Validity
            Not Before: Aug 25 17:42:08 2021 GMT
            Not After : Aug 25 17:42:08 2022 GMT
[root@ldapmaster certs]# 

Step-2: Creating RootCA-Signed Server Certificates

In the previous section, we have created our own CA certificate and now we have a Certificate Authority for all our certificates. We can sign certificates for any new certificate requests using our CA certificate. In the example, we are just demonstrating with a domain example.com. When you Generate CSR in the below commands, you will be asked to enter information regarding the certificate. Under the Common Name section, provide a valid domain name (instead of example.com that we are using for testing)

# Generate a server key
[root@ldapmaster certs]# openssl genrsa -des3 -out example.key 4096

# Remove password from the key
[root@ldapmaster certs]# openssl rsa -in example.key -out example.key

# Generate request for signing (CSR)
[root@ldapmaster certs]# openssl req -new -key example.key -out example.csr

# Sign a certificate with CA
[root@ldapmaster certs]# openssl x509 -req -days 365 -in example.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out example.crt
Signature ok
subject=C = IN, L = Default City, O = Default Company Ltd, CN = example.com
Getting CA Private Key

Step-3: Assign proper permisisons to the certificates

Once the certificates are generated, make sure to change the permissions.

[root@ldapmaster certs]# chown -R ldap. /etc/openldap/certs/

[root@ldapmaster certs]# ls -l
total 24
-rw-r--r--. 1 ldap ldap 2074 Aug 25 13:42 ca.cert.pem
-rw-r--r--. 1 ldap ldap   41 Aug 25 13:58 ca.cert.srl
-rw-------. 1 ldap ldap 3247 Aug 25 13:41 ca.key
-rw-r--r--. 1 ldap ldap 1911 Aug 25 13:58 example.crt
-rw-r--r--. 1 ldap ldap 1675 Aug 25 13:58 example.csr
-rw-------. 1 ldap ldap 3243 Aug 25 13:58 example.key

Step-4: Import certificates to OpenLDAP

Let us create an LDIF file and import the certificates to the OpenLDAP server. In the example, I have used the certificates generated in the previous section. You can use the same file format to import a Trusted certificate from Let's Encrypt or any other commercial entity.

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/example.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/example.key

I have copied the above contents to file importCAcert.ldif and imported to OpenLDAP server as below:

[root@ldapmaster certs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f  importCAcert.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Step-5: Validate TLS connection

We can verify the SSL connection using openssl command like below.

[root@ldapmaster ~]# openssl s_client -connect example.com:636 -showcerts| head
depth=1 C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = golinuxcloud.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = golinuxcloud.com
verify return:1
depth=0 C = IN, L = Default City, O = Default Company Ltd, CN = example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:C = IN, L = Default City, O = Default Company Ltd, CN = example.com
   i:C = IN, ST = Karnataka, L = Bangalore, O = GolinuxCloud, OU = Linux, CN = golinuxcloud.com
-----BEGIN CERTIFICATE-----
MIIFVjCCAz4CFAEXRYpmjpwinDb49vXIxR4H85N7MA0GCSqGSIb3DQEBCwUAMHcx
CzAJBgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJhbmdh
bG9yZTEVMBMGA1UECgwMR29saW51eENsb3VkMQ4wDAYDVQQLDAVMaW51eDEZMBcG
A1UEAwwQZ29saW51eGNsb3VkLmNvbTAeFw0yMTA4MjUxNzU4NDRaFw0yMjA4MjUx

Using ldapsearch command also you can verify the TLS connection. If your certificate is trusted, the command will show the details.

[root@ldapmaster ~]# ldapsearch -x -b dc=example,dc=com -ZZ | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com

OpenLDAP Client Certificate

Client certificates are created similarly to server certificates. The RockyLinux/RHEL/CentOS system uses the System Security Services Daemon (SSSD) service to retrieve user data.

You must Copy the file containing the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server’s SSL/TLS certificate into the /etc/openldap/cacerts or any folder on the client machine. In this article, we have used our own  CA certificate ca.cert.pem to generate a CA-signed certificate. You need to copy this to a client machine so that the client-server can trust your own CA.

Please refer the article  8 simple steps to configure LDAP client RHEL/CentOS 8  to configure OpenLDAP client using SSSD to retrieve data from LDAP server in an encrypted way. In the article steps to Enable TLS in SSSD and LDAP are mentioned in detail. The article can be referred to as Rocky Linux installations too.

Summary

In the article, we have learned to use Self-signed and CA-signed certificates on the OpenLDAP server. The article is tested on the Rocky Linux 8 machine. You can also use the same steps to configure it on CentOS/RHEL machines.

References

OpenLDAP Documentation