Secure OpenLDAP Server with SSL/TLS on Ubuntu 22.04|20.04|18.04

Posted on 88 views

In our previous articles, we discussed the installation of OpenLDAP Server on Ubuntu and how to setup OpenLDAP client on Ubuntu. This short tutorial will cover securing LDAP Server with SSL/TLS certificate and key. You have two options of obtaining an SSL certificate used for securing LDAP Server.

  1. Using Self Signed SSL Certificate
  2. Purchasing SSL certificates from trusted CA

This guide will explain use of self signed certificates. So Let’s get started.

Step 1: Generate Self signed SSL cerificates

Login to your LDAP server and generate SSL certificates to be used.

$ mkdir ~/ldap_ssl && cd ~/ldap_ssl
$ openssl genrsa -aes128 -out ldap_server.key 4096 

Generating RSA private key, 4096 bit long modulus
 …………………………………………………………………………………..++
 ………………………………….++
 e is 65537 (0x010001)
 Enter pass phrase for ldap_server.key: 
 Verifying - Enter pass phrase for ldap_server.key: 

Remove passphrase from the generated private key:

$ openssl rsa -in ldap_server.key -out ldap_server.key
Enter pass phrase for ldap_server.key: 
writing RSA key

Generate csr.

$ openssl req -new -days 3650 -key ldap_server.key -out ldap_server.csr 

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Computingpost
Organizational Unit Name (eg, section) []:Computingpost
Common Name (e.g. server FQDN or YOUR name) []:ldap.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        
An optional company name []:

Then sign your certificate:

$ sudo openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650

Signature ok
subject=C = KE, ST = Nairobi, L = Nairobi, O = Computingpost, OU = Computingpost, CN = ldap.example.com, emailAddress = [email protected]
Getting Private key

Step 2: Configure SSL on LDAP Server

Copy Certificates and Key to /etc/ldap/sasl2/ directory.

sudo cp ldap_server.key,ldap_server.crt /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/

Set ownership of the certificates to openldap user.

sudo chown -R openldap. /etc/ldap/sasl2

Configure LDAP Server to use SSL certificates. Create LDAP configuration file for SSL,

$ vim ldap_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key

Apply configuration using the following command.

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif 
SASL/EXTERNAL authentication started SASL
username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Restart LDAP server:

sudo systemctl restart slapd

Step 3: Configure LDAP Client for TLS/SSL Connection

Configure LDAP client to ensure connection between client and server is encrypted. Add TLS_REQCERT allow line to /etc/ldap/ldap.conf .

echo "TLS_REQCERT allow" | sudo tee /etc/ldap/ldap.conf 

Now configure OpenLDAP SSL mechanism by uncommenting the lines below on file ldap.conf.

$ sudo vim /etc/ldap.conf
# Line 259 - OpenLDAP SSL mechanism
ssl start_tls
ssl on

You can now enjoy SSL connection between LDAP client and Server.

coffee

Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.