Configure OpenLDAP with SSL/TLS

From Zarafa wiki


Setting up SSL for OpenLDAP requires you to create an SSL certificate, install the certificate, and set up slapd (the OpenLDAP server process) to accept connections on the SSL port. If you already have an SSL certificate (for example, for Apache), then you can use that certificate for slapd also. First, create a private key with:

 $ openssl genrsa -out private.pem 2048

This will create the file 'private.pem' with a 2048-bit private RSA key. You can then create a self-signed SSL certificate with:

 $ openssl req -new -x509 -key private.pem -out cert.pem -days 1095

Make sure that private.pem stays secret from everyone except the server process serving SSL (i.e. slapd), while cert.pem can be freely available to clients wanting to access the server. Normally, you would place private.pem in /etc/ldap/private.pem and cert.pem in /etc/ssl/certs/<servername>.pem (the commands below use /etc/ssl/certs/server.pem). You must also create the hash link in /etc/ssl/certs: on Debian, this is accomplished by running 'update-ca-certificates'. On other Linux distributions, create the link manually inside /etc/ssl/certs, named after the certificate's subject hash with a '.0' suffix, which is the name OpenSSL looks up:

 $ ln -s /etc/ssl/certs/server.pem /etc/ssl/certs/$(openssl x509 -noout -hash -in /etc/ssl/certs/server.pem).0

Configuring OpenLDAP's slapd to use SSL

To configure OpenLDAP to use SSL, you need to add the following configuration directives to /etc/ldap/slapd.conf:

 TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
 TLSCACertificateFile /etc/ssl/certs/server.pem
 TLSCertificateFile /etc/ssl/certs/server.pem
 TLSCertificateKeyFile /etc/ldap/private.pem
 TLSVerifyClient never
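The preparation sequence above (private key, self-signed certificate, hash link, slapd.conf TLS directives) carried out end to end, as an added example that is not from the Zarafa wiki or the OpenLDAP project. It works in a scratch directory so it can be run as an unprivileged user: the hostname ldap.example.com, the $WORK layout standing in for /etc/ssl/certs and /etc/ldap, and the cipher string are assumptions made for the example, and TLSProtocolMin is an OpenLDAP slapd.conf directive that the page itself does not show. Each step is followed by the check a practitioner wants before restarting slapd: that the key really belongs to the certificate, that the hash link resolves under -CApath, that the key file is readable by its owner only, and that the local OpenSSL accepts the cipher string.

```shell
#!/bin/sh
# Added example, not from the Zarafa wiki. Reproduces the page's procedure
# in a scratch directory: $CERTS stands in for /etc/ssl/certs and $PRIVATE
# for /etc/ldap. Hostname and paths are assumptions made for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERTS="$WORK/certs"
PRIVATE="$WORK/private"
SERVER_NAME="ldap.example.com"      # assumed server hostname
KEY="$PRIVATE/private.pem"
CERT="$CERTS/$SERVER_NAME.pem"
mkdir -p "$CERTS" "$PRIVATE"

# Step 1: 2048-bit RSA private key, written under a restrictive umask so it
# is never group- or world-readable, even briefly.
make_key() {
    (umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null)
    chmod 600 "$KEY"
}

# Step 2: self-signed certificate valid for three years. -subj makes the
# command non-interactive; the CN must be the name clients put in the
# ldaps:// URL, otherwise hostname verification fails on their side.
make_cert() {
    openssl req -new -x509 -key "$KEY" -out "$CERT" -days 1095 \
        -subj "/CN=$SERVER_NAME" 2>/dev/null
}

# Step 3: the hash link. A -CApath lookup wants <subject-hash>.0 inside the
# directory, so the link needs the ".0" suffix and must be created in
# $CERTS rather than in whatever the current directory happens to be.
make_hash_link() {
    h=$(openssl x509 -noout -hash -in "$CERT")
    ln -sf "$SERVER_NAME.pem" "$CERTS/$h.0"
    printf '%s\n' "$CERTS/$h.0"
}

# Step 4: TLS directives for slapd.conf, written to $WORK for review.
# Compared with the page's TLSCipherSuite, this drops SSLv3 and MEDIUM
# ciphers and sets a TLS 1.2 minimum (TLSProtocolMin 3.3 means TLS 1.2).
TLS_SUITE="HIGH:!aNULL:!MD5:!RC4"
write_tls_conf() {
    cat > "$WORK/slapd-tls.conf" <<EOF
TLSCipherSuite $TLS_SUITE
TLSProtocolMin 3.3
TLSCACertificateFile $CERT
TLSCertificateFile $CERT
TLSCertificateKeyFile $KEY
TLSVerifyClient never
EOF
    printf '%s\n' "$WORK/slapd-tls.conf"
}

# Check: the key belongs to the certificate (compare the public key each
# one carries); a mismatch is a common reason slapd refuses to start.
key_matches_cert() {
    k=$(openssl rsa -in "$KEY" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$CERT" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check: the hash link resolves, i.e. the same -CApath lookup that
# "openssl s_client -CApath" and libldap perform accepts the certificate.
capath_verifies() {
    openssl verify -CApath "$CERTS" "$CERT" >/dev/null 2>&1
}

# Check: the private key is readable by its owner only (mode 0600).
key_is_private() {
    [ "$(ls -l "$KEY" | cut -c1-10)" = "-rw-------" ]
}

# Check: the local OpenSSL can parse the cipher string; slapd will not
# start with an unparsable TLSCipherSuite.
suite_is_valid() {
    openssl ciphers "$TLS_SUITE" >/dev/null 2>&1
}

make_key
make_cert
make_hash_link
write_tls_conf
```

Run it as-is to exercise the steps in a temporary directory, then copy the generated key, certificate, hash link and slapd-tls.conf to the real locations named in the text (the key stays owned by the account slapd runs as, mode 0600) before restarting the service. If any of the four checks fails on the real files, fix that first; a key/certificate mismatch or a bad hash link is far easier to diagnose here than from slapd's startup errors.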

The service then needs to be restarted:

 $ /etc/init.d/slapd restart 

or

 $ /etc/init.d/ldap restart


Whether the SSL connection works can be tested with:

 $ openssl s_client -connect <ip>:636 -CApath /etc/ssl/certs

To test whether the SSL connection is working correctly with LDAP, use the following command:

 $ ldapsearch -x -H ldaps://openldap.domain.com -b <BASEDN> -D <binddn> -W

(-W prompts for the bind password; -w would require the password as an argument on the command line.)