Sunday, November 27, 2011

Howto configure LDAP with TLS

Configuring LDAP over TLS is a crucial step toward secure directory-based authentication.
In the following tutorial I'll demonstrate how to configure OpenLDAP with TLS.

For the demonstration, both the server and the client I've used are CentOS 5.5 x86_64.
My LDAP server is OpenLDAP v2.3.43.

Let's get started.

Step 1 - Generating and Signing Certificates:

First of all we need to generate and sign the OpenLDAP server certificate.
In this scenario we will both generate and sign the certificate ourselves (self-signed); this is fine for internal and usually small environments.
If you plan to use this in a large enterprise production environment you will need a proper CA, such as Verisign or TERENA, to sign the certificates.

Before continuing, please make sure the OpenSSL package is installed.


Generate your private key and a certificate signing request (-nodes leaves the key unencrypted so slapd can read it without a passphrase, which is why its file permissions matter below):

#cd /etc/openldap/cacerts
#openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr

Sign the certificate with:

#openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Now you have both the private key (server.key) and the self-signed certificate (server.crt).

After the certificate has been generated, assign the correct permissions and ownership:

#chown ldap server.*
#chmod 0400 server.key
#chmod 0644 server.crt

Step 2 - Server Side:

The following two lines need to be added to your server configuration file
(/etc/openldap/slapd.conf):

TLSCertificateFile      /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile   /etc/openldap/cacerts/server.key
 
Restart the LDAP server:

#/etc/init.d/ldap restart

Step 3 - Client Side:

Make sure the ssl parameter in your LDAP client configuration file (/etc/ldap.conf) looks like this:

ssl start_tls

Also, make sure /etc/openldap/ldap.conf includes the following parameters:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
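
As an added check (my own example, not part of the original post), the script below lints the settings from the three steps above: it reads slapd.conf for TLSCertificateFile/TLSCertificateKeyFile and verifies the key is not group/world readable, and reads ldap.conf to flag TLS_REQCERT never/allow, under which libldap proceeds even when the server certificate is missing or fails verification, so a client configured this way would not notice a server presenting the wrong certificate. The paths used in demo() are constructed temporary copies, not the real /etc/openldap files.

```python
import os
import stat
import tempfile

# TLS_REQCERT values under which libldap proceeds even if the server certificate is missing or fails verification (ldap.conf(5)).
WEAK_REQCERT = {"never", "allow"}

def parse_directives(path):
    """Read a slapd.conf/ldap.conf style file into {DIRECTIVE: value} (last one wins)."""
    directives = {}
    for line in open(path):
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].upper()] = parts[1].strip()
    return directives

def check_server(slapd_conf):
    """Findings about the TLS directives in slapd.conf and the key file mode."""
    findings, d = [], parse_directives(slapd_conf)
    for name in ("TLSCERTIFICATEFILE", "TLSCERTIFICATEKEYFILE"):
        if name not in d:
            findings.append("missing " + name)
        elif not os.path.exists(d[name]):
            findings.append(name + " not found: " + d[name])
        elif name.endswith("KEYFILE") and stat.S_IMODE(os.stat(d[name]).st_mode) & 0o077:
            findings.append("key file readable by group/others (expected 0400): " + d[name])
    return findings

def check_client(ldap_conf):
    """Findings about how strictly the client verifies the server certificate."""
    findings, d = [], parse_directives(ldap_conf)
    reqcert = d.get("TLS_REQCERT", "demand").lower()  # demand is libldap's default
    if reqcert in WEAK_REQCERT:
        findings.append("TLS_REQCERT " + reqcert + ": bad or missing server cert is accepted")
    if "TLS_CACERT" not in d and "TLS_CACERTDIR" not in d:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor to verify against")
    return findings

def demo():
    """Run both checks on constructed copies of the tutorial's config files."""
    tmp = tempfile.mkdtemp()
    crt, key = os.path.join(tmp, "server.crt"), os.path.join(tmp, "server.key")
    open(crt, "w").close()
    open(key, "w").close()
    os.chmod(key, 0o644)  # constructed mistake: the tutorial sets 0400
    slapd, ldap = os.path.join(tmp, "slapd.conf"), os.path.join(tmp, "ldap.conf")
    with open(slapd, "w") as fh:
        fh.write("TLSCertificateFile %s\nTLSCertificateKeyFile %s\n" % (crt, key))
    with open(ldap, "w") as fh:
        fh.write("TLS_CACERTDIR %s\nTLS_REQCERT allow\n" % tmp)
    return check_server(slapd), check_client(ldap)
```

On a real host call check_server("/etc/openldap/slapd.conf") and check_client("/etc/openldap/ldap.conf") instead of demo(); an empty list from both means the tutorial's settings are in place with a verified server certificate.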



That's it; from this point on your OpenLDAP is ready to be used over TLS.
Stay secure ;)



Friday, November 4, 2011

IPv6 Subnetting

In this article I will try to explain the basic concepts of IPv6 subnetting.
IPv6 subnetting may seem awkward at first glance, but once you get used to the technique it's really not that hard; anyone familiar with IPv4 subnetting will feel comfortable very soon, just some practice is needed.

A fast refresher before we start:

1) An IPv6 address consists of 128 bits in total: the first 64 bits represent the network and the last 64 bits represent the host. It is written in hexadecimal.

2) Every character in an IPv6 address represents 4 bits.

3) Each IPv6 set (like 2ffe) represents 16 bits (4 characters, each 4 bits long).


So, as an example let's suppose that our ISP has allocated our small corporation the following range:

2001:dead:beef:dd00::/56

Our requirement is to allocate one subnet to each department; there are 8 departments in total.

Let's get busy:

Since we are required to have 8 subnets, we need to work out how many bits the subnetting will take.
To find that, we look for the smallest power of 2 that is large enough for the required allocation.

The formula here is very simple:

S = total subnets required
B = number of bits for subnet representation

2^B >= S

In our case we get: 2^3 >= 8

That means 3 bits are needed for our subnetting, so our new prefix will be /59 (the 56 bits that were given + 3 subnet bits).

/59 means that 59 bits are reserved for the network portion of the IPv6 address.

The subnetting will take place on the 3rd nibble of the 4th set (dd00).

We will write the 3rd nibble of the 4th set (dd00) in binary. Since only 3 bits are needed for subnetting, our lowest possible value will be 000 and our highest possible value will be 111; the last (4th) bit of the nibble stays untouched.

000 0
001 0
010 0
011 0
100 0
101 0
110 0
111 0

Next, we will convert the binary values to hexadecimal. Pay attention that the change occurs on the 3 bits only, while the 4th bit stays the same (0):

000 0 =>0
001 0 =>2
010 0 =>4
011 0 =>6
100 0 =>8
101 0 =>a
110 0 =>c
111 0 =>e

Lastly, we write down all the subnets we got; it will look something like this:

2001:dead:beef:dd00::/59
2001:dead:beef:dd20::/59
2001:dead:beef:dd40::/59
2001:dead:beef:dd60::/59
2001:dead:beef:dd80::/59
2001:dead:beef:dda0::/59
2001:dead:beef:ddc0::/59
2001:dead:beef:dde0::/59


And voilà, we got 8 subnets, one for each department, just what we wanted to achieve.

You can dissect the address even further and add more layers of subnetting depending on your needs.