Sunday, November 27, 2011

How to configure LDAP with TLS

Configuring LDAP over TLS is a crucial step toward secure directory-based authentication: without it, bind credentials and every query result cross the network in the clear.
In the following tutorial I'll demonstrate how to configure OpenLDAP with TLS (StartTLS on the standard port 389).

For the demonstration, both the server and the client I've used are CentOS 5.5 x86_64.
My LDAP server is OpenLDAP v2.3.43.

Let's get started.

Step 1 - Generating and Signing Certificates:

First of all we need to generate and sign the OpenLDAP server certificate.
In this scenario we both generate and sign the certificate ourselves (self-signed). This is fine for internal and usually small environments, as long as every client gets a copy of the certificate to verify the server against.
If you ever plan to use this in a big enterprise production environment you will need a proper CA that your clients already trust, either an internal PKI or a commercial one like Verisign or Terrena, to sign the certificates.

Before continuing, please make sure the openssl package is installed.


Generate your private key and a certificate signing request:

#cd /etc/openldap/cacerts
#openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr

When prompted for the Common Name, enter the hostname clients will use to reach the server (its FQDN): a client that verifies the certificate checks it against that name. The -nodes option leaves the key unencrypted so that slapd can start without a passphrase, which is why the file permissions in the next step matter.

Sign the certificate with:
#openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

You now have the private key (server.key) and the self-signed certificate (server.crt); the request file is no longer needed.

After the certificate has been generated, assign the correct permissions and ownership so that only the ldap user (the account slapd runs as) can read the private key:

#chown ldap server.*
#chmod 0400 server.key
#chmod 0644 server.crt

Step 2 - Server Side:

The following two lines need to be added to your server configuration file
(/etc/openldap/slapd.conf). Both paths must be readable by the user slapd runs as (ldap), which the ownership set above guarantees:

TLSCertificateFile      /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile   /etc/openldap/cacerts/server.key
 
Restart the LDAP server (it is worth running slaptest against the configuration first, because a wrong path or an unreadable key makes slapd refuse to start):
#/etc/init.d/ldap restart

Step 3 - Client Side:

Make sure the ssl parameter in your LDAP client configuration file (/etc/ldap.conf, read by nss_ldap and pam_ldap) looks like this:

ssl start_tls

Also, make sure /etc/openldap/ldap.conf (read by the OpenLDAP libraries and tools such as ldapsearch) includes the following parameters:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

Two caveats. TLS_CACERTDIR only works if the directory contains CA certificates named by their subject hash (run c_rehash on it), and with a self-signed server certificate the file to put there is a copy of server.crt itself. More importantly, TLS_REQCERT allow tells the client to carry on even when the server's certificate cannot be verified, so it protects against passive sniffing only: anyone able to intercept the connection can present their own certificate and read the bind. Once every client has a copy of server.crt, switch to TLS_REQCERT demand so that an unverifiable certificate aborts the connection.
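To pull the three steps together, here is an added example (my own script, not code from the original post) that runs the certificate generation of Step 1 non-interactively, applies the permissions, checks that key and certificate belong together and verify against themselves before slapd is restarted in Step 2, writes the client fragment for Step 3 with TLS_REQCERT demand beside the weaker allow setting, and defines a live StartTLS check for once the server is up. It assumes a server name of ldap.example.com, a service user named ldap, and a scratch directory unless CERTDIR is set; none of those names come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): the certificate steps of the
# tutorial as a non-interactive script, the checks to run before restarting
# slapd, and a hardened client ldap.conf fragment.
# Assumptions not stated in the post: the server's name is ldap.example.com,
# slapd runs as the local user "ldap" (the CentOS default) and CERTDIR
# defaults to a scratch directory so the script can be tried anywhere;
# set CERTDIR=/etc/openldap/cacerts on the real server.
set -e

CERTDIR="${CERTDIR:-$(mktemp -d)}"
CN="${CN:-ldap.example.com}"
OWNER="${OWNER:-ldap}"

# Key and self-signed certificate: the same openssl invocations as the post,
# with -subj so the CN is set without prompting. The CN must be the name
# clients use to reach the server, because a verifying client checks it.
# -nodes leaves the key unencrypted (slapd must start unattended), which is
# why the file mode set below matters.
gen_selfsigned() {
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$CN" \
        -keyout "$CERTDIR/server.key" -out "$CERTDIR/server.csr" 2>/dev/null
    openssl x509 -req -in "$CERTDIR/server.csr" -signkey "$CERTDIR/server.key" \
        -out "$CERTDIR/server.crt" -days 3650 2>/dev/null
    rm -f "$CERTDIR/server.csr"   # the request is not needed once signed
}

# Only the owner may read the key; the certificate is public. chown needs
# root, so it is skipped when run as an ordinary user.
set_perms() {
    if [ "$(id -u)" -eq 0 ]; then
        chown "$OWNER" "$CERTDIR/server.key" "$CERTDIR/server.crt" 2>/dev/null \
            || echo "warning: no user $OWNER, leaving ownership unchanged" >&2
    fi
    chmod 0400 "$CERTDIR/server.key"
    chmod 0644 "$CERTDIR/server.crt"
}

# Three checks before touching slapd.conf:
#  1. key and certificate belong together (otherwise slapd refuses to start)
#  2. the certificate verifies against itself as CA, which is exactly what a
#     client configured with TLS_CACERT=server.crt and TLS_REQCERT demand does
#  3. it has not expired
verify_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$CERTDIR/server.key" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$CERTDIR/server.crt")
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] \
        || { echo "key does not match certificate" >&2; return 1; }
    openssl verify -CAfile "$CERTDIR/server.crt" "$CERTDIR/server.crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify against itself" >&2; return 1; }
    openssl x509 -noout -checkend 0 -in "$CERTDIR/server.crt" >/dev/null
}

# Client-side /etc/openldap/ldap.conf fragment. The post's "TLS_REQCERT allow"
# accepts any certificate, so a man-in-the-middle goes unnoticed; "demand"
# with a pinned copy of server.crt is the setting to ship to clients.
write_client_conf() {
    cat > "$CERTDIR/ldap.conf.client" <<EOF
# weak (from the tutorial): TLS_REQCERT allow
# hardened: refuse the session unless the server presents this exact cert
TLS_CACERT /etc/openldap/cacerts/server.crt
TLS_REQCERT demand
EOF
    echo "$CERTDIR/ldap.conf.client"
}

# Live check from a client once slapd is restarted: -ZZ makes ldapsearch fail
# unless StartTLS succeeds, and the LDAPTLS_* variables override ldap.conf so
# the strict settings are exercised even before the file is deployed.
check_starttls() {
    host="${1:-$CN}"
    LDAPTLS_CACERT="$CERTDIR/server.crt" LDAPTLS_REQCERT=demand \
        ldapsearch -x -ZZ -H "ldap://$host" -b "" -s base "(objectClass=*)"
}

main() {
    gen_selfsigned
    set_perms
    verify_cert
    write_client_conf >/dev/null
    echo "server.key and server.crt in $CERTDIR are consistent; copy server.crt to the clients"
}
main
```

Run it as root with CERTDIR=/etc/openldap/cacerts on the server, then copy server.crt to each client and call check_starttls from there. With TLS_REQCERT demand a failed -ZZ bind is the desired outcome whenever something other than your server answers on port 389; with allow the same search would silently succeed.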



That's it, from this point your OpenLDAP is ready to be used over TLS. Before relying on it, confirm from a client with ldapsearch -ZZ, which fails unless StartTLS actually succeeds.
Stay secure ;)