This tip assumes that OpenLDAP is currently running on port 389 without SSL/TLS configured and that the server configuration is stored in the database via cn=config (rather than in a static slapd.conf).
1. Generate an SSL key pair
a. private key
openssl genrsa -out slapd.key 2048
b. self-signed certificate
re: http://www.openssl.org/docs/HOWTO/certificates.txt
openssl req -new -x509 -key slapd.key -out slapd.crt -days 1095
2. Copy the certificate and key to /etc/openldap/tls (or another appropriate location); if you use a different location, adjust the paths in the following LDIF accordingly.
3. Create a file called tls.ldif and copy the following contents into it:
#
# re: ldapmodify -x -D "cn=admin,cn=config" -w $password -f tls.ldif
#
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/tls/slapd.crt
-
add: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/tls
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/tls/slapd.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/tls/slapd.key
-
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
4. Execute the following command to modify the database based on the contents of the LDIF; enter the password for the DN cn=admin,cn=config when prompted:
ldapmodify -x -D "cn=admin,cn=config" -W -f tls.ldif
Once that step is complete, TLS connections should succeed. To validate this, run an ldapsearch with the -ZZ flag, which forces a StartTLS negotiation and fails if it does not succeed.
ldapsearch -xZZ -D "cn=manager,dc=example,dc=com" -W
5. Once TLS connections have been configured and validated, configure all clients to connect via TLS.
6. The next step is to *require* TLS connections from all clients, using the following LDIF — require-tls.ldif:
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: minssf=256
Do not do this until clients are configured or you will risk being locked out!
7. Run ldapmodify to modify cn=config:
ldapmodify -x -D "cn=admin,cn=config" -W -f require-tls.ldif
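The following pre-flight helper is an added example, not part of the original tip: it generates the step-3 LDIF from the chosen paths, checks that the private key really belongs to the certificate, checks the key's file mode, and runs the step-4 StartTLS test before you enforce TLS in step 6. It assumes openssl and ldapsearch are on PATH, that the tip's paths are used, and that anonymous reads of the rootDSE are allowed.

```shell
#!/bin/sh
# Added pre-flight helper for the steps above; not part of the original tip.
# Assumes openssl and ldapsearch are on PATH and the tip's paths are used.
TLS_DIR=${TLS_DIR:-/etc/openldap/tls}

# Emit the step-3 LDIF for the given cert, key and directory. The tip uses
# the cipher string HIGH:MEDIUM:+SSLv2; the default here drops the obsolete
# SSLv2 and MEDIUM entries (an assumption; override with the 4th argument).
make_tls_ldif() {
  crt=$1; key=$2; dir=$3; ciphers=${4:-HIGH}
  printf '%s\n' \
    'dn: cn=config' 'changetype: modify' \
    'add: olcTLSCACertificateFile' "olcTLSCACertificateFile: $crt" '-' \
    'add: olcTLSCACertificatePath' "olcTLSCACertificatePath: $dir" '-' \
    'add: olcTLSCertificateFile' "olcTLSCertificateFile: $crt" '-' \
    'add: olcTLSCertificateKeyFile' "olcTLSCertificateKeyFile: $key" '-' \
    'add: olcTLSCipherSuite' "olcTLSCipherSuite: $ciphers"
}

# Step-2 sanity check: the private key must belong to the certificate.
# Compares the RSA moduli; returns 0 only when they match.
check_pair() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# The key should be readable only by its owner (the slapd user);
# returns 0 for mode 0600 or 0400, 1 otherwise.
check_key_mode() {
  m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case $m in 600|400) return 0 ;; *) return 1 ;; esac
}

# Step-4 validation without a bind: -ZZ forces StartTLS and fails if the
# negotiation does not succeed. Assumes anonymous reads of the rootDSE are
# allowed. Do not apply require-tls.ldif until this returns 0.
check_starttls() {
  ldapsearch -x -ZZ -H "${1:-ldap://localhost:389}" -b '' -s base -LLL >/dev/null
}

# Run all checks against the server URI given as $1; stop on first failure.
preflight() {
  check_pair "$TLS_DIR/slapd.crt" "$TLS_DIR/slapd.key" || { echo 'key/cert mismatch' >&2; return 1; }
  check_key_mode "$TLS_DIR/slapd.key" || { echo 'key is group/world readable' >&2; return 1; }
  check_starttls "$1" || { echo 'StartTLS failed' >&2; return 1; }
  echo 'TLS pre-flight OK'
}
```

Run `preflight ldap://localhost:389` after step 4; only when it prints `TLS pre-flight OK` move on to steps 5 and 6.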