Require TLS on OpenLDAP

A common question that comes up on the LDAP mailing list and among peers of mine who work with OpenLDAP is “how do I force clients to use secure connections when connecting to my LDAP directory?”.

The correct way to require TLS with OpenLDAP is to set a minimum security strength factor (SSF) on the server, through the olcSecurity attribute under cn=config (the security directive in slapd.conf). The factor keyword is ssf=; minssf belongs to the sasl-secprops directive and is not accepted here. The SSF of a TLS session is the key length in bits of the negotiated cipher, so ssf=128 admits AES-128 and stronger and makes slapd answer every operation on a cleartext connection with confidentialityRequired (result code 13). Requiring 256 would also turn away the AES-128 sessions most clients negotiate.

Here is a sample LDIF that applies the change dynamically, without restarting slapd:

dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: ssf=128

Be sure every client, including your own administrative tooling, already connects with TLS before enforcing this, or they will be refused with confidentialityRequired and you will have an outage. The requirement also applies to ldapi:// connections, whose SSF is whatever olcLocalSSF says (71 by default), so raise olcLocalSSF to at least the value you require if you administer the server over ldapi://.

To add the LDIF above, copy the text to require-tls.ldif and execute the following command. The -ZZ flag insists on StartTLS, so the change itself travels encrypted and the command fails early if TLS is not actually working on the server:

ldapmodify -xZZH ldap://$LDAPHOST/ -D "cn=admin,cn=config" -w "$BINDPW" -f require-tls.ldif

SSH Public Key Authentication via OpenLDAP on RHEL/CentOS 6.x

With the release of RHEL/CentOS 6.x the way sshd fetches users' public keys from OpenLDAP changed. I was able to get this working with the following modifications.

Requirements:

* RHEL / CentOS 6.x
* openssh-ldap (provides ssh-ldap-helper and the ssh-ldap-wrapper script)

In /etc/ssh/sshd_config, set AuthorizedKeysCommand. sshd runs ssh-ldap-wrapper with the login name as its argument, and the wrapper prints that user's public keys in authorized_keys format:

AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper

Next, create /etc/ssh/ldap.conf. Because this file decides which keys may log in as any user, its TLS settings are security-critical: use StartTLS and make the helper verify the server certificate against your CA, otherwise anyone who can impersonate the directory on the network can supply their own key and log in. The file also holds the bind password, so restrict its permissions to the account that runs the helper.

ldap_version 3
bind_policy soft

# read-only account used to look up keys; this file holds its password,
# so restrict the file's permissions accordingly
binddn cn=readonly,ou=people,dc=example,dc=com
bindpw secret

# StartTLS on port 389, and require a server certificate that chains to a
# CA in tls_cacertdir. "tls_reqcert never" would skip verification, which
# for a file that decides who may log in is not an acceptable shortcut.
ssl start_tls
tls_reqcert demand
tls_cacertdir /etc/openldap/cacerts

# with tls_reqcert demand, use the name on the server certificate here
# rather than a bare IP address
host 10.x.x.x
port 389
base dc=example,dc=com

If the directory has the openssh-lpk schema loaded (the openssh-ldap package ships it; it defines objectClass ldapPublicKey with the sshPublicKey attribute) and the user entries carry keys, this configuration should work. Check it the way sshd will before relying on it: /usr/libexec/openssh/ssh-ldap-helper -s <user> prints the keys the wrapper would hand to sshd.

For more information on how to setup the schema and insert public keys, review the documents here, but note that the client configuration has changed since they were written.
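The helper's job is to turn the directory's sshPublicKey values into authorized_keys lines. The following script is an added example, not code from this post or from openssh-ldap: it performs that same transformation on ldapsearch output in POSIX sh, handles the two LDIF details that trip up hand-rolled versions (folded long lines and base64-encoded values), and applies a shape check before anything reaches sshd. It assumes the openssh-lpk schema (objectClass ldapPublicKey, attribute sshPublicKey), the placeholder host ldap.example.com with base dc=example,dc=com, and a GNU-style base64 -d; the sample LDIF at the bottom is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not part of the original post): the transformation
# ssh-ldap-helper performs, done with ldapsearch and POSIX sh, plus a
# shape check on the result. Assumptions: the openssh-lpk schema
# (objectClass ldapPublicKey, attribute sshPublicKey), a GNU-style
# "base64 -d", and the placeholder host/base ldap.example.com, dc=example,dc=com.

# ldapsearch folds long values by continuing them on lines that begin with
# a single space, and emits values it cannot print safely as
# "attr:: <base64>". Unfold, then decode, leaving one key per output line.
ldif_to_authorized_keys() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    while IFS= read -r line; do
        case $line in
            "sshPublicKey:: "*)
                printf '%s\n' "${line#sshPublicKey:: }" | base64 -d
                printf '\n' ;;
            "sshPublicKey: "*)
                printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# Keep only bare keys: a known key type, a base64 blob, an optional comment.
# Values carrying authorized_keys options (command=, from=, ...) or stray
# text are dropped. That is a deliberate policy choice of this example, so
# that a writable directory attribute cannot attach options to a login.
filter_valid_keys() {
    grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Live lookup for one login name, as an AuthorizedKeysCommand would do it.
# -ZZ insists on StartTLS; the server certificate is checked according to
# /etc/openldap/ldap.conf. The search filter is an assumption of this example.
fetch_keys_for_user() {
    ldapsearch -x -ZZ -LLL -H "ldap://ldap.example.com/" -b dc=example,dc=com \
        "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey |
    ldif_to_authorized_keys | filter_valid_keys
}

# Constructed sample in the shape of "ldapsearch -LLL ... sshPublicKey"
# output: a folded ed25519 key, a base64-encoded value that smuggles in a
# command= option, and a junk value. Only the first should survive.
# The base64 form is produced at run time so it is guaranteed to decode.
sample_ldif() {
    b64=$(printf '%s' 'command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfake jdoe@desktop' | base64 | tr -d '\n')
    printf 'dn: uid=jdoe,ou=people,dc=example,dc=com\n'
    printf 'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleEx\n'
    printf ' ampleExampleEx jdoe@laptop\n'
    printf 'sshPublicKey:: %s\n' "$b64"
    printf 'sshPublicKey: not a key\n'
    printf '\n'
}

# Demo against the constructed sample; prints a single ssh-ed25519 line.
sample_ldif | ldif_to_authorized_keys | filter_valid_keys
```

The live entry point is fetch_keys_for_user; the demo at the end runs only on the constructed sample. Dropping values that carry authorized_keys options is a policy decision of this example, not something ssh-ldap-helper does: if you rely on such options in the directory, loosen filter_valid_keys, and in either case treat write access to sshPublicKey as equivalent to a login as that user on every host that trusts the directory.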

TLS Issue with Amazon OpenLDAP 2.4.23-15

Today I had an issue getting a good TLS connection from an OpenLDAP client to an OpenLDAP server on an EC2 instance using the packages supplied by Amazon.

The problem packages were:


The problem was resolved by updating openldap-clients to version 2.4.23-20:

yum -y update openldap-clients

The problem was reproduced with the following ldapsearch command (the -d 4 debug level shows the TLS layer's messages):

# ldapsearch -xZZ -d 4
TLS: did not find any valid CA certificates in /etc/openldap/cacerts
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
ldap_start_tls: Connect error (-11)

Configuring Existing OpenLDAP 2.4+ Directory to Accept TLS Connections

This tip assumes OpenLDAP is running properly on port 389 without TLS configured, and that its configuration lives in the cn=config database (slapd.d) so it can be changed online with ldapmodify.

1. Generate an SSL key pair

a. private key

openssl genrsa -out slapd.key 2048

b. self-signed certificate, valid for three years; when prompted for the Common Name, enter the DNS name clients will use in their ldap:// URI, because clients that verify certificates compare it against that host

openssl req -new -x509 -key slapd.key -out slapd.crt -days 1095

2. Copy the certificate and key to /etc/openldap/tls (adjust the paths in the LDIF below if you use another location). The private key must be readable by the account slapd runs as (ldap on RHEL/CentOS) and by nobody else: owner ldap, mode 0600.

3. Create a file called tls.ldif with the following contents. Each change inside a modify record is separated from the next by a line holding a single "-"; without those separators ldapmodify rejects the record. olcTLSCACertificatePath is optional here (the self-signed certificate is its own CA, and OpenSSL-linked builds expect c_rehash-style hashed file names in that directory). The cipher string is deliberately just HIGH: the HIGH:MEDIUM:+SSLv2 string found in older guides admits 128-bit RC4 and other MEDIUM-grade ciphers, and with an OpenSSL-linked slapd HIGH:!aNULL:!MD5 is tighter still.

# apply with: ldapmodify -x -D "cn=admin,cn=config" -W -f tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/tls/slapd.crt
-
add: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/tls
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/tls/slapd.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/tls/slapd.key
-
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH

4. Execute the following command to apply the LDIF to cn=config, entering the password for cn=admin,cn=config when prompted. The change takes effect immediately, without restarting slapd:

ldapmodify -x -D "cn=admin,cn=config" -W -f tls.ldif

Once that step is complete, StartTLS connections should succeed. To validate this, run ldapsearch with -ZZ, which makes the command fail outright rather than silently continue in cleartext if the StartTLS handshake does not complete. Use the server's DNS name rather than an IP address in the URI (or in ldap.conf) so that the certificate name check passes:

ldapsearch -xZZ -D "cn=manager,dc=example,dc=com" -W

5. Once TLS connections have been configured and validated, configure all clients to connect via TLS.

6. The next step is to *require* TLS connections from all clients, using the following LDIF — require-tls.ldif:

dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: ssf=128

Do not do this until all clients are configured or you will risk being locked out! The requirement also covers ldapi:// connections, whose SSF is olcLocalSSF (71 by default), so raise olcLocalSSF first if you administer the server over ldapi://.

7. Run ldapmodify to modify cn=config. This final cleartext modification is accepted because the requirement only applies once it has been written; every later change to cn=config must go over TLS (-ZZ) or an ldapi:// connection with a sufficient olcLocalSSF:

ldapmodify -x -D "cn=admin,cn=config" -W -f require-tls.ldif
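Both the first post's olcSecurity change and steps 6 and 7 here come down to one question: does slapd now refuse cleartext? The script below is an added example, not code from either post, that answers it with ldapsearch. It probes the server once in cleartext, once with -ZZ, and once over ldapi://, and interprets the exit codes, which the OpenLDAP command-line tools set to the LDAP result code. It assumes the tools are on the PATH, the server name in LDAPHOST (ldap.example.com is a placeholder default), and the default ldapi socket; no credentials are needed because the SSF check is applied at the bind itself.

```shell
#!/bin/sh
# Added example (not part of the original posts): verify what
# olcSecurity: ssf=128 actually does on a running server.
# Assumptions: OpenLDAP command-line tools on the PATH, the server name in
# LDAPHOST (placeholder default below), slapd's ldapi:// socket at its
# default path. No bind DN is needed: the SSF check happens at the bind.

LDAPHOST=${LDAPHOST:-ldap.example.com}

# One anonymous root-DSE search over the given URI, with any extra options
# (e.g. -ZZ) passed through. Prints the tool's exit status, which for the
# OpenLDAP tools is the LDAP result code: 0 success, 13 confidentialityRequired.
probe() {
    uri=$1; shift
    rc=0
    ldapsearch -x -H "$uri" "$@" -s base -b '' -LLL supportedLDAPVersion \
        >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Interpret the cleartext and StartTLS results. Side-effect free, so it can
# be exercised without a server.
verdict() {
    plain=$1; starttls=$2
    if [ "$starttls" -ne 0 ]; then
        echo tls-broken      # StartTLS itself fails: fix TLS before enforcing
    elif [ "$plain" -eq 13 ]; then
        echo enforced        # cleartext refused with confidentialityRequired
    elif [ "$plain" -eq 0 ]; then
        echo not-enforced    # cleartext bind still accepted
    else
        echo unexpected      # e.g. server unreachable; look at the raw code
    fi
}

# Same for the local ldapi:// socket: its SSF is olcLocalSSF (default 71),
# so ssf=128 blocks it unless olcLocalSSF has been raised as well.
ldapi_verdict() {
    case $1 in
        0)  echo ok ;;
        13) echo blocked-by-localssf ;;
        *)  echo unreachable ;;
    esac
}

# Run all three probes and report; exit status 0 only when enforced.
check_tls_enforcement() {
    v=$(verdict "$(probe "ldap://$LDAPHOST/")" "$(probe "ldap://$LDAPHOST/" -ZZ)")
    l=$(ldapi_verdict "$(probe ldapi:///)")
    echo "ldap://$LDAPHOST/: $v; ldapi:///: $l"
    [ "$v" = enforced ]
}

# Live check only when invoked as "sh check-tls.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = run ]; then
    check_tls_enforcement
fi
```

Run check_tls_enforcement after step 7: "enforced" for ldap:// together with "ok" for ldapi:// is the state you want. "blocked-by-localssf" means your own ldapi:// administration path is now refused and olcLocalSSF needs raising; "tls-broken" seen before step 7 means do not enforce yet, because clients would have no working encrypted path to fall back on.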