If you have set up replication between servers, it is always better practice to encrypt the replication traffic (with StartTLS) so that others cannot sniff your data. This is distinct from using encryption for authentication as we did in https://www.supportsages.com/2012/06/ldap-configuration-for-user-and-group-centralised-authentication-on-ubuntu-lts-12-04-part-3 . Let us discuss how to do LDAP replication with TLS authentication.
The assumption here is that you have set up replication between Provider and Consumer following https://www.supportsages.com/2012/07/how-to-setup-a-backup-ldap-server-through-ldap-replication and have configured TLS for authentication on the Provider by following https://www.supportsages.com/2012/06/ldap-configuration-for-user-and-group-centralised-authentication-on-ubuntu-lts-12-04-part-3 .
As mentioned before, our objective with replication is high availability for the LDAP service. Since we have TLS for authentication on the Provider, we will require the same on the Consumer. What remains to be done is to create a key and certificate for the Consumer and then configure it accordingly. We will generate the key and certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary files over to the Consumer.
On the Provider (ldapserver.int.sages.com)
Create a holding directory (which will be used for the eventual transfer) and then the Consumer’s private key:
root@ldapserver:]# mkdir ldapreplserver-ssl
root@ldapserver:]# cd ldapreplserver-ssl
root@ldapserver:ldapreplserver-ssl]# certtool --generate-privkey --bits 1024 --outfile ldapreplserver.int.sages.com_slapd_key.pem
Create an info file, ldapreplserver.info, for the Consumer server, adjusting its values accordingly:
root@ldapserver:ldapreplserver-ssl]# vi ldapreplserver.info
=========================================================
organization = Support Sages
cn = ldapreplserver.int.sages.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650
=========================================================
The expiration_days attribute defines the number of days the certificate is valid; 3650 days is roughly 10 years.
Create the Consumer’s certificate:
root@ldapserver:ldapreplserver-ssl]# certtool --generate-certificate --load-privkey ldapreplserver.int.sages.com_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template ldapreplserver.info --outfile ldapreplserver.int.sages.com_slapd_cert.pem
Get a copy of the CA certificate:
root@ldapserver:ldapreplserver-ssl]# cp /etc/ssl/certs/cacert.pem .
We’re done. Now transfer the ldapreplserver-ssl directory to the Consumer.
Here we use scp (adjust accordingly):
root@ldapserver:ldapreplserver-ssl]# cd ..
root@ldapserver:]# scp -r ldapreplserver-ssl root@ldapreplserver:
On the Consumer
Install the ssl-cert package first:
root@ldapreplserver:]# apt-get install ssl-cert
Add the openldap user to ssl-cert group and adjust the permissions as shown below:
root@ldapreplserver:]# adduser openldap ssl-cert
root@ldapreplserver:]# cp ldapreplserver.int.sages.com_slapd_cert.pem /etc/ssl/certs
root@ldapreplserver:]# cp ldapreplserver.int.sages.com_slapd_key.pem /etc/ssl/private
root@ldapreplserver:]# chgrp ssl-cert /etc/ssl/private/ldapreplserver.int.sages.com_slapd_key.pem
root@ldapreplserver:]# chmod g+r /etc/ssl/private/ldapreplserver.int.sages.com_slapd_key.pem
root@ldapreplserver:]# chmod o-r /etc/ssl/private/ldapreplserver.int.sages.com_slapd_key.pem
Create the file /etc/ssl/certinfo.ldif with the following contents (adjust accordingly):
root@ldapreplserver:]# vi /etc/ssl/certinfo.ldif
=========================================
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldapreplserver.int.sages.com_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldapreplserver.int.sages.com_slapd_key.pem
Configure the slapd-config database:
root@ldapreplserver:]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
Configure /etc/default/slapd as on the Provider (SLAPD_SERVICES).
On the Consumer, configure TLS for Consumer-side replication by modifying the existing olcSyncRepl attribute to add some TLS options. In doing so, we will see, for the first time, how to change an attribute's existing value(s).
Create the file consumer_sync_tls.ldif with the following contents:
root@ldapreplserver:]# vi consumer_sync_tls.ldif
===================================================
dn: olcDatabase={1}hdb,cn=config
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldapserver.int.sages.com bindmethod=simple binddn="cn=admin,dc=int,dc=sages,dc=com" credentials=sages123 searchbase="dc=int,dc=sages,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
 schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
 starttls=critical tls_reqcert=demand
===================================================
The two extra options specify, respectively, that the Consumer must use StartTLS (starttls=critical, so the session fails rather than falling back to clear text) and that the Provider's certificate must be presented and verified against the CA certificate (tls_reqcert=demand).
Implement these changes to our LDAP tree:
root@ldapreplserver:]# ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif
And restart slapd:
root@ldapreplserver:]# /etc/init.d/slapd restart
On the Provider (ldapserver.int.sages.com)
Check to see that a TLS session has been established. In /var/log/syslog, provided you have 'conns'-level logging set up, you should see messages similar to:
=============================================================
slapd[3620]: conn=1047 fd=20 ACCEPT from IP=xx.xx.xx.xx:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=int,dc=sages,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=int,dc=sages,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text
=============================================================
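Reading those lines by eye works for one connection, but the thing you actually want to know is whether any BIND on the Provider ever happened before "TLS established" on the same conn, since that would mean the replication credentials went over the wire in clear text. The script below is an added example (not part of the original post) that checks exactly that over 'conns'-level slapd log lines; the sample log is constructed, with conn=1047 copied from the healthy exchange above and conn=1048 a hypothetical consumer that bound without StartTLS.

```python
"""Audit slapd 'conns'-level syslog lines: report simple BINDs that were
not preceded by a successful 'TLS established' on the same connection."""
import re

CONN_RE = re.compile(r"conn=(\d+)\s+(.*)")
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" method=')

# Constructed sample log: conn=1047 mirrors the Provider output shown in
# the post; conn=1048 is a hypothetical consumer binding without StartTLS.
SAMPLE_LOG = """\
slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.0.0.2:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=int,dc=sages,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=int,dc=sages,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text=
slapd[3620]: conn=1048 fd=21 ACCEPT from IP=10.0.0.9:40112 (IP=0.0.0.0:389)
slapd[3620]: conn=1048 op=0 BIND dn="cn=admin,dc=int,dc=sages,dc=com" method=128
slapd[3620]: conn=1048 op=0 BIND dn="cn=admin,dc=int,dc=sages,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1048 op=0 RESULT tag=97 err=0 text=
"""


def find_cleartext_binds(log_text):
    """Return a list of (conn_id, peer_ip, bind_dn) for every BIND that was
    issued on a connection with no 'TLS established' line before it."""
    tls_ok = set()      # conn ids that completed StartTLS
    peers = {}          # conn id -> client IP from the ACCEPT line
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        if " ACCEPT from IP=" in rest:
            peers[conn] = rest.split("IP=")[1].split(":")[0]
        elif "TLS established" in rest:
            tls_ok.add(conn)
        else:
            b = BIND_RE.search(rest)     # only the 'method=' BIND line
            if b and conn not in tls_ok:
                findings.append((conn, peers.get(conn, "?"), b.group(1)))
    return findings


if __name__ == "__main__":
    for conn, ip, dn in find_cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn} from {ip}: BIND as {dn} without TLS")
```

On a real Provider, feed it the slapd lines from /var/log/syslog; an empty result for the Consumer's IP confirms that starttls=critical is doing its job.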