TLS Authentication of LDAP sessions:
Till now, all sessions between the LDAP client and the server have been open and unencrypted. It's time to encrypt our LDAP client-server sessions. The most common mechanisms are Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL).
Here we create our own Certificate Authority (CA) and then create our LDAP server certificate and sign it with that CA. The first step is to obtain or create a certificate. Because slapd is compiled against the gnutls library, the certtool utility is used to create the certificates. Install the gnutls-bin package by running the following command as root on the LDAP server:
root@ubuntuserver:]# apt-get install gnutls-bin
After the package is installed, we create a private key for the Certificate Authority (CA) by the following command:
root@ubuntuserver:]# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
The --generate-privkey option generates a private key, which is saved to the file /etc/ssl/private/cakey.pem.
Now we create a template file /etc/ssl/ca.info to define the CA with the following entries as shown below:
root@ubuntuserver:]# vi /etc/ssl/ca.info
============================================
cn = Support Sages
ca
cert_signing_key
============================================
Now create the self-signed CA certificate using the following command:
root@ubuntuserver:]# certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Note that we use the --template option to pass the template file /etc/ssl/ca.info created above, which defines our self-signed CA. The --load-privkey option loads the CA private key file cakey.pem which we created earlier, and the --outfile option writes the self-signed CA certificate to /etc/ssl/certs/cacert.pem.
Now make a private key for the LDAP server by:
root@ubuntuserver:]# certtool --generate-privkey --outfile /etc/ssl/private/ldapserver.int.sages.com_slapd_key.pem
Replace ldapserver.int.sages.com in the slapd key filename with your server's hostname.
To sign the server’s certificate with the CA, create the /etc/ssl/ldapserver.int.sages.com.info info file containing:
root@ubuntuserver:]# vi /etc/ssl/ldapserver.int.sages.com.info
=========================================================
organization = Support Sages
cn = ldapserver.int.sages.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650
=========================================================
The expiration_days attribute defines the number of days the certificate is valid; 3650 days makes the above certificate good for roughly 10 years.
Replace the cn (common name) ldapserver.int.sages.com with your server's hostname.
And now we create the server certificate with the following command:
root@ubuntuserver:]# certtool --generate-certificate --load-privkey /etc/ssl/private/ldapserver.int.sages.com_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ldapserver.int.sages.com.info --outfile /etc/ssl/certs/ldapserver.int.sages.com_slapd_cert.pem
In the above command we pass the template file ldapserver.int.sages.com.info with the --template option to define our server certificate, as we did for the self-signed CA. The --load-privkey option loads the server's private key file ldapserver.int.sages.com_slapd_key.pem which we created earlier, --load-ca-privkey loads our CA private key, --load-ca-certificate passes the CA certificate cacert.pem, and the --outfile option writes the certificate to /etc/ssl/certs/ldapserver.int.sages.com_slapd_cert.pem.
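The certtool steps above, wrapped into one script parameterised by hostname and organisation so they can be repeated for another server. This is an added example, not code from the original post; the `run` argument guard is a hypothetical convenience so that the template functions can be inspected without touching /etc/ssl, and the paths are the ones used above.

```shell
#!/bin/sh
# Added example: generate CA key/cert and a CA-signed slapd key/cert with certtool.
# Usage: sh mkcerts.sh run <hostname> <organisation> [days]
set -eu

# Template for the self-signed CA (same entries as /etc/ssl/ca.info above).
ca_template() {
    printf 'cn = %s\nca\ncert_signing_key\n' "$1"
}

# Template for the server certificate: $1 hostname, $2 organisation, $3 days.
server_template() {
    printf 'organization = %s\ncn = %s\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = %s\n' \
        "$2" "$1" "$3"
}

# Create the CA (if not already present) and the signed server key/cert for $1.
gen_certs() {
    host=$1; org=$2; days=${3:-3650}
    key=/etc/ssl/private/${host}_slapd_key.pem
    cert=/etc/ssl/certs/${host}_slapd_cert.pem
    umask 077   # new files are private until we loosen them deliberately below
    [ -f /etc/ssl/private/cakey.pem ] || certtool --generate-privkey > /etc/ssl/private/cakey.pem
    ca_template "$org" > /etc/ssl/ca.info
    certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \
        --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
    certtool --generate-privkey --outfile "$key"
    server_template "$host" "$org" "$days" > "/etc/ssl/$host.info"
    certtool --generate-certificate --load-privkey "$key" \
        --load-ca-certificate /etc/ssl/certs/cacert.pem \
        --load-ca-privkey /etc/ssl/private/cakey.pem \
        --template "/etc/ssl/$host.info" --outfile "$cert"
    # Only the server key needs to be readable by slapd's group; certificates are public.
    chgrp ssl-cert "$key" && chmod 640 "$key"
    chmod 644 /etc/ssl/certs/cacert.pem "$cert"
}

if [ "${1:-}" = run ]; then
    gen_certs "$2" "$3" "${4:-3650}"
fi
```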
Now we have a certificate, a key, and the CA certificate installed. We use the ldapmodify command to add the new configuration options to the slapd configuration tree. As we know, ldapmodify modifies our DIT and takes its input in LDIF format, so we create an LDIF file certinfo.ldif with the following entries:
root@ubuntuserver:]# vi certinfo.ldif
=========================================================================
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldapserver.int.sages.com_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldapserver.int.sages.com_slapd_key.pem
=========================================================================
Note that the certificate file names should be configured correctly in the above file with respect to the certs you created for your hostname.
Now we use the ldapmodify command to add the data to the cn=config DIT, which tells slapd about our TLS settings via the slapd-config (cn=config) database:
root@ubuntuserver:]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
You can see an output as shown below:
===================================
modifying entry "cn=config"
===================================
Once this is done, make sure that the following entry is uncommented in the /etc/default/slapd file:
SLAPD_SERVICES="ldap:/// ldapi:///"
Contrary to popular belief, we do not need ldaps:/// in /etc/default/slapd in order to use TLS encryption; the line above is all that is required.
LDAP over TLS works using StartTLS. STARTTLS is an extension to plain-text communication protocols which offers a way to upgrade a plain-text connection to an encrypted (TLS or SSL) connection, instead of using a separate port for encrypted communication. So here an existing LDAP session (on TCP port 389) becomes protected by TLS/SSL, whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636. We are using STARTTLS for our encryption.
Now it's time to set the permissions and ownership of our certificate files so that the openldap user gets access to them:
root@ubuntuserver:]# adduser openldap ssl-cert
At times you will get an error message as given below while executing the adduser command:
===================================
adduser: The group `ssl-cert' does not exist.
===================================
To overcome this install the package ssl-cert by:
root@ubuntuserver:]# apt-get install ssl-cert
This installs the ssl-cert package, which creates the ssl-cert group automatically. Now execute the adduser command:
root@ubuntuserver:]# adduser openldap ssl-cert
Run the following commands to change the group and permissions:
root@ubuntuserver:]# chgrp ssl-cert /etc/ssl/private/ldapserver.int.sages.com_slapd_key.pem
root@ubuntuserver:]# chmod g+r /etc/ssl/private/ldapserver.int.sages.com_slapd_key.pem
Now restart slapd by:
root@ubuntuserver:]# /etc/init.d/slapd restart
If slapd restarts fine, the TLS configuration is in order. If you run into trouble with the server not starting, check /var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, there is most likely a configuration problem. Check that the certificate is signed by the CA named in the configured files, and that the ssl-cert group has read permission on the private key.
Now we should configure the LDAP tools on the server to use TLS by editing the client library configuration file /etc/ldap/ldap.conf as shown below:
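An added check script (not from the original post) for the two failure causes named above before restarting slapd: wrong group or permissions on the private key, and a server certificate that does not chain to the configured CA. The `check` argument guard is a hypothetical convenience, the certtool --verify invocation is assumed from gnutls documentation, and the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: sanity-check slapd TLS files before restarting.
# Usage: sh tlscheck.sh check <hostname>
set -eu

# Group owning a file, read from ls -l so it works on any POSIX system.
file_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Returns 0 if the file is readable by its group (the 'r' in the group triple).
group_readable() {
    case "$(ls -ld "$1" | cut -c5)" in r) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if key $1 is owned by group $2, group-readable and not world-readable.
check_key_perms() {
    key=$1; grp=$2
    [ "$(file_group "$key")" = "$grp" ] || { echo "wrong group on $key"; return 1; }
    group_readable "$key" || { echo "$key is not group readable"; return 1; }
    case "$(ls -ld "$key" | cut -c8)" in
        r) echo "$key is world readable"; return 1 ;;
    esac
    return 0
}

# Verify server cert $2 against CA cert $1 with certtool (needs gnutls-bin).
check_chain() {
    certtool --verify --load-ca-certificate "$1" --infile "$2" >/dev/null
}

if [ "${1:-}" = check ]; then
    host=$2
    check_key_perms "/etc/ssl/private/${host}_slapd_key.pem" ssl-cert
    check_chain /etc/ssl/certs/cacert.pem "/etc/ssl/certs/${host}_slapd_cert.pem"
    echo "TLS files look sane; restart slapd, then run: ldapsearch -xZZ -h $host"
fi
```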
===========================================
BASE dc=int,dc=sages,dc=com
URI ldap://ldapserver.int.sages.com
SIZELIMIT 12
TIMELIMIT 15
DEREF never
TLS_REQCERT allow
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
===========================================
Now we should make our client use TLS authentication. This can be done by editing the configuration file /etc/ldap.conf on the LDAP client machine:
[ldapclient@ubuntuserver:]# vi /etc/ldap.conf
Make sure the following entries are uncommented :
======================
ssl start_tls
tls_checkpeer no
======================
These two entries in ldap.conf make the client use StartTLS for encrypted sessions with our LDAP server. Let's check whether the session is using TLS with the ldapsearch command.
You can use the -ZZ switch of the ldapsearch utility to see whether we are using an encrypted session.
[ldapclient@ubuntuserver:]# ldapsearch -xZZ -h ldapserver.int.sages.com
(-x disables SASL and uses simple authentication, -Z sends a StartTLS request (-ZZ requires it to succeed), -h gives the hostname of our LDAP server)
But this command returns an error as shown below:
========================================
ldapsearch -xZZ -h ldapserver.sages.com
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
========================================
Note that ldapsearch is one of the LDAP utilities we got when we installed the ldap-utils package, and ldap-utils reads the /etc/ldap/ldap.conf file. So make sure the following entries are present in /etc/ldap/ldap.conf on the LDAP client:
========================================
BASE dc=int,dc=sages,dc=com
URI ldap://ldapserver.int.sages.com
SIZELIMIT 12
TIMELIMIT 15
DEREF never
TLS_REQCERT allow
========================================
Now run the ldapsearch from the LDAP client as follows:
[ldapclient@ubuntuserver:]# ldapsearch -xZZ -h ldapserver.int.sages.com
You will see all the users from our LDAP server. If the users are listed while the -ZZ switch is in effect, the session was encrypted, because -ZZ makes ldapsearch abort when the StartTLS request does not succeed.
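An added linter (not part of the original post) for the client-side /etc/ldap/ldap.conf shown above. It flags the URI written without a scheme separator (ldap// instead of ldap://, which is what makes ldapsearch fail to connect), a TLS_REQCERT of allow or never (the client then proceeds even when the server certificate cannot be verified, so the page's setting would be flagged), and a missing TLS_CACERT; the sample configurations in the test are constructed.

```shell
#!/bin/sh
# Added example: lint a libldap client configuration file for StartTLS pitfalls.
# Usage: sh lintldap.sh /etc/ldap/ldap.conf
set -eu

# Value of directive $2 in file $1 (first match, keyword compared case-insensitively).
conf_value() {
    awk -v k="$2" 'toupper($1) == k { print $2; exit }' "$1"
}

# Print one line per finding; return the number of findings (0 = clean).
lint_ldap_conf() {
    f=$1; n=0
    uri=$(conf_value "$f" URI)
    case "$uri" in
        "") echo "URI: missing, ldapsearch will fall back to localhost"; n=$((n+1)) ;;
        ldap://*|ldaps://*|ldapi://*) ;;
        *)  echo "URI: '$uri' has no scheme separator ('ldap://host' expected)"; n=$((n+1)) ;;
    esac
    # libldap defaults to demand when TLS_REQCERT is absent; allow/never skip verification.
    case "$(conf_value "$f" TLS_REQCERT | tr 'A-Z' 'a-z')" in
        demand|hard|try|"") ;;
        *) echo "TLS_REQCERT: server certificate is not verified (use demand)"; n=$((n+1)) ;;
    esac
    ca=$(conf_value "$f" TLS_CACERT)
    if [ -z "$ca" ]; then
        echo "TLS_CACERT: not set, the server certificate cannot be checked against cacert.pem"
        n=$((n+1))
    fi
    return $n
}

if [ -n "${1:-}" ] && [ -f "$1" ]; then
    lint_ldap_conf "$1" || echo "$? finding(s) in $1"
fi
```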