Edgar Resendiz

Implementing LDAPS in Symas OpenLDAP 2.5+

Updated: Jun 8, 2022



Please note that the certificates must be in PEM format (.pem or .crt). You will need three files: the Root CA certificate, the server certificate (with the FQDN of the server in the subject or, preferably, in the Subject Alternative Name) and the server's private key. When creating the key, do not set a pass phrase on it: slapd cannot prompt for one, so the key file has to be stored unencrypted and protected with file permissions instead. Once you have the files, you will update the TLS section in slapd.conf.


You will need to modify three files to enable LDAPS/StartTLS:

/etc/default/symas-openldap
/opt/symas/etc/openldap/slapd.conf
/opt/symas/etc/openldap/ldap.conf


Overriding slapd Defaults

By default, the slapd process listens on ldap:/// (port 389) and ldapi:/// (the local Unix socket). To enable LDAPS (port 636) you must override that default listener list; on Symas OpenLDAP the list is read from /etc/default/symas-openldap when the service starts.


Modify the host list in /etc/default/symas-openldap to make sure that slapd will listen on port 636

vi /etc/default/symas-openldap
SLAPD_URLS="ldap:/// ldaps:/// ldapi:///"
SLAPD_OPTIONS="-u root -g root"

Save changes and restart the slapd service

systemctl restart slapd


Using Certificates with a Single Root CA Certificate

Place the server certificate and server key in a folder, e.g. /opt/symas/ssl or /opt/symas/ssl/certs. We recommend placing the Root CA certificate in a separate directory, e.g. /opt/symas/ssl/ca.


Modify slapd.conf to include the Root CA, server certificate and server key

vi /opt/symas/etc/openldap/slapd.conf
# TLS Setup Section
#
# TLSCACertificateFile <filename>
#TLSCACertificatePath <directory path>
# Specifies the file that contains certificates for all
# of the Certificate Authorities that slapd will
# recognize.
#TLSCACertificatePath /opt/symas/ssl/ca
TLSCACertificateFile "/opt/symas/ssl/ca/cacert.pem"

#
# TLSCertificateFile <filename>
# Specifies the file that contains the slapd server
# certificate.
TLSCertificateFile "/opt/symas/ssl/certs/server.pem"

#
# TLSCertificateKeyFile <filename>
# Specifies the file that contains the slapd server
# private key that matches the certificate stored in the
# TLSCertificateFile file. Currently, the private key
# must not be protected with a password, so it is of
# critical importance that it is protected carefully.
TLSCertificateKeyFile "/opt/symas/ssl/certs/server.key"

#
# TLSCipherSuite <cipher-suite-spec>
# Permits configuring what ciphers will be accepted and the
# preference order. <cipher-suite-spec> should be a cipher
# specification for the TLS library in use (OpenSSL, GnuTLS, or
# Mozilla NSS).
TLSCipherSuite HIGH:MEDIUM
TLSVerifyClient allow

Modify ldap.conf to include the Root CA

vi /opt/symas/etc/openldap/ldap.conf
# never
# The client will not request or check any server certificate.
#
# allow
# The server certificate is requested. If no certificate is
# provided, the session proceeds normally. If a bad certificate is
# provided, it will be ignored and the session proceeds normally.
#
# try
# The server certificate is requested. If no certificate is provided,
# the session proceeds normally. If a bad certificate is provided, the
# session is immediately terminated.
#
# demand | hard
#     These keywords are equivalent. The server certificate is
# requested. If no certificate is provided, or a bad certificate is
# provided, the session is immediately terminated. This is the default
# setting.
TLS_REQCERT try

# TLS_CACERT
# Path to the CA's certificate. The SSL library needs access to
# the certificate belonging to the CA that is used to sign certificates in
# this deployment of Symas OpenLDAP, hence this file. This is usually global to
# a Symas OpenLDAP installation and therefore should be set here.
TLS_CACERT  /opt/symas/ssl/ca/cacert.pem

# TLS_CACERTDIR
# Specifies the path of a directory that contains Certificate Authority
# certificates in separate individual files. The TLS_CACERT is always used
# before TLS_CACERTDIR.
#TLS_CACERTDIR  /opt/symas/ssl/ca

Note that TLS_REQCERT try still lets a session proceed when the server presents no certificate at all; demand (the default) rejects that case as well and is the stricter choice once the CA file above is in place.

Save changes and restart slapd service

systemctl restart slapd

Using Intermediate certificate(s)

If your server certificate was issued by an intermediate CA rather than directly by the Root CA, you will need to concatenate (combine) the CA certificates into one file. The order must be the intermediate certificate first, followed by the root certificate.


Concatenate the intermediate certificate and the Root CA

cp {Intermediate_Cert}.pem combined.pem
cat {Root_CA}.pem >>combined.pem
cp combined.pem /opt/symas/ssl/ca/cacert.pem

The slapd.conf and ldap.conf settings are the same as in the single Root CA case above: TLSCACertificateFile and TLS_CACERT both point at /opt/symas/ssl/ca/cacert.pem, which now holds the intermediate certificate followed by the Root CA. Save the changes and restart slapd.

If the concatenated file does not work, separate the Root CA and intermediate certificates into individual files, place them in /opt/symas/ssl/ca and create the hashed symbolic links that the TLS library uses to find them.


Separating Certificates

Separate the Root CA and intermediate certificates into their own files. Each certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, so split the combined file on those markers.


Place all the separated certificates in /opt/symas/ssl/ca/


Change directory to /opt/symas/bin and create the symbolic links with c_rehash. (If needed, install the symas-openssl package first: dnf install symas-openssl)

cd /opt/symas/bin
sudo ./c_rehash /opt/symas/ssl/ca
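
The two file operations from this section and the previous one, joining the intermediate and Root CA certificates into one cacert.pem in the intermediate-first order given above, and splitting a combined file back into one certificate per file for TLSCACertificatePath, as a POSIX shell script. This is an added example, not code from the Symas page; the paths in its usage comments follow the layout used on this page and the input file names there are assumptions.

```shell
#!/bin/sh
# Added example (not from the Symas page): helpers for the two CA layouts slapd
# accepts, a single TLSCACertificateFile bundle or a TLSCACertificatePath
# directory of one-certificate files. Paths in the usage section are assumptions.

# Number of certificates in FILE, counted by PEM BEGIN markers (0 if none).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write INTERMEDIATE followed by ROOT to OUT, the order the page requires.
# Each input must hold exactly one certificate, so an existing bundle cannot be
# passed in by mistake and doubled up.
build_ca_bundle() {
    for f in "$1" "$2"; do
        if [ "$(pem_cert_count "$f")" != 1 ]; then
            echo "build_ca_bundle: expected exactly one certificate in $f" >&2
            return 1
        fi
    done
    cat "$1" "$2" > "$3"
}

# Split BUNDLE into OUTDIR/cert-1.pem, cert-2.pem, ... in file order, keeping
# only the lines between the BEGIN and END markers. Text outside the markers
# (for instance the "subject=" lines that openssl pkcs7 -print_certs emits) is
# dropped. Prints the number of certificates written.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Usage (paths as laid out on the page; input names are assumptions):
#   build_ca_bundle intermediate.pem rootca.pem /opt/symas/ssl/ca/cacert.pem
#   split_pem_bundle cacert.pem /opt/symas/ssl/ca     # then run c_rehash on the directory
# Keep only one certificate per file in the TLSCACertificatePath directory.
if [ "$#" -eq 3 ]; then
    build_ca_bundle "$1" "$2" "$3" && echo "wrote $(pem_cert_count "$3") certificates to $3"
fi
```

The count check in build_ca_bundle catches the common mistake of feeding an already combined file back in; the splitter is what you run when the combined file does not work and you fall back to TLSCACertificatePath, after which /opt/symas/bin/c_rehash creates the hashed links as shown above.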

Modify slapd.conf to include the directory in which the certificates reside

# TLS Setup Section
#
# TLSCACertificateFile <filename>
#TLSCACertificatePath <directory path>
# Specifies the file that contains certificates for all
# of the Certificate Authorities that slapd will
# recognize.
#TLSCACertificateFile "/opt/symas/ssl/ca/cacert.pem"
TLSCACertificatePath "/opt/symas/ssl/ca"

#
# TLSCertificateFile <filename>
# Specifies the file that contains the slapd server
# certificate.
TLSCertificateFile "/opt/symas/ssl/certs/server.pem"

#
# TLSCertificateKeyFile <filename>
# Specifies the file that contains the slapd server
# private key that matches the certificate stored in the
# TLSCertificateFile file. Currently, the private key
# must not be protected with a password, so it is of
# critical importance that it is protected carefully.
TLSCertificateKeyFile "/opt/symas/ssl/certs/server.key"

#
# TLSCipherSuite <cipher-suite-spec>
# Permits configuring what ciphers will be accepted and the
# preference order. <cipher-suite-spec> should be a cipher
# specification for the TLS library in use (OpenSSL, GnuTLS, or
# Mozilla NSS).
TLSCipherSuite HIGH:MEDIUM
TLSVerifyClient allow

Modify ldap.conf to include the directory /opt/symas/ssl/ca

# never
# The client will not request or check any server certificate.
#
# allow
# The server certificate is requested. If no certificate is
# provided, the session proceeds normally. If a bad certificate is
# provided, it will be ignored and the session proceeds normally.
#
# try
# The server certificate is requested. If no certificate is provided,
# the session proceeds normally. If a bad certificate is provided, the
# session is immediately terminated.
#
# demand | hard
#     These keywords are equivalent. The server certificate is
# requested. If no certificate is provided, or a bad certificate is
# provided, the session is immediately terminated. This is the default
# setting.
TLS_REQCERT try

# TLS_CACERT
# Path to the CA's certificate. The SSL library needs access to
# the certificate belonging to the CA that is used to sign certificates in
# this deployment of Symas OpenLDAP, hence this file. This is usually global to
# a Symas OpenLDAP installation and therefore should be set here.
#TLS_CACERT /opt/symas/ssl/ca/cacert.pem

# TLS_CACERTDIR
# Specifies the path of a directory that contains Certificate Authority
# certificates in separate individual files. The TLS_CACERT is always used
# before TLS_CACERTDIR.
TLS_CACERTDIR /opt/symas/ssl/ca

Restart the slapd service

systemctl restart slapd

Other helpful information

To convert a certificate from PKCS#7 (.p7b) format to PEM:

openssl pkcs7 -print_certs -in [certificate.p7b] -out [certificate.pem]

To remove a pass phrase from an RSA private key:

openssl rsa -in [original.key] -out [new.key]

Enter the pass phrase of the original key when asked. [new.key] is written without a pass phrase, so protect it with restrictive file permissions: anyone who can read the file now holds the key.


Certificate files created in a Windows environment often have CRLF line endings and may be rejected on Linux for that reason.

Run the following to convert the line endings in place:

dos2unix [Certificate_Name].pem
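
The file requirements spread across this page (PEM format, no pass phrase on the key, LF line endings, a carefully protected key file) collected into one preflight script to run before the files are referenced from slapd.conf, plus a live check for after the restart. This is an added example, not code from the Symas page or from Symas; the paths in its usage comments, the example host name and the location of ldapsearch are assumptions.

```shell
#!/bin/sh
# Added example (not from the Symas page): preflight checks for the three TLS
# files before they go into slapd.conf, plus a live check for after the restart.
# Paths in the usage section are assumptions based on the layout used on the page.

# 0 if FILE has CRLF line endings, the case dos2unix fixes.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# 0 if FILE holds at least one complete PEM certificate (balanced BEGIN/END markers).
is_pem_cert() {
    b=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    [ "${b:-0}" -ge 1 ] && [ "$b" = "$e" ]
}

# 0 if FILE is a PEM private key without a pass phrase. slapd cannot prompt for
# one, so an encrypted key stops it from starting. Encrypted PKCS#8 keys say
# "BEGIN ENCRYPTED PRIVATE KEY"; legacy ones carry "Proc-Type: 4,ENCRYPTED".
is_unencrypted_key() {
    grep -q -e 'PRIVATE KEY-----' "$1" || return 1
    ! grep -q -e 'ENCRYPTED' "$1"
}

# 0 if FILE is not readable by "other". The key is stored unencrypted, so the
# page insists it be protected carefully; only the user slapd runs as needs it
# (root, per the SLAPD_OPTIONS shown above).
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = '---' ]
}

# Run every check on CA CERT KEY; prints one FAIL line per problem and returns
# the number of failures (0 means the files are ready for slapd.conf).
preflight() {
    fails=0
    for f in "$1" "$2" "$3"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is missing or not readable" >&2
            fails=$((fails + 1))
        elif has_crlf "$f"; then
            echo "FAIL: $f has CRLF line endings, run dos2unix on it" >&2
            fails=$((fails + 1))
        fi
    done
    is_pem_cert "$1" || { echo "FAIL: $1 contains no PEM certificate" >&2; fails=$((fails + 1)); }
    is_pem_cert "$2" || { echo "FAIL: $2 contains no PEM certificate" >&2; fails=$((fails + 1)); }
    is_unencrypted_key "$3" || { echo "FAIL: $3 is not an unencrypted PEM private key" >&2; fails=$((fails + 1)); }
    not_world_readable "$3" || { echo "FAIL: $3 is world-readable, chmod 600 it" >&2; fails=$((fails + 1)); }
    return "$fails"
}

# After "systemctl restart slapd": confirm the chain verifies on 636 and that
# StartTLS works on 389. Needs the running server, so the offline checks above
# do not exercise it. HOST must match the FQDN in the certificate; ldapsearch
# is assumed to be on PATH (on Symas installs it lives under /opt/symas/bin).
live_check() {
    host="$1"; cafile="$2"
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1 \
        || { echo "FAIL: LDAPS handshake or chain verification failed for $host" >&2; return 1; }
    ldapsearch -H "ldap://$host" -ZZ -x -b '' -s base >/dev/null 2>&1 \
        || { echo "FAIL: StartTLS search against $host failed" >&2; return 1; }
    echo "OK: LDAPS and StartTLS verified against $host"
}

# Usage (paths as laid out on the page; host name is an assumption):
#   preflight /opt/symas/ssl/ca/cacert.pem /opt/symas/ssl/certs/server.pem /opt/symas/ssl/certs/server.key
#   live_check ldap.example.com /opt/symas/ssl/ca/cacert.pem
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3" && echo "OK: $1 $2 $3 pass the preflight checks"
fi
```

The preflight only reads the files as text, so it runs anywhere; confirming that the FQDN is in the certificate is still done with openssl x509 -noout -text -in server.pem. live_check is the check that matters after the restart: a non-zero exit from openssl s_client with -verify_return_error means the CA file in ldap.conf does not verify the chain slapd is serving, which is exactly the case where the intermediate is missing from cacert.pem.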