The certificates must be in PEM format (.pem or .crt). You need three files: the Root CA certificate, the server certificate (with the FQDN of the server in the subject alternative name, or at minimum in the subject CN, since clients match the name they connected to against the certificate) and the server's private key. Do not set a passphrase on the server key: slapd cannot prompt for one and will fail to load the key. Once you have the files, update the TLS section in slapd.conf.
You will need to modify three files to enable LDAPS/StartTLS:
/etc/default/symas-openldap
/opt/symas/etc/openldap/slapd.conf
/opt/symas/etc/openldap/ldap.conf
Overriding slapd Defaults
By default the slapd process listens on ldap:/// (port 389) and ldapi:///. StartTLS is served on the ldap:/// listener once the TLS section of slapd.conf is configured; LDAPS needs its own listener, ldaps:/// (port 636), which you add to the URL list that the slapd service reads from /etc/default/symas-openldap at start-up.
Modify SLAPD_URLS in /etc/default/symas-openldap so that slapd also listens on port 636:
vi /etc/default/symas-openldap
SLAPD_URLS="ldap:/// ldaps:/// ldapi:///"
SLAPD_OPTIONS="-u root -g root"
Save changes and restart the slapd service
systemctl restart slapd
Using Certificates with a Single Root CA Certificate
Place the server certificate and server key in a directory, e.g. /opt/symas/ssl or /opt/symas/ssl/certs, and put the Root CA certificate in a separate directory, e.g. /opt/symas/ssl/ca. Because the key is stored unencrypted, restrict it to the user slapd runs as (mode 0600).
Modify slapd.conf to include the Root CA, server certificate and server key
vi /opt/symas/etc/openldap/slapd.conf
# TLS Setup Section
#
# TLSCACertificateFile <filename>
#TLSCACertificatePath <directory path>
# Specifies the file that contains certificates for all
# of the Certificate Authorities that slapd will
# recognize.
#TLSCACertificatePath /opt/symas/ssl/ca
TLSCACertificateFile "/opt/symas/ssl/ca/cacert.pem"
#
# TLSCertificateFile <filename>
# Specifies the file that contains the slapd server
# certificate.
TLSCertificateFile "/opt/symas/ssl/certs/server.pem"
#
# TLSCertificateKeyFile <filename>
# Specifies the file that contains the slapd server
# private key that matches the certificate stored in the
# TLSCertificateFile file. Currently, the private key
# must not be protected with a password, so it is of
# critical importance that it is protected carefully.
TLSCertificateKeyFile "/opt/symas/ssl/certs/server.key"
#
# TLSCipherSuite <cipher-suite-spec>
# Permits configuring what ciphers will be accepted and the
# preference order. <cipher-suite-spec> should be a cipher
# specification for the TLS library in use (OpenSSL, GnuTLS, or
# Mozilla NSS). HIGH:MEDIUM is a permissive example: MEDIUM adds
# weaker 128-bit legacy suites (SEED, IDEA, RC4 where still enabled),
# so prefer HIGH alone or an explicit list unless old clients need them.
TLSCipherSuite HIGH:MEDIUM
# TLSVerifyClient allow: a client certificate is requested but not
# required; a missing or invalid one is ignored and the session proceeds.
# Use demand to require a valid client certificate.
TLSVerifyClient allow
Modify ldap.conf to include the Root CA
vi /opt/symas/etc/openldap/ldap.conf
# TLS_REQCERT <level>
# Specifies what checks to perform on the server certificate:
#
# never
# The client will not request or check any server certificate.
#
# allow
# The server certificate is requested. If no certificate is
# provided, the session proceeds normally. If a bad certificate is
# provided, it will be ignored and the session proceeds normally.
#
# try
# The server certificate is requested. If no certificate is provided,
# the session proceeds normally. If a bad certificate is provided, the
# session is immediately terminated.
#
# demand | hard
# These keywords are equivalent. The server certificate is
# requested. If no certificate is provided, or a bad certificate is
# provided, the session is immediately terminated. This is the default
# setting.
# try is what this page uses. With TLS_CACERT configured, demand (the default)
# is the stricter choice: it also rejects a server that presents no certificate.
# never and allow disable verification and leave clients open to a
# man-in-the-middle server.
TLS_REQCERT try
# TLS_CACERT
# Path to the CA's certificate. The SSL library needs access to
# the certificate belonging to the CA that is used to sign certificates in
# this deployment of Symas OpenLDAP, hence this file. This is usually global to
# a Symas OpenLDAP installation and therefore should be set here.
TLS_CACERT /opt/symas/ssl/ca/cacert.pem
# TLS_CACERTDIR
# Specifies the path of a directory that contains Certificate Authority
# certificates in separate individual files. The TLS_CACERT is always used
# before TLS_CACERTDIR.
#TLS_CACERTDIR /opt/symas/ssl/ca
Save changes and restart the slapd service
systemctl restart slapd
Using Intermediate certificate(s)
If the server certificate was issued by an intermediate CA rather than directly by the root, the CA file must contain both CA certificates, otherwise the chain cannot be built. Concatenate (combine) them, intermediate certificate first, followed by the root certificate.
Concatenate the intermediate certificate and the Root CA
cp {Intermediate_Cert}.pem combined.pem
cat {Root_CA}.pem >> combined.pem
cp combined.pem /opt/symas/ssl/ca/cacert.pem
Then modify slapd.conf and ldap.conf exactly as in "Using Certificates with a Single Root CA Certificate" above: TLSCACertificateFile in slapd.conf and TLS_CACERT in ldap.conf both point at /opt/symas/ssl/ca/cacert.pem, which now holds the intermediate and root certificates. The server certificate and key settings do not change.
Save changes and restart the slapd service
systemctl restart slapd
If the concatenated certificate does not work, separate the Root CA and intermediate certificates into individual files, place them in /opt/symas/ssl/ca and create the hash symbolic links that OpenSSL uses to find certificates in a directory.
Separating Certificates
Separate the Root CA and intermediate certificates into their own files. Each certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----; copy each block, including both marker lines, into its own .pem file.
Place all the separated certificates in /opt/symas/ssl/ca/
Change to /opt/symas/bin and create the symbolic links. (If needed, install the symas-openssl package first: dnf install symas-openssl.) Re-run c_rehash whenever a certificate in the directory is added or replaced; without a current hash link the file is not found.
cd /opt/symas/bin
sudo ./c_rehash /opt/symas/ssl/ca
Modify slapd.conf to include the directory in which the certificates reside
# TLS Setup Section
#
# TLSCACertificateFile <filename>
#TLSCACertificatePath <directory path>
# Specifies the file that contains certificates for all
# of the Certificate Authorities that slapd will
# recognize.
#TLSCACertificateFile "/opt/symas/ssl/ca/cacert.pem"
TLSCACertificatePath "/opt/symas/ssl/ca"
#
# TLSCertificateFile <filename>
# Specifies the file that contains the slapd server
# certificate.
TLSCertificateFile "/opt/symas/ssl/certs/server.pem"
#
# TLSCertificateKeyFile <filename>
# Specifies the file that contains the slapd server
# private key that matches the certificate stored in the
# TLSCertificateFile file. Currently, the private key
# must not be protected with a password, so it is of
# critical importance that it is protected carefully.
TLSCertificateKeyFile "/opt/symas/ssl/certs/server.key"
#
# TLSCipherSuite <cipher-suite-spec>
# Permits configuring what ciphers will be accepted and the
# preference order. <cipher-suite-spec> should be a cipher
# specification for the TLS library in use (OpenSSL, GnuTLS, or
# Mozilla NSS). HIGH:MEDIUM is a permissive example: MEDIUM adds
# weaker 128-bit legacy suites (SEED, IDEA, RC4 where still enabled),
# so prefer HIGH alone or an explicit list unless old clients need them.
TLSCipherSuite HIGH:MEDIUM
# TLSVerifyClient allow: a client certificate is requested but not
# required; a missing or invalid one is ignored and the session proceeds.
# Use demand to require a valid client certificate.
TLSVerifyClient allow
Modify ldap.conf to include the directory /opt/symas/ssl/ca
# TLS_REQCERT <level>
# Specifies what checks to perform on the server certificate:
#
# never
# The client will not request or check any server certificate.
#
# allow
# The server certificate is requested. If no certificate is
# provided, the session proceeds normally. If a bad certificate is
# provided, it will be ignored and the session proceeds normally.
#
# try
# The server certificate is requested. If no certificate is provided,
# the session proceeds normally. If a bad certificate is provided, the
# session is immediately terminated.
#
# demand | hard
# These keywords are equivalent. The server certificate is
# requested. If no certificate is provided, or a bad certificate is
# provided, the session is immediately terminated. This is the default
# setting.
# try is what this page uses. With TLS_CACERTDIR configured, demand (the default)
# is the stricter choice: it also rejects a server that presents no certificate.
# never and allow disable verification and leave clients open to a
# man-in-the-middle server.
TLS_REQCERT try
# TLS_CACERT
# Path to the CA's certificate. The SSL library needs access to
# the certificate belonging to the CA that is used to sign certificates in
# this deployment of Symas OpenLDAP, hence this file. This is usually global to
# a Symas OpenLDAP installation and therefore should be set here.
#TLS_CACERT /opt/symas/ssl/ca/cacert.pem
# TLS_CACERTDIR
# Specifies the path of a directory that contains Certificate Authority
# certificates in separate individual files. The TLS_CACERT is always used
# before TLS_CACERTDIR.
TLS_CACERTDIR /opt/symas/ssl/ca
Restart the slapd service
systemctl restart slapd
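Before restarting slapd it pays to prove that the files are what slapd.conf and ldap.conf expect. The following POSIX shell script is an added example, not part of this documentation or of Symas OpenLDAP. It builds a throwaway root CA, intermediate CA and server certificate with openssl (ldap.example.com and every file name are made up for the demo), then runs the checks the sections above rely on: the key is unencrypted and belongs to the certificate, the files have no CRLF line endings, the certificate chains to the CA file (the combined cacert.pem from "Using Intermediate certificate(s)") and covers the FQDN clients will connect to; for the "Separating Certificates" procedure it splits the bundle into one file per certificate and hashes the directory the way c_rehash does. It assumes openssl is on PATH (openssl rehash, with c_rehash as fallback).

```shell
#!/bin/sh
# Added example, not part of the Symas documentation: build a throwaway
# root -> intermediate -> server chain with openssl, then run the checks
# a practitioner wants before pointing slapd.conf and ldap.conf at the files.
# Hostnames, directory names and file names here are made up for the demo.

# gen_cert DIR NAME CN EXTFILE [ISSUER]  - issue NAME.pem/NAME.key; self-signed without ISSUER
gen_cert() {
    g_dir=$1; g_name=$2; g_cn=$3; g_ext=$4; g_issuer=$5
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$g_cn" \
        -keyout "$g_dir/$g_name.key" -out "$g_dir/$g_name.csr" 2>/dev/null || return 1
    chmod 600 "$g_dir/$g_name.key"            # slapd reads it unencrypted, so lock it down
    if [ -z "$g_issuer" ]; then
        openssl x509 -req -in "$g_dir/$g_name.csr" -signkey "$g_dir/$g_name.key" \
            -days 1 -extfile "$g_ext" -out "$g_dir/$g_name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$g_dir/$g_name.csr" -CA "$g_dir/$g_issuer.pem" \
            -CAkey "$g_dir/$g_issuer.key" -CAcreateserial -days 1 -extfile "$g_ext" \
            -out "$g_dir/$g_name.pem" 2>/dev/null
    fi
}

# make_demo_pki DIR FQDN - root CA, intermediate CA, server cert with the FQDN in the SAN,
# plus cacert.pem built the way the page does it (intermediate first, then root).
make_demo_pki() {
    p_dir=$1; p_fqdn=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$p_dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$p_fqdn" > "$p_dir/server.ext"
    gen_cert "$p_dir" root "Demo Root CA" "$p_dir/ca.ext" &&
    gen_cert "$p_dir" intermediate "Demo Intermediate CA" "$p_dir/ca.ext" root &&
    gen_cert "$p_dir" server "$p_fqdn" "$p_dir/server.ext" intermediate &&
    cat "$p_dir/intermediate.pem" "$p_dir/root.pem" > "$p_dir/cacert.pem"
}

# check_server_tls CAFILE CERT KEY FQDN - returns 0 when the three files are usable by slapd
# and a client with TLS_CACERT=CAFILE connecting to FQDN will trust the server.
check_server_tls() {
    c_ca=$1; c_cert=$2; c_key=$3; c_fqdn=$4; c_rc=0
    for c_f in "$c_ca" "$c_cert" "$c_key"; do   # CRLF endings are what the dos2unix step fixes
        grep -q "$(printf '\r')" "$c_f" && { echo "FAIL: $c_f has CRLF endings (run dos2unix)"; c_rc=1; }
    done
    grep -q -- '-----BEGIN CERTIFICATE-----' "$c_cert" || { echo "FAIL: $c_cert is not PEM"; c_rc=1; }
    grep -q ENCRYPTED "$c_key" && { echo "FAIL: $c_key has a passphrase; slapd cannot load it"; c_rc=1; }
    case $(ls -l "$c_key") in ?rw-------*) ;; *) echo "WARN: $c_key should be mode 0600" ;; esac
    # the key must belong to the certificate: compare the public keys derived from each
    c_pub_cert=$(openssl x509 -in "$c_cert" -noout -pubkey 2>/dev/null || true)
    c_pub_key=$(openssl pkey -in "$c_key" -pubout -passin pass:x 2>/dev/null || true)
    { [ -n "$c_pub_cert" ] && [ "$c_pub_cert" = "$c_pub_key" ]; } \
        || { echo "FAIL: $c_key does not match $c_cert"; c_rc=1; }
    # full chain to CAFILE plus SAN/CN match for the name clients will use
    openssl verify -CAfile "$c_ca" -verify_hostname "$c_fqdn" "$c_cert" >/dev/null 2>&1 \
        || { echo "FAIL: $c_cert does not chain to $c_ca for $c_fqdn"; c_rc=1; }
    return $c_rc
}

# split_bundle BUNDLE OUTDIR - one file per certificate (cert-1.pem, cert-2.pem, ...);
# prints how many were written. For the TLSCACertificatePath / TLS_CACERTDIR layout.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inc = 1 }
        inc { print > out }
        /-----END CERTIFICATE-----/ { inc = 0; close(out) }
        END { print n + 0 }' "$1"
}

# hash_dir DIR - create the hash symlinks OpenSSL needs for a CApath (what c_rehash does)
hash_dir() { openssl rehash "$1" 2>/dev/null || c_rehash "$1" >/dev/null 2>&1; }

demo() {
    d_tmp=$(mktemp -d); d_fqdn=ldap.example.com
    make_demo_pki "$d_tmp" "$d_fqdn" || { echo "openssl failed"; rm -rf "$d_tmp"; return 1; }
    echo "combined cacert.pem, correct FQDN:"
    check_server_tls "$d_tmp/cacert.pem" "$d_tmp/server.pem" "$d_tmp/server.key" "$d_fqdn" && echo PASS
    echo "root certificate alone (intermediate missing), expected to fail:"
    check_server_tls "$d_tmp/root.pem" "$d_tmp/server.pem" "$d_tmp/server.key" "$d_fqdn" || true
    echo "separated certificates in a hashed directory:"
    mkdir "$d_tmp/ca" && split_bundle "$d_tmp/cacert.pem" "$d_tmp/ca" && hash_dir "$d_tmp/ca" &&
        openssl verify -CApath "$d_tmp/ca" -verify_hostname "$d_fqdn" "$d_tmp/server.pem"
    rm -rf "$d_tmp"
}
demo
```

Run check_server_tls against the real files under /opt/symas/ssl before each restart; a failure with the root certificate alone is exactly the symptom that sends you to the intermediate section. After the restart, confirm the listener from a client: openssl s_client -connect fqdn:636 -CAfile /opt/symas/ssl/ca/cacert.pem </dev/null should end with "Verify return code: 0 (ok)", ldapsearch -H ldaps://fqdn -x -b "" -s base should return the root DSE, and ldapsearch -H ldap://fqdn -ZZ -x -b "" -s base exercises StartTLS on port 389 and fails if TLS cannot be negotiated.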
Other helpful information
To convert a certificate from PKCS#7 (.p7b) format to PEM:
openssl pkcs7 -print_certs -in [certificate.p7b] -out [certificate.pem]
To remove a passphrase from a private key (slapd cannot load an encrypted key):
openssl rsa -in [original.key] -out [new.key]
Enter the passphrase of the original key when prompted; [new.key] is then unencrypted. For keys that are not RSA, use openssl pkey -in [original.key] -out [new.key] instead. Set the new file to mode 0600, since anyone who can read it can impersonate the server.
Certificates created in a Windows environment often have CRLF line endings, which the Linux tools may not recognize.
Run the following to convert the line endings of the certificate(s):
dos2unix [Certificate_Name].pem