What is the *correct* way to set up Openldap to use SSL/TLS? The documentation is somewhat confusing.
My cn=config.ldif file looks like this:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
olcTLSCertificateFile: /etc/openldap/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
structuralObjectClass: olcGlobal
entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
creatorsName: cn=config
createTimestamp: 20170918163057Z
entryCSN: 20170918163057.597791Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170918163057Z
in /etc/openldap/certs are these files:
[root@c764guest heller]# ls -l /etc/openldap/certs
total 104
-rw-r--r--. 1 root root  5137 Sep 22 14:42 c764guest.cert
-rw-r--r--. 1 root root  1074 Sep 22 14:37 c764guest.csr
-rw-r--r--. 1 root root  1696 Sep 22 14:18 ca-cert.pem
-rw-r--r--. 1 root root 65536 Sep 18 12:30 cert8.db
-rw-r--r--. 1 root root 16384 Sep 18 12:30 key3.db
-r--r-----. 1 root ldap    45 Jan 10  2016 password
-rw-r--r--. 1 root root  1834 Sep 22 14:37 privkey.pem
-rw-r--r--. 1 root root 16384 Jan 10  2016 secmod.db
/etc/sysconfig/slapd contains:
# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/ ldaps:///"

# Any custom options
#SLAPD_OPTIONS="-s 128"

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
/etc/openldap/ldap.conf contains:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE            dc=deepsoft,dc=com
URI             ldaps://192.168.250.98/
TLS_CACERT      /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR   /etc/openldap/certs
TLS_REQCERT     demand

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR   /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
But now when I try to do a ldapsearch I get:
[heller@c764guest ~]$ ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

even though:

[root@c764guest heller]# netstat -a|grep ldap
tcp   0  0 0.0.0.0:ldaps             0.0.0.0:*                 LISTEN
tcp   0  0 c764guest.deepsoft:ldap   0.0.0.0:*                 LISTEN
tcp   0  0 localhost:ldap            0.0.0.0:*                 LISTEN
tcp   0  0 c764guest.deepsof:33302   c764guest.deepsoft:ldap   ESTABLISHED
tcp   0  0 c764guest.deepsoft:ldap   c764guest.deepsof:33302   ESTABLISHED
tcp6  0  0 [::]:ldaps                [::]:*                    LISTEN
Is this correct? I am not sure if I should be using ldaps:/// or not. And I am not sure what the proper "magic" to get TLS working is.
Two things I notice from below:
olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
-rw-r--r--. 1 root root 1696 Sep 22 14:18 ca-cert.pem
Underscore in the first, dash in the second.
Per netstat you're running ldaps on 636 so you can start your TLS diagnostics with openssl and work your way down to ldapsearch.
openssl s_client -CApath /etc/openldap/certs -connect (if I recall correctly)
ldapsearch -H ldaps://host:636 -x -D binddn -W filter=what (or something)
On Fri, Sep 22, 2017 at 04:16:43PM -0400, Robert Heller wrote:
--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services
openldap-technical@openldap.org
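The two-stage diagnostic the reply describes (openssl first, then ldapsearch), together with a check for the kind of file-name mismatch it spotted, as an added shell example that is not from the thread or from the OpenLDAP project. The function names, the scratch directory the demo builds and the use of -CAfile (the reply recalls -CApath) are my choices; the host name and bind DN are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that every file cn=config
# points at for TLS really exists, then run the two probes the reply suggests.

# Print the value of every olcTLS*File / olcTLS*Path attribute in an LDIF file.
tls_paths() {            # usage: tls_paths <ldif-file>
    sed -n -e 's/^olcTLS[A-Za-z]*File: *//p' \
           -e 's/^olcTLS[A-Za-z]*Path: *//p' "$1"
}

# Report every referenced path that does not exist on disk.
# Returns 0 when all resolve, 1 otherwise (this catches ca_cert vs ca-cert).
check_tls_paths() {      # usage: check_tls_paths <ldif-file>
    missing=0
    paths=$(tls_paths "$1")
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ ! -e "$p" ]; then
            printf 'MISSING: %s\n' "$p"
            missing=1
        fi
    done <<EOF
$paths
EOF
    return $missing
}

# Stage 1: does a TLS handshake on 636 verify against the CA file?
# -verify_return_error makes openssl exit non-zero on a verification failure
# instead of carrying on with a warning.
probe_ldaps_tls() {      # usage: probe_ldaps_tls <host> <cafile>
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error </dev/null
}

# Stage 2: the LDAP layer over the same TLS session (root DSE, base scope).
# Add -d 1 to see the TLS error text hidden behind "Can't contact LDAP server".
probe_ldaps_search() {   # usage: probe_ldaps_search <host> <binddn>
    ldapsearch -H "ldaps://$1:636" -x -D "$2" -W -s base -b '' '(objectClass=*)'
}

# Constructed demo: rebuilds the thread's underscore/dash mismatch in a
# scratch directory and shows the check flagging it. Returns 1 on a mismatch.
demo() {
    d=$(mktemp -d)
    for f in ca-cert.pem c764guest.cert privkey.pem; do : > "$d/$f"; done
    cat > "$d/config.ldif" <<EOF
dn: cn=config
objectClass: olcGlobal
olcTLSCACertificatePath: $d
olcTLSCACertificateFile: $d/ca_cert.pem
olcTLSCertificateFile: $d/c764guest.cert
olcTLSCertificateKeyFile: $d/privkey.pem
EOF
    check_tls_paths "$d/config.ldif"
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh tlscheck.sh demo` to see the constructed mismatch reported, then on the real host `check_tls_paths /etc/openldap/slapd.d/cn=config.ldif`, `probe_ldaps_tls <host> /etc/openldap/certs/ca-cert.pem` and finally `probe_ldaps_search <host> <binddn>`. Working down the stack this way separates a server-side file problem (slapd cannot load the CA or key it was told about) from a client-side verification problem: with `TLS_REQCERT demand` the client also has to verify the server certificate's name against the host given in `URI`, so the certificate must cover whatever that URI names.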