This step is optional: OpenLDAP works without it. I wanted something more complete and secure for integrating other services, and to be able to use SSSD for authentication on Linux, which by default refuses to send passwords over an unencrypted LDAP connection.

Certificate Generation.

To do this we create a small chain: a CA certificate and a host certificate signed by it. The host certificate must carry the exact name clients use to reach the server (the FQDN in the CN and, more importantly, in the subjectAltName); otherwise clients reject the connection with a host name mismatch.

First step, let’s create a folder structure for the certificates and point the OpenSSL CA configuration at it.

mkdir -p /work/openldap/{private,certs,newcerts}
vi /usr/lib/ssl/openssl.cnf

On Debian/Ubuntu /usr/lib/ssl/openssl.cnf is a symlink to /etc/ssl/openssl.cnf, so either path edits the same file. In the [ CA_default ] section set dir to the new tree (no trailing slash, the other paths are built as $dir/...):

[ CA_default ]

#dir             = ./demoCA              # Where everything is kept
dir             = /work/openldap
certs           = $dir/certs            # Where the issued certs are kept

The remaining entries in that section (database = $dir/index.txt, serial = $dir/serial, new_certs_dir = $dir/newcerts, private_key = $dir/private/cakey.pem, certificate = $dir/certs/cacert.pem) are already relative to $dir, which is why the CA key and certificate below use exactly those file names. Create the CA database and the serial file; the serial is hexadecimal (0x1001 = 4097, the number openssl ca prints when the first certificate is signed):

echo "1001" > /work/openldap/serial
touch /work/openldap/index.txt

Let’s create the CA key.

openssl genrsa -aes256 \
	-out /work/openldap/private/cakey.pem \
	4096

To remove the passphrase from the CA key:

openssl rsa -in /work/openldap/private/cakey.pem -out /work/openldap/private/cakey.pem
chmod 600 /work/openldap/private/cakey.pem

Removing the passphrase is convenient in a lab, but this is the one key that can issue certificates every client will trust: anyone who can read the file can mint a valid ldap.devops-db.info certificate. If you keep it encrypted, openssl ca simply prompts for the passphrase at signing time. Either way, keep the CA key off the LDAP server; only the CA certificate is copied there later.

The next step is to create the CA certificate, valid for ten years. The -addext puts a subjectAltName with the wildcard on the CA certificate; that is harmless but does nothing, because clients match the host name against the server certificate, never against the CA. An address has to be an IP: entry, not DNS:. Two things about the subject: giving the CA a CN of its own (for example "Devops-DB CA") makes it easier to tell the two certificates apart, and C, ST and O matter, because the default policy_match of openssl ca requires the server CSR to repeat them exactly.

openssl req -new -x509 \
	-days 3650 \
	-key /work/openldap/private/cakey.pem \
	-out /work/openldap/certs/cacert.pem \
	-subj "/C=PT/ST=Porto/L=Porto/O=Devops-DB/CN=ldap.devops-db.info/emailAddress=admin@devops-db.info" \
	-addext "subjectAltName = DNS:*.devops-db.info,DNS:devops-db.info,IP:172.21.5.150"

Change the openssl.cnf configuration so that CSRs carry a v3_req extension section with the subjectAltName. Two edits are needed: uncomment req_extensions in the [ req ] section, and set copy_extensions = copy in [ CA_default ]. Without the second one openssl ca ignores every extension in the CSR and the issued certificate ends up without a SAN (request extensions are only a request; the CA decides what goes on the certificate).

vi /usr/lib/ssl/openssl.cnf

[ CA_default ]
copy_extensions = copy                  # carry the CSR's subjectAltName onto the issued certificate

[ req ]
req_extensions = v3_req # The extensions to add to a certificate request 

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.devops-db.info
DNS.2 = devops-db.info
IP.1 = 172.21.5.150

The wildcard *.devops-db.info matches exactly one label, so it covers ldap.devops-db.info. With copy_extensions = copy the CA copies whatever it finds in the request, so only sign CSRs you generated yourself or inspect them first (openssl req -noout -text -in file.csr); the extensions in the CA's own usr_cert section, including basicConstraints = CA:FALSE, still take precedence over copied ones.

From here on we generate the LDAP server key and certificate request and sign the certificate with the CA.

Generate the LDAP server key.

openssl genrsa -aes256 -out /work/openldap/private/ldapserver-key.key 4096

Remove the passphrase from the key. slapd cannot prompt for one at start-up, so the key it loads has to be unencrypted (generating it without -aes256 in the first place gives the same result in one step).

openssl rsa \
	-in /work/openldap/private/ldapserver-key.key \
	-out /work/openldap/private/ldapserver-key.key

Generate the certificate signing request (CSR). With the default policy_match of openssl ca, C, ST and O must be identical to the CA certificate or signing is refused, CN must be present, and any field the policy does not list (L here) is silently dropped from the issued certificate, which is why localityName is missing from the signed certificate below. Because req_extensions is set, the subjectAltName from [alt_names] goes into the request automatically; check it with openssl req -noout -text -in /work/openldap/certs/ldapserver-cert.csr.
If you prefer, there are websites that build the CSR text for you, for example https://decoder.link/csr_generator, but never let such a site generate the private key: the key must only ever exist on hosts you control.

openssl req -new \
	-key /work/openldap/private/ldapserver-key.key \
	-out /work/openldap/certs/ldapserver-cert.csr \
	-subj "/C=PT/ST=Porto/L=Porto/O=Devops-DB/CN=ldap.devops-db.info/emailAddress=admin@devops-db.info"

Now sign the CSR with the CA. openssl ca takes everything else (database, serial, extensions, the one-year default_days) from openssl.cnf, prints the certificate it is about to issue and asks for confirmation twice; add -batch to skip the prompts in scripts.

$ openssl ca -keyfile /work/openldap/private/cakey.pem \
	-cert /work/openldap/certs/cacert.pem \
	-in /work/openldap/certs/ldapserver-cert.csr \
	-out /work/openldap/certs/ldapserver-cert.crt


Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Apr  8 11:33:14 2024 GMT
            Not After : Apr  8 11:33:14 2025 GMT
        Subject:
            countryName               = PT
            stateOrProvinceName       = Porto
            organizationName          = Devops-DB
            commonName                = ldap.devops-db.info
            emailAddress              = admin@devops-db.info
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                CF:E6:A1:7B:04:27:1E:A4:35:CC:0C:10:6A:F8:16:E8:9E:5A:F6:17
            X509v3 Authority Key Identifier:
                4D:E8:3D:19:C4:D0:76:A8:5C:9D:F4:94:F1:67:FA:18:48:17:CC:4E
Certificate is to be certified until Apr  8 11:33:14 2025 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated

Read the "X509v3 extensions" part of the details before answering y. In the output above there is no Subject Alternative Name: that is what happens when openssl ca runs without copy_extensions = copy in [ CA_default ]. ldapsearch still accepts such a certificate because libldap falls back to the CN when no SAN is present, which is why the mistake goes unnoticed, but browsers and any client with CN fallback disabled refuse it. If the SAN block is missing, answer n, fix the configuration and sign again. The issued certificate is also written to /work/openldap/newcerts/1001.pem and recorded in index.txt.
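The whole procedure above, as an added example that is not code from the original post: one POSIX shell script that builds the CA and the server certificate the same way (openssl genrsa, req, ca) but with its own openssl.cnf, with copy_extensions = copy so the SAN from the CSR lands on the issued certificate, and with a final check that the result chains to the CA and matches both the host name and the IP, which is the test a TLS client performs. Everything in it is an assumption of the example: the working directory, RSA-2048 instead of 4096, a CA with its own CN, an unencrypted CA key and -batch signing; the host name and address are the ones used in this post.

```shell
#!/bin/sh
# Added example, not code from the original post: a self-contained mini-CA that
# issues an OpenLDAP server certificate and then checks that the SAN really is
# on the issued certificate. Assumptions: openssl >= 1.1.1 on PATH, RSA-2048
# for speed, an unencrypted CA key (lab only) and a private openssl.cnf in the
# working directory, so the system file is never edited.
set -eu

# Build the CA and issue the server certificate under WORK.
#   make_ldap_cert /tmp/pki ldap.devops-db.info 172.21.5.150
make_ldap_cert() {
  work=$1; fqdn=$2; ip=$3
  mkdir -p "$work/private" "$work/certs" "$work/newcerts"
  : > "$work/index.txt"                  # the CA database
  echo 'unique_subject = yes' > "$work/index.txt.attr"
  echo 1000 > "$work/serial"             # first serial number, in hex
  # copy_extensions = copy is what carries the CSR's subjectAltName onto the
  # issued certificate; the stock openssl.cnf leaves it unset and the SAN is
  # silently dropped. Extensions in [ server_cert ] always override the CSR,
  # so a request cannot turn itself into a CA certificate.
  cat > "$work/openssl.cnf" <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/private/cakey.pem
certificate = $dir/certs/cacert.pem
default_md = sha256
default_days = 365
policy = policy_loose
copy_extensions = copy
x509_extensions = server_cert
# subject parts not listed in the policy are dropped from the certificate
[ policy_loose ]
countryName = optional
organizationName = optional
commonName = supplied
[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
CN = replaced by -subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  (
    cd "$work"
    openssl genrsa -out private/cakey.pem 2048 2>/dev/null
    # the CA gets its own CN so it is never mistaken for the server cert
    openssl req -new -x509 -config openssl.cnf -key private/cakey.pem \
      -days 3650 -subj "/C=PT/O=Devops-DB/CN=Devops-DB Lab CA" \
      -out certs/cacert.pem
    openssl genrsa -out private/ldapserver-key.key 2048 2>/dev/null
    # the SAN goes on the CSR; an address is an IP: entry, never DNS:
    openssl req -new -config openssl.cnf -key private/ldapserver-key.key \
      -subj "/C=PT/O=Devops-DB/CN=$fqdn" \
      -addext "subjectAltName=DNS:$fqdn,IP:$ip" -out certs/ldapserver-cert.csr
    # -batch answers the two y/n prompts; set -e aborts the run on failure
    openssl ca -config openssl.cnf -batch -notext \
      -in certs/ldapserver-cert.csr -out certs/ldapserver-cert.crt 2>/dev/null
  )
}

# The SAN as it appears on the issued certificate, spaces removed, e.g.
# DNS:ldap.devops-db.info,IPAddress:172.21.5.150 (empty if there is none).
issued_san() {   # WORK
  openssl x509 -in "$1/certs/ldapserver-cert.crt" -noout -text |
    awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# Chain and name check, the same test a TLS client performs. Prints OK or FAIL.
check_name() {   # WORK HOSTNAME
  if openssl verify -CAfile "$1/certs/cacert.pem" -verify_hostname "$2" \
       "$1/certs/ldapserver-cert.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
check_ip() {     # WORK ADDRESS
  if openssl verify -CAfile "$1/certs/cacert.pem" -verify_ip "$2" \
       "$1/certs/ldapserver-cert.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Stand-alone use: sh mkcert.sh /tmp/pki ldap.devops-db.info 172.21.5.150
if [ $# -eq 3 ]; then
  make_ldap_cert "$1" "$2" "$3"
  echo "SAN: $(issued_san "$1")"
  echo "name $2: $(check_name "$1" "$2")   ip $3: $(check_ip "$1" "$3")"
fi
```

Running sh mkcert.sh /tmp/pki ldap.devops-db.info 172.21.5.150 prints the SAN line and OK for both checks. Remove copy_extensions = copy from the generated config and the SAN line comes back empty and check_ip fails; check_name still passes, but only because OpenSSL falls back to the CN when a certificate has no SAN at all, which is the trap the openssl ca output above walked into.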

Enabling TLS in LDAP

When I created the VM I mapped the /work folder of my host into it, which makes copying files easier.
The certificates were generated in /work/openldap/ in the previous step; on the OpenLDAP VM they go to /etc/ssl/openldap.
First create the folder structure, then copy the files and fix ownership and permissions: slapd runs as the openldap user and must be able to read the key, and nobody else should.

mkdir -p /etc/ssl/openldap/{private,certs}
cp /work/openldap/certs/cacert.pem /etc/ssl/openldap/certs/cacert.pem
cp /work/openldap/certs/ldapserver-cert.crt /etc/ssl/openldap/certs/ldapserver-cert.crt
cp /work/openldap/private/ldapserver-key.key /etc/ssl/openldap/private/ldapserver-key.key
chown -R openldap: /etc/ssl/openldap/
chmod 700 /etc/ssl/openldap/private
chmod 600 /etc/ssl/openldap/private/ldapserver-key.key

Validate that the certificate chains to the CA (add -verify_hostname ldap.devops-db.info to also check the name clients will connect with, which is what a TLS client actually does):

$ openssl verify -CAfile /etc/ssl/openldap/certs/cacert.pem /etc/ssl/openldap/certs/ldapserver-cert.crt
/etc/ssl/openldap/certs/ldapserver-cert.crt: OK

Create the LDIF file with the certificate settings and import it into cn=config. Keep the three attributes in one modify operation: slapd validates the new TLS configuration when it applies the change, and a certificate without its key (or the other way round) is rejected. replace is used for all three so the same file works whether or not the attributes already exist.

mkdir -p /work/tls
cat << EOL > /work/tls/ldap-tls.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key
EOL


ldapmodify -Y EXTERNAL -H ldapi:/// -f /work/tls/ldap-tls.ldif

The result should be:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Validate with slapcat whether the configuration imports were successful.

$ slapcat -b "cn=config" | grep -E "olcTLS"

olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key

Then edit the client-side configuration, /etc/ldap/ldap.conf, so that the OpenLDAP tools on this host (ldapsearch, ldapwhoami and anything else built on libldap) trust the new CA. Leave TLS_REQCERT at its default of demand; setting it to never or allow "fixes" certificate errors by switching verification off.

$ vi /etc/ldap/ldap.conf

TLS_CACERT	/etc/ssl/openldap/certs/cacert.pem

This point is important and rarely shown in tutorials. With the olcTLS* attributes set, slapd already accepts StartTLS on the plain ldap:/// port (389), but it does not listen on ldaps:/// (636, TLS from the first byte) until the slapd defaults are changed:

vi /etc/default/slapd

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Restart the service:

systemctl restart slapd

Validate that the ports are open and the slapd service is listening on both (on systems without netstat, ss -ntlp shows the same):

$ netstat -ntlp

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3708/slapd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      3708/slapd
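The enabling steps above (copying the files, cn=config, SLAPD_SERVICES) end with a port check, which says nothing about whether the TLS material is usable. The script below is an added example, not part of the original post, that bundles the checks worth running on the VM before and after the restart: key ownership and mode, that certificate and key are a pair, the chain, and a live StartTLS/LDAPS probe with openssl s_client. It assumes GNU stat, openssl 1.1.1 or newer and the paths used in this post; make_selfsigned builds constructed throwaway material so the offline checks can be tried without the real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks to run on the
# OpenLDAP host before and after "systemctl restart slapd". Assumptions: GNU
# coreutils stat, openssl >= 1.1.1, the paths used above and, for the live
# probe only, a slapd that is already reachable. make_selfsigned only builds
# throwaway material so the offline checks can be tried without a real CA.
set -eu

# The key must belong to the slapd user and carry no permission bits for
# "other"; 0600 or 0640 owned by openldap is what slapd needs at start-up.
key_perms() {   # KEYFILE EXPECTED_OWNER -> ok | world-readable | wrong-owner
  mode=$(stat -c '%a' "$1"); owner=$(stat -c '%U' "$1")
  case $mode in *[1-7]) echo world-readable; return 0 ;; esac
  [ "$owner" = "$2" ] && echo ok || echo wrong-owner
}

# The certificate and key have to be a pair. If they are not, slapd refuses
# to start with a generic TLS initialisation error that names neither file,
# so compare the public key in each before touching cn=config.
cert_matches_key() {   # CERTFILE KEYFILE -> match | mismatch
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Live probe. StartTLS on 389 works as soon as the olcTLS* attributes are
# set; ldaps on 636 only after SLAPD_SERVICES includes ldaps:///.
# -verify_return_error turns a chain or name problem into a hard failure,
# which is what every real client does, instead of a warning and exit 0.
tls_probe() {   # HOST CAFILE
  host=$1; ca=$2
  echo | openssl s_client -connect "$host:389" -starttls ldap -CAfile "$ca" \
    -verify_hostname "$host" -verify_return_error >/dev/null 2>&1 \
    && echo "starttls 389: ok" || echo "starttls 389: FAIL"
  echo | openssl s_client -connect "$host:636" -CAfile "$ca" \
    -verify_hostname "$host" -verify_return_error >/dev/null 2>&1 \
    && echo "ldaps 636: ok" || echo "ldaps 636: FAIL"
}

# Constructed test material: a throwaway self-signed certificate and key
# called NAME under DIR (not a CA, just something to run the checks against).
make_selfsigned() {   # DIR NAME
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
    "$2" > "$1/$2.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/$2.cnf" -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Stand-alone use: sh tlscheck.sh CERT KEY CAFILE [HOST]
if [ $# -ge 3 ]; then
  echo "key permissions: $(key_perms "$2" openldap)"
  echo "cert/key pair:   $(cert_matches_key "$1" "$2")"
  openssl verify -CAfile "$3" "$1"
  if [ $# -ge 4 ]; then tls_probe "$4" "$3"; fi
fi
```

From a client, ldapwhoami -x -H ldaps://ldap.devops-db.info and ldapsearch -x -ZZ -H ldap://ldap.devops-db.info -b '' -s base exercise the same two paths through libldap, with TLS_CACERT from /etc/ldap/ldap.conf doing the verification; -ZZ makes ldapsearch fail rather than continue in clear text if StartTLS does not succeed.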
