This step is still optional: OpenLDAP works without it, but I wanted a more complete and secure integration with other services and to be able to use SSSD for Linux authentication.
Certificate Generation.
To do this we need a CA certificate and a host certificate signed by it; the host certificate must be issued for the exact name of the host.
First, create a folder structure for the certificates:
mkdir -p /work/openldap/{private,certs,newcerts}
vi /usr/lib/ssl/openssl.cnf
[ CA_default ]
#dir = ./demoCA # Where everything is kept
dir = /work/openldap/
certs = $dir/certs # Where the issued certs are kept
echo "1001" > /work/openldap/serial
touch /work/openldap/index.txt
Let’s create the CA Key.
openssl genrsa -aes256 \
-out /work/openldap/private/cakey.pem \
4096
To remove the passphrase from the CA key:
openssl rsa -in /work/openldap/private/cakey.pem -out /work/openldap/private/cakey.pem
The next step is to create the CA certificate. The following example already includes the wildcard and host names as subjectAltName entries.
openssl req -new -x509 \
-days 3650 \
-key /work/openldap/private/cakey.pem \
-out /work/openldap/certs/cacert.pem \
-subj "/C=PT/ST=Porto/L=Porto/O=Devops-DB/CN=ldap.devops-db.info/emailAddress=admin@devops-db.info" \
-addext "subjectAltName = DNS:*.devops-db.info,DNS:devops-db.info,IP:172.21.5.150"
Change the openssl.cnf configuration so that certificate requests include the v3_req extensions:
vi /usr/lib/ssl/openssl.cnf
req_extensions = v3_req # The extensions to add to a certificate request
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.devops-db.info
DNS.2 = devops-db.info
# An IP address has to be an IP entry; a DNS entry holding an address is not matched by clients
IP.1 = 172.21.5.150
From here on we generate the LDAP server key and certificate request, then sign the request with the CA certificate.
Generate LDAP server key.
openssl genrsa -aes256 -out /work/openldap/private/ldapserver-key.key 4096
Remove the passphrase from the server key:
openssl rsa \
-in /work/openldap/private/ldapserver-key.key \
-out /work/openldap/private/ldapserver-key.key
Generate the certificate signing request (CSR). Note that the subject fields must match the ones you entered when generating the CA: the default openssl ca policy (policy_match) requires country, state and organization to be identical.
If you prefer, there are websites that generate CSR files, example: https://decoder.link/csr_generator
openssl req -new \
-key /work/openldap/private/ldapserver-key.key \
-out /work/openldap/certs/ldapserver-cert.csr \
-subj "/C=PT/ST=Porto/L=Porto/O=Devops-DB/CN=ldap.devops-db.info/emailAddress=admin@devops-db.info"
Finally, sign the CSR with the CA to produce the LDAP server certificate:
$ openssl ca -keyfile /work/openldap/private/cakey.pem \
-cert /work/openldap/certs/cacert.pem \
-in /work/openldap/certs/ldapserver-cert.csr \
-out /work/openldap/certs/ldapserver-cert.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4097 (0x1001)
Validity
Not Before: Apr 8 11:33:14 2024 GMT
Not After : Apr 8 11:33:14 2025 GMT
Subject:
countryName = PT
stateOrProvinceName = Porto
organizationName = Devops-DB
commonName = ldap.devops-db.info
emailAddress = admin@devops-db.info
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
CF:E6:A1:7B:04:27:1E:A4:35:CC:0C:10:6A:F8:16:E8:9E:5A:F6:17
X509v3 Authority Key Identifier:
4D:E8:3D:19:C4:D0:76:A8:5C:9D:F4:94:F1:67:FA:18:48:17:CC:4E
Certificate is to be certified until Apr 8 11:33:14 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
Enabling TLS in LDAP
When creating the VM, I had already mapped the /work folder from my host into the VM, which makes copying files easier.
Since the previous step created all the certificates under /work/openldap/, we now need to copy them to /etc/ssl/openldap on the OpenLDAP VM.
First create the folder structure, then copy the files:
mkdir -p /etc/ssl/openldap/{private,certs,newcerts}
cp /work/openldap/certs/cacert.pem /etc/ssl/openldap/certs/cacert.pem
cp /work/openldap/certs/ldapserver-cert.crt /etc/ssl/openldap/certs/ldapserver-cert.crt
cp /work/openldap/private/ldapserver-key.key /etc/ssl/openldap/private/ldapserver-key.key
chown -R openldap: /etc/ssl/openldap/
Validate that the certificates are all OK:
$ openssl verify -CAfile /etc/ssl/openldap/certs/cacert.pem /etc/ssl/openldap/certs/ldapserver-cert.crt
/etc/ssl/openldap/certs/ldapserver-cert.crt: OK
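The openssl verify check above only proves the chain. A client connecting to the server additionally checks that the host name (or the IP address, if it connects by IP) appears in the certificate's subjectAltName, and openssl verify can do the same with -verify_hostname and -verify_ip. The script below is an added example, not part of the original post: it builds a throwaway CA and two server certificates with the names used in this post and shows that an IP address listed as a DNS: entry passes the chain and host-name checks but fails the IP check, while an IP: entry passes all three. The temporary directory, file names, 2048-bit keys and one-day validity are assumptions made for this example only.

```shell
#!/bin/sh
# Added example, not part of the original post: build a throwaway CA and two
# server certificates in a temporary directory, then check them the way a
# client would (chain, host name, IP address). The host name and IP are the
# ones used in this post; the directory layout, file names, 2048-bit keys and
# one-day validity are choices made for this example only.

HOST="ldap.devops-db.info"
IP="172.21.5.150"

# write_configs <dir>: minimal OpenSSL configs so the example does not depend
# on the system openssl.cnf. The leaf config has one SAN section per style.
write_configs() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$1/leaf.cnf" <<EOF
[ san_dns_only ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:*.devops-db.info,DNS:devops-db.info,DNS:${IP}
[ san_with_ip ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:*.devops-db.info,DNS:devops-db.info,IP:${IP}
EOF
}

# make_ca <dir>: self-signed CA key and certificate.
make_ca() {
    openssl req -new -x509 -days 1 -config "$1/ca.cnf" \
        -newkey rsa:2048 -nodes -keyout "$1/cakey.pem" -out "$1/cacert.pem" \
        -subj "/C=PT/ST=Porto/L=Porto/O=Devops-DB/CN=Devops-DB Test CA" \
        >/dev/null 2>&1
}

# make_leaf <dir> <name> <san section>: server key, CSR and CA-signed cert.
make_leaf() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=PT/ST=Porto/L=Porto/O=Devops-DB/CN=${HOST}" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$1/$2.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -extfile "$1/leaf.cnf" -extensions "$3" -out "$1/$2.crt" >/dev/null 2>&1
}

# verify_cert <dir> <name> [openssl verify options]: exit 0 only if the chain
# and any requested name check pass, which is what a TLS client enforces.
verify_cert() {
    dir="$1"; name="$2"; shift 2
    openssl verify -CAfile "$dir/cacert.pem" "$@" "$dir/$name.crt" >/dev/null 2>&1
}

# run_checks: returns 0 when every expectation below holds.
run_checks() {
    work="$(mktemp -d)" || return 1
    write_configs "$work"
    make_ca "$work" || return 1
    make_leaf "$work" dnsonly san_dns_only || return 1
    make_leaf "$work" withip  san_with_ip  || return 1
    status=0
    # Chain check alone (what "openssl verify -CAfile" does) passes for both.
    verify_cert "$work" dnsonly || status=1
    verify_cert "$work" withip  || status=1
    # Host-name check: the wildcard SAN covers ldap.devops-db.info in both.
    verify_cert "$work" dnsonly -verify_hostname "$HOST" || status=1
    verify_cert "$work" withip  -verify_hostname "$HOST" || status=1
    # IP check: an address written as DNS: is not an iPAddress SAN, so a client
    # connecting by IP rejects the first certificate and accepts the second.
    if verify_cert "$work" dnsonly -verify_ip "$IP"; then status=1; fi
    verify_cert "$work" withip -verify_ip "$IP" || status=1
    # Print the SAN of the good certificate as a client sees it.
    openssl x509 -in "$work/withip.crt" -noout -ext subjectAltName
    rm -rf "$work"
    return $status
}

run_checks && echo "certificate checks behaved as expected"
```

For the real server certificate the equivalent check is openssl verify -CAfile with -verify_hostname ldap.devops-db.info and, if clients will connect by address, -verify_ip 172.21.5.150, run against the signed ldapserver-cert.crt.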
Create the LDIF file with the TLS settings and import it into the cn=config database:
cat << EOL > /work/tls/ldap-tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key
EOL
ldapmodify -Y EXTERNAL -H ldapi:/// -f /work/tls/ldap-tls.ldif
The result should be:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Validate with slapcat that the configuration changes were applied:
$ slapcat -b "cn=config" | grep -E "olcTLS"
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key
Then change ldap.conf so that LDAP clients on this host trust the CA certificate:
$ vi /etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/openldap/certs/cacert.pem
This point is important and rarely shown in tutorials: although slapd is now ready to accept TLS connections, by default it only listens on ldap:/// (port 389). To also listen on ldaps:/// (port 636) you need to change the slapd defaults:
vi /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Restart the service:
systemctl restart slapd
Validate that the ports are open and that the slapd service is listening on both:
$ netstat -ntlp
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 3708/slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 3708/slapd