
Configure OpenLDAP with TLS/SSL


Configure OpenLDAP Server

  1. Install OpenLDAP-Server RPM
    • Use yum to install the following RPMs:

        [root@openldap-server ~]# yum -y install openldap openldap-servers openldap-clients

    • Start and enable the openldap-server daemon:

        [root@openldap-server ~]# systemctl start slapd.service
        [root@openldap-server ~]# systemctl enable slapd.service
        Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
        [root@openldap-server ~]#
  2. Set LDAP root account password and generate hash
    • Run slappasswd to set the LDAP root password and generate its hash.
    • Keep a note of both the password and its hash, as these will be used later in the configuration.

        [root@openldap-server ~]# slappasswd
        New password:
        Re-enter new password:
        {SSHA}JNNjNtlq2ZtO7oDvcR+7YbTuOvx8nv5V
        [root@openldap-server ~]#
  3. Add LDAP server initial configuration Attribute
    • Create base_config.ldif file with the following contents:

        [root@openldap-server ~]# vi base_config.ldif
        dn: olcDatabase={2}hdb,cn=config
        changetype: modify
        replace: olcSuffix
        olcSuffix: dc=linuxtechspace,dc=com

        dn: olcDatabase={2}hdb,cn=config
        changetype: modify
        replace: olcRootDN
        olcRootDN: cn=root,dc=linuxtechspace,dc=com

        dn: olcDatabase={2}hdb,cn=config
        changetype: modify
        add: olcRootPW
        olcRootPW: {SSHA}JNNjNtlq2ZtO7oDvcR+7YbTuOvx8nv5V

        dn: olcDatabase={1}monitor,cn=config
        changetype: modify
        replace: olcAccess
        olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=linuxtechspace,dc=com" read by * none

    • Deploy the configuration change to the LDAP server:

        [root@openldap-server ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f base_config.ldif
        SASL/EXTERNAL authentication started
        SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
        SASL SSF: 0
        modifying entry "olcDatabase={2}hdb,cn=config"
        modifying entry "olcDatabase={2}hdb,cn=config"
        modifying entry "olcDatabase={2}hdb,cn=config"
        modifying entry "olcDatabase={1}monitor,cn=config"
  4. Create Custom CA-Signed Certificate
    • Create the root CA key:

        [root@openldap-server ~]# cd /etc/openldap/certs/
        [root@openldap-server ~]# openssl genrsa -out LTSrootCA.key 2048

    • Using the root CA key, create the self-signed root CA certificate:

        [root@openldap-server ~]# openssl req -x509 -new -nodes -key LTSrootCA.key -sha256 -days 1024 -out LTSrootCA.pem
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [XX]:US
        State or Province Name (full name) []:TN
        Locality Name (eg, city) [Default City]:Memphis
        Organization Name (eg, company) [Default Company Ltd]:Linux Tech Space
        Organizational Unit Name (eg, section) []:IT
        Common Name (eg, your name or your server's hostname) []:openldap-server.linuxtechspace.com
        Email Address []:admin@linuxtechspace.com

    • Create a private key for the LDAP server:

        [root@openldap-server ~]# openssl genrsa -out LTSldap.key 2048

    • Using the LDAP server private key, create a certificate signing request (CSR):

        [root@openldap-server ~]# openssl req -new -key LTSldap.key -out LTSldap.csr
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [XX]:US
        State or Province Name (full name) []:TN
        Locality Name (eg, city) [Default City]:Memphis
        Organization Name (eg, company) [Default Company Ltd]:Linux Tech Space
        Organizational Unit Name (eg, section) []:IT
        Common Name (eg, your name or your server's hostname) []:openldap-server.linuxtechspace.com
        Email Address []:admin@linuxtechspace.com

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:

    • Sign the certificate signing request (CSR) using the custom root CA:

        [root@openldap-server ~]# openssl x509 -req -in LTSldap.csr -CA LTSrootCA.pem -CAkey LTSrootCA.key -CAcreateserial -out LTSldap.crt -days 1460 -sha256
        Signature ok
        subject=/C=US/ST=TN/L=Memphis/O=Linux Tech Space/OU=IT/CN=openldap-server.linuxtechspace.com/emailAddress=admin@linuxtechspace.com
        Getting CA Private Key

    • Set the user and group ownership on all newly created certificates:

        [root@openldap-server ~]# chown ldap:ldap /etc/openldap/certs/LTS*

    • Verify the newly created LDAP certificate files:

        [root@openldap-server ~]# ls -l /etc/openldap/certs/LTS*
        -rw-r--r-- 1 ldap ldap 1387 Jun 13 20:10 LTSldap.crt
        -rw-r--r-- 1 ldap ldap 1094 Jun 13 20:07 LTSldap.csr
        -rw-r--r-- 1 ldap ldap 1675 Jun 13 20:06 LTSldap.key
        -rw-r--r-- 1 ldap ldap 1675 Jun 13 20:01 LTSrootCA.key
        -rw-r--r-- 1 ldap ldap 1505 Jun 13 20:03 LTSrootCA.pem
        -rw-r--r-- 1 ldap ldap   17 Jun 13 20:10 LTSrootCA.srl
  5. Set self-signed certificate Attribute in LDAP Configuration
    • Create certs.ldif file with the following contents:

        [root@openldap-server ~]# vi certs.ldif
        dn: cn=config
        changetype: modify
        replace: olcTLSCertificateFile
        olcTLSCertificateFile: /etc/openldap/certs/LTSldap.crt
        -
        replace: olcTLSCACertificateFile
        olcTLSCACertificateFile: /etc/openldap/certs/LTSrootCA.pem
        -
        replace: olcTLSCertificateKeyFile
        olcTLSCertificateKeyFile: /etc/openldap/certs/LTSldap.key

    • Deploy the configuration change to the LDAP server:

        [root@openldap-server ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
        SASL/EXTERNAL authentication started
        SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
        SASL SSF: 0

    • Verify that the three TLS attributes are now set in cn=config:

        [root@openldap-server ~]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
        dn: cn=config
        olcTLSCertificateFile: /etc/openldap/certs/LTSldap.crt
        olcTLSCACertificateFile: /etc/openldap/certs/LTSrootCA.pem
        olcTLSCertificateKeyFile: /etc/openldap/certs/LTSldap.key
  6. Add in-built LDAP schemas
    • Load the cosine, nis and inetorgperson schemas shipped with the package:

        [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif
        [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif
        [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif
  7. Set LDAP Domain Attribute
    • Create create_domain.ldif file with the following contents:

        [root@openldap-server ~]# vi create_domain.ldif
        dn: dc=linuxtechspace,dc=com
        objectClass: dcObject
        objectClass: organization
        dc: linuxtechspace
        o: linuxtechspace

        dn: ou=users,dc=linuxtechspace,dc=com
        objectClass: organizationalUnit
        ou: users

    • Deploy the configuration change to the LDAP server:

        [root@openldap-server ~]# ldapadd -x -W -D cn=root,dc=linuxtechspace,dc=com -f create_domain.ldif
        Enter LDAP Password:
        adding new entry "dc=linuxtechspace,dc=com"
        adding new entry "ou=users,dc=linuxtechspace,dc=com"

      Enter the LDAP root account password set in the initial steps when prompted.

  8. Adding LDAP User
    • Create an LDAP password hash for the sample test user:

        [root@openldap-server ~]# slappasswd
        New password:
        Re-enter new password:
        {SSHA}r/xCHez+Sik4Y7TfirPDVXdsWuD7+Kd4
        [root@openldap-server ~]#

    • Create create_test_user.ldif file with the following contents:

        [root@openldap-server ~]# vi create_test_user.ldif
        dn: uid=test,ou=users,dc=linuxtechspace,dc=com
        uid: test
        cn: test
        objectClass: shadowAccount
        objectClass: top
        objectClass: person
        objectClass: inetOrgPerson
        objectClass: posixAccount
        userPassword: {SSHA}r/xCHez+Sik4Y7TfirPDVXdsWuD7+Kd4
        shadowLastChange: 17016
        shadowMin: 0
        shadowMax: 99999
        shadowWarning: 7
        loginShell: /bin/bash
        uidNumber: 1002
        gidNumber: 1002
        homeDirectory: /home/test
        sn: test

        dn: cn=test,ou=users,dc=linuxtechspace,dc=com
        objectClass: posixGroup
        objectClass: top
        cn: test
        userPassword: {crypt}x
        gidNumber: 1002

    • Deploy the configuration change to the LDAP server:

        [root@openldap-server ~]# ldapadd -x -W -D cn=root,dc=linuxtechspace,dc=com -f create_test_user.ldif
        Enter LDAP Password:
        adding new entry "uid=test,ou=users,dc=linuxtechspace,dc=com"
        adding new entry "cn=test,ou=users,dc=linuxtechspace,dc=com"

      Enter the LDAP root account password set in the initial steps when prompted.

  9. Enable TLS/SSL in LDAP configuration file
    • Add the ldaps:/// URL to the SLAPD_URLS parameter so slapd also listens on port 636:

        [root@openldap-server ~]# vi /etc/sysconfig/slapd
        SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

    • Add the following parameters to the client-side LDAP configuration:

        [root@openldap-server ~]# vi /etc/openldap/ldap.conf
        TLS_CACERTDIR /etc/openldap/certs
        TLS_REQCERT never

    • Restart the service:

        [root@openldap-server ~]# systemctl restart slapd
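The {SSHA} value that slappasswd prints in steps 2 and 8 is base64(SHA-1(password + salt) + salt) with a 4-byte salt, and it is what slapd compares against on a simple bind. The following is an added example, not code from the article: it builds and verifies such a value in Python and emits the user/group LDIF of step 8 for an arbitrary uid; the sample password and the helper names are constructed here.

```python
"""Build/verify slappasswd-style {SSHA} values and emit posixAccount LDIF.
Added example; the password and function names are constructed, not from the article."""
import base64
import hashlib
import os

BASE_DN = "dc=linuxtechspace,dc=com"      # suffix configured in step 3
USERS_OU = f"ou=users,{BASE_DN}"          # container created in step 7


def ssha_hash(password: str, salt: bytes = None) -> str:
    """{SSHA} = base64(sha1(password + salt) + salt); slappasswd uses a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Recompute the salted digest from the stored value, as slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False                      # other schemes ({crypt}, {SHA}, ...) not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]     # SHA-1 digest is 20 bytes; whatever follows is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def user_ldif(uid: str, uid_number: int, password_hash: str, shell: str = "/bin/bash") -> str:
    """LDIF for a posixAccount plus its private posixGroup, mirroring step 8 (shadow attributes omitted)."""
    lines = [
        f"dn: uid={uid},{USERS_OU}",
        f"uid: {uid}", f"cn: {uid}", f"sn: {uid}",
        "objectClass: top", "objectClass: person", "objectClass: inetOrgPerson",
        "objectClass: posixAccount", "objectClass: shadowAccount",
        f"userPassword: {password_hash}",
        f"loginShell: {shell}", f"uidNumber: {uid_number}", f"gidNumber: {uid_number}",
        f"homeDirectory: /home/{uid}",
        "",
        f"dn: cn={uid},{USERS_OU}",
        "objectClass: top", "objectClass: posixGroup",
        f"cn: {uid}", f"gidNumber: {uid_number}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    h = ssha_hash("s3cret-example")       # constructed sample password
    print(user_ldif("test", 1002, h))
```

The emitted LDIF can be fed to ldapadd exactly as create_test_user.ldif is in step 8.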



View OpenLDAP Server Configuration

  1. Check DB File Config

        [root@openldap-server ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=\*

  2. Check Domain Config

        [root@openldap-server ~]# ldapsearch -x -b dc=linuxtechspace,dc=com

  3. Check User Config

        [root@openldap-server ~]# ldapsearch -x -b "dc=linuxtechspace,dc=com" "(cn=test)"



OpenLDAP Client Configuration

  1. Install OpenLDAP Client RPM

        [root@openldap-client ~]# yum -y install openldap openldap-clients nss-pam-ldapd nscd

  2. Enable LDAP Client Configuration

        [root@openldap-client ~]# authconfig --enableldap --enableldapauth --ldapserver=ldaps://openldap-server.linuxtechspace.com \
            --ldapbasedn="dc=linuxtechspace,dc=com" --enablemkhomedir --disableldaptls --update

  3. Verify nsswitch Setting
     Check the /etc/nsswitch.conf file to make sure the ldap option is configured for the following three parameters:

        [root@openldap-client ~]# vi /etc/nsswitch.conf
        passwd: files sss ldap
        shadow: files sss ldap
        group: files sss ldap

  4. Add the following parameter to the nslcd configuration:

        [root@openldap-client ~]# vi /etc/nslcd.conf
        tls_reqcert allow

  5. Configure TLS/SSL Certificate
     Copy the CA certificate from the LDAP server:

        [root@openldap-client ~]# cd /etc/openldap/cacerts/
        [root@openldap-client ~]# scp openldap-server:/etc/openldap/certs/LTSrootCA.pem .

     Create the c_hash (subject hash) symlink for the CA certificate, which is how a TLS_CACERTDIR-style directory is indexed:

        [root@openldap-client ~]# /etc/pki/tls/misc/c_hash /etc/openldap/cacerts/LTSrootCA.pem
        3646b900.0 => /etc/openldap/cacerts/LTSrootCA.pem
        [root@openldap-client ~]# ln -s /etc/openldap/cacerts/LTSrootCA.pem 3646b900.0
        [root@openldap-client ~]# ls -l /etc/openldap/cacerts
        lrwxrwxrwx 1 root root   35 Jun 13 21:59 3646b900.0 -> /etc/openldap/cacerts/LTSrootCA.pem
        -rw-r--r-- 1 root root 1505 Jun 13 21:58 LTSrootCA.pem

  6. Start and Enable NSCD Services

        [root@openldap-client ~]# systemctl start nscd nslcd
        [root@openldap-client ~]# systemctl enable nscd nslcd

  7. Query test user information from LDAP Server

        [root@openldap-client ~]# getent passwd test
        test:x:1002:1002:test:/home/test:/bin/bash
        [root@openldap-client ~]#

  8. Log in to the client with the test user. The user's home directory will be auto-created:

        login as: test
        test@openldap-client's password:
        Creating directory '/home/test'.
        [test@openldap-client ~]$

    We are all done now!
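With TLS_REQCERT never in /etc/openldap/ldap.conf and tls_reqcert allow in /etc/nslcd.conf, the client accepts whatever certificate the ldaps:// server presents, so the copied LTSrootCA.pem is never actually used to reject an impostor. The following is an added example, not part of the article: it performs the check a strict client would, pinning the custom root CA and enforcing hostname matching against the server's CN. The host, port and CA path are the article's values and are assumptions for your deployment.

```python
"""Probe an ldaps:// endpoint with chain and hostname verification enforced.
Added example; LDAP_HOST and CA_FILE are assumed from the article, adjust as needed."""
import socket
import ssl

LDAPS_PORT = 636
CA_FILE = "/etc/openldap/cacerts/LTSrootCA.pem"        # root CA copied to the client
LDAP_HOST = "openldap-server.linuxtechspace.com"       # CN in the server certificate


def ldaps_context(cafile: str = None) -> ssl.SSLContext:
    """Strict client context: the chain must validate against cafile (or the system
    store when None) and the CN/SAN must match the host. This is the opposite of
    TLS_REQCERT never / tls_reqcert allow, which accept any certificate."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets verify_mode=CERT_REQUIRED and check_hostname=True.
    return ctx


def probe_ldaps(host: str, cafile: str, port: int = LDAPS_PORT, timeout: float = 5.0):
    """Complete a TLS handshake and return (subject CN, notAfter) of the verified
    certificate. Raises ssl.SSLCertVerificationError if the chain or the hostname
    does not verify, and OSError if the port is unreachable."""
    ctx = ldaps_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # getpeercert() returns the subject as a tuple of RDNs; the article's cert has
    # single-valued RDNs, and no subjectAltName, so the CN is what gets matched.
    subject = dict(rdn[0] for rdn in cert["subject"])
    return subject.get("commonName"), cert["notAfter"]


if __name__ == "__main__":
    cn, not_after = probe_ldaps(LDAP_HOST, CA_FILE)
    print(f"verified {cn}, certificate expires {not_after}")
```

If this probe succeeds, the same CA file can be used with TLS_REQCERT demand (and tls_reqcert demand in nslcd.conf) instead of disabling verification.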