This page describes the installation of an OpenLDAP server with TLS.
Points of departure:
Italic text is quoted from the OpenLDAP Admin guide.
# mkdir /etc/openldap/certs
# pwgen -sy 32 1 > /etc/openldap/certs/password
# certutil -d /etc/openldap/certs -N -f /etc/openldap/certs/password
# head -c 1024 /dev/urandom > /tmp/noise.txt
# certutil -S -n LDAP-CA -t "C,C,C" -x \
    -f /etc/openldap/certs/password \
    -d /etc/openldap/certs \
    -z /tmp/noise.txt \
    -s "CN=LDAP-CA,OU=IT,O=Company,L=City,ST=State,C=NL" \
    -v 120 \
    -Z SHA256 \
    -g 4096
# certutil -S -n 'OpenLDAP Server' -t ",," \
    -c LDAP-CA \
    -f /etc/openldap/certs/password \
    -d /etc/openldap/certs \
    -z /tmp/noise.txt \
    -s "CN=OpenLDAP Server,OU=IT,O=Company,L=City,ST=State,C=NL" \
    -8 "ldap.domain.tld,ldap.mgmt.domain.tld-example!" \
    -v 36 \
    -Z SHA256 \
    -g 4096
# certutil -M -n "LDAP-CA" -t TCu,Cu,Cu -d /etc/openldap/certs
# chmod 440 /etc/openldap/certs/password
# chown ldap. /etc/openldap/certs/*
# certutil -L -d /etc/openldap/certs/
# certutil -K -d /etc/openldap/certs/ -f /etc/openldap/certs/password
# certutil -L -d /etc/openldap/certs/ -n LDAP-CA
# certutil -V -d /etc/openldap/certs -n "OpenLDAP Server" -u C
certutil: certificate is valid
# firewall-cmd --permanent --zone public --add-service=ldaps
success
# firewall-cmd --reload
success
# yum install openldap-clients openldap-servers openldap pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-devel
# vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldaps:///"
# Any custom options
SLAPD_OPTIONS="-g ldap"
# vi /etc/openldap/ldap.conf
BASE dc=<domain>,dc=<tld>
URI ldaps://<FQDN>
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
slaptest -u
systemctl start slapd
systemctl enable slapd
core.schema           OpenLDAP core (required)
cosine.schema         Cosine and Internet X.500 (useful)
inetorgperson.schema  InetOrgPerson (useful)
nis.schema            Network Information Services (FYI)

## already exists:
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}<hash>
# export MYHASH="{SSHA}your-hash"
# export MYDOMAIN=your-domain
# export MYTLD=your-tld
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
-
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage by * none
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read by * none
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=${MYDOMAIN},dc=${MYTLD}
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
-
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by self =xw by anonymous auth by * none
olcAccess: {1}to * by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by self read by users read by * none
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
-
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcIdleTimeout
olcIdleTimeout: 120
EOF

Note that olcTLSProtocolMin is written as an SSL record version: 3.1 still admits TLS 1.0, while 3.3 restricts the server to TLS 1.2 and newer.
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: ${MYHASH}
-
add: olcRequires
olcRequires: LDAPv3 authc
EOF

Note that olcPasswordHash names the scheme slapd uses to hash new passwords (for example {SSHA}, the prefix shown in the slappasswd output above); it does not take a hash value, so check that only the scheme part of MYHASH ends up in this attribute.
# ldapmodify -H ldaps://<FQDN> -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
EOF
# slaptest -u
# systemctl restart slapd
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
# openssl s_client -connect localhost:636 -showcerts -CAfile /tmp/ca.crt
...
Verify return code: 0 (ok)
# ldapwhoami -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
# ldapsearch -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
# ldapsearch -H ldap://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
ldap_bind: Confidentiality required (13)
	additional info: TLS confidentiality required
or:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
# openssl s_client -connect localhost:636 2>&1 | openssl x509 -text | grep DNS
# ldapadd -H ldaps://<FQDN> -x -W -D "cn=Manager,dc=<domain>,dc=<tld>" -f base.ldif

dn: dc=<domain>,dc=<tld>
dc: <domain>
objectClass: top
objectClass: domain

dn: ou=people,dc=<domain>,dc=<tld>
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=<domain>,dc=<tld>
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: ou=hosts,dc=<domain>,dc=<tld>
ou: hosts
objectClass: top
objectClass: organizationalUnit
# nmap --script ssl-enum-ciphers -p 636 ldap.server.tld

Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-07 20:54 CEST
Nmap scan report for ldap.server.tld ()
Host is up (0.00025s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
MAC Address: (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
tshark -f "tcp port 636" -i any