OpenLDAP (SSL/TLS security)

Now it is time to add SSL/TLS security to the LDAP service to make encrypted communications:

1. Installation: Install the libraries and needed software to support TLS, the successor to SSL:

   • You should use the GnuTLS implementation to manage TLS certificates.

2. Generating TLS keys/certificates: To carry out a process as similar as possible to real life, it will be necessary to create a CA(3) (Certificate Authority). This method is secure and easy to scale but requires more work initially and more long-term maintenance. With that certificate, you will be able to sign and validate service TLS certificates, like the LDAP service certificate:

   • Generate the CA certificate (self-signed) to sign and validate the LDAP service certificate:

     • Generate a CA private key:

       1. File name: CA_server-01.localdomain.key (4).

       2. Key size (bits): 4096

       3. Rest of params by default.

     • Generate the CA certificate and sign it yourself using the private key. The certificate public key will be integrated into the CA certificate (automatically).

       1. File name: CA_server-01.localdomain.cert (5).

       2. Sign mode: self-signed

       3. Profile:

          • This certificate will be a CA certificate

          • This certificate will be used to sign other certificates

       4. Other data (6):

          • Certificate type: X.509 (default)

          • Expiration days: 365 days

          • Country of the subject: ES

          • State: Cantabria

          • Locality: Santander

          • Organization: UC

          • Unit: DGSI

          • “Common name”: server-01.localdomain (8)

          • e-mail: sistemas@localdomain

   • Generate the LDAP service certificate that you will sign using the CA certificate (private key):

     • Generate a LDAP certificate private key:

       1. File name: ldap_server-01.localdomain.key (4).

       2. Key size (bits): 4096

       3. Rest of params by default.

     • Generate the LDAP service certificate and sign it yourself using the CA private key:

       1. File name: ldap_server-01.localdomain.cert (5).

       2. Sign mode: signed by a CA

       3. Profile:

          • This certificate will be used to encrypt data

          • This certificate will be used for a TLS server

       4. Other data (7):

          • Certificate type: X.509 (default)

          • Expiration days: 365 days

          • Country of the subject: ES

          • State: Cantabria

          • Locality: Santander

          • Organization: UC

          • Unit: DGSI

          • “Common name”: server-01.localdomain (9)

          • e-mail: sistemas@localdomain

3. Re-configuration; Enable secure LDAP connections using TLS:

   • System level:

     • LDAP service must be run under the openldap user permission, which will also belong to the ssl-cert group.

     • Modify the group property permission of the LDAP service key (ldap_server-01.localdomain.key) to the ssl-cert group.

       1. Check the access permissions for that file.

   • LDAP Service:

     • Modify the LDAP service (slapd) configuration to enable SSL/TLS security:

       1. Hostname: server-01.localdomain (9)

       2. TCP port: 636

   • LDAP Directory:

     • Add to LDAP directory configuration (OLC --> cn=config) the required entries about the PATHs of CA certificate, LDAP service certificate and its private key (service).

4. Checking:

   • LDAP Service:

     • Check that the LDAP service (slapd) is running and it is listening in the secure TLS port (636).

   • TLS certificate:

     • Check that the LDAP service certificate (TLS) is “ok” through the same LDAP service.

   • LDAP Directory:

     • Check that the LDAP service is operative (ldaps), using the OpenLDAP client tools.

More details in reference [6][7]

(3) A CA (sign) is a trusted entity that issues electronic certificates (docs) that verify a digital entity’s identity on the Internet. In our case, we will act as a CA who will validate service certificates such as the LDAP certificate.

(4) PATH /etc/ssl/private

(5) PATH /etc/ssl/certs --> Make sure that the ldap service (slapd) user is the owner (UNIX permissions) of the LDAP certificate private key file

(6) You can use a template: CA_server-01.localdomain.info

(7) You can use a template: ldap_server-01.localdomain.info

(8) It is very important to use the FQDN and not its IP or another value.

(9) It is very important that you establish here the same name that we used in LDAP service certificate creation. It is the "Common name" field: FQDN