
Monday, September 15, 2014

Configuring OpenLDAP TLS/SSL

Environment: CentOS 6.5, 64-bit

1. Configuring OpenLDAP TLS

    The following steps need to be performed to enable TLS in OpenLDAP:

    1.1 Log in as root or as a sudo user with root privileges

    1.2 Create the ssl directory

          Create the ssl directory to store the new Certificate Authority, the server certificate, and the server key.
       
      mkdir ssl
      cd ssl

     1.3 Create the new Certificate Authority

      Execute the following command to create the new CA:

       /etc/pki/tls/misc/CA -newca

      The newca command prompts for the following input; the prompts appear in the transcript below.

       a) At the "CA certificate filename (or enter to create)" prompt, press Enter to create a new CA private key. It is stored in /etc/pki/CA/private/ as cakey.pem.
       b) Enter the PEM pass phrase that protects the CA private key.
       c) Enter the CA certificate details; the Common Name is a mandatory field.
     
Making CA certificate ...
Generating a 2048 bit RSA private key
................................+++
..................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'


Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:Example.EDU
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Example.EDU
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9263543358417925999 (0x808eb79aa7edf76f)
        Validity
            Not Before: Sep 15 16:35:54 2014 GMT
            Not After : Sep 14 16:35:54 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = CA
            organizationName          = Example.EDU
            commonName                = Example.EDU
        X509v3 extensions:

            X509v3 Subject Key Identifier:
                10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA
            X509v3 Authority Key Identifier:
                keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 14 16:35:54 2017 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated


   1.4 Copy the CA certificate from /etc/pki/CA/newcerts/ to ssl

The CA certificate is stored in /etc/pki/CA/newcerts/ under a file named after the certificate's randomly generated serial number, in hex, with a .pem extension (the serial number is shown in the output above). In my example the CA certificate name is 808EB79AA7EDF76F.pem.

cp /etc/pki/CA/newcerts/808EB79AA7EDF76F.pem exampleca.pem

You can replace exampleca.pem with a name of your own.

  1.5 Creating the Certificate Request

   The following command creates the certificate request. The Common Name is a mandatory parameter and must be the host name of the OpenLDAP server, because that is the name clients compare against the certificate. In my example the host name is localhost.localdomain. Note that the command writes both the private key and the request into newreq.pem, which is the file the CA -sign step in 1.6 reads.

openssl req -new -nodes -keyout newreq.pem -out newreq.pem

The -nodes argument above prevents encryption of the private key. OpenLDAP only works with unencrypted private keys, since slapd cannot prompt for a pass phrase at startup.


Generating a 2048 bit RSA private key
...............................................................................................................................................+++
.+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


After executing the above command, the newreq.pem file is created in the ssl directory.


   1.6 Signing the Certificate

Execute the following command to sign the certificate request; the signed certificate is stored in the ssl directory as newcert.pem.

/etc/pki/tls/misc/CA -sign


Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9263543358417926000 (0x808eb79aa7edf770)
        Validity
            Not Before: Sep 15 16:43:45 2014 GMT
            Not After : Sep 15 16:43:45 2015 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = CA
            localityName              = San Francisco
            organizationName          = Example
            commonName                = localhost.localdomain
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                83:46:4D:C7:B6:3A:3F:62:3B:87:D5:C4:75:10:18:07:FC:45:5D:9A
            X509v3 Authority Key Identifier:
                keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA

Certificate is to be certified until Sep 15 16:43:45 2015 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9263543358417926000 (0x808eb79aa7edf770)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, O=Example.com, CN=Example.EDU
        Validity
            Not Before: Sep 15 16:43:45 2014 GMT
            Not After : Sep 15 16:43:45 2015 GMT
        Subject: C=US, ST=CA, L=San Francisco, O=Example, CN=localhost.localdomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:20:e8:2b:c3:5c:0d:90:cc:ad:81:3c:34:08:
                    fc:36:d0:ca:6a:0c:06:8c:46:4f:c3:4f:1f:ef:b7:
                    b1:50:42:a7:43:5d:88:73:2f:d2:3e:0a:4e:fe:50:
                    ae:0f:65:26:17:a4:24:cc:4f:1f:5b:72:81:61:fc:
                    ec:32:8e:0f:e5:c3:8e:89:da:87:a7:25:b1:b2:e1:
                    29:db:7e:17:c1:a0:d1:df:80:f1:54:94:2d:30:ef:
                    ab:9f:61:ac:70:24:29:41:7e:a1:31:9f:d4:41:4e:
                    db:23:2e:75:49:b4:c5:e5:92:b2:5f:d9:4b:bd:e3:
                    13:0f:e7:4b:56:a0:bf:70:9b:61:e7:e1:cc:2e:ea:
                    e6:a2:cc:68:ad:83:02:ef:ce:40:31:3f:6a:c4:a0:
                    01:d1:b2:e8:08:a8:a2:93:5f:35:76:56:80:47:3a:
                    4e:65:b3:86:3d:7c:b6:a0:50:66:ca:52:15:7f:f0:
                    4b:41:8e:4d:77:b0:45:ca:f7:ed:ae:c9:a8:26:4e:
                    3d:76:7a:70:f3:ca:ab:2f:89:4c:e3:bb:22:be:24:
                    93:c5:4f:19:c4:a5:3d:99:14:2b:8b:9d:97:57:51:
                    24:c5:d8:88:75:98:fb:d7:35:f7:2c:ab:41:a6:88:
                    40:14:46:c1:2b:88:f7:0c:68:85:97:a8:ad:bb:56:
                    4d:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                83:46:4D:C7:B6:3A:3F:62:3B:87:D5:C4:75:10:18:07:FC:45:5D:9A
            X509v3 Authority Key Identifier:
                keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA

    Signature Algorithm: sha1WithRSAEncryption
         aa:03:f3:dc:bc:20:88:ba:bc:3d:16:06:17:c5:25:a7:87:c8:
         18:96:a8:e0:33:9e:21:3f:ce:a0:54:c8:fd:13:c3:9c:3a:c7:
         1d:d7:0d:b3:8d:a9:64:9f:bf:32:50:59:26:2a:2d:9c:a6:fa:
         f7:67:87:ec:1e:f3:ac:0e:9f:b5:48:47:56:af:93:a5:b7:86:
         bf:9c:63:f7:ab:25:73:d1:8e:55:79:2a:7a:23:16:21:77:28:
         93:ad:a8:64:eb:bc:07:e7:a0:eb:14:69:61:b5:52:a9:2a:47:
         ef:84:9d:c6:5b:1d:c8:bd:8b:b4:61:64:14:88:91:45:68:4f:
         17:61:b1:33:f7:9c:3d:91:a9:31:33:54:ed:9b:7b:13:35:22:
         36:1b:52:23:fe:20:f4:3b:33:74:6f:71:fb:e5:ed:76:28:92:
         00:69:d6:12:03:44:a6:c8:02:ed:72:c1:7e:57:57:0c:58:a2:
         95:a3:db:1c:57:89:b6:92:64:64:4e:f2:2d:d2:8f:95:35:91:
         1b:4c:cd:89:87:44:01:68:2c:91:c9:af:79:69:0b:b1:a2:75:
         a3:15:2f:35:02:a3:26:08:5d:01:6f:6b:8e:d0:f3:36:f7:4f:
         c2:26:d2:a0:7f:ce:cc:36:b1:5a:2a:fb:fb:26:f6:93:c9:87:
         1b:59:fe:c4
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIJAICOt5qn7fdwMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UECgwLRXhhbXBsZS5jb20xFDASBgNV
BAMMC0V4YW1wbGUuRURVMB4XDTE0MDkxNTE2NDM0NVoXDTE1MDkxNTE2NDM0NVow
ZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNp
c2NvMRAwDgYDVQQKDAdFeGFtcGxlMR4wHAYDVQQDDBVsb2NhbGhvc3QubG9jYWxk
b21haW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCIOgrw1wNkMyt
gTw0CPw20MpqDAaMRk/DTx/vt7FQQqdDXYhzL9I+Ck7+UK4PZSYXpCTMTx9bcoFh
/Owyjg/lw46J2oenJbGy4SnbfhfBoNHfgPFUlC0w76ufYaxwJClBfqExn9RBTtsj
LnVJtMXlkrJf2Uu94xMP50tWoL9wm2Hn4cwu6uaizGitgwLvzkAxP2rEoAHRsugI
qKKTXzV2VoBHOk5ls4Y9fLagUGbKUhV/8EtBjk13sEXK9+2uyagmTj12enDzyqsv
iUzjuyK+JJPFTxnEpT2ZFCuLnZdXUSTF2Ih1mPvXNfcsq0GmiEAURsEriPcMaIWX
qK27Vk2RAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T
U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSDRk3Htjo/YjuH1cR1
EBgH/EVdmjAfBgNVHSMEGDAWgBQQRdKhny08aY2GrUjNlzyXE7KhqjANBgkqhkiG
9w0BAQUFAAOCAQEAqgPz3LwgiLq8PRYGF8Ulp4fIGJao4DOeIT/OoFTI/RPDnDrH
HdcNs42pZJ+/MlBZJiotnKb692eH7B7zrA6ftUhHVq+TpbeGv5xj96slc9GOVXkq
eiMWIXcok62oZOu8B+eg6xRpYbVSqSpH74SdxlsdyL2LtGFkFIiRRWhPF2GxM/ec
PZGpMTNU7Zt7EzUiNhtSI/4g9DszdG9x++XtdiiSAGnWEgNEpsgC7XLBfldXDFii
laPbHFeJtpJkZE7yLdKPlTWRG0zNiYdEAWgskcmveWkLsaJ1oxUvNQKjJghdAW9r
jtDzNvdPwibSoH/OzDaxWir7+yb2k8mHG1n+xA==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

  1.7 Renaming the Certificates

    This step is optional. We rename the certificate and key files to follow a naming convention.

     mv newcert.pem servercert.pem
     mv newreq.pem serverkey.pem

  1.8 Copy the certificates from ssl to /etc/openldap/certs/


    cp exampleca.pem /etc/openldap/certs/
    cp server* /etc/openldap/certs/

  1.9 Change the ownership from root to ldap, so that slapd (which runs as the ldap user) can read the files

   chown ldap:ldap /etc/openldap/certs/exampleca.pem
   chown ldap:ldap /etc/openldap/certs/server*
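Steps 1.3 to 1.9 can also be reproduced without the interactive /etc/pki/tls/misc/CA wrapper. The script below is an added example, not part of the original post and not OpenLDAP's or OpenSSL's own code: it builds a throwaway CA and a CA-signed server certificate with the openssl command line, using constructed DN values and the assumed host name ldap.example.edu, and then runs the three checks worth doing before the files are copied into /etc/openldap/certs/: the chain verifies against the CA, the private key matches the certificate, and the certificate's Common Name is the server's host name. It goes beyond the post in two ways: SHA-256 signatures instead of the sha1WithRSAEncryption visible in the transcript above, and a subjectAltName entry, which clients check before the Common Name.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive test PKI plus
# the pre-deployment checks. Directory, host name and DN values are constructed.

# Generate CA key/cert, server key, CSR and a CA-signed server cert in $1 for host $2.
make_test_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir" || return 1

    # Minimal req config so the script does not depend on the system openssl.cnf.
    # v3_ca is applied only to the self-signed CA (-x509); CA:TRUE is required
    # for "openssl verify" to accept the certificate as an issuer.
    printf '%s\n' \
        '[ req ]' \
        'distinguished_name = dn' \
        'x509_extensions = v3_ca' \
        'prompt = no' \
        '[ dn ]' \
        'CN = placeholder' \
        '[ v3_ca ]' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/req.cnf"

    # Step 1.3 equivalent: self-signed CA. The key is unencrypted here only
    # because this is a throwaway test CA; "CA -newca" asks for a pass phrase.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1095 \
        -config "$dir/req.cnf" -subj "/C=US/ST=CA/O=Example.EDU/CN=Example.EDU" \
        -keyout "$dir/cakey.pem" -out "$dir/exampleca.pem" 2>/dev/null || return 1

    # Step 1.5 equivalent: unencrypted server key (slapd cannot prompt) and a CSR
    # whose CN is the server host name.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$dir/req.cnf" \
        -subj "/C=US/ST=CA/L=San Francisco/O=Example/CN=$host" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null || return 1

    # End-entity extensions: not a CA, server use only, and a SAN for the host.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
        "$host" > "$dir/server.ext"

    # Step 1.6 equivalent: sign the CSR with the CA for one year.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/exampleca.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/servercert.pem" 2>/dev/null
}

# Checks before the files go to /etc/openldap/certs/: returns 0 only if the chain
# verifies, the key belongs to the certificate, and the CN equals the host name.
verify_pki() {
    dir="$1"; host="$2"
    # Match on the printed result rather than the exit status, which older
    # openssl releases did not set on verification failure.
    openssl verify -CAfile "$dir/exampleca.pem" "$dir/servercert.pem" 2>&1 \
        | grep -q ': OK$' || { echo "chain verification failed"; return 1; }
    cert_pub=$(openssl x509 -in "$dir/servercert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/serverkey.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 1; }
    openssl x509 -in "$dir/servercert.pem" -noout -subject -nameopt RFC2253 2>/dev/null \
        | grep -qE "CN=$host(,|\$)" || { echo "certificate CN is not $host"; return 1; }
    return 0
}

# Stand-alone run: build a throwaway PKI in a temp dir, check it, clean up.
demo_dir=$(mktemp -d)
if make_test_pki "$demo_dir" ldap.example.edu && verify_pki "$demo_dir" ldap.example.edu; then
    echo "exampleca.pem, servercert.pem and serverkey.pem in $demo_dir passed all checks"
fi
rm -rf "$demo_dir"
```

For a real server, keep the CA key pass-phrase protected as the -newca step does, and after copying the files, give the key to the ldap user with chown and make it readable by that user only; the checks in verify_pki are the ones to rerun whenever the certificate is renewed.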

  1.10 Include the server certificate and server key in the cn=config object

ldapmodify -D cn=config -H ldap://localhost.localdomain -W
Enter Password:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/servercert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/serverkey.pem

   1.11 Modifying the ldap.conf file in /etc/openldap/

    Add the following parameters to the ldap.conf file to enable TLS on the client side. Note that TLS_REQCERT allow means the client requests the server certificate but continues the session even when none is presented or the one presented is bad; demand (the default) makes those failures fatal.

   SSL ON
   TLS_CACERTDIR   /etc/openldap/certs
   TLS_REQCERT Allow
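Because TLS_REQCERT decides whether a failed certificate check stops the connection, the client settings in step 1.11 deserve a second look. The script below is an added example, not from the original post: it places the post's ldap.conf lines (as a constructed string) beside a hardened variant that points TLS_CACERT at the CA file created in step 1.4 and sets TLS_REQCERT demand, and runs a small check over each that reports the weak setting. The check reads only the options documented in ldap.conf(5): TLS_REQCERT with its values never, allow, try, demand and hard, and TLS_CACERT / TLS_CACERTDIR.

```shell
#!/bin/sh
# Added example (not from the original post): weak and hardened client
# ldap.conf side by side, with a check that flags the weak one.

# Weak (the post's lines): "allow" makes a missing or bad server certificate non-fatal.
WEAK_CONF='SSL ON
TLS_CACERTDIR   /etc/openldap/certs
TLS_REQCERT Allow'

# Hardened: pin the CA file from step 1.4 and make verification failures fatal.
HARD_CONF='TLS_CACERT   /etc/openldap/certs/exampleca.pem
TLS_REQCERT  demand'

# Reads an ldap.conf body on stdin, prints findings, and returns 0 only if the
# client will verify the server certificate against a configured CA.
check_ldap_conf() {
    reqcert=demand   # libldap default when TLS_REQCERT is absent
    ca=""
    while read -r key value; do
        case "$key" in
            ''|'#'*) continue ;;   # blank lines and comments
        esac
        # Keywords are case-insensitive in ldap.conf; values compared in lower case.
        ukey=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        lval=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        case "$ukey" in
            TLS_REQCERT)              reqcert="$lval" ;;
            TLS_CACERT|TLS_CACERTDIR) ca="$value" ;;
        esac
    done
    rc=0
    case "$reqcert" in
        demand|hard) ;;
        *) echo "TLS_REQCERT is '$reqcert': server certificate errors are not fatal"; rc=1 ;;
    esac
    if [ -z "$ca" ]; then
        echo "no TLS_CACERT or TLS_CACERTDIR: nothing to verify the server certificate against"
        rc=1
    fi
    return $rc
}

echo "weak config:";     printf '%s\n' "$WEAK_CONF" | check_ldap_conf || echo "-> rejected"
echo "hardened config:"; printf '%s\n' "$HARD_CONF" | check_ldap_conf && echo "-> accepted"
```

With the hardened settings, ldapsearch -ZZ against a server whose certificate was not issued by exampleca.pem, or whose name does not match, fails instead of silently proceeding.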

  1.12 Restart the OpenLDAP server

  /etc/init.d/slapd stop
  /etc/init.d/slapd start


   1.13 Testing the TLS

ldapsearch -H ldap://localhost.localdomain -D cn=Manager,dc=example,dc=edu -b dc=example,dc=edu -s base -W -ZZ
 
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=edu> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# example.edu
dn: dc=example,dc=edu
objectClass: dcObject
objectClass: organization
o: Example
dc: example

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
In the above command I used the -ZZ parameter to issue the StartTLS extended operation and to make its success mandatory; with a single -Z, ldapsearch would carry on in cleartext if StartTLS failed.


2. Configuring OpenLDAP SSL (ldaps)

      2.1 Modify the /etc/sysconfig/ldap file

       Modify the following parameter in the /etc/sysconfig/ldap file to enable SSL (the ldaps:// listener):

SLAPD_LDAPS=yes

    2.2 Restart the OpenLDAP server

     Restart the OpenLDAP server for the changes to take effect.
     
     /etc/init.d/slapd stop
     /etc/init.d/slapd start

     2.3 Testing the SSL Configuration

ldapsearch -H ldaps://localhost.localdomain -D cn=Manager,dc=example,dc=edu -b dc=example,dc=edu -s base -W
 
Enter LDAP Password:
 
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=edu> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# example.edu
dn: dc=example,dc=edu
objectClass: dcObject
objectClass: organization
o: Example
dc: example

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Tuesday, September 9, 2014

ldap_add: Other (e.g., implementation specific) error (80) additional info: olcRefintAttribute : attribute type undefined

Hi

Error:

I got the following error while adding the config object to OpenLDAP.

ldapadd -D cn=Config -H ldap://localhost -W

dn: olcOverlay=refint,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcRefIntConfig
objectClass: olcOverlayConfig
objectClass: top
olcRefIntAttribute: memberof member manager owner seeAlos
olcOverlay: refint


ldap_add: Other (e.g., implementation specific) error (80)
    additional info: olcRefintAttribute <seeAlos>: attribute type undefined

Cause:

The seeAlos attribute is not available in the schema; it is a spelling error.

Solution:

I have modified the attribute name from seeAlos to seeAlso and the issue is resolved.