Configuring OpenLDAP TLS/SSL
Environment: CentOS 6.5 64-bit
1. Configuring TLS for OpenLDAP
The following steps need to be performed to enable TLS in OpenLDAP:
1.1 Log in as root or as a sudo user with root privileges
1.2 Create the ssl Directory
Create the ssl directory to store the new Certificate Authority, the server certificate and the server key.
mkdir ssl
cd ssl
1.3 Create the new Certificate Authority
Execute the following command to create the new CA:
/etc/pki/tls/misc/CA -newca
The following input is needed after executing the -newca command; the prompts that require input are listed below.
a) Press Enter at the "CA certificate filename" prompt to create a new CA private key; it is stored in /etc/pki/CA/private/ as cakey.pem.
b) Enter the PEM pass phrase.
c) Enter the CA certificate details; the Common Name is a mandatory field.
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
................................+++
..................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:Example.EDU
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Example.EDU
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9263543358417925999 (0x808eb79aa7edf76f)
Validity
Not Before: Sep 15 16:35:54 2014 GMT
Not After : Sep 14 16:35:54 2017 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = Example.EDU
commonName = Example.EDU
X509v3 extensions:
X509v3 Subject Key Identifier:
10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA
X509v3 Authority Key Identifier:
keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 14 16:35:54 2017 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
1.4 Copy the CA certificate from /etc/pki/CA/newcerts/ to ssl
The CA certificate is stored in /etc/pki/CA/newcerts/ under a file name derived from its serial number, with a .pem extension. In my example the CA certificate name is 808EB79AA7EDF76F.pem.
cp /etc/pki/CA/newcerts/808EB79AA7EDF76F.pem exampleca.pem
You can replace exampleca.pem with a name of your own.
1.5 Creating the Certificate Request
The following command creates the certificate request. The Common Name is a mandatory parameter and must be the host name of the OpenLDAP server; in my example the host name is localhost.localdomain.
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
The -nodes argument above prevents encryption of the private key. OpenLDAP only works with unencrypted private keys.
Generating a 2048 bit RSA private key
...............................................................................................................................................+++
.+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After executing the above command, the newreq.pem file is created in the ssl directory.
1.6 Signing the Certificate
Execute the following command to sign the certificate; the signed certificate is stored in the ssl directory as newcert.pem.
/etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9263543358417926000 (0x808eb79aa7edf770)
Validity
Not Before: Sep 15 16:43:45 2014 GMT
Not After : Sep 15 16:43:45 2015 GMT
Subject:
countryName = US
stateOrProvinceName = CA
localityName = San Francisco
organizationName = Example
commonName = localhost.localdomain
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
83:46:4D:C7:B6:3A:3F:62:3B:87:D5:C4:75:10:18:07:FC:45:5D:9A
X509v3 Authority Key Identifier:
keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA
Certificate is to be certified until Sep 15 16:43:45 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9263543358417926000 (0x808eb79aa7edf770)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, O=Example.com, CN=Example.EDU
Validity
Not Before: Sep 15 16:43:45 2014 GMT
Not After : Sep 15 16:43:45 2015 GMT
Subject: C=US, ST=CA, L=San Francisco, O=Example, CN=localhost.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
83:46:4D:C7:B6:3A:3F:62:3B:87:D5:C4:75:10:18:07:FC:45:5D:9A
X509v3 Authority Key Identifier:
keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA
Signature Algorithm: sha1WithRSAEncryption
Signed certificate is in newcert.pem
1.7 Renaming the Certificates
This step is optional; for a consistent naming convention we rename the certs.
mv newcert.pem servercert.pem
mv newreq.pem serverkey.pem
1.8 Copy the Certificates from ssl to /etc/openldap/certs/
cp exampleca.pem /etc/openldap/certs/
cp server* /etc/openldap/certs/
1.9 Change the Ownership from root to ldap
chown ldap:ldap /etc/openldap/certs/exampleca.pem
chown ldap:ldap /etc/openldap/certs/server*
Because serverkey.pem is unencrypted (see the -nodes note in step 1.5), it should also be readable only by the ldap user, e.g. chmod 600 on that file.
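Steps 1.3 to 1.9 as one non-interactive script, an added example that is not part of the original post: it uses plain openssl commands in place of the interactive /etc/pki/tls/misc/CA wrapper and ends with the checks worth running before the files are copied to /etc/openldap/certs/. It assumes a scratch directory in place of ssl and localhost.localdomain as the server name; the subjectAltName it adds goes beyond the post, which sets only the CN.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1.3 to 1.9 with plain openssl,
# plus checks. Assumptions: a scratch directory stands in for ./ssl, and the
# server name is localhost.localdomain (override with WORK= and LDAP_HOST=).
set -e

WORK="${WORK:-$(mktemp -d)}"                       # stands in for the ssl directory
LDAP_HOST="${LDAP_HOST:-localhost.localdomain}"    # must equal the slapd host name

# Minimal config for `openssl req`, so the run does not depend on the distro's
# openssl.cnf: $1 = CN, $2 = O, remaining args = extension lines.
write_req_conf() {
    cn=$1; org=$2; shift 2
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\nreq_extensions = ext\n'
    printf '[dn]\nC = US\nST = CA\nL = San Francisco\nO = %s\nCN = %s\n[ext]\n' "$org" "$cn"
    printf '%s\n' "$@"
}

# Step 1.3: CA private key plus self-signed CA certificate (CA:TRUE, 1095 days).
make_ca() {
    write_req_conf Example.EDU Example.EDU 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 -config "$WORK/ca.cnf" \
        -keyout "$WORK/cakey.pem" -out "$WORK/exampleca.pem" 2>/dev/null
}

# Step 1.5: server key (unencrypted, as OpenLDAP requires) and CSR with CN = host name.
# A subjectAltName is added as well because modern clients match on it, not on the CN.
make_server_req() {
    write_req_conf "$LDAP_HOST" Example 'basicConstraints = CA:FALSE' \
        "subjectAltName = DNS:$LDAP_HOST" > "$WORK/server.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
    chmod 600 "$WORK/serverkey.pem"   # step 1.9: an unencrypted key must not be world-readable
}

# Step 1.6: sign the CSR with the CA (365 days). The extension section is passed
# explicitly because `openssl x509 -req` does not copy CSR extensions by default.
sign_server_cert() {
    openssl x509 -req -sha256 -days 365 -in "$WORK/newreq.pem" \
        -CA "$WORK/exampleca.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.cnf" -extensions ext -out "$WORK/servercert.pem" 2>/dev/null
}

# Checks: the chain verifies against the CA, the CN is the host name clients will
# use, the key file really is unencrypted, and it is readable only by its owner.
chain_ok()           { openssl verify -CAfile "$WORK/exampleca.pem" "$WORK/servercert.pem" >/dev/null 2>&1; }
cert_cn()            { openssl x509 -in "$WORK/servercert.pem" -noout -subject -nameopt RFC2253 \
                         | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
key_is_unencrypted() { ! grep -q ENCRYPTED "$WORK/serverkey.pem" \
                         && openssl pkey -in "$WORK/serverkey.pem" -noout 2>/dev/null; }
key_perms_ok()       { [ -n "$(find "$WORK/serverkey.pem" -perm 600)" ]; }

make_ca && make_server_req && sign_server_cert
chain_ok && [ "$(cert_cn)" = "$LDAP_HOST" ] && key_is_unencrypted && key_perms_ok \
    && echo "OK: copy $WORK/exampleca.pem and $WORK/server*.pem to /etc/openldap/certs/"
```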
1.10 Include the Server Certificate and Server Key in the cn=Config Object
ldapmodify -D cn=config -H ldap://localhost.localdomain -W
Enter Password:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/servercert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/serverkey.pem
1.11 Modifying the ldap.conf file in /etc/openldap/
Add the following parameters to the ldap.conf file to enable TLS for the LDAP client tools.
SSL ON
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT Allow
Note that TLS_REQCERT allow lets the client continue even when the server certificate cannot be verified, so it only confirms that TLS is negotiated, not that you are talking to the right server; once the CA certificate is in place, use TLS_REQCERT demand (the default) instead.
1.12 Restart the OpenLDAP Server
/etc/init.d/slapd stop
/etc/init.d/slapd start
1.13 Testing the TLS
ldapsearch -H ldap://localhost.localdomain -D cn=Manager,dc=example,dc=edu -b dc=example,dc=edu -s base -W -ZZ
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=edu> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# example.edu
dn: dc=example,dc=edu
objectClass: dcObject
objectClass: organization
o: Example
dc: example
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
In the above command I used the -ZZ option: it issues a StartTLS request and makes a successful TLS session mandatory, so the search fails if TLS cannot be established.
2. Configuring SSL (ldaps) for OpenLDAP
2.1 Modify the /etc/sysconfig/ldap file
Modify the following parameter in the /etc/sysconfig/ldap file to enable SSL (the ldaps listener).
SLAPD_LDAPS=yes
2.2 Restart the OpenLDAP Server
Restart the OpenLDAP server so that the change takes effect.
/etc/init.d/slapd stop
/etc/init.d/slapd start
2.3 Testing the SSL Configuration
ldapsearch -H ldaps://localhost.localdomain -D cn=Manager,dc=example,dc=edu -b dc=example,dc=edu -s base -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=edu> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# example.edu
dn: dc=example,dc=edu
objectClass: dcObject
objectClass: organization
o: Example
dc: example
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1