I wanted to install SSL/TLS certificates on my OpenLDAP installation, which I had running on localhost as a demo, but the information I found on the Web was mostly out of date. Another approach is to use Let's Encrypt, but that only works for registered domain names, not for localhost, so I will be using self-signed certificates in this post.
Requirements
You will need to have installed openldap and openssl. If you haven't then do so now:
sudo apt install openssl slapd
Create a certificate authority (CA) to sign your certificates
There is a script in openssl for doing this. Nowadays it is called CA.pl. I found it in /usr/lib/ssl/misc/, but it might be somewhere else on your machine. You can find it with:
sudo find / -name CA.pl
Once you have the path to it, create a directory to hold the CA. I created one in /var/myca:
sudo mkdir -p /var/myca
cd /var/myca
Now invoke the script:
sudo /usr/lib/ssl/misc/CA.pl -newca
When it prompts for a CA certificate filename just hit return. It will ask you the usual certificate questions, including a passphrase for the CA key. Give it something simple so you can remember it. (Remember this is just for testing. On production you'll need a secure passphrase.) It will create a directory called demoCA inside /var/myca.
Create a certificate for openldap using the CA
sudo openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Again, you have to answer all the tedious certificate questions. When it has finished you should have newreq.pem in the /var/myca directory; because -keyout and -out point at the same file, it holds both the private key and the certificate request, which is why it becomes the key file later on. Now sign the request:
sudo /usr/lib/ssl/misc/CA.pl -sign
This creates newcert.pem, the signed server certificate.
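The same steps done with plain openssl commands instead of CA.pl, as an added example (this is not the CA.pl run from the post): it keeps the server key and the certificate request in separate files, adds a subjectAltName for localhost, which the CA.pl flow above does not, and ends with two checks worth running before the files are handed to slapd. The directory layout and the file names cakey.pem, server.csr and server.ext are this example's own choices.

```shell
#!/bin/sh
# Added example, not the post's CA.pl procedure: a demo CA, a server
# certificate for localhost, and the checks that catch the usual mistakes.
set -eu

# Create a throwaway CA in "$1": a 2048-bit key and a self-signed CA cert.
# -nodes leaves the CA key unencrypted, which is acceptable for a localhost
# demo only; a real CA key is passphrase-protected and kept offline.
make_demo_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Demo LDAP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"
}

# Generate the server key and CSR as separate files (CA.pl writes both into
# newreq.pem), then sign the CSR with the CA. The extension file adds a
# subjectAltName so that clients accept the certificate for "localhost";
# a bare CN is no longer enough for most TLS libraries.
make_server_cert() {
    dir="$1"
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=localhost" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/serverkey.pem"
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/servercrt.pem" 2>/dev/null
}

# Two checks before restarting slapd:
# 1. the server certificate really chains to the cacert.pem slapd will use,
# 2. serverkey.pem is the private key that belongs to servercrt.pem.
# Returns 0 when both hold, 1 otherwise.
verify_server_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/servercrt.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/servercrt.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/serverkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}
```

Run it as `. ./demo-ca.sh; make_demo_ca /tmp/myca; make_server_cert /tmp/myca; verify_server_cert /tmp/myca && echo ok`. The resulting cacert.pem, servercrt.pem and serverkey.pem can then be copied into /etc/openldap/certs exactly as in the next section.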
Copy the certificates and key to where openldap can find them
Create a directory to hold them for openldap. I chose /etc/openldap/certs. Create it if it is not there:
sudo mkdir -p /etc/openldap/certs
Now copy the certificates over:
cd /etc/openldap/certs
sudo cp /var/myca/demoCA/cacert.pem .
sudo mv /var/myca/newcert.pem servercrt.pem
sudo mv /var/myca/newreq.pem serverkey.pem
sudo chmod 600 serverkey.pem
sudo chown openldap:openldap *
ls -l
This produces:
-rw-r--r-- 1 openldap openldap 4730 May 25 11:49 cacert.pem
-rw-r--r-- 1 openldap openldap 4751 May 25 11:50 servercrt.pem
-rw------- 1 openldap openldap 2843 May 25 10:22 serverkey.pem
Allow Openldap to read this directory
Nowadays OpenLDAP is confined by AppArmor, which restricts which directories openldap, aka slapd, can access. So we have to tell it about the new directory of certificates we just created. In /etc/apparmor.d you should find a file called usr.sbin.slapd, which is divided into sections, one of which is called "# ldap files". After that are a couple of lines. Add the last line shown below (/etc/openldap/certs/* r,) using your favourite editor to tell it about all the files in /etc/openldap/certs:
# ldap files
/etc/ldap/** kr,
/etc/ldap/slapd.d/** rw,
/etc/openldap/certs/* r,
Now restart slapd to get it to see the directory (if the denials in syslog continue after the restart, reload the profile explicitly with sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd and restart again):
sudo systemctl restart slapd
Update the openldap config to point to the certificates and key
Create a file add_ssl.ldif using nano or vi, with this content:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/serverkey.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/servercrt.pem
Now load it:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f add_ssl.ldif -W
It will respond with:
[sudo] password for username:
Enter LDAP Password:
modifying entry "cn=config"
If it says:
ldap_modify: Other (e.g., implementation specific) error (80)
check the last lines of syslog (tail /var/log/syslog) to see if AppArmor is denying access. If so, check your steps in "Allow Openldap to read this directory" above.
Tell Openldap where the CA certificate is
Edit /etc/ldap/ldap.conf (the configuration read by the OpenLDAP client library and tools such as ldapsearch) and set the variable TLS_CACERT to /etc/openldap/certs/cacert.pem so that clients trust the certificate the server presents, then restart slapd:
sudo systemctl restart slapd
Your Openldap installation should now be ready to use SSL!