Configuring SSL for OpenLDAP

Setting up an OpenLDAP server on Ubuntu is quite complicated, and getting SSL connection security to work may be the hardest part of it. Here I describe what worked for me.

There is lots of good advice on how to configure OpenLDAP on Ubuntu to use SSL certificates; I found one blog post by Roger Mofatt particularly helpful. In this post, the author describes the usage of the certtool utility that is part of the gnutls-bin package. OpenLDAP is compiled against the GNU TLS library, so it is reasonable to use the same library to generate SSL certificates for an OpenLDAP server.

In my workflow however, I use OpenSSL rather than GNU TLS to generate certificates. I have my own root certificate that I install on the client computers – for my environment (a family server), this is the most cost-effective way to go.

In order to make OpenLDAP’s slapd use my certificates for SSL connections, I found it was paramount to add an “Extended Key Usage” extension for “SSL/TLS Web Server Authentication” to the certificate:

[ ca ]
default_ca = CA_default  # The default ca section

[ CA_default ]
# ...
x509_extensions        = usr_cert  # The extentions to add to the cert
# ...

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType             = $cert_type
nsComment              = "OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
# Need extended key usage 'serverAuth' to make it work with OpenLDAP!
extendedKeyUsage       = serverAuth

# ...

The line extendedKeyUsage = serverAuth causes OpenSSL to generate certificates with the appropriate X.509 extension.

The certificate files created by OpenSSL consist of leading human-readable information, followed by hexadecimal transcripts, like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40 (0x28)
    Signature Algorithm: sha256WithRSAEncryption
[...]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server, S/MIME
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F3:EF:D4:73:56:0E:7A:31:D0:71:A2:46:7A:43:5D:9F:53:7C:26:8C
            X509v3 Authority Key Identifier: 
                keyid:E8:10:AD:9F:D0:C7:6B:68:24:78:E6:61:2B:1E:32:2A:5A:B1:C8:68

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
[...]
-----BEGIN CERTIFICATE-----
MIIDHzCCAoigAwIBAgIBKDANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCREUx
[...]
1KumsMN8LJ4b8gUmEn8qcec39vwLBfa4WpFI09YO0myMy7Q=
-----END CERTIFICATE-----

I have read that the human-readable part (above the line -----BEGIN CERTIFICATE-----) must be removed in order for OpenLDAP to be able to use the certificate. However, in my experience, this is not the case. What really is required though is the X509v3 Extended Key Usage information.

Create a public certificate and a private key in the usual OpenSSL way (I won’t go into details here).

Telling slapd to use the certificate

Using on-line configuration (OLC), use the following directives:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -c <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/openldap.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/openldap.key

dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
EOF

It is not necessary to set the olcTLSCACertificateFile attribute (i.e. the one for the root certificate). I have not tried to omit the olcTLSVerifyClient attribute.

File permissions

OpenLDAP needs to be able to read both the public certificate and the private key file. By default, in Ubuntu, the public certificate is stored in /etc/ssl/certs, and the private key belongs into /etc/ssl/private. Because slapd does not run as root by default, permissions need to be adjusted.

The file /etc/default/slapd defines openldap as the user and group that the OpenLDAP daemon runs with. I have followed published advice to add the openldap user to the group ssl-cert, and setting the group membership of the public certificate and private key files to ssl-cert, with appropriate group read permissions.

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/certs/openldap.pem /etc/ssl/private/openldap.key
sudo chmod 440 /etc/ssl/certs/openldap.pem /etc/ssl/private/openldap.key

If you don’t have the correct permissions on the files, you will see the ominous one-line error message

main: TLS init def ctx failed: -1

in /var/log/syslog.

Make slapd listen on port 636

The final step is to enable the standard ‘LDAPS’ port 636. Revisit the file /etc/default/slapd, and amend the line starting with SLAPD_SERVICES to read

SLAPD_SERVICES="ldaps://:636 ldap:/// ldapi:///"

This is the original line from the file on my own server, and it is required to get LDAP SSL to work.

I hope this helps anyone out there who struggles with OpenLDAP configuratoin as much as I did (and do).