Setting up an OpenLDAP server on Ubuntu is quite complicated, and getting SSL connection security to work may be the hardest part of it. Here I describe what worked for me.
There is lots of good advice on how to configure OpenLDAP on Ubuntu to use SSL certificates; I found one blog post by Roger Mofatt particularly helpful. In that post, the author describes using the certtool utility that is part of the gnutls-bin package. OpenLDAP is compiled against the GNU TLS library, so it is reasonable to use the same library to generate SSL certificates for an OpenLDAP server.
In my workflow however, I use OpenSSL rather than GNU TLS to generate certificates. I have my own root certificate that I install on the client computers – for my environment (a family server), this is the most cost-effective way to go.
In order to make OpenLDAP’s slapd use my certificates for SSL connections, I found it was paramount to add an “Extended Key Usage” extension for “SSL/TLS Web Server Authentication” to the certificate. In the OpenSSL configuration file (openssl.cnf), the relevant sections look like this:

[ ca ]
default_ca = CA_default            # The default ca section

[ CA_default ]
# ...
x509_extensions = usr_cert         # The extensions to add to the cert
# ...

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = $cert_type
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Need extended key usage 'serverAuth' to make it work with OpenLDAP!
extendedKeyUsage = serverAuth
# ...

The line extendedKeyUsage = serverAuth causes OpenSSL to generate certificates with the appropriate X.509 extension.
The certificate files created by OpenSSL consist of leading human-readable information, followed by the encoded certificate block between the BEGIN and END lines, like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40 (0x28)
        Signature Algorithm: sha256WithRSAEncryption
        [...]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server, S/MIME
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F3:EF:D4:73:56:0E:7A:31:D0:71:A2:46:7A:43:5D:9F:53:7C:26:8C
            X509v3 Authority Key Identifier:
                keyid:E8:10:AD:9F:D0:C7:6B:68:24:78:E6:61:2B:1E:32:2A:5A:B1:C8:68
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    [...]
-----BEGIN CERTIFICATE-----
MIIDHzCCAoigAwIBAgIBKDANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCREUx
[...]
1KumsMN8LJ4b8gUmEn8qcec39vwLBfa4WpFI09YO0myMy7Q=
-----END CERTIFICATE-----
I have read that the human-readable part (above the line -----BEGIN CERTIFICATE-----) must be removed in order for OpenLDAP to be able to use the certificate. However, in my experience, this is not the case. What really is required, though, is the X509v3 Extended Key Usage information.
Create a public certificate and a private key in the usual OpenSSL way (I won’t go into details here).
Telling slapd to use the certificate
Using on-line configuration (OLC), apply the following directives:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -c <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/openldap.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/openldap.key

dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
EOF
It is not necessary to set the olcTLSCACertificateFile attribute (i.e. the one for the root certificate). I have not tried to omit the
OpenLDAP needs to be able to read both the public certificate and the private key file. By default, in Ubuntu, the public certificate is stored in /etc/ssl/certs, and the private key belongs into /etc/ssl/private. Since slapd does not run as root by default, permissions need to be set up for openldap as the user and group that the OpenLDAP daemon runs with. I have followed published advice to add the openldap user to the group ssl-cert, and to set the group membership of the public certificate and private key files to ssl-cert with appropriate group read permissions.

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/certs/openldap.pem /etc/ssl/private/openldap.key
sudo chmod 440 /etc/ssl/certs/openldap.pem /etc/ssl/private/openldap.key
If you don’t have the correct permissions on the files, you will see the ominous one-line error message
main: TLS init def ctx failed: -1
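The two things this post found necessary, the serverAuth Extended Key Usage on the certificate and key files readable by the openldap user via the ssl-cert group, can be checked before slapd is restarted. The script below is an added example, not from the original post; it assumes the openssl CLI is installed and builds its own throwaway certificates, and it also shows that a PEM file with the human-readable dump left in place is read fine.

```shell
#!/bin/sh
# Pre-flight check for the certificate and key slapd is about to use.
# Added example, not from the original post. Assumes the openssl CLI is
# installed; file names and the ssl-cert group follow the post.

# 0 if the certificate carries the Extended Key Usage 'serverAuth', which
# openssl prints as "TLS Web Server Authentication"; 1 otherwise. openssl,
# like slapd, skips any human-readable dump above the BEGIN line.
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# 0 if the private key is group-owned by $2 and has mode 440 (readable by
# owner and that group only, writable by nobody); 1 otherwise.
key_perms_ok() {
    [ -n "$(find "$1" -perm 440 -group "$2" 2>/dev/null)" ]
}

# preflight CERT KEY GROUP -> 0 only if both checks pass, e.g.
#   preflight /etc/ssl/certs/openldap.pem /etc/ssl/private/openldap.key ssl-cert
preflight() {
    cert_has_server_auth "$1" && key_perms_ok "$2" "$3"
}

# Constructed fixtures in a fresh temporary directory (its path is printed):
#   with_eku.pem  - self-signed cert with extendedKeyUsage = serverAuth
#   with_text.pem - the same cert preceded by openssl's text dump
#   no_eku.pem    - self-signed cert without the extension
#   openldap.key  - key for with_eku.pem, chgrp'd to $1 and chmod 440
#   other.key     - key for no_eku.pem, left with openssl's default mode
make_fixtures() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=ldap.example.test' -addext 'extendedKeyUsage = serverAuth' \
        -keyout "$dir/openldap.key" -out "$dir/with_eku.pem" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=ldap.example.test' \
        -keyout "$dir/other.key" -out "$dir/no_eku.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/with_eku.pem" -text >"$dir/with_text.pem" 2>/dev/null || return 1
    chgrp "$1" "$dir/openldap.key" && chmod 440 "$dir/openldap.key" || return 1
    echo "$dir"
}
```

On a real server the script is run as root against the paths in the post; a failing cert_has_server_auth means the openssl.cnf section above was not applied when the certificate was signed.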
Make slapd listen on port 636
The final step is to enable the standard ‘LDAPS’ port 636. Revisit the file /etc/default/slapd, and amend the line starting with SLAPD_SERVICES to read
SLAPD_SERVICES="ldaps://:636 ldap:/// ldapi:///"
This is the line verbatim from the file on my own server, and it is required to get LDAP over SSL to work.
I hope this helps anyone out there who struggles with OpenLDAP configuration as much as I did (and do).