OpenLDAP and TLS-SSL

karlochacon · 01-25-2011, 07:34 PM

hi guys

I configured my openldap but now I want to implement SSL-TLS

This is my basic slapd.conf configuration

Code:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database        bdb
suffix          "dc=training,dc=com"
rootdn          "cn=manager,dc=training,dc=com"
rootpw          --Removed--
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
access to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=manager,dc=training,dc=com" write
 by * none
access to *
 by self write
 by dn="cn=manager,dc=training,dc=com" write
 by * read

And I created this script (simple I know) to create this TLS/SSL Config but it won't work users cannot login

path when I am moving certs /etc/openldap/cacerts

Code:

service ldap stop
cd /etc/openldap/
openssl genrsa -out server_key.pem 2048
chmod 440 server_key.pem
chown root.ldap server_key.pem
openssl req -new -key server_key.pem -x509 -days 3650 -out clients_cert.pem

chmod 444 clients_cert.pem
mv server_key.pem cacerts/
mv clients_cert.pem cacerts/

echo "TLSCertificateFile /.../clients_cert.pem" >> /.../slapd.conf

echo "TLSCertificateKeyFile /.../server_key.pem" >> /.../slapd.conf

echo "TLSCipherSuite HIGH" >> /...p/slapd.conf

echo "security ssf=128" >>  /.../slapd.conf
service ldap start
echo "Copying Files to LDAP Client Centos2"
rsync -av ./cacerts/clients_cert.pem centos2:/.../cacerts

As you see I create the key and certificate, assign permissions, add stuff to slapd.conf and finally copy thecer to a client PC

On client side
I use authconfig-tui
[x] Use LDAP
[x] Use LDAP Authentication
[x] Use TLS
Server: ldap://192.168.x.x
Base DN: dc=training,dc=com/

My enviroment is Centos 5.5

what is wrong on my config?
any idea? Something I am missing?
thanks a lot

Blue_Ice · 01-26-2011, 10:07 AM

You have to add the following lines to slapd.conf

Code:

TLSCACertificateFile server.pem 
TLSCertificateFile server.pem 
TLSCertificateKeyFile server.pem

Of course, you have to replace server.pem with the certifcate that you have.

On the client side you also need to setup the certifcate, if I remember well.

Edit: Sorry missed the echo part in your script. I am not sure, but I think you add these lines at the wrong place in the file. Some things in slapd.conf have a different meaning when they are located at a different place. The best place to put these lines is before the database parameter.

Edit2: in ldap.conf (be aware there are 2 and each has a different meaning, so linking will not work) of the client you need to add to the correct parameter the certificate file.

karlochacon · 02-02-2011, 07:29 AM

I am including a new configuration in a PDF
so you can take a look (attached)
thanks a lot

Blue_Ice · 02-02-2011, 04:56 PM

It looks okay, but it is easy to test by setting up the ldap client tools.

karlochacon · 02-02-2011, 06:00 PM

Quote:

Originally Posted by Blue_Ice

It looks okay, but it is easy to test by setting up the ldap client tools.

that's what I am tying to do but but as you see when I enable [x]TLS using authconfig-tui in Centos 5.5 Clients they do not connect like I said I never get the password prompt

Blue_Ice · 02-03-2011, 01:01 AM

Quote:

Originally Posted by karlochacon

that's what I am tying to do but but as you see when I enable [x]TLS using authconfig-tui in Centos 5.5 Clients they do not connect like I said I never get the password prompt

Did you try ldapsearch on the command line?

Code:

ldapsearch -x -ZZ -W -d 'dn-of-your-user'

For this /etc/ldap/ldap.conf should be set up correctly.
The file you configure with authconfig-tui is /etc/ldap.conf. Be aware that these files are NOT the same.
You probably have to setup /etc/ldap/ldap.conf manually.