=== TLS and LDAP over SSL (ldaps) ===

=== Modifying /etc/openldap/ldap.conf ===

Modify / append the TLS settings:

<code>
#--- SSL/TLS setting ---#
# client-side keyword is TLS_CIPHER_SUITE (TLSCipherSuite is the slapd.conf form)
TLS_CIPHER_SUITE ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLS_CACERT /etc/ssl/certs/ca_cert.pem
TLS_CERT /etc/ssl/certs/station7_cert.pem
TLS_KEY /etc/ssl/private/station7_key.pem
TLS_REQCERT demand
</code>

=== Modifying /etc/openldap/slapd.conf ===

Modify / append the TLS settings:

<code>
#--- SSL/TLS setting ---#
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCertificateFile /etc/ssl/certs/station7_cert.pem
TLSCertificateKeyFile /etc/ssl/private/station7_key.pem
TLSCACertificateFile /etc/ssl/certs/ca_cert.pem
TLSVerifyClient never
</code>

=== SSL for OpenLDAP - ldaps ===

Open /etc/init.d/ldap and search for the line SLAPD_URLS:

<code>
SLAPD_URLS="ldap:///"
</code>

Add "ldaps":

<code>
# 2007-06-28, chhaas:
# SLAPD_URLS="ldap:///"
# 2007-06-28, chhaas:
SLAPD_URLS="ldap:/// ldaps:///"
</code>

**After all the above modifications to the OpenLDAP configuration, restart the ldap daemon and watch the output in /var/log/messages carefully!**

=== Testing ===

== ldaps ==

Use a port scanner like "nmap":

<code>
station7:/ # nmap localhost | grep ldap
389/tcp open ldap
636/tcp open ldapssl
</code>

**-> ldaps is running at port 636**

Check the handshake and the server certificate against the CA with openssl s_client:

<code>
station7:/ # openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/ssl/certs/ca_cert.pem
CONNECTED(00000004)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
verify return:1
depth=0 /C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
   i:/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
-----BEGIN CERTIFICATE-----
[... snipped out ...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
issuer=/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1193 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 98D61CE93C7A72E40E977BD5BD1CCC3E83D72AF2EDB8D82B24BA27E51903C161
    Session-ID-ctx:
    Master-Key: D42BCC6BC82A0C2DC163CE07B190C1F145D238B8764A10201B63918D9CADD49447611030C96E68EAA109EE1B8AEBEF05
    Key-Arg   : None
    Start Time: 1184081560
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
</code>

The command will hang after the final return code output. This is normal; "Control-c" will end the command.

The line "No client certificate CA names sent" indicates a server-side-only SSL setup (the server does not request a client certificate, matching TLSVerifyClient never above). If client authentication had been configured, the OpenSSL command and output would resemble this: OpenSSL Output Using Client Authentication

ldaps is an SSL-encrypted LDAP connection. Try the -ZZ option here to force StartTLS:

<code>
station7:/etc/init.d # ldapsearch -H ldaps://station7.example.com -x -ZZ
ldap_start_tls: Operations error (1)
	additional info: TLS already started
</code>

This tells you that the connection is already encrypted.

Now execute the command without the "-ZZ":

<code>
station7:/etc/init.d # ldapsearch -H ldaps://station7.example.com -x
</code>

**If it executes successfully, ldaps is working!**

More information can be found at: [[http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html]]

and: [[http://www.openldap.org/faq/data/cache/185.html]]
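As an added example (my own code, not part of the original page or of OpenLDAP), a small audit helper that reads the cipher-suite and TLS_REQCERT lines from the two configuration sections above and reports which weak OpenSSL cipher groups a string like the one shown still offers: in OpenSSL cipher-list syntax "+LOW" and "+EXP" only reorder suites, they do not disable them. The function names, the WEAK_GROUPS list and the sample configuration are assumptions.

```python
# Added audit helper for the TLSCipherSuite / TLS_CIPHER_SUITE and TLS_REQCERT
# lines shown above; hypothetical tool, not part of OpenLDAP or of this page.
# Groups that "ALL" enables and an LDAP server should not offer. Matched by
# group name only (DEFAULT is not expanded; "SSLv3" here is a suite group).
WEAK_GROUPS = {"LOW", "EXP", "RC4", "DES", "MD5", "ADH", "aNULL", "eNULL"}
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL"}


def weak_groups_still_enabled(cipher_string):
    """Weak groups still offered. Operators: none adds, "-" removes until
    re-added, "+" only reorders, "!" removes for good; "+LOW" still offers LOW."""
    enabled, killed = set(), set()
    for token in filter(None, cipher_string.replace(" ", "").split(":")):
        op = token[0] if token[0] in "!-+" else ""
        # "RC4+RSA" with no leading operator means suites in both groups
        names = [ALIASES.get(n, n) for n in token.lstrip("!-+").split("+")]
        if op == "!":
            killed.update(names)
        elif op == "-":
            enabled.difference_update(names)
        elif op == "" and "ALL" in names:
            enabled.update(WEAK_GROUPS - {"eNULL"})  # ALL never includes eNULL
        elif op == "":
            enabled.update(n for n in names if n in WEAK_GROUPS)
    return sorted(enabled - killed)


def audit_openldap_tls(config_text):
    """Scan slapd.conf / ldap.conf style text; return a list of findings."""
    findings = []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key in ("TLSCipherSuite", "TLS_CIPHER_SUITE"):
            weak = weak_groups_still_enabled(value)
            if weak:
                findings.append("%s still offers: %s" % (key, ", ".join(weak)))
        elif key == "TLS_REQCERT" and value.lower() not in ("demand", "hard"):
            findings.append("TLS_REQCERT %s: may proceed without a verified server cert" % value)
    return findings


# Constructed sample: the page's cipher string plus a TLS_REQCERT weaker than "demand".
SAMPLE_CONF = ("#--- SSL/TLS setting ---#\n"
               "TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP\n"
               "TLS_REQCERT allow\n")

if __name__ == "__main__":
    for finding in audit_openldap_tls(SAMPLE_CONF):
        print(finding)
```

Run it against the real files with `audit_openldap_tls(open("/etc/openldap/slapd.conf").read())`; an empty list means none of the checked settings is weak.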