TLS and LDAP over SSL (ldaps)
Modifying /etc/openldap/ldap.conf
Modify / append the TLS settings (ldap.conf uses the TLS_* spelling of the directives; TLS_CACERT names the CA the client tools verify the server certificate against, and TLS_REQCERT demand makes them abort the connection if that verification fails):
#--- SSL/TLS setting ---#
TLS_CIPHER_SUITE ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLS_CACERT /etc/ssl/certs/ca_cert.pem
TLS_CERT /etc/ssl/certs/station7_cert.pem
TLS_KEY /etc/ssl/private/station7_key.pem
TLS_REQCERT demand
TLS_CERT and TLS_KEY name a client certificate and key; they are only used when the server asks for client authentication (current OpenLDAP releases treat them as user-only options, set in ~/.ldaprc).
Modifying /etc/openldap/slapd.conf
Modify / append the TLS-settings:
#--- SSL/TLS setting ---#
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCertificateFile /etc/ssl/certs/station7_cert.pem
TLSCertificateKeyFile /etc/ssl/private/station7_key.pem
TLSCACertificateFile /etc/ssl/certs/ca_cert.pem
TLSVerifyClient never
TLSVerifyClient never means slapd does not request a client certificate at all; this is what produces the „No client certificate CA names sent“ line in the openssl test below. The key file must be readable by the user slapd runs as and by nobody else. Note that the cipher string dates from 2007: ALL enables every suite OpenSSL knows except eNULL, and the „+“ entries only reorder the list, so export, LOW and RC4 suites stay enabled unless they are excluded with „!“; on a current system restrict the string accordingly.
SSL for OpenLDAP - ldaps
Open /etc/init.d/ldap and search for the line SLAPD_URLS:
SLAPD_URLS="ldap:///"
Add „ldaps:///“ (keep the original line as a comment):
# 2007-06-28, chhaas:
# SLAPD_URLS="ldap:///"
# 2007-06-28, chhaas:
SLAPD_URLS="ldap:/// ldaps:///"
After all the above modifications to the OpenLDAP configuration, restart the ldap daemon and watch the output in /var/log/messages carefully for TLS errors (an unreadable key or certificate file, or a wrong path, shows up there).
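Before restarting, it is worth checking the three files edited above mechanically. The following POSIX shell audit is an added example and not part of the original page: it assumes a slapd.conf-style configuration (not cn=config), takes the paths of slapd.conf and the init script as arguments, flags the weak cipher classes that the 2007 cipher string leaves enabled, checks that the private key is not group/world readable, and confirms that the effective SLAPD_URLS line contains ldaps:///. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit the TLS-related settings of an
# OpenLDAP slapd.conf and the SLAPD_URLS line of the init script before restarting.
# Assumes slapd.conf-style configuration (not cn=config); paths are passed as arguments.

# Print the value of the last occurrence of directive $2 in file $1 (empty if absent).
directive() {
    awk -v d="$2" '$1==d {v=$2} END {print v}' "$1"
}

# Check the TLSCipherSuite string in slapd.conf $1.
# OpenSSL's ALL keyword enables every suite except eNULL, and "+X" only moves the
# matching suites to the end of the list; a class is off only if excluded with "!X".
# Returns 0 if no weak class is left enabled, 1 otherwise (offenders go to stdout).
audit_cipher_suite() {
    suite=$(directive "$1" TLSCipherSuite)
    [ -n "$suite" ] || { echo "no TLSCipherSuite set"; return 1; }
    bad=0
    # Anonymous and null-encryption suites must always be excluded explicitly;
    # !ADH alone does not cover anonymous ECDH.
    for cls in aNULL eNULL; do
        case ":$suite:" in *":!$cls:"*) ;; *) echo "missing !$cls"; bad=1 ;; esac
    done
    # Export, low-strength, RC4 and anonymous-DH suites: flagged if listed
    # (with ":" or "+" in front) or pulled in by ALL without an exclusion.
    for cls in EXP LOW RC4 ADH; do
        case ":$suite:" in *":!$cls:"*) continue ;; esac
        if echo ":$suite:" | grep -Eq "[:+]$cls[:+]"; then
            echo "weak class $cls listed"; bad=1
        elif echo ":$suite:" | grep -q ':ALL:'; then
            echo "weak class $cls enabled via ALL"; bad=1
        fi
    done
    return $bad
}

# The private key named by TLSCertificateKeyFile must be readable by its owner only.
key_file_private() {
    key=$(directive "$1" TLSCertificateKeyFile)
    [ -n "$key" ] && [ -f "$key" ] || { echo "key file missing: $key"; return 1; }
    mode=$(ls -ld "$key" | cut -c5-10)    # group and other permission bits, e.g. "r--r--"
    case "$mode" in
        ------) return 0 ;;
        *) echo "$key is readable by group/other (bits: $mode)"; return 1 ;;
    esac
}

# The effective (last uncommented) SLAPD_URLS assignment in init script $1 must list ldaps:///.
has_ldaps_listener() {
    urls=$(grep -E '^[[:space:]]*SLAPD_URLS=' "$1" | tail -n 1 | sed 's/^[^=]*=//; s/"//g')
    case " $urls " in *" ldaps://"*) return 0 ;; *) return 1 ;; esac
}

# Run all checks on slapd.conf $1 and init script $2; exit status 0 only when all pass.
audit_ldap_tls() {
    rc=0
    audit_cipher_suite "$1" || rc=1
    key_file_private "$1" || rc=1
    has_ldaps_listener "$2" || { echo "SLAPD_URLS in $2 has no ldaps:/// listener"; rc=1; }
    return $rc
}

# Usage: sh ldap_tls_audit.sh /etc/openldap/slapd.conf /etc/init.d/ldap
if [ "$#" -ge 2 ]; then
    audit_ldap_tls "$1" "$2"
fi
```

Run against the configuration from this page, the audit reports the missing !aNULL/!eNULL exclusions and the EXP, LOW and RC4 classes still enabled through ALL; a string such as HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!ADH passes. The permission check deliberately uses ls rather than stat so it works on both GNU and BSD userlands.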
Testing
ldaps
Use a portscanner like „nmap“:
station7:/ # nmap localhost | grep ldap
389/tcp open ldap
636/tcp open ldapssl
→ slapd is listening on port 636 (ldaps). This only shows that the port is open; the TLS handshake itself is checked with openssl below.
station7:/ # openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/ssl/certs/ca_cert.pem
CONNECTED(00000004)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
verify return:1
depth=0 /C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
   i:/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
-----BEGIN CERTIFICATE-----
[... snipped out ...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
issuer=/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1193 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 98D61CE93C7A72E40E977BD5BD1CCC3E83D72AF2EDB8D82B24BA27E51903C161
    Session-ID-ctx:
    Master-Key: D42BCC6BC82A0C2DC163CE07B190C1F145D238B8764A10201B63918D9CADD49447611030C96E68EAA109EE1B8AEBEF05
    Key-Arg   : None
    Start Time: 1184081560
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
The command does not return after the final „Verify return code“ line: s_client keeps the connection open and waits for input. This is normal; „Control-c“ ends it. „Verify return code: 0 (ok)“ means the server certificate chains to the CA given with -CAfile; any other code means the client would have to trust an unverified server.
The line „No client certificate CA names sent“ shows that only the server side is authenticated (TLSVerifyClient never in slapd.conf). If client authentication had been configured, the OpenSSL command and output would resemble this:
OpenSSL Output Using Client Authentication
ldaps is LDAP over an SSL/TLS-wrapped connection (port 636), whereas -ZZ requests StartTLS on an existing plain ldap:// connection. Try ZZ here to see the difference:
station7:/etc/init.d # ldapsearch -H ldaps://station7.example.com -x -ZZ
ldap_start_tls: Operations error (1)
        additional info: TLS already started
This tells you that the connection is already encrypted, so StartTLS has nothing left to do. Now execute the command without the „ZZ“:
station7:/etc/init.d # ldapsearch -H ldaps://station7.example.com -x
If it returns the directory entries, ldaps is working, and the server certificate has been verified against TLS_CACERT from ldap.conf (with TLS_REQCERT demand, a certificate that does not verify would have aborted the connection instead).
More information can be found at: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
and: http://www.openldap.org/faq/data/cache/185.html