
TLS and LDAP over SSL (ldaps)

Modifying /etc/openldap/ldap.conf

Modify or append the TLS settings (note that the cipher string below dates from 2007 and still admits RC4, LOW, EXP and SSLv3 suites; on a current system restrict it to strong suites only):

#--- SSL/TLS setting ---#
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLS_CACERT /etc/ssl/certs/ca_cert.pem
TLS_CERT /etc/ssl/certs/station7_cert.pem
TLS_KEY /etc/ssl/private/station7_key.pem
TLS_REQCERT demand


Modifying /etc/openldap/slapd.conf

Modify or append the TLS settings:

#--- SSL/TLS setting ---#
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCertificateFile /etc/ssl/certs/station7_cert.pem
TLSCertificateKeyFile /etc/ssl/private/station7_key.pem
TLSCACertificateFile /etc/ssl/certs/ca_cert.pem
TLSVerifyClient never


SSL for OpenLDAP - ldaps

Open /etc/init.d/ldap and search for the line SLAPD_URLS

SLAPD_URLS="ldap:///"


Add "ldaps":

# 2007-06-28, chhaas:
# SLAPD_URLS="ldap:///"
# 2007-06-28, chhaas:
SLAPD_URLS="ldap:/// ldaps:///"


After all of the above modifications to the OpenLDAP configuration, restart the LDAP daemon and watch the output in /var/log/messages carefully.

Testing

ldaps

Use a port scanner such as "nmap":

station7:/ # nmap localhost | grep ldap
389/tcp  open  ldap
636/tcp  open  ldapssl


→ ldaps is listening on port 636.

station7:/ # openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/ssl/certs/ca_cert.pem   
CONNECTED(00000004)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
verify return:1
depth=0 /C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
   i:/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
-----BEGIN CERTIFICATE-----
[... snipped out ...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
issuer=/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/CN=station7.example.com/emailAddress=hostmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1193 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 98D61CE93C7A72E40E977BD5BD1CCC3E83D72AF2EDB8D82B24BA27E51903C161
    Session-ID-ctx:
    Master-Key: D42BCC6BC82A0C2DC163CE07B190C1F145D238B8764A10201B63918D9CADD49447611030C96E68EAA109EE1B8AEBEF05
    Key-Arg   : None
    Start Time: 1184081560
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The command will hang after the final "Verify return code" line. This is normal; "Control-C" ends the command.
The line "No client certificate CA names sent" indicates a server-side-only TLS setup (TLSVerifyClient never): the server authenticates itself to the client, but does not request a client certificate. If client authentication had been configured, the OpenSSL command and its output would resemble this:

OpenSSL Output Using Client Authentication 


ldaps is an SSL-encrypted LDAP connection on its own port (636). Try the -ZZ option here, which forces StartTLS on top of the connection:

station7:/etc/init.d # ldapsearch -H ldaps://station7.example.com -x -ZZ
ldap_start_tls: Operations error (1)
      additional info: TLS already started


This tells you that the connection is already encrypted: StartTLS cannot be negotiated a second time on an ldaps session. Now execute the command without "-ZZ":

station7:/etc/init.d # ldapsearch -H ldaps://station7.example.com -x

If it executes successfully, ldaps is working.
More information can be found at: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
and: http://www.openldap.org/faq/data/cache/185.html
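As an added verification helper (example code, not part of the original page), the following Python extracts from the openssl s_client output above the facts worth checking after enabling ldaps (verify return code, protocol and cipher, key size, whether the certificate is self-signed, whether client authentication is requested) and lists the obsolete keywords a TLSCipherSuite string such as the one above leaves enabled. The sample output embedded below is constructed from the session shown above.

```python
"""Post-setup checks for ldaps (added example, not from the original page).
The sample below is constructed from the openssl s_client session shown above."""
import re

SAMPLE_S_CLIENT_OUTPUT = """\
Server certificate
subject=/C=DE/ST=BW/O=Example Inc./CN=station7.example.com
issuer=/C=DE/ST=BW/O=Example Inc./CN=station7.example.com
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
"""

# OpenSSL cipher-string keywords that admit weak or obsolete suites.
WEAK_KEYWORDS = ("LOW", "EXP", "EXPORT", "RC4", "DES", "MD5", "SSLv2", "SSLv3", "NULL", "aNULL", "ADH", "AECDH")


def parse_s_client(output):
    """Extract the handshake facts to check after enabling ldaps."""
    def grab(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None
    subject, issuer = grab(r"^subject=(.*)$"), grab(r"^issuer=(.*)$")
    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "key_bits": int(grab(r"^Server public key is (\d+) bit") or 0),
        "verify_code": int(grab(r"^\s*Verify return code:\s*(\d+)") or -1),
        "self_signed": subject is not None and subject == issuer,
        # slapd only sends CA names when TLSVerifyClient is not "never".
        "client_auth": "No client certificate CA names sent" not in output,
    }


def weak_keywords(cipher_suite):
    """List weak keywords a TLSCipherSuite string leaves enabled. Only '!' removes
    a group for good; '+' just moves it to the end and '-' can be undone later."""
    found = []
    for token in cipher_suite.split(":"):
        if token.startswith("!"):
            continue
        # "RC4+RSA" is a conjunction of keywords; check each part.
        for part in token.lstrip("+-").split("+"):
            if part in WEAK_KEYWORDS and part not in found:
                found.append(part)
    return found
```

A non-zero verify code, a self-signed server certificate, a 1024-bit key or a non-empty weak-keyword list are the findings to act on before exposing port 636 beyond a test host.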


  • linux/commserv/ldap/ldap_secure.txt
  • Last modified: 2010-12-27 16:20
  • by 127.0.0.1