OpenLDAP with SSL/TLS

This post shows 2 options:

  • Self Signed Certificate without CA
  • Self Signed Certificate with CA (Certificate Authority)

Also it shows how to configure LDAP Sync Replication (syncrepl) and clients to use SSL/TLS.
Examples below on Centos 7.4, OpenLDAP 2.4.44

Option 1. Self Signed Certificate without CA

On LDAP master

Create server's self signed certificate.

openssl req -newkey rsa:1024 -x509 -nodes -out /etc/openldap/server.pem -keyout /etc/openldap/server.pem -days 365
chown ldap:ldap /etc/openldap/server.pem

Update your /etc/openldap/slapd.conf

. . .
TLSCACertificateFile  /etc/openldap/server.pem
TLSCertificateFile  /etc/openldap/server.pem
TLSCertificateKeyFile  /etc/openldap/server.pem
. . .

Update your /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/server.pem
SASL_NOCANON on
TLS_REQCERT allow

On LDAP slave

Download the same certificate from ldap-master to the same location /etc/openldap/server.pem.

Update your /etc/openldap/slapd.conf

. . .
TLSCACertificateFile  /etc/openldap/server.pem
TLSCertificateFile  /etc/openldap/server.pem
TLSCertificateKeyFile  /etc/openldap/server.pem
. . .
syncrepl rid=001
        provider=ldaps://ldap-master.example.com:636
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=example,dc=com"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=manager,dc=example,dc=com"
        credentials=ManagerPasswordHere
        retry="30 5 300 3"
. . .

Update your /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/server.pem
SASL_NOCANON on
TLS_REQCERT allow

On Client

Download /etc/openldap/server.pem from ldap-master.

Update your /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/server.pem
SASL_NOCANON on
TLS_REQCERT allow

Option 2. Self Signed Certificate with CA

There is script that can hide long commands from you /etc/pki/tls/misc/CA.
But in example below long commands without CA script.

On LDAP master

Create CA certificate

openssl req -new -keyout /etc/openldap/cakey.pem -out /etc/openldap/careq.pem
openssl ca -create_serial -out /etc/openldap/cacert.pem -days 18800 -batch -keyfile /etc/openldap/cakey.pem -selfsign -extensions v3_ca -infiles /etc/openldap/careq.pem

For ldap-master create and sign server certificate. You should use server FQDN that can be resolved.

openssl req -new -nodes -keyout /etc/openldap/ldapmasterreq.pem -out /etc/openldap/ldapmasterreq.pem 
openssl ca -policy policy_anything -keyfile /etc/openldap/cakey.pem  -cert /etc/openldap/cacert.pem  -out /etc/openldap/ldapmastercert.pem -infiles /etc/openldap/ldapmasterreq.pem 
chown ldap:ldap /etc/openldap/cacert.pem
chown ldap:ldap /etc/openldap/ldapmastercert.pem
chown ldap:ldap /etc/openldap/ldapmasterreq.pem
chmod 400 /etc/openldap/ldapmasterreq.pem

For ldap-slave create and sign server certificate. You should use server FQDN that can be resolved.

openssl req -new -nodes -keyout /etc/openldap/ldapslavereq.pem -out /etc/openldap/ldapslavereq.pem 
openssl ca -policy policy_anything -keyfile /etc/openldap/cakey.pem  -cert /etc/openldap/cacert.pem  -out /etc/openldap/ldapslavecert.pem -infiles /etc/openldap/ldapslavereq.pem 

Update your /etc/openldap/slapd.conf

TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile  /etc/openldap/ldapmastercert.pem
TLSCertificateKeyFile  /etc/openldap/ldapmasterreq.pem

Update your /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/cacert.pem
SASL_NOCANON on
TLS_REQCERT allow

On LDAP slave

Download certificates from ldap-master and change permissions:

chown ldap:ldap /etc/openldap/ldapslavecert.pem
chown ldap:ldap /etc/openldap/ldapslavereq.pem
chmod 400 /etc/openldap/ldapslavereq.pem

Update your /etc/openldap/slapd.conf

. . .
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile  /etc/openldap/ldapslavecert.pem
TLSCertificateKeyFile  /etc/openldap/ldapslavereq.pem
. . .
syncrepl rid=001
        provider=ldaps://ldap-master.example.com:636
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=example,dc=com"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=manager,dc=example,dc=com"
        credentials=ManagerPasswordHere
        retry="30 5 300 3"
. . .

Update your /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/server.pem
SASL_NOCANON on
TLS_REQCERT allow

On Client

Download /etc/openldap/cacert.pem from ldap-master.
Update your /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/cacert.pem
SASL_NOCANON on
TLS_REQCERT allow