Wednesday, November 12, 2014

Enable SSL in OpenLDAP

In my previous article, Install OpenLDAP on Ubuntu 14.04, I explained the procedure for setting up a basic LDAP server. Now let's enable SSL, which provides a secure communication channel for LDAP clients.

Since I haven't mentioned the client configuration for LDAP in the previous article, here I will demonstrate how to configure an Ubuntu server with LDAP authentication.

Configure Ubuntu Server for LDAP Authentication

On the server, install the following package, which provides LDAP integration.
$ sudo apt-get install libnss-ldap 
At installation time, provide the information about the LDAP server correctly when prompted. If you miss something, you can run the command below to reconfigure it, or simply change the settings in the /etc/ldap.conf file.
$ sudo dpkg-reconfigure ldap-auth-config
After that, update the /etc/nsswitch.conf file to tell the system to use LDAP for authentication.
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
The configuration above is enough for LDAP client authentication. But if you require the Linux home directory to be created on initial login when it does not exist, add the line below at the bottom of the /etc/pam.d/common-session file.

session required pam_mkhomedir.so skel=/etc/skel umask=0022

Enable SSL in OpenLDAP Server

Using encrypted sessions, we can secure LDAP communication. Transport Layer Security (TLS) is used for this purpose. Recent releases of slapd in Ubuntu are compiled with support for GnuTLS instead of OpenSSL, therefore we need to install the following package.
$ sudo apt-get install gnutls-bin
After that, we need to create a certificate authority (CA). First generate its private key.
# certtool --generate-privkey > /etc/ssl/private/cakey.pem
After that, create a template file (/etc/ssl/ to assist the creation of the self-signed CA.
cn = Example Company
Now sign the generated CA.
# certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ \
--outfile /etc/ssl/certs/cacert.pem

Now create the key for slapd and sign it using the generated CA.

#certtool --generate-privkey \
--outfile /etc/ssl/private/slapd01_key.pem
Create a template file (/etc/ssl/
organization = Example
cn =
expiration_days = 3650
Create a certificate and sign it with previously created CA.
#certtool --generate-certificate \
--load-privkey /etc/ssl/private/slapd01_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ \
--outfile /etc/ssl/certs/slapd01.pem

Once the certificate is generated, we need to tell LDAP about it. For that, create an LDIF file as below (/etc/ssl/certinfo.ldif).
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/slapd01.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/slapd01_key.pem
Now add it to LDAP.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
Also make sure to grant the openldap user read access to each of the files and locations below.
$ sudo chown openldap:openldap /etc/ssl/private/cakey.pem \
/etc/ssl/private/slapd01_key.pem /etc/ssl/certs/cacert.pem /etc/ssl/certs/slapd01.pem
$ sudo chown -R openldap:openldap /etc/ssl/private
Now enable SSL in /etc/default/slapd as below (add the ldaps:/// entry) and restart the slapd daemon.
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
$ sudo /etc/init.d/slapd restart

Now let's see how to access the secured LDAP server.

Configure DHCP server to access secured LDAP

In a previous post I have already configured ISC DHCP to communicate with the OpenLDAP server, therefore here I will only show the extra steps required to communicate with the secured OpenLDAP server.

In the DHCP server configuration file, change as below and restart the DHCP server.
ldap-server                 "localhost";
ldap-port 636;
ldap-ssl ldaps;
ldap-tls-reqcert never; # Do not verify certificates, as we have used self-signed certs
ldap-base-dn                "ou=dhcp,dc=example,dc=com";
ldap-method                 static;
ldap-debug-file             "/var/log/dhcp-ldap-startup.log";
ldap-dhcp-server-cn         "server";

Configure Ubuntu Server to Authenticate with Secured LDAP

As I have explained the procedure above, I will only show the extra configuration needed. As I have used self-signed certificates, here too I will disable certificate checks.


uri ldaps://IpAddressOfLDAPServer:636/
ssl on
tls_checkpeer no
If you want to use the ldapsearch tool for browsing, follow the steps below.
vim /etc/ldap/ldap.conf
# Do not validate self-signed certs
TLS_REQCERT allow

$ ldapsearch -x -H ldaps:// -b dc=example,dc=com
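
The client settings used in this post (tls_checkpeer no, TLS_REQCERT allow, ldap-tls-reqcert never) encrypt the session but leave the server unauthenticated. The script below is an added example, not part of the original post: it flags those settings in client config files and prints the verifying form next to each one. It assumes every client holds a copy of the CA certificate at /etc/ssl/certs/cacert.pem; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag client settings that
# disable LDAP server-certificate verification and print the verifying form.
CA=/etc/ssl/certs/cacert.pem   # assumed: a copy of the page's CA cert on the client

# audit_ldap_tls FILE...  prints one line per weak setting; status 1 if any found
audit_ldap_tls() {
    awk -v ca="$CA" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        {
            key = tolower($1); val = tolower($2)
            gsub(/[;"]/, "", val)                # dhcpd.conf punctuation
            fix = ""
            if (key == "tls_reqcert" && val ~ /^(never|allow)$/)
                fix = "TLS_REQCERT demand + TLS_CACERT " ca
            else if (key == "tls_checkpeer" && val ~ /^(no|off|false)$/)
                fix = "tls_checkpeer yes + tls_cacertfile " ca
            else if (key == "ldap-tls-reqcert" && val ~ /^(never|allow)$/)
                fix = "ldap-tls-reqcert demand; + ldap-tls-ca-file \"" ca "\";"
            if (fix != "") {
                printf "%s:%d: %s %s -> use: %s\n", FILENAME, FNR, $1, val, fix
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$@"
}

# Constructed sample files mirroring the three client configs in this post.
make_samples() {
    printf 'uri ldaps://IpAddressOfLDAPServer:636/\nssl on\ntls_checkpeer no\n' > "$1/nss-ldap.conf"
    printf '# client defaults\nTLS_REQCERT allow\n' > "$1/ldap.conf"
    printf 'ldap-port 636;\nldap-ssl ldaps;\nldap-tls-reqcert never;\n' > "$1/dhcpd.conf"
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$CA" > "$1/hardened.conf"
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
audit_ldap_tls "$SAMPLES"/*.conf || echo "certificate verification is disabled above"
```

With verification enabled, the name clients use in the LDAP URI has to match the cn in the server certificate.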



Anonymous said...

Could not restart slapd

Saqib Ali said...


We are working to configure our Linux servers to use LDAP for Authentication using PAM_LDAP + SSSD. Our LDAP Usernames are based on staff numbers (all numeric starting at 1). This will cause conflicts with daemon, bin, sys... system accounts. What is the best option for us given our Username pattern?