Configuring LDAP and StartTLS.
Introduction
This post serves as a point of demarcation between completed steps and steps in progress. If you’re following along, installing OpenLDAP is step 4 as delineated here. Everything up to this point was a challenge for me but certainly not insurmountable. OpenLDAP, on the other hand, has been the most obtuse thing I’ve tackled so far. With some time, however, I was able to establish some steps that produced reliable results while setting up OpenLDAP. It should be mentioned that this process uses self-signed certificates.
Starting with a fresh VM with a CentOS 6 minimal image, install all of the packages necessary for running OpenLDAP:
$ sudo yum install openldap-clients pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-servers openldap openldap-devel
Next, move /etc/openldap/certs aside and create a new certificate directory:
$ sudo mv /etc/openldap/certs{,_bak} && sudo mkdir /etc/openldap/certs
This directory will serve as the moznss certificate database for OpenLDAP. certutil is used to manage this directory; its analogues would be openssl and GnuTLS tools such as certtool. moznss’s effectiveness for OpenLDAP certificate management seems to be debatable. When browsing OpenLDAP lists while troubleshooting, I noticed many instances of OpenLDAP developers disparaging this method as buggy and inconsistent. Unfortunately for me, I decided to do it the Red Hat way and used the version available via Red Hat repositories.
Prepare the directory for certutil:
$ echo "<password>" > password
$ echo "<type randomly>" >> noise.txt
The database needs a password; this database stores private keys, so “password” is probably not the best choice. Move the password file to the certs directory and associate it with the database:
$ sudo mv password /etc/openldap/certs/
$ sudo certutil -N -d /etc/openldap/certs -f /etc/openldap/certs/password
Generate a new key pair for the root certificate:
$ sudo certutil -G -d /etc/openldap/certs -z noise.txt -f /etc/openldap/certs/password
Generate the root certificate:
$ sudo certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d /etc/openldap/certs -z noise.txt -f /etc/openldap/certs/password
Use the newly created root certificate to sign and generate a certificate for the LDAP server:
$ sudo certutil -S -n "OpenLDAP Server" -s "cn=ldap1.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d /etc/openldap/certs -z noise.txt -f /etc/openldap/certs/password
Export the root certificate so that it can be used later:
$ sudo pk12util -d /etc/openldap/certs -o cacert.p12 -n "CA certificate"
Keep in mind that this .p12 file contains the root certificate together with its private key; keep it secure and use a good password to encrypt it. Export the CA certificate (public part only) for use by LDAP clients; note that the first command writes cacert.pem to the current directory:
$ sudo certutil -L -d /etc/openldap/certs -n "CA certificate" -a > cacert.pem
$ sudo mkdir /etc/openldap/cacerts && sudo cp cacert.pem /etc/openldap/cacerts/
Make all files in the certificate database directory readable (note that this includes the password file moved there earlier, so every local account on the host can read it):
$ sudo chmod 644 /etc/openldap/certs/*
Enable ldaps:// by editing /etc/sysconfig/ldap with your favorite text editor:
<snip>
SLAPD_LDAPS=yes
</snip>
Next, set up the LDAP database using the default configuration:
$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -Rf ldap:ldap /var/lib/ldap
With the basics now set up and configured, start the slapd service (OpenLDAP’s daemon) and enable it on startup:
$ sudo service slapd start
$ sudo chkconfig slapd on
With server-side configuration complete, configure client settings by running authconfig-tui. (The documentation for authconfig-tui reports that it is deprecated):
[*] Use LDAP
[*] Use LDAP Authentication
<Next>
[*] Use TLS
Server: ldap://ldapserver.localdomain/
Base DN: dc=localdomain,dc=com
Be sure to alter the above to reflect the actual domain name and domain components (dc=).
OpenLDAP uses a client configuration file, /etc/openldap/ldap.conf. The default configuration file may work; however, it may be necessary to add an additional configuration parameter (TLS_REQCERT) to enable StartTLS using a self-signed cert. Open up the client config file and append the following:
TLS_REQCERT allow
With allow, the client requests the server certificate but proceeds with the session even when that certificate cannot be verified, so this setting only hides verification failures rather than fixing them.
Now the server is ready to be tested. First, try an unencrypted search:
$ ldapsearch -H ldap:// -x -s base -b "" -LLL "configContext"
If successful, expect the following:
dn:
configContext: cn=config
Once it’s verified that unencrypted searches are functioning properly, append the -ZZ option, forcing StartTLS. If the search fails, expect an error; if this is the case, append -d -1 for debug output. In some cases, I found it necessary to regenerate the certs and cert database.
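As an added example (not part of the original post), the following Python script performs the same StartTLS exchange that ldapsearch -ZZ does, but then verifies the server certificate against the exported CA file instead of relying on TLS_REQCERT allow. The hostname, port and the path /etc/openldap/cacerts/cacert.pem are assumed to match the values used earlier in this post.

```python
import socket
import ssl

# OID of the LDAP StartTLS extended operation (RFC 4511 / RFC 4513)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def _ber_len(n):
    # BER definite length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(buf, pos):
    # Decode one BER tag/length/value at pos; returns (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def build_starttls_request(msg_id=1):
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }
    # msg_id is assumed to be below 128 so it fits in one INTEGER byte
    name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    op = b"\x77" + _ber_len(len(name)) + name
    mid = b"\x02\x01" + bytes([msg_id])
    return b"\x30" + _ber_len(len(mid) + len(op)) + mid + op

def parse_starttls_response(data):
    # Returns (messageID, resultCode, diagnosticMessage) from an ExtendedResponse
    tag, body, _ = _tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = _tlv(body, 0)
    tag, op, _ = _tlv(body, pos)
    assert tag == 0x78, "not an ExtendedResponse [APPLICATION 24]"
    _, code, pos = _tlv(op, 0)          # resultCode ENUMERATED (0 = success)
    _, _, pos = _tlv(op, pos)           # matchedDN
    _, diag, _ = _tlv(op, pos)          # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def starttls_check(host, cafile="/etc/openldap/cacerts/cacert.pem", port=389):
    # Send StartTLS on a plain LDAP socket, then upgrade to TLS while verifying
    # the server certificate and hostname against the exported CA certificate
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_starttls_response(sock.recv(4096))
        if code != 0:
            return {"ok": False, "resultCode": code, "diagnostic": diag}
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"ok": True, "tls": tls.version(), "subject": tls.getpeercert()["subject"]}
```

Run starttls_check("ldap1.example.com") from a client that has the CA file installed; a verification failure raises ssl.SSLCertVerificationError instead of silently continuing as TLS_REQCERT allow would.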
Conclusion
The next post will cover setting up N-Way Multimaster replication.