OpenLDAP SSL configuration – Part 2

If you have come here from the CA root and ldapserver certificate creation described earlier, the following naming conventions are used in this part:

cacert.pem  –  CA root certificate
newcert.pem –  ldapserver certificate
newreq.pem  –  ldapserver key

Enabling SSL for Openldap:

The certificates can be moved to the desired certificate repository and renamed. Here I’ll be moving them to /usr/local/var/openldap-data:

#cd /usr/local/var/openldap-data
#cp /opt/myca/demoCA/cacert.pem .
#mv /opt/myca/newcert.pem servercrt.pem
#mv /opt/myca/newreq.pem serverkey.pem

Add the following lines to slapd.conf:

*** Caution: Take a backup of the existing slapd.conf ***

#cd /usr/local/etc/openldap
#vi slapd.conf

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem
# Client verification not required
TLSVerifyClient never

Start the OpenLDAP server with the following command (use straight double quotes around the URL list; curly quotes are not understood by the shell):

# cd /usr/local/libexec
# ./slapd -h "ldap://ldapserver.com:389 ldaps://ldapserver.com:636"

Enter PEM pass phrase: <password>

Check that slapd is listening on the configured ports:

# netstat -an | egrep '389|636'
10.12.185.15.389 *.* 0 0 49152 0 LISTEN
10.12.185.15.636 *.* 0 0 49152 0 LISTEN

Use any external LDAP browser to connect to both URLs and verify that the ldap:// and ldaps:// listeners respond.
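Before starting slapd it is worth checking the TLS directives offline. The script below is an added example, not code from the original post or from the OpenLDAP project: it parses the TLS* lines of a slapd.conf, confirms the three certificate/key directives are present and point at existing files, warns when the private key is readable by group or other, and inspects TLSCipherSuite for cipher-string keywords that should be excluded rather than kept. The sample configuration text inside it is constructed here and mirrors the paths used above; the placeholder PEM files it writes are stand-ins, not real certificates.

```python
"""Added example (not from the original post): offline sanity check of the TLS
directives added to slapd.conf. Standard library only."""
import os
import tempfile

# Directives slapd needs before it will bring up an ldaps:// listener.
REQUIRED = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")

# OpenSSL cipher-string keywords a hardened suite should exclude with '!'.
# Note that a '+' prefix only reorders already-selected ciphers; it does not remove them.
WEAK_TOKENS = {"SSLv2", "SSLv3", "LOW", "EXPORT", "NULL", "aNULL", "eNULL"}

# Constructed sample: the same lines the post adds to slapd.conf.
SAMPLE_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem
# Client verification not required
TLSVerifyClient never
"""

# Same directives, but with the weak keywords excluded instead of kept.
HARDENED_CONF = SAMPLE_CONF.replace("HIGH:MEDIUM:+SSLv2", "HIGH:!aNULL:!eNULL:!EXPORT:!LOW")


def parse_tls_directives(text):
    """Map each TLS* directive to its value; comments and blank lines are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            directives[parts[0]] = parts[1].strip()
    return directives


def check_tls_config(text, check_files=True):
    """Return a list of (severity, directive, message); severity is error, warn or info."""
    d = parse_tls_directives(text)
    findings = []
    for name in REQUIRED:
        if name not in d:
            findings.append(("error", name, "missing; slapd cannot bring up ldaps://"))
            continue
        if not check_files:
            continue
        path = d[name]
        if not os.path.isfile(path):
            findings.append(("error", name, f"{path} does not exist"))
        elif name == "TLSCertificateKeyFile" and os.stat(path).st_mode & 0o077:
            findings.append(("warn", name, f"{path} is readable by group/other"))
    for item in d.get("TLSCipherSuite", "").split(":"):
        if item.startswith(("!", "-")):
            continue  # explicit exclusion, which is what we want for weak keywords
        if item.lstrip("+") in WEAK_TOKENS:
            findings.append(("warn", "TLSCipherSuite",
                             f"keeps {item.lstrip('+')} ciphers; exclude them with '!' instead"))
    if d.get("TLSVerifyClient", "never") == "never":
        findings.append(("info", "TLSVerifyClient",
                         "client certificates are not requested (as in the post)"))
    return findings


def demo_with_files():
    """Run the file checks against throw-away placeholder files with a too-open key."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = SAMPLE_CONF.replace("/usr/local/var/openldap-data", tmp)
        for fname in ("cacert.pem", "servercrt.pem", "serverkey.pem"):
            with open(os.path.join(tmp, fname), "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed stand-in, not a real PEM
        os.chmod(os.path.join(tmp, "serverkey.pem"), 0o644)  # deliberately world-readable
        return check_tls_config(conf)


if __name__ == "__main__":
    for severity, directive, message in demo_with_files():
        print(f"{severity:5} {directive}: {message}")
```

Run it against the real file with `check_tls_config(open("/usr/local/etc/openldap/slapd.conf").read())`. Keep in mind that TLSCipherSuite only selects cipher suites; on OpenLDAP 2.4 and later the minimum protocol version is set separately with TLSProtocolMin.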


One Response to OpenLDAP SSL configuration – Part 2

  1. Hugo Ferreira says:

    Hi!
    I’m facing some problems on doing this tutorial.
    My slapd command isn’t located at /usr/local/libexec/; instead its location is /usr/sbin/.
    I completed all the 4 steps and when I use this command: "./slapd -h “ldap://ldapserver.com:389 ldaps://ldapserver.com:636”" no password is asked of me and when I use the netstat command, only port 389 appears as listening:
    tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
    tcp 0 0 :::389 :::* LISTEN
    I’m using Centos 5.
    Have you any idea of what’s wrong?
    Thanks in advance,
    Hugo
