Secure Linux OpenLDAP environment
To set up a secure Linux OpenLDAP environment, SSL/TLS certificates must be installed on the LDAP server (Linux OpenLDAP) and on the LDAP client (the computer that runs the UMRA software).
The OpenLDAP configuration file slapd.conf must be updated with the TLS settings. The following parameters must be specified:
Parameter | Description
TLSCipherSuite | Specification of the ciphers accepted by the LDAP server, in OpenSSL cipher-list syntax. Examples of the syntax: RC4:DES:EXPORT40, HIGH:MEDIUM, 3DES:SHA1:+SSL2. Only the second is usable today: RC4, single DES, export-grade ciphers, 3DES and SSLv2 are broken or obsolete and must not be offered, and HIGH:MEDIUM on its own still admits the anonymous (unauthenticated) ADH/AECDH suites, so a list such as HIGH:!aNULL:!3DES:!MD5 is the safer choice. See the ciphers(1) manpage distributed with OpenSSL for the keywords.
TLSCertificateFile | The name of the file that contains the server certificate to be used by the LDAP server (PEM format, certificate only).
TLSCertificateKeyFile | The name of the file that contains the private key belonging to that certificate (PEM format and unencrypted: slapd cannot ask for a pass phrase at startup).
Two file names are therefore needed: one for the certificate itself and one for the associated private key. The following procedure can be used to generate them.
The certificate is first generated on the Linux computer with the CA.pl script that is part of the OpenSSL installation (its location varies per distribution; /usr/lib/ssl/misc/CA.pl in the listing below).
t4elnx:/ldap-ssl# /usr/lib/ssl/misc/CA.pl -newcert
Generating a 1024 bit RSA private key
.............++++++
......................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:nl
State or Province Name (full name) [Some-State]:utrecht
Locality Name (eg, city) []:baarn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tools4ever
Organizational Unit Name (eg, section) []:development
Common Name (eg, YOUR name) []:t4elnx.tools4ever.local2
Email Address []:
Certificate (and private key) is in newreq.pem
The listing above shows how to create the certificate with the command
CA.pl -newcert
The certificate is self-signed, so no Certification Authority is required; the UMRA computer will instead trust this one certificate explicitly, which also means that a renewed certificate has to be imported there again. The key size comes from the OpenSSL configuration (default_bits in openssl.cnf); the 1024-bit RSA key in the listing is no longer adequate, use 2048 bits or more. The contents of the fields do not really matter, except for the following:
Common Name: the DNS name of the computer that runs Linux OpenLDAP, exactly as the UMRA computer will address it (a short name in the certificate and a fully qualified name in the connection, or the other way round, makes certificate validation fail).
Email Address: leave this field blank.
When ready, the file newreq.pem contains both the private key and the certificate. The private key is protected by the pass phrase entered above (the DEK-Info header shows the cipher used to encrypt it). The complete file looks like this, with the key data left out:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D704DED67B9622AB
[encrypted key data not reproduced]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXDCCAsWgAwIBAgIJALbVQcGOAzn4MA0GCSqGSIb3DQEBBAUAMH0xCzAJBgNV
BAYTAm5sMRAwDgYDVQQIEwd1dHJlY2h0MQ4wDAYDVQQHEwViYWFybjETMBEGA1UE
ChMKdG9vbHM0ZXZlcjEUMBIGA1UECxMLZGV2ZWxvcG1lbnQxITAfBgNVBAMTGHQ0
ZWxueC50b29sczRldmVyLmxvY2FsMjAeFw0wNTEyMDIxMTA4NTRaFw0wNjEyMDIx
MTA4NTRaMH0xCzAJBgNVBAYTAm5sMRAwDgYDVQQIEwd1dHJlY2h0MQ4wDAYDVQQH
EwViYWFybjETMBEGA1UEChMKdG9vbHM0ZXZlcjEUMBIGA1UECxMLZGV2ZWxvcG1l
bnQxITAfBgNVBAMTGHQ0ZWxueC50b29sczRldmVyLmxvY2FsMjCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAq6flBA9IsTX3dUwN5pNIGM3RTE4Ctnc5HgyLmoNM
LyDLrNLIijSlf717aNCae1RzpLZnezHiug7dRZKIcqBjGp1wmTohoIbSiHJSOdKp
B5YK4nT2oRyrGnFM/XtftagosOQnWOYCEk3iA5Iyk28i4wMZpl6Ad//oZEDBg47C
WHMCAwEAAaOB4zCB4DAdBgNVHQ4EFgQUOYKI1q4QzlHlLBVLWpCikwIvhWAwgbAG
A1UdIwSBqDCBpYAUOYKI1q4QzlHlLBVLWpCikwIvhWChgYGkfzB9MQswCQYDVQQG
EwJubDEQMA4GA1UECBMHdXRyZWNodDEOMAwGA1UEBxMFYmFhcm4xEzARBgNVBAoT
CnRvb2xzNGV2ZXIxFDASBgNVBAsTC2RldmVsb3BtZW50MSEwHwYDVQQDExh0NGVs
bngudG9vbHM0ZXZlci5sb2NhbDKCCQC21UHBjgM5+DAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBAUAA4GBAGqhYqMj6p1h6zoF/uTlXUho9alKYeFmggwr7mm4PXJV
4KDYWD/XPNIHEJxOj0Y9zOJmsTIN+/pYBLm6xYri5Lbm9NWS3AmM0Gpn63LDb8MB
O1CqEFOMWOt4GSBHGkkJF/9WOkQHCfunS3t7bYQyhcM1QdfsWl52Z77FAcYjrGHe
-----END CERTIFICATE-----
To remove the pass phrase from the private key and write the key to the separate file used by the LDAP server, enter the following command (it asks for the pass phrase chosen above):
openssl rsa -in newreq.pem -out slapd-key.pem
On output, the file slapd-key.pem contains the private key without password protection:
-----BEGIN RSA PRIVATE KEY-----
[key data not reproduced]
-----END RSA PRIVATE KEY-----
In a real environment this file must be tightly protected, since it holds the main secret, the private key: make it readable only by the account slapd runs as (mode 0600), keep it out of world-readable backups, and never publish its contents in a document. From the other file, newreq.pem, a file containing only the certificate is needed: copy the block from the -----BEGIN CERTIFICATE----- line up to and including the -----END CERTIFICATE----- line into a new file. In this description that file is called slapd-cert.pem, and it contains something like this:
-----BEGIN CERTIFICATE-----
[the same certificate block as shown above]
-----END CERTIFICATE-----
Now update the OpenLDAP configuration file so that it contains the following lines to enable TLS:
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /ldap-ssl/slapd-cert.pem
TLSCertificateKeyFile /ldap-ssl/slapd-key.pem
The file names must point to the locations of the certificate and private-key files, and the account slapd runs as must be able to read both (the key file should be readable by that account only). HIGH:MEDIUM is the cipher list of the original setup; as noted in the parameter table it still admits anonymous suites, and HIGH:!aNULL:!3DES:!MD5 is the safer choice today. Finally, restart the LDAP server:
/etc/init.d/slapd restart
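As an added example (not part of the original UMRA documentation and not Tools4ever's code), the following POSIX shell script performs the procedure above with current parameters and adds the checks worth running before slapd is restarted. It produces the two files directly from one openssl req invocation instead of CA.pl followed by openssl rsa (2048-bit key, written unencrypted into its own file, certificate alone in the other), verifies that key and certificate belong together, that the certificate names the host and that the key file is unreadable for group and others, and expands a TLSCipherSuite value to show which suites it really admits. The directory, host name and DN field values are hypothetical, and an openssl command line is assumed to be installed.

```sh
#!/bin/sh
# Added example, not the original UMRA documentation's code. Assumes an
# OpenSSL command line; directory, host name and DN values are hypothetical.
set -eu

# gen_slapd_cert DIR HOST [DAYS]
# Replaces "CA.pl -newcert" followed by "openssl rsa": one self-signed
# certificate with a 2048-bit RSA key. The key is written unencrypted
# (-nodes) straight into DIR/slapd-key.pem, so no pass phrase has to be
# stripped afterwards, and DIR/slapd-cert.pem holds the certificate only.
# HOST goes into the CN and into a subjectAltName; current clients check
# the SAN and some no longer look at the CN at all.
gen_slapd_cert() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    # Request configuration in a file (rather than -addext) so that this
    # also works with OpenSSL releases older than 1.1.1.
    cat >"$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = nl
ST = utrecht
L = baarn
O = tools4ever
OU = development
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    # umask 077 in a subshell: the key file is never created world-readable.
    (umask 077 && openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -config "$dir/req.cnf" -extensions ext \
        -keyout "$dir/slapd-key.pem" -out "$dir/slapd-cert.pem" 2>/dev/null)
    chmod 600 "$dir/slapd-key.pem"
    chmod 644 "$dir/slapd-cert.pem"
    rm -f "$dir/req.cnf"
}

# check_slapd_pair CERT KEY HOST
# Succeeds only when KEY is the private key of CERT, CERT names HOST in its
# CN and subjectAltName, and KEY is unreadable for group and others.
# Otherwise prints the reason and returns 1.
check_slapd_pair() {
    cert=$1; key=$2; host=$3
    # A matching pair exposes the same public key through both files.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "$key is not the private key of $cert"; return 1; }
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$host" ||
        { echo "CN of $cert is not $host"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host" ||
        { echo "$cert has no subjectAltName for $host"; return 1; }
    # Columns 5-10 of ls -l are the group and other mode bits.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "$key is readable by group or others"; return 1; }
}

# weak_ciphers SPEC
# Expands a TLSCipherSuite value the way OpenSSL does and prints the members
# that should no longer be offered: RC4, single DES and 3DES, export grade,
# NULL encryption, MD5 MACs and the anonymous ADH/AECDH suites (which plain
# "HIGH:MEDIUM" still admits). Prints nothing when SPEC is clean.
weak_ciphers() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' |
        grep -E '(^|-)(RC4|EXP|NULL|MD5|ADH|AECDH)|DES-CBC3?-' || true
}

# slapd_tls_fragment DIR
# The three slapd.conf lines from the text, with a cipher list that keeps
# only authenticated, non-legacy suites.
slapd_tls_fragment() {
    printf 'TLSCipherSuite HIGH:!aNULL:!3DES:!MD5\n'
    printf 'TLSCertificateFile %s/slapd-cert.pem\n' "$1"
    printf 'TLSCertificateKeyFile %s/slapd-key.pem\n' "$1"
}

# Stand-alone use: sh this_script.sh /ldap-ssl t4elnx.tools4ever.local2
if [ "$#" -ge 2 ]; then
    gen_slapd_cert "$1" "$2"
    check_slapd_pair "$1/slapd-cert.pem" "$1/slapd-key.pem" "$2"
    weak_ciphers 'HIGH:MEDIUM'
    slapd_tls_fragment "$1"
fi
```

Run as shown in the last comment; a clean run prints the anonymous suites that HIGH:MEDIUM would have enabled, followed by the three slapd.conf lines to paste. A non-zero exit from check_slapd_pair, with its one-line reason, means the files should not be put into service.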
The LDAP server is now able to communicate using TLS. Note that the TLS* directives enable StartTLS on the standard LDAP port (389); the SSL option of LDP.EXE instead connects with LDAP over SSL (ldaps, port 636), which slapd only offers when it is started with an ldaps:// URL in its listener list, for example -h "ldap:/// ldaps:///". Next, the certificate must be imported on the computer that runs the UMRA software: copy the file slapd-cert.pem to that computer and follow the instructions in the section Import the certificate on the UMRA computer.
When ready, a test with LDP.EXE, part of the Windows Support Tools, should show a result as in the following figure:

You can then bind with the admin account, by default
cn=admin,dc=tools4ever,dc=local2
to authenticate the user account.