RHEL 6.3 – LDAP Series – Part 3 : LDAP Configuration With Encrypted Communication using TLS/SSL

RHEL 6.3 - LDAP encrypted communication with TLS

LDAP server authentication without encrypted communication is not recommendable for any organization. In this post I will describe the procedure to configure the LDAP server and client to use encrypted authentication and communication. This is the third post in the LDAP implementation series.

Previous posts for your reference

Before proceeding to the actual configuration, I want to explain a few details about the procedures for modifying the LDAP configuration.

How To Modify Existing LDAP Configuration

LDAP supports both offline modification and online (dynamic) modification of its configuration. Below are the two ways to modify it.

LDAP Offline Modification :

To modify the LDAP configuration offline, stop the service first and then edit the configuration files under /etc/openldap/slapd.d/

For example:

[root@gurkulrhel1 ~]# service slapd stop
Stopping slapd:                                            [OK]

Below is an example of modifying the LDAP configuration for the config database:

[root@gurkulrhel1 ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif

… make the modifications to the parameters and then start the service

[root@gurkulrhel1 ~]# service slapd start
Starting slapd:                                            [OK]

 

LDAP Online Modification :

Enable the LDAPI listener (the ldapi:/// Unix socket) to allow modifications to the dynamic configuration using LDAP tools such as ldapadd, ldapmodify, etc.

Prerequisites to allow dynamic modifications:

>> Make sure the ldap user has read and write permission on /etc/openldap/slapd.d and /var/lib/ldap.

[root@gurkulrhel1 ~]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chmod -R u+rwX /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chown -R ldap.ldap /var/lib/ldap

>> Make sure LDAPI support is enabled in /etc/sysconfig/ldap

[root@gurkulrhel1 ~]# grep LDAPI /etc/sysconfig/ldap
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
SLAPD_LDAPI=yes

>> Start the slapd server

[root@gurkulrhel1 ~]# service slapd start
Starting slapd: [ OK ]

 

>> Modify the dynamic configuration either by creating LDIF format files ...

Sample file : /root/ldap_user_add.ldif

-------------------------------------------------------------------

dn: uid=gurkuluser,ou=People,dc=gurkulindia,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: gurkuluser
cn: ldap user1
homeDirectory: /home/gurkuluser
userPassword: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q

dn: cn=redhat,ou=Groups,dc=gurkulindia,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
gidNumber: 1500

-------------------------------------------------------------------

[root@gurkulrhel1 ~]# ldapadd -x -h localhost -D cn=Manager,dc=gurkulindia,dc=com -f /root/ldap_user_add.ldif -W
Enter LDAP Password: <- enter the password we set for the bdb database
adding new entry "uid=gurkuluser,ou=People,dc=gurkulindia,dc=com"
adding new entry "cn=redhat,ou=Groups,dc=gurkulindia,dc=com"

>> Modify the Dynamic configuration directly using ldapmodify

[root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q

                                                 <-- press Enter twice to apply the modification

modifying entry "olcDatabase={0}config,cn=config"

                         <-- press Ctrl-D to exit

 

Enable Encrypted LDAP Communication for the LDAP Server (gurkulrhel1)

 

Note : OpenLDAP on RHEL 6.3 restricts the use of self-signed certificates, which is why CA-signed certificates are used for this demonstration. The procedure to create CA-signed certificates is described in the post "RHEL 6.3 – LDAP Series – Part 2 : Configuration of Certification Authority for LDAP encryption".

Note 1: When FORCELEGACY=yes is set in /etc/sysconfig/authconfig, the LDAP client uses no encryption for the LDAP connection; the URI parameter in ldap.conf then appears as "ldap://<ldapserver>".

Note 2: When FORCELEGACY=no is set in /etc/sysconfig/authconfig, the LDAP client uses encryption for the LDAP connection; the URI parameter in ldap.conf then appears as "ldaps://<ldapserver>".

Step 1 : Check that ldap is configured to use only encrypted connections

[root@gurkulrhel2 tmp]# grep FORCELEGACY /etc/sysconfig/authconfig
FORCELEGACY=no

Step 2 :  Stop the LDAP service

 
[root@gurkulrhel1 ~]# service slapd stop
Stopping slapd:                                            [OK]
 

Step 3 : Set SLAPD_LDAPI=yes to enable dynamic modifications to the ldap configuration

[root@gurkulrhel1 ~]# grep SLAPD /etc/sysconfig/ldap|grep -v '^#'
SLAPD_LDAP=no
SLAPD_LDAPI=yes  <== this should be yes to enable dynamic modifications to the ldap configuration
SLAPD_LDAPS=yes
[root@gurkulrhel1 ~]#
 

Step 4 : Edit the file /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif to make the modifications below

Comment out the line below, which specifies olcAccess:

     olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage  by * none

and add the following line at the end:

    olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
 
 

Step 5: Test the configuration

 
[root@gurkulrhel1 ~]# slaptest -u
config file testing succeeded
[root@gurkulrhel1 ~]#
 
 

Step 6:  Start the Service

 
[root@gurkulrhel1 ~]# service slapd start
Starting slapd:                                            [  OK  ]
[root@gurkulrhel1 ~]#
 

Step 7 :  Now check the slapd service status

 
[root@gurkulrhel1 ~]# service slapd status
slapd (pid  9158) is running...
[root@gurkulrhel1 ~]#
 
 

Step 8 : Test that ldap is accepting connections by querying the ldap "config" tree

  
[root@gurkulrhel1 ~]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}corba,cn=schema,cn=config
dn: cn={1}core,cn=schema,cn=config
dn: cn={2}cosine,cn=schema,cn=config
dn: cn={3}duaconf,cn=schema,cn=config
dn: cn={4}dyngroup,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}java,cn=schema,cn=config
dn: cn={7}misc,cn=schema,cn=config
dn: cn={8}nis,cn=schema,cn=config
dn: cn={9}openldap,cn=schema,cn=config
dn: cn={10}ppolicy,cn=schema,cn=config
dn: cn={11}collective,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}bdb,cn=config
[root@gurkulrhel1 ~]#
 
 

Step 9 : Copy the LDAP server key and the CA-signed certificate to the /etc/pki/tls/certs directory, naming them slapdkey.pem and slapdcert.pem respectively.

  • the LDAP server's private key is available as /etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key on gurkulrhel1
  • the CA-signed certificate for the LDAP server is available at /etc/pki/CA/certs/gurkulrhel1.gurkulindia.com.crt on the "gurkulrhelca" server

[root@gurkulrhel1 ~]# cp /etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key /etc/pki/tls/certs/slapdkey.pem
[root@gurkulrhel1 ~]# scp gurkulrhelca:/etc/pki/CA/certs/gurkulrhel1.gurkulindia.com.crt /etc/pki/tls/certs/slapdcert.pem
root@gurkulrhelca's password:
gurkulrhel1.gurkulindia.com.crt        100% 4726     4.6KB/s   00:00
[root@gurkulrhel1 ~]# ls -l /etc/pki/tls/certs/slapdkey.pem /etc/pki/tls/certs/slapdcert.pem
-rw-r--r-- 1 root root 4726 Mar 29 21:30 /etc/pki/tls/certs/slapdcert.pem
-rw-r--r-- 1 root root 1704 Mar 29 21:29 /etc/pki/tls/certs/slapdkey.pem
 
 
[root@gurkulrhel1 ~]# chown -Rf ldap:ldap /etc/pki/tls/certs/slapdcert.pem  /etc/pki/tls/certs/slapdkey.pem
[root@gurkulrhel1 ~]# chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem
 

Step 10 : Make sure that the .pem certificates have corresponding hashed link files in the directory where the certificates are stored. You can create the hashed links in two ways.

Way 1 : Create a hashed link for each .pem individually, e.g. for cacert.pem:

[root@gurkulrhel1 ~]# HASH=$( openssl x509 -noout -hash -in /etc/pki/tls/certs/cacert.pem )
[root@gurkulrhel1 ~]# ln -s /etc/pki/tls/certs/cacert.pem /etc/pki/tls/certs/${HASH}.0

Way 2 : Create hashed links for all the .pem files in the directory using the tool "cacertdir_rehash"

[root@gurkulrhel1 certs]# cacertdir_rehash /etc/pki/tls/certs
[root@gurkulrhel1 certs]# ls -l /etc/pki/tls/certs
total 1232
lrwxrwxrwx 1 root root 13 Mar 30 16:28 381ce4dd.0 -> ca-bundle.crt
lrwxrwxrwx 1 root root 19 Mar 30 16:28 381ce4dd.1 -> ca-bundle.trust.crt
lrwxrwxrwx 1 root root 10 Mar 30 16:28 539a37f4.0 -> cacert.pem
lrwxrwxrwx 1 root root 10 Mar 30 16:28 8e89bed9.0 -> client.pem
lrwxrwxrwx 1 root root 13 Mar 30 16:28 8e89bed9.1 -> slapdcert.pem
-rw-r--r--. 1 ldap ldap 571410 Sep 2 2011 ca-bundle.crt
-rw-r--r--. 1 root root 651043 Sep 2 2011 ca-bundle.trust.crt
-rw-r--r-- 1 ldap ldap 1505 Mar 29 20:00 cacert.pem
-rw-r--r-- 1 ldap ldap 1517 Mar 30 01:57 client.pem
lrwxrwxrwx 1 root root 13 Mar 30 16:28 da4d55fe.0 -> localhost.crt
-rw-------. 1 ldap ldap 1188 Sep 27 2012 localhost.crt
-rwxr-xr-x 1 root root 610 Mar 5 06:12 make-dummy-cert
-rw-r--r-- 1 root root 2242 Mar 5 06:12 Makefile
-rw-r--r-- 1 ldap ldap 4726 Mar 29 21:30 slapdcert.pem
-rw-r--r-- 1 ldap ldap 1704 Mar 29 21:29 slapdkey.pem
[root@gurkulrhel1 certs]#
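As an added example (not from the original post), the POSIX shell function below rebuilds what cacertdir_rehash does for a certificate directory, and shows how the .0/.1 suffixes in the listing above arise when two files share one subject hash (client.pem and slapdcert.pem are the same certificate, hence 8e89bed9.0 and 8e89bed9.1). The function name rehash_certdir is made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a POSIX shell rebuild of what
# cacertdir_rehash does for a TLS_CACERTDIR / olcTLSCACertificatePath
# directory. OpenSSL looks a CA up by <subject-hash>.N, so when two files
# carry the same subject the second one gets the next free suffix.
# The function name rehash_certdir is made up for this example.

# rehash_certdir DIR: create HASH.N -> file for every certificate in DIR.
# Links are relative (as cacertdir_rehash makes them), re-runs are no-ops,
# and non-certificate files such as slapdkey.pem are skipped.
rehash_certdir() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue            # unmatched glob or missing file
        [ -L "$cert" ] && continue            # do not hash the links themselves
        name=$(basename "$cert")
        # -hash is the subject hash OpenSSL uses for directory lookups;
        # a private key is not an X.509 certificate and fails here.
        hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || {
            echo "skipped (not a certificate): $name" >&2
            continue
        }
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # Already linked to this very file: nothing to do for this cert.
            [ "$(readlink "$dir/$hash.$n")" = "$name" ] && continue 2
            n=$((n + 1))                      # same subject hash: next suffix
        done
        ln -s "$name" "$dir/$hash.$n"
        echo "$hash.$n -> $name"
    done
}
```

Run it as `rehash_certdir /etc/pki/tls/certs` on the server or `rehash_certdir /etc/openldap/cacerts` on the client; it prints each link it creates and reports files it skipped on stderr.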

 

Step 10 : Now modify the LDAP configuration by adding the TLS certificate and key file information, using an LDIF file (within one "changetype: modify" record, consecutive attribute changes are separated by a line containing only "-").

 
 
[root@gurkulrhel1 ~]# cat > /tmp/tls_info.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
                                                 <-- press Ctrl-D to finish the file
[root@gurkulrhel1 ~]#
 
Note : Just in case you typed the entries wrongly and want to change the existing values, use the "replace" keyword in place of "add" in the above .ldif file

>> Now add the attributes to the LDAP dynamic configuration using the ldapmodify command below
 
[root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f  /tmp/tls_info.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
 
[root@gurkulrhel1 ~]#
 
 
>> You can check the applied configuration by looking at the file "/etc/openldap/slapd.d/cn=config.ldif"

[root@gurkulrhel1 slapd.d]# cat /etc/openldap/slapd.d/cn=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /root/slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
structuralObjectClass: olcGlobal
entryUUID: 7310266a-28cd-1032-9cc3-75d105377527
creatorsName: cn=config
createTimestamp: 20130324125237Z
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
olcTLSCACertificatePath: /etc/pki/tls/certs
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
entryCSN: 20130329134608.284865Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20130329134608Z
[root@gurkulrhel1 slapd.d]#

 

Step 11 : Configure the LDAP server to use the ldaps:// URI scheme exclusively

 
>> Stop the service first
 
[root@gurkulrhel1 ~]# service slapd stop
Stopping slapd:                                            [  OK  ]
[root@gurkulrhel1 ~]#
 
>> Change /etc/sysconfig/ldap to enable the SLAPD_LDAPS flag and disable SLAPD_LDAP, like below

[root@gurkulrhel1 ~]# grep ^SLAPD /etc/sysconfig/ldap
SLAPD_LDAP=no  <== disabled
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes  <== enabled
[root@gurkulrhel1 ~]#
 

Step 12 : Add firewall rules to accept incoming connections on port 636. (Encrypted LDAP communication uses port 636, whereas unencrypted LDAP goes through port 389.)

>> Add the iptables rules below for port 636 to /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m udp -p udp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT

 

 

Configure the LDAP Server Host (i.e. gurkulrhel1) as a Client to Itself

 

Step 1 : Configure the LDAP client configuration file with the parameters "TLS_CACERTDIR, URI and BASE", as shown below

[root@gurkulrhel2 tmp]# cat /etc/openldap/ldap.conf

TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://gurkulrhel1
BASE dc=gurkulindia,dc=com

 

Step 2: Copy both the CA-signed LDAP certificate and the CA certificate to the local directory given as "TLS_CACERTDIR" in /etc/openldap/ldap.conf

[root@gurkulrhel2 ~]# scp gurkulrhel1:/etc/pki/tls/certs/slapdcert.pem  /etc/openldap/cacerts/client.pem

[root@gurkulrhel2 ~]# scp gurkulrhel1:/etc/pki/tls/certs/cacert.pem  /etc/openldap/cacerts/cacert.pem

 

Step 3: Make sure hashed link files for the CA certificate and the CA-signed server certificate are available at the path given by "TLS_CACERTDIR" in "/etc/openldap/ldap.conf"

[root@gurkulrhel2 tmp]# ls -l /etc/openldap/cacerts
total 8
lrwxrwxrwx 1 root root 10 Mar 30 20:20 539a37f4.0 -> cacert.pem
lrwxrwxrwx 1 root root 10 Mar 30 20:20 8e89bed9.0 -> client.pem
-rw-r--r-- 1 root root 1505 Mar 30 20:20 cacert.pem
-rw-r--r-- 1 root root 1517 Mar 30 20:13 client.pem
[root@gurkulrhel2 tmp]#

 

>> If the hashed files are missing, just run the command:

[root@gurkulrhel2 cacerts]# cacertdir_rehash /etc/openldap/cacerts

 

Step 4: Configure nslcd (/etc/nslcd.conf) to use TLS/SSL encryption for the LDAP connections.

[root@gurkulrhel2 tmp]# cat /etc/nslcd.conf

:::: other default settings snipped; only the lines below are relevant for our setup ::::

# This comment prevents repeated auto-migration of settings.
uri ldaps://gurkulrhel1
base dc=gurkulindia,dc=com
ssl start_tls
tls_reqcert allow
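The nslcd.conf above sets tls_reqcert allow, which lets the session continue even when the server presents a certificate that fails validation; only demand (or its alias hard) makes a bad certificate abort the connection. As an added example (not from the original post), this shell function audits the client-side settings from this section (URI scheme, TLS_CACERTDIR, tls_reqcert) against constructed sample files that mirror the post's configuration and a hardened variant. The names audit_ldap_client and write_sample_configs are made up here.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the client-side LDAP TLS
# settings from this section: /etc/openldap/ldap.conf (upper-case keys) and
# /etc/nslcd.conf (lower-case keys). "tls_reqcert allow" lets nslcd continue
# even when the server certificate fails validation; "demand" (alias "hard")
# aborts the connection instead. Function and file names are made up here.

# audit_ldap_client LDAP_CONF NSLCD_CONF
# Prints one finding per line; the return code is the number of findings.
audit_ldap_client() {
    ldapconf=$1; nslcdconf=$2; findings=0
    uri=$(awk '$1 == "URI" { print $2 }' "$ldapconf")
    case "$uri" in
        ldaps://*) ;;
        *) echo "ldap.conf: URI '$uri' is not ldaps://"; findings=$((findings + 1)) ;;
    esac
    # Without a trust anchor there is nothing to verify the server against.
    if ! grep -Eq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$ldapconf"; then
        echo "ldap.conf: TLS_CACERTDIR/TLS_CACERT not set"; findings=$((findings + 1))
    fi
    nuri=$(awk '$1 == "uri" { print $2 }' "$nslcdconf")
    case "$nuri" in
        ldaps://*) ;;
        *) echo "nslcd.conf: uri '$nuri' is not ldaps://"; findings=$((findings + 1)) ;;
    esac
    reqcert=$(awk '$1 == "tls_reqcert" { print $2 }' "$nslcdconf")
    case "$reqcert" in
        demand|hard) ;;
        *) echo "nslcd.conf: tls_reqcert is '${reqcert:-unset}'; set it to 'demand' so a bad server certificate aborts the connection"
           findings=$((findings + 1)) ;;
    esac
    return $findings
}

# write_sample_configs DIR: constructed sample files. ldap.conf and
# nslcd-weak.conf mirror the post's settings; nslcd-hardened.conf is the fix.
write_sample_configs() {
    printf 'TLS_CACERTDIR /etc/openldap/cacerts\nURI ldaps://gurkulrhel1\nBASE dc=gurkulindia,dc=com\n' \
        > "$1/ldap.conf"
    printf '# as in the post\nuri ldaps://gurkulrhel1\nbase dc=gurkulindia,dc=com\nssl start_tls\ntls_reqcert allow\n' \
        > "$1/nslcd-weak.conf"
    printf 'uri ldaps://gurkulrhel1\nbase dc=gurkulindia,dc=com\ntls_reqcert demand\ntls_cacertdir /etc/openldap/cacerts\n' \
        > "$1/nslcd-hardened.conf"
}
```

Against the post's own files the call is `audit_ldap_client /etc/openldap/ldap.conf /etc/nslcd.conf`; a return code of 0 means no finding.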
 

Step 5: Make sure the hostnames resolve to the proper IP addresses

 
[root@gurkulrhel2 tmp]# cat /etc/hosts
127.0.0.1   localhost localhost4
::1         localhost localhost6
192.168.1.31 gurkulrhel1 ldapserver.gurkulindia.com ldapserver
192.168.1.32 gurkulrhel2 ldapclient.gurkulindia.com
192.168.1.33 gurkulrhelca  gurkulrhelca.gurkulindia.com
[root@gurkulrhel2 tmp]#
 

Step 6 :  Restart the NSLCD service

 
[root@gurkulrhel2]# service nslcd restart
 
 

Step 7 : Finally, test that the connection is working

[root@gurkulrhel2 tmp]# ldapsearch -x   -b 'dc=gurkulindia,dc=com'
# extended LDIF
#
# LDAPv3
# base <dc=gurkulindia,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# gurkulindia.com
dn: dc=gurkulindia,dc=com
objectClass: top
objectClass: domain
dc: gurkulindia
 
# Groups, gurkulindia.com
dn: ou=Groups,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
 
# People, gurkulindia.com
dn: ou=People,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
 
# gurkuluser, People, gurkulindia.com
dn: uid=gurkuluser,ou=People,dc=gurkulindia,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: gurkuluser
cn: ldap user1
homeDirectory: /home/gurkuluser
userPassword:: e1NTSEF9NWtPL0sxS0J6SjB3RWFLQkFHaklEWTZNRzZUR3pnOVE=
 
# redhat, Groups, gurkulindia.com
dn: cn=redhat,ou=Groups,dc=gurkulindia,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
gidNumber: 1500
 
# search result
search: 2
result: 0 Success
 
# numResponses: 6
# numEntries: 5
[root@gurkulrhel2 tmp]#
 
 
 

 

We will discuss a little bit of the troubleshooting that I did during this configuration in the next post.

 

Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later I realized that my learnings might be helpful for other unixadmins if I managed my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/

6 Responses

  1. jaswant says:

    Hi Sir

    Used the above method and set up an LDAP server on RHEL 6.4.
    When I use nslcd on the client I am able to see LDAP users, but when I used sssd I don't see any LDAP user. Created certificates and placed them as per the plan mentioned.
    Testing this with strace... just to make sure if I am missing out something.

  2. jaswant says:

    just to explain my setup

    i am using my ldap server as CA server.
    so i am using
    server1 :- as LDAP and CA server
    server2 :- as LDAP client.

    in this blog you asked to edit nslcd.conf file and restart service... but if i want to use sssd with certificates... bit confused.

  3. jaswant says:

    it started working...
    how can i check and confirm if there is handshaking going on with certificates... don't see anything in messages file.
    checked in /var/log/sssd nothing there...
    not using nslcd.conf but sssd.conf file only. Able to login with ldap user.

    Thanks for plan :-)

  4. jaswant says:

    Hi Ram

    i used blog to configure LDAP with CA... it's working fine. Able to add new users and i am able to login using LDAP authentication.
    Tried resetting password for one of the LDAP users using LDAPPASSWD; it asks for LDAP password but gives error.

    [root~]# ldappasswd -x -D "uid=user1,cn=Manager,dc=domain,dc=com" -W
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
    [root~]#

  5. saran says:

    Hi Ram,

    kindly help to configure the same ldap with SASL bind authentication. It would be very helpful for me if you could give some idea on this task.
