RHEL 6.3 – LDAP Series – Part 3 : LDAP Configuration With Encrypted Communication using TLS/SSL
LDAP server authentication without encrypted communication is not recommended for any organization. In this post I describe the procedure for configuring the LDAP server and client to use encrypted authentication and communication. This is the third post in the LDAP implementation series.
Previous posts for your reference
- RHEL 6.3 – LDAP Series – Part 1 : Implementation of LDAP Authentication
- RHEL 6.3 – LDAP Series – Part 2 : Configuration of Certification Authority for LDAP encryption.
Before proceeding to the actual configuration, I want to explain a few details about the procedures for modifying the LDAP configuration.
How To Modify Existing LDAP Configuration
OpenLDAP supports both offline modification and online (dynamic) modification of its configuration. Both ways of modifying it are described below.
LDAP Offline Modification :
To modify the LDAP configuration offline we need to stop the service first and then edit the configuration files under /etc/openldap/slapd.d/
for Example:
[root@gurkulrhel1 ~]# service slapd stop
Stopping slapd: [ OK ]
Below is an example of modifying the LDAP configuration related to the config database:
[root@gurkulrhel1 ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
… make the modifications to the parameters and then start the service
[root@gurkulrhel1 ~]# service slapd start
Starting slapd: [ OK ]
LDAP Online Modification :
Enable the LDAPI listener to allow modifications to the dynamic configuration using the LDAP tools (ldapadd, ldapmodify, etc.).
Prerequisites to allow dynamic modifications:
>> Make sure the ldap user has read and write permission on the /etc/openldap/slapd.d and /var/lib/ldap directories.
[root@gurkulrhel1 ~]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chmod -R u+rwX /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chown -R ldap:ldap /var/lib/ldap
>> Make sure LDAPI support is enabled in the /etc/sysconfig/ldap file
[root@gurkulrhel1 ~]# grep LDAPI /etc/sysconfig/ldap
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
SLAPD_LDAPI=yes
>> Start the slapd server
[root@gurkulrhel1 ~]# service slapd start
Starting slapd: [ OK ]
>> Modify the dynamic configuration either by creating LDIF-format files and loading them, as shown here, or directly with ldapmodify, as shown in the next step.
Sample file : /root/ldap_user_add.ldif
-------------------------------------------------------------------
dn: uid=gurkuluser,ou=People,dc=gurkulindia,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: gurkuluser
cn: ldap user1
homeDirectory: /home/gurkuluser
userPassword: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q

dn: cn=redhat,ou=Groups,dc=gurkulindia,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
gidNumber: 1500
-------------------------------------------------------------------
[root@gurkulrhel1 ~]# ldapadd -x -h localhost -D cn=Manager,dc=gurkulindia,dc=com -f /root/ldap_user_add.ldif -W
Enter LDAP Password: <- enter the password we set for the bdb database
adding new entry "uid=gurkuluser,ou=People,dc=gurkulindia,dc=com"
adding new entry "cn=redhat,ou=Groups,dc=gurkulindia,dc=com"
>> Modify the dynamic configuration directly using ldapmodify
[root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
<-- press Enter twice (an empty line) to apply the modification
modifying entry "olcDatabase={0}config,cn=config"
<-- press ^D to exit
Enable Encrypted LDAP Communication for the LDAP Server (gurkulrhel1)
Note : OpenLDAP on RHEL 6.3 restricts the use of self-signed certificates, which is why CA-signed certificates are used for this demonstration. The procedure for creating CA-signed certificates is described in the post “RHEL 6.3 – LDAP Series – Part 2 : Configuration of Certification Authority for LDAP encryption.”
Note 1: when the parameter “FORCELEGACY=yes” is set in the “/etc/sysconfig/authconfig” file, LDAP uses no encryption for the LDAP connection. In this case the URI parameter in “ldap.conf” will appear as “ldap://<ldapserver>”.
Note 2: when the parameter “FORCELEGACY=no” is set in the “/etc/sysconfig/authconfig” file, LDAP uses encryption for the LDAP connection. In this case the URI parameter in “ldap.conf” will appear as “ldaps://<ldapserver>”.
Step 1 : Check that LDAP is configured to use only encrypted connections
[root@gurkulrhel2 tmp]# grep FORCELEGACY /etc/sysconfig/authconfig
FORCELEGACY=no
Step 2 : Stop the LDAP service
[root@gurkulrhel1 ~]# service slapd stop
Stopping slapd: [ OK ]
Step 3 : Set SLAPD_LDAPI=yes to enable dynamic modifications to the LDAP configuration
[root@gurkulrhel1 ~]# grep SLAPD /etc/sysconfig/ldap|grep -v '^#'
SLAPD_LDAP=no
SLAPD_LDAPI=yes <== this should be yes to enable dynamic modifications to the ldap configuration
SLAPD_LDAPS=yes
[root@gurkulrhel1 ~]#
Step 4 : Edit the file /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif to make the modifications below
Comment out the following olcAccess line:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
and add the following line at the end:
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
Step 5: Test the configuration
[root@gurkulrhel1 ~]# slaptest -u
config file testing succeeded
[root@gurkulrhel1 ~]#
Step 6: Start the service
[root@gurkulrhel1 ~]# service slapd start
Starting slapd: [ OK ]
[root@gurkulrhel1 ~]#
Step 7 : Now check the slapd service status
[root@gurkulrhel1 ~]# service slapd status
slapd (pid 9158) is running...
[root@gurkulrhel1 ~]#
Step 8 : Test that slapd accepts connections by querying the “config” tree
[root@gurkulrhel1 ~]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}corba,cn=schema,cn=config
dn: cn={1}core,cn=schema,cn=config
dn: cn={2}cosine,cn=schema,cn=config
dn: cn={3}duaconf,cn=schema,cn=config
dn: cn={4}dyngroup,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}java,cn=schema,cn=config
dn: cn={7}misc,cn=schema,cn=config
dn: cn={8}nis,cn=schema,cn=config
dn: cn={9}openldap,cn=schema,cn=config
dn: cn={10}ppolicy,cn=schema,cn=config
dn: cn={11}collective,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}bdb,cn=config
[root@gurkulrhel1 ~]#
Step 9 : Copy the LDAP server key and the CA-signed certificate into the /etc/pki/tls/certs directory and name them slapdkey.pem and slapdcert.pem respectively.
- the LDAP certificate key is available as /etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key
- the CA-signed certificate for the LDAP server is available as /etc/pki/CA/certs/gurkulrhel1.gurkulindia.com.crt on the “gurkulrhelca” server
[root@gurkulrhel1 ~]# cp /etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key /etc/pki/tls/certs/slapdkey.pem
[root@gurkulrhel1 ~]# scp gurkulrhelca:/etc/pki/CA/certs/gurkulrhel1.gurkulindia.com.crt /etc/pki/tls/certs/slapdcert.pem
root@gurkulrhelca's password:
gurkulrhel1.gurkulindia.com.crt 100% 4726 4.6KB/s 00:00
[root@gurkulrhel1 ~]# ls -l /etc/pki/tls/certs/slapdkey.pem /etc/pki/tls/certs/slapdcert.pem
-rw-r--r-- 1 root root 4726 Mar 29 21:30 /etc/pki/tls/certs/slapdcert.pem
-rw-r--r-- 1 root root 1704 Mar 29 21:29 /etc/pki/tls/certs/slapdkey.pem
[root@gurkulrhel1 ~]# chown -Rf ldap:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
[root@gurkulrhel1 ~]# chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem
Step 10 : Make sure that each .pem certificate has a corresponding hashed link file in the directory where the certificates are stored. The hashed links can be created in two ways:
Way 1 : Create the hashed link for each .pem file individually, e.g. for cacert.pem:
[root@gurkulrhel1 ~]# HASH=$( openssl x509 -noout -hash -in /etc/pki/tls/certs/cacert.pem )
[root@gurkulrhel1 ~]# ln -s /etc/pki/tls/certs/cacert.pem /etc/pki/tls/certs/${HASH}.0
Way 2 : Create the hashed links for all the .pem files in the directory using the tool “cacertdir_rehash”
[root@gurkulrhel1 certs]# cacertdir_rehash /etc/pki/tls/certs
[root@gurkulrhel1 certs]# ls -l /etc/pki/tls/certs
total 1232
lrwxrwxrwx 1 root root 13 Mar 30 16:28 381ce4dd.0 -> ca-bundle.crt
lrwxrwxrwx 1 root root 19 Mar 30 16:28 381ce4dd.1 -> ca-bundle.trust.crt
lrwxrwxrwx 1 root root 10 Mar 30 16:28 539a37f4.0 -> cacert.pem
lrwxrwxrwx 1 root root 10 Mar 30 16:28 8e89bed9.0 -> client.pem
lrwxrwxrwx 1 root root 13 Mar 30 16:28 8e89bed9.1 -> slapdcert.pem
-rw-r--r--. 1 ldap ldap 571410 Sep 2 2011 ca-bundle.crt
-rw-r--r--. 1 root root 651043 Sep 2 2011 ca-bundle.trust.crt
-rw-r--r-- 1 ldap ldap 1505 Mar 29 20:00 cacert.pem
-rw-r--r-- 1 ldap ldap 1517 Mar 30 01:57 client.pem
lrwxrwxrwx 1 root root 13 Mar 30 16:28 da4d55fe.0 -> localhost.crt
-rw-------. 1 ldap ldap 1188 Sep 27 2012 localhost.crt
-rwxr-xr-x 1 root root 610 Mar 5 06:12 make-dummy-cert
-rw-r--r-- 1 root root 2242 Mar 5 06:12 Makefile
-rw-r--r-- 1 ldap ldap 4726 Mar 29 21:30 slapdcert.pem
-rw-r--r-- 1 ldap ldap 1704 Mar 29 21:29 slapdkey.pem
[root@gurkulrhel1 certs]#
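cacertdir_rehash is an RHEL helper script; the script below is an added example (not from the original post or from any package) that does the same job with plain openssl(1) and ln, which also shows where the numbered suffixes in the listing above come from. It assumes openssl is on PATH and takes the certificate directory as its only argument.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the <subject-hash>.N
# symlinks that OpenSSL and OpenLDAP look up in a TLS_CACERTDIR-style
# directory, with the same result as "way 1" applied to every file or as
# cacertdir_rehash. Assumes openssl(1) on PATH; the directory is the argument.

# Print the subject hash of a PEM certificate; fails (prints nothing) for a
# file that is not a certificate, such as the private key slapdkey.pem.
cert_subject_hash() {
    openssl x509 -noout -hash -in "$1" 2>/dev/null
}

# Remove existing <8 hex digits>.<n> links so that links to certificates that
# were deleted do not linger and re-running does not create duplicate links.
remove_hash_links() {
    for link in "$1"/*.[0-9]*; do
        if [ -L "$link" ]; then
            case $(basename "$link") in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                    rm -f "$link" ;;
            esac
        fi
    done
}

# Create one relative link per certificate (.pem or .crt) in the directory.
# Two certificates with the same subject get .0 and .1, exactly as
# 8e89bed9.0 -> client.pem / 8e89bed9.1 -> slapdcert.pem in the listing
# above. Prints the number of links created.
rehash_certdir() {
    dir=$1
    count=0
    remove_hash_links "$dir"
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        # skip unmatched globs, symlinks and non-certificates (keys)
        if [ ! -f "$cert" ] || [ -L "$cert" ]; then continue; fi
        hash=$(cert_subject_hash "$cert") || continue
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: rehash_certdir /etc/pki/tls/certs
```

The links are relative (cacert.pem rather than /etc/pki/tls/certs/cacert.pem) so the directory can be copied to a client, as Step 2 of the client section does, without the links breaking.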
Step 10 : Now add the TLS certificate and key file information to the LDAP configuration, using an LDIF file.
[root@gurkulrhel1 ~]# cat > /tmp/tls_info.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
<-- press ^D to finish the file
[root@gurkulrhel1 ~]#
[root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/tls_info.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
[root@gurkulrhel1 ~]#
[root@gurkulrhel1 slapd.d]# cat /etc/openldap/slapd.d/cn=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /root/slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
structuralObjectClass: olcGlobal
entryUUID: 7310266a-28cd-1032-9cc3-75d105377527
creatorsName: cn=config
createTimestamp: 20130324125237Z
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
olcTLSCACertificatePath: /etc/pki/tls/certs
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
entryCSN: 20130329134608.284865Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20130329134608Z
[root@gurkulrhel1 slapd.d]#
Step 11 : Configure the LDAP server to use the ldaps:// URI scheme exclusively
[root@gurkulrhel1 ~]# service slapd stop
Stopping slapd: [ OK ]
[root@gurkulrhel1 ~]#
[root@gurkulrhel1 ~]# grep ^SLAPD /etc/sysconfig/ldap
SLAPD_LDAP=no <== disabled
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes <== enabled
[root@gurkulrhel1 ~]#
Step 12 : Add firewall rules to accept incoming connections on port 636 (encrypted LDAP communication uses port 636, whereas unencrypted LDAP goes through port 389)
>> Add the following iptables rules for port 636 to /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
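Before slapd is restarted on ldaps:// only, the three files named in the olcTLS* attributes can be checked from the shell for the mistakes that most often make the TLS listener fail to start or clients fail to verify. The script below is an added example, not part of the original post or of OpenLDAP; it assumes openssl(1) on PATH and takes the expected owner of the key (ldap above) as a parameter.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the files
# named in olcTLSCACertificateFile, olcTLSCertificateFile and
# olcTLSCertificateKeyFile above, to run before slapd is restarted with
# ldaps:// only. Assumes openssl(1) on PATH. The expected owner of the
# key is a parameter (ldap on the server above).

# 0 if the certificate's public key belongs to the private key, else 1.
# Compares the RSA modulus of both, the classic mismatch test.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# 0 if the server certificate chains to the given CA certificate, else 1.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the key has no permission bits for "other" and is owned by $2.
# ls -l columns 8-10 are the "other" bits and column 3 is the owner
# (used instead of stat(1), whose flags differ between Linux and BSD).
key_permissions_ok() {
    other=$(ls -l "$1" | cut -c8-10)
    owner=$(ls -l "$1" | awk '{print $3}')
    [ "$other" = "---" ] && [ "$owner" = "$2" ]
}

# Run all three checks, print one line per check, and return the number of
# failed checks (0 means slapd can be restarted).
slapd_tls_preflight() {
    ca=$1; cert=$2; key=$3; owner=$4; failures=0
    if cert_matches_key "$cert" "$key"; then
        echo "ok   certificate $cert matches key $key"
    else
        echo "FAIL certificate $cert does not match key $key"; failures=$((failures + 1))
    fi
    if cert_signed_by_ca "$ca" "$cert"; then
        echo "ok   $cert verifies against CA $ca"
    else
        echo "FAIL $cert does not verify against CA $ca"; failures=$((failures + 1))
    fi
    if key_permissions_ok "$key" "$owner"; then
        echo "ok   $key is owned by $owner and not readable by others"
    else
        echo "FAIL $key must be owned by $owner with no permissions for others"; failures=$((failures + 1))
    fi
    return $failures
}

# Usage: slapd_tls_preflight /etc/pki/tls/certs/cacert.pem \
#            /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem ldap
```

The permission check accepts the chmod 750 / chown ldap:ldap combination used in Step 9 above, since it only insists that the "other" bits are clear and the owner is the slapd user.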
Configure the LDAP Server Host (i.e. gurkulrhel1) as a Client to Itself
Step 1 : Configure the LDAP client configuration file with the parameters “TLS_CACERTDIR”, “URI” and “BASE”, as shown below
[root@gurkulrhel2 tmp]# cat /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://gurkulrhel1
BASE dc=gurkulindia,dc=com
Step 2: Copy both the CA-signed LDAP certificate and the CA certificate to the local directory given as “TLS_CACERTDIR” in /etc/openldap/ldap.conf
[root@gurkulrhel2]# scp gurkulrhel1:/etc/pki/tls/certs/slapdcert.pem /etc/openldap/cacerts/client.pem
[root@gurkulrhel2]# scp gurkulrhel1:/etc/pki/tls/certs/cacert.pem /etc/openldap/cacerts/cacert.pem
Step 3: Make sure hashed file for CA server Certificate and CA Signed Client certificate available at the path mentioned by “TLS_CACERTDIR” in “/etc/openldap/ldap.conf”
[root@gurkulrhel2 tmp]# ls -l /etc/openldap/cacerts
total 8
lrwxrwxrwx 1 root root 10 Mar 30 20:20 539a37f4.0 -> cacert.pem
lrwxrwxrwx 1 root root 10 Mar 30 20:20 8e89bed9.0 -> client.pem
-rw-r--r-- 1 root root 1505 Mar 30 20:20 cacert.pem
-rw-r--r-- 1 root root 1517 Mar 30 20:13 client.pem
[root@gurkulrhel2 tmp]#
>> If the hashed links are missing, just run the command:
[root@gurkulrhel2 cacerts]# cacertdir_rehash /etc/openldap/cacerts
Step 4: Configure nslcd to use TLS/SSL encryption for the LDAP connections.
[root@gurkulrhel2 tmp]# cat /etc/nslcd.conf
:::: SNIP OTHER DEFAULT SETTINGS, ONLY THE LINES BELOW ARE RELEVANT FOR OUR SETUP :::::
# This comment prevents repeated auto-migration of settings.
uri ldaps://gurkulrhel1
base dc=gurkulindia,dc=com
ssl start_tls
tls_reqcert allow
Step 5: Make sure the hostnames resolve to the proper IP addresses
[root@gurkulrhel2 tmp]# cat /etc/hosts
127.0.0.1 localhost localhost4
::1 localhost localhost6
192.168.1.31 gurkulrhel1 ldapserver.gurkulindia.com ldapserver
192.168.1.32 gurkulrhel2 ldapclient.gurkulindia.com
192.168.1.33 gurkulrhelca gurkulrhelca.gurkulindia.com
[root@gurkulrhel2 tmp]#
Step 6 : Restart the NSLCD service
[root@gurkulrhel2]# service nslcd restart
Step 7 : Finally, test that the connection works
[root@gurkulrhel2 tmp]# ldapsearch -x -b 'dc=gurkulindia,dc=com'
# extended LDIF
#
# LDAPv3
# base <dc=gurkulindia,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# gurkulindia.com
dn: dc=gurkulindia,dc=com
objectClass: top
objectClass: domain
dc: gurkulindia

# Groups, gurkulindia.com
dn: ou=Groups,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

# People, gurkulindia.com
dn: ou=People,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

# gurkuluser, People, gurkulindia.com
dn: uid=gurkuluser,ou=People,dc=gurkulindia,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: gurkuluser
cn: ldap user1
homeDirectory: /home/gurkuluser
userPassword:: e1NTSEF9NWtPL0sxS0J6SjB3RWFLQkFHaklEWTZNRzZUR3pnOVE=

# redhat, Groups, gurkulindia.com
dn: cn=redhat,ou=Groups,dc=gurkulindia,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
gidNumber: 1500

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
[root@gurkulrhel2 tmp]#
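Two checks a client administrator would run after Step 7, as an added example that is not part of the original post: whether the TLS handshake to port 636 verifies against the CA file copied in Step 2, and whether an anonymous bind can read userPassword. It assumes openssl(1) and ldapsearch(1) on PATH; host, port, CA file and base DN are parameters, with the post's values shown in the usage comment.

```shell
#!/bin/sh
# Added example (not from the original post): two client-side checks for the
# setup above. Assumes openssl(1) and ldapsearch(1) on PATH; the server,
# port, CA file and base DN are parameters (gurkulrhel1, 636,
# /etc/openldap/cacerts/cacert.pem and dc=gurkulindia,dc=com in the post).

# Read `openssl s_client` output on stdin; 0 if the server certificate
# verified against the CA, 1 otherwise. Kept separate from the connection so
# it can also be run on saved output.
s_client_verified() {
    grep -q '^ *Verify return code: 0 (ok)'
}

# LDAPS is TLS straight over TCP 636 (no STARTTLS), so a plain s_client
# connection exercises the same handshake nslcd performs.
ldaps_handshake_ok() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null | s_client_verified
}

# Read LDIF on stdin and print the DN of every entry carrying a userPassword
# attribute; returns 1 if any was found, 0 if none. Matches both the
# "userPassword:" and the base64 "userPassword::" forms ldapsearch emits.
exposed_password_dns() {
    awk '
        /^dn: /             { dn = substr($0, 5) }
        /^userPassword::? / { print dn; found = 1 }
        END                 { exit (found ? 1 : 0) }
    '
}

# Anonymous simple bind (-x without -D), as in Step 7 above, asking only for
# userPassword: with correct access controls nothing should come back.
anonymous_password_exposure() {
    ldapsearch -x -LLL -H "ldaps://$1" -b "$2" '(objectClass=*)' userPassword | exposed_password_dns
}

# Usage:
#   ldaps_handshake_ok gurkulrhel1 636 /etc/openldap/cacerts/cacert.pem && echo "TLS verified"
#   anonymous_password_exposure gurkulrhel1 dc=gurkulindia,dc=com || echo "userPassword readable anonymously"
```

The handshake check matters because of the tls_reqcert allow setting in nslcd.conf above: with allow, nslcd continues even when the server presents a certificate that does not verify (see nslcd.conf(5)), so the CA chain is only enforced by nslcd itself if the setting is raised to demand. The exposure check flags what the Step 7 output already shows: an anonymous search returned the userPassword hash of gurkuluser. The usual remedy is an access rule on the data database such as olcAccess: to attrs=userPassword by self write by anonymous auth by * none, added with ldapmodify the same way the olcTLS* attributes were added in Step 10.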
In the next post I will cover some of the troubleshooting I had to do during this configuration.
Hi Sir
Used the above method and set up an LDAP server on RHEL 6.4.
When I use nslcd on the client I am able to see LDAP users, but when I use sssd I don't see any LDAP user. Created certificates and placed them as per the plan mentioned.
Testing this with strace... just to make sure I am not missing something.
Just to explain my setup:
I am using my LDAP server as the CA server.
So I am using
server1 :- as LDAP and CA server
server2 :- as LDAP client.
In this blog you asked to edit the nslcd.conf file and restart the service... but if I want to use sssd with certificates... a bit confused.
It started working.....
How can I check and confirm if there is handshaking going on with certificates..... I don't see anything in the messages file.
Checked in /var/log/sssd, nothing there.....
Not using nslcd.conf but the sssd.conf file only. Able to login with an LDAP user.
Thanks for plan :-)
Hi Ram
I used the blog to configure LDAP with CA... it's working fine. Able to add new users and I am able to log in using LDAP authentication.
Tried resetting the password for one of the LDAP users using ldappasswd; it asks for the LDAP password but gives an error.
[root~]# ldappasswd -x -D "uid=user1,cn=Manager,dc=domain,dc=com" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root~]#
Jaswant, is that user directly able to change his own password with the “ldappasswd” command (not from the root account)?
Hi Ram,
Kindly help me configure the same LDAP with SASL bind authentication. It would be very helpful for me if you could give some ideas on this task.