Saturday, December 23, 2006

LDAP with TLS

LDAP over SSL (ldaps) = port 636
LDAP with StartTLS = port 389 (no change: TLS is negotiated on the normal LDAP port)

Server:
(1) Create a certificate for the LDAP server
Note that the cn field inside the certificate MUST match the server's hostname (the client compares it with the name it connects to)

(2) Remove the DES3 passphrase from the private key (slapd cannot prompt for it when started as a service)
openssl rsa -in private.des3 -out slapd.pem

(3) Add an empty line at the end of slapd.pem
echo >> slapd.pem

(4) Append the server's certificate to the end of slapd.pem
cat newcert.pem >> slapd.pem

(5) cp slapd.pem /etc/openldap/cacerts/
chown root.ldap /etc/openldap/cacerts/slapd.pem
chmod 644 /etc/openldap/cacerts/slapd.pem

(6) cp cacert.pem /etc/openldap/cacerts/

(7) Modify slapd.conf
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapd.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd.pem

(8) service ldap restart

(9) netstat -ntlp
Then we can see that both port 636 and port 389 are listening

Client:
(1) vi /etc/openldap/ldap.conf
TLS_REQCERT never (the client then accepts any server certificate without checking it; TLS_REQCERT demand together with TLS_CACERT /etc/openldap/cacerts/cacert.pem makes it verify the certificate against the CA from step 6)

(2) search
StartTLS: ldapsearch -x -ZZ -b "dc=osa,dc=com" -h linux.kirika.idv.tw
SSL (ldaps): ldapsearch -x -b "dc=osa,dc=com" -H ldaps://linux.kirika.idv.tw
No encryption: ldapsearch -x -b "dc=osa,dc=com" -h linux.kirika.idv.tw
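The server steps above (assembling slapd.pem, writing the slapd.conf TLS directives) and the client-side ldap.conf, carried out by a small POSIX sh script. This is an added example, not the post's own commands: the function names, the check that refuses a still-encrypted key, and the placeholder PEM bodies are mine; the directive names and the /etc/openldap/cacerts paths are the post's. It goes one step beyond the post by writing the client file with TLS_REQCERT demand (OpenLDAP's default, which verifies the server certificate) as well as accepting the post's never.

```shell
#!/bin/sh
# Added example (not from the original post): assembles the combined
# slapd.pem the post describes (unencrypted key, blank line, server cert),
# checks the result, and writes the slapd.conf TLS directives and the
# client ldap.conf. Every function takes its paths as arguments, so it can
# be exercised in a scratch directory; demo() uses the post's real paths
# for the directives. chown root.ldap is left to the caller (needs root).

# build_slapd_pem KEY CERT OUT
# Steps 2-5 of the post minus chown: refuse a still-encrypted key (slapd
# cannot prompt for a passphrase when started as a service), then write
# key + blank line + certificate to OUT with mode 0644.
build_slapd_pem() {
    key=$1; cert=$2; out=$3
    if grep -q 'ENCRYPTED' "$key"; then
        echo "$key is still passphrase-protected; run: openssl rsa -in $key -out plain.pem" >&2
        return 1
    fi
    { cat "$key"; echo; cat "$cert"; } > "$out"
    chmod 644 "$out"
}

# check_slapd_pem FILE
# Succeeds when FILE holds exactly one private key and at least one
# certificate, the layout that lets TLSCertificateFile and
# TLSCertificateKeyFile both point at the same file.
check_slapd_pem() {
    f=$1
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# write_slapd_tls_conf CONF CACERT PEM
# Appends step 7's three directives to CONF unless they are already there.
write_slapd_tls_conf() {
    conf=$1; cacert=$2; pem=$3
    if grep -q '^TLSCertificateFile' "$conf" 2>/dev/null; then
        return 0
    fi
    {
        echo "TLSCACertificateFile $cacert"
        echo "TLSCertificateFile $pem"
        echo "TLSCertificateKeyFile $pem"
    } >> "$conf"
}

# write_client_ldap_conf CONF CACERT [MODE]
# Writes the client-side /etc/openldap/ldap.conf TLS settings. MODE
# "never" reproduces the post's setting (the client accepts any server
# certificate); "demand", the default here and in OpenLDAP, makes the
# client verify the server certificate against CACERT, so CACERT must be
# the CA certificate copied in step 6.
write_client_ldap_conf() {
    conf=$1; cacert=$2; mode=${3:-demand}
    case "$mode" in
        never|allow|try|demand|hard) ;;
        *) echo "unknown TLS_REQCERT value: $mode" >&2; return 1 ;;
    esac
    {
        echo "TLS_CACERT $cacert"
        echo "TLS_REQCERT $mode"
    } > "$conf"
}

# demo: run the whole sequence in a temporary directory using constructed
# placeholder PEM bodies (not real key material) and print where it wrote.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY-BODY' \
        '-----END RSA PRIVATE KEY-----' > "$d/private.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT-BODY' \
        '-----END CERTIFICATE-----' > "$d/newcert.pem"
    build_slapd_pem "$d/private.pem" "$d/newcert.pem" "$d/slapd.pem"
    check_slapd_pem "$d/slapd.pem"
    write_slapd_tls_conf "$d/slapd.conf" \
        /etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/slapd.pem
    write_client_ldap_conf "$d/ldap.conf" /etc/openldap/cacerts/cacert.pem demand
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh tls-slapd.sh --demo` to watch it assemble everything in a scratch directory; for a real install call the functions with the post's paths, then do the chown root.ldap and service ldap restart by hand, and point ldapsearch at the server with -ZZ to confirm StartTLS works before touching the ldap.conf of other clients.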

Linux:
Run authconfig and check "Use TLS" under the LDAP options
This changes /etc/ldap.conf
We can also switch from TLS to SSL by changing
ssl start_tls
to
ssl on
