I'm trying to enable SSL connections on an OpenLDAP 2.4.23 server, but all the instructions I find only discuss the old slapd.conf configuration. Can anyone point to some instructions for setting it up under cn=config?
Viewed 6,734 times

Brad Mace
3 Answers
Here's what's working so far, though I could still use a guide to tuning the security settings under cn=config:
Followed the instructions here to create the certificate, then added the TLS attributes to cn=config (the last two were set by default):
olcTLSCertificateFile /certs/ldapscert.pem
olcTLSCertificateKeyFile /certs/keys/ldapskey.pem
olcTLSCipherSuite TLSV1+RSA:!NULL
olcTLSCRLCheck none
olcTLSVerifyClient never
Start the server using /usr/local/libexec/slapd -F slapd.d -h ldaps:///
This lets me connect from Apache Directory Studio using ldaps, but isn't working for linux logins.

Brad Mace
Had to generate a certificate with alt-subject-names for both ldap servers and the meta-server name and distribute the certs to all the other linux servers to get linux logins working securely. – Brad Mace Feb 07 '11 at 21:00
If, like me, you found this answer but were looking for the dynamic config (cn=config) option, use the following ldif.
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /path/to/host.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /path/to/host.crt
-
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/ssl/cert
To add the ldif use:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f nameOfLdif.ldif

Andrew Meyer
When I use what @Andrew Meyer suggested in my HA setup I get the following error: ldap_modify: Other (e.g., implementation specific) error (80) – Digital Human May 07 '19 at 09:22

I get that too. In other places they say it may be permission issues on the cert files; they need to be readable by the openldap user. Often they add him to the ssl-cert group and make sure the group can read the files, but that hasn't worked for me yet. – fei0x Apr 09 '21 at 17:56

I saw some issues implementing this in an HA setup when using syncrepl. Since the child nodes sync their config, it is locally read-only. My workaround was to manually edit the necessary files and regenerate the CRC checksums. I wouldn't recommend that in production though. – Andrew Meyer Sep 01 '21 at 15:33
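Pulling the answer above and the two comment threads together (the SAN certificate Brad Mace mentions under the first answer, and the "error (80)" / file-permission discussion here), the following is an added example script, not code from any of the posters. It generates a key and self-signed certificate whose subjectAltName lists every name clients will connect to, checks that the key is readable by the slapd user without being world-readable before the LDIF is applied (an unreadable key is a common cause of the error 80 result), emits and applies the same cn=config LDIF as the answer, and verifies the ldaps listener afterwards. Note that olcTLSCACertificatePath names a directory of individual CA certificate files (OpenSSL needs hashed filenames there, e.g. as produced by c_rehash), not a bundle file. The user name "openldap", the ldapi:/// socket and all paths are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumptions (hypothetical):
# slapd runs as the "openldap" user, a local ldapi:/// socket is available for
# "-Y EXTERNAL" as root, and every path below is a placeholder.
set -u

SLAPD_USER="${SLAPD_USER:-openldap}"

# Generate a private key and a self-signed cert whose subjectAltName covers every
# name clients use: both ldap servers plus the shared name PAM/NSS clients point at.
# usage: make_san_cert OUTDIR CN DNS1 [DNS2 ...]   (OpenSSL >= 1.1.1 for -addext)
make_san_cert() {
  out="$1"; cn="$2"; shift 2
  sans=""
  for n in "$@"; do sans="${sans:+$sans,}DNS:$n"; done
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$cn" -addext "subjectAltName=$sans" \
    -keyout "$out/host.key" -out "$out/host.crt"
  # Key readable by slapd's group only; run as root for the chown to work.
  chmod 640 "$out/host.key" && chown "root:$SLAPD_USER" "$out/host.key"
}

# Emit the cn=config modification that points slapd at the key, cert and CA dir.
tls_ldif() {
  key="$1"; crt="$2"; cadir="$3"
  printf '%s\n' \
    'dn: cn=config' \
    'changetype: modify' \
    'replace: olcTLSCertificateKeyFile' \
    "olcTLSCertificateKeyFile: $key" \
    '-' \
    'replace: olcTLSCertificateFile' \
    "olcTLSCertificateFile: $crt" \
    '-' \
    'replace: olcTLSCACertificatePath' \
    "olcTLSCACertificatePath: $cadir"
}

# Return 0 when FILE is readable by USER (as owner, or via a group USER is in)
# and is NOT world-readable; anything else is wrong for a private key.
readable_by_user_only() {
  f="$1"; u="$2"
  [ -e "$f" ] || return 1
  set -- $(ls -ld "$f")            # mode links owner group ...
  mode="$1"; owner="$3"; group="$4"
  [ "$(printf '%s' "$mode" | cut -c8)" = r ] && return 1      # world-readable
  if [ "$owner" = "$u" ] && [ "$(printf '%s' "$mode" | cut -c2)" = r ]; then
    return 0
  fi
  if [ "$(printf '%s' "$mode" | cut -c5)" = r ]; then
    for g in $(id -Gn "$u"); do [ "$g" = "$group" ] && return 0; done
  fi
  return 1
}

# Check the files first, then apply the LDIF over the local ldapi socket.
# usage: apply_tls_ldif /path/to/host.key /path/to/host.crt /etc/ssl/certs
apply_tls_ldif() {
  key="$1"; crt="$2"; cadir="$3"
  readable_by_user_only "$key" "$SLAPD_USER" || {
    echo "$key is not readable by $SLAPD_USER, or is world-readable" >&2; return 1; }
  [ -r "$crt" ] || { echo "$crt is not readable" >&2; return 1; }
  [ -d "$cadir" ] || { echo "$cadir is not a directory of CA certs" >&2; return 1; }
  tls_ldif "$key" "$crt" "$cadir" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# After restarting with -h "ldap:/// ldaps:/// ldapi:///", confirm the handshake,
# show the SANs the server presents, and do an anonymous bind over ldaps.
# usage: verify_ldaps ldap.example.org
verify_ldaps() {
  host="$1"
  openssl s_client -connect "$host:636" -servername "$host" -CApath /etc/ssl/certs \
    </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
  ldapwhoami -x -H "ldaps://$host/"
}
```

Run `make_san_cert /etc/ldap/certs ldap.example.org ldap1.example.org ldap2.example.org ldap.example.org` first, then `apply_tls_ldif` and `verify_ldaps` with the same names; on a syncrepl consumer whose cn=config is replicated from the provider, apply the LDIF on the provider rather than editing the consumer's files by hand.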
So it seems that in an HA setup you cannot use the NSS db if you need to update your TLS certificate name. It's not possible to update the name through LDIF with ldapmodify.

Digital Human