An LDAP server is often used in business; it holds a lot of personal information (phone numbers, for example) and should therefore be protected. To encrypt the connection between the LDAP server and its clients (computers, smartphones, tablets and other mobile devices), we will configure the server to accept connections over SSL/TLS. Once the connection is encrypted, an attacker listening on the network cannot (or only with great difficulty) read our data in transit.
Because we use SSL/TLS to encrypt the connection, we need to generate a certificate for our server. We will use the "certtool" utility rather than "openssl", because the LDAP server "slapd" is now compiled against the "gnutls" library.
Start by installing the "gnutls" command-line tools and the "ssl-cert" package.
Bash
sudo apt-get install gnutls-bin ssl-cert
Then create the private key for our CA.
Bash
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
Then create a template for this authority and put the name of your company in the "cn" line.
Bash
vi /etc/ssl/ca.info
Bash
cn = InformatiWeb Computer
ca
cert_signing_key
Create the self-signed certificate of our CA.
Bash
sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Then create the private key for your LDAP server. The original command used "--bits 1024"; a 1024-bit RSA key is no longer considered adequate, so generate at least 2048 bits.
Bash
sudo certtool --generate-privkey --bits 2048 --outfile /etc/ssl/private/ldap_slapd_key.pem
Then create the template for creating the server certificate.
Notes :
- Enter the name of your company in the "organization" field.
- Put the host name that clients will use to reach your LDAP server in the "cn" field: clients verify that the certificate's CN matches the name they connect to, so it must be the name (here ldap.informatiweblan.net) and not a different alias.
- The certificate generated from this template will be valid for 10 years (expiration_days = 3650).
Bash
vi /etc/ssl/ldap.info
Bash
organization = InformatiWeb Computer
cn = ldap.informatiweblan.net
tls_www_server
encryption_key
signing_key
expiration_days = 3650
Now create the server certificate.
Bash
sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ldap.info --outfile /etc/ssl/certs/ldap_slapd_cert.pem
To tell the LDAP server where the certificates are, we will create an LDIF file and import it into the server's "cn=config" database.
Bash
vi /etc/ssl/certinfo.ldif
Bash
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_slapd_key.pem
Then import this file into the LDAP server to apply the changes. The private key must be readable by the account slapd runs as (on Debian and Ubuntu, the "openldap" user), but never by everyone.
Bash
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
Finally, to make your server listen over SSL/TLS (the ldaps:/// protocol), simply edit the file "/etc/default/slapd" and add that protocol to the "SLAPD_SERVICES" list.
Note : If you want your server to accept only secure connections, keep only "ldaps:///" in the list and remove the others. Be aware that the ldapmodify command above relies on "ldapi:///", so keep that one if you still administer the server through it.
Bash
vi /etc/default/slapd
Bash
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
You can now connect to your LDAP server securely.
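The following script is an added post-configuration check for the setup described above; it is not part of the original tutorial. It reads the "/etc/default/slapd" and "certinfo.ldif" files produced in the steps above, checks that the private key is not world-readable, verifies that the server certificate chains to our CA with certtool, and runs an anonymous base search over ldaps://. The default paths are the tutorial's; the host name passed on the command line and the "check" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity checks for the slapd TLS configuration above.
# Usage on the server:  sh check_slapd_tls.sh check ldap.informatiweblan.net
set -u

# Print the SLAPD_SERVICES value from a /etc/default/slapd style file.
# The last assignment wins, as it would when the init script sources the file.
slapd_services() {
    sed -n 's/^[[:space:]]*SLAPD_SERVICES=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Return 0 if the given listener (e.g. ldaps:///) appears in SLAPD_SERVICES.
services_have() {
    for svc in $(slapd_services "$1"); do
        [ "$svc" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if ldaps:/// is the only listener (the "secure connections only" variant).
services_ldaps_only() {
    [ "$(slapd_services "$1")" = "ldaps:///" ]
}

# Return 0 if "others" have no read permission on the file (private keys must not be world-readable).
key_not_world_readable() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *[0-3]) return 0 ;;   # last octal digit without the read bit (4)
        *) return 1 ;;
    esac
}

# Print the file paths referenced by the olcTLS*File attributes of a certinfo.ldif.
ldif_tls_files() {
    sed -n 's/^olcTLS[A-Za-z]*File:[[:space:]]*//p' "$1"
}

# Return 0 if every file referenced by the LDIF exists as a regular file.
ldif_tls_files_exist() {
    for f in $(ldif_tls_files "$1"); do
        [ -f "$f" ] || { echo "missing file referenced in LDIF: $f" >&2; return 1; }
    done
    return 0
}

# Verify that the server certificate was signed by our CA (requires gnutls-bin).
verify_chain() {
    certtool --verify --load-ca-certificate "${1:-/etc/ssl/certs/cacert.pem}" \
        --infile "${2:-/etc/ssl/certs/ldap_slapd_cert.pem}"
}

# Anonymous base search over ldaps://, trusting only our CA certificate.
# A name mismatch between the certificate CN and the host given here makes this fail.
probe_ldaps() {
    LDAPTLS_CACERT="${2:-/etc/ssl/certs/cacert.pem}" \
        ldapsearch -H "ldaps://$1" -x -b '' -s base '(objectClass=*)' namingContexts
}

# Only run the live checks when explicitly asked to, so the functions can be sourced.
if [ "${1:-}" = "check" ]; then
    ldif_tls_files_exist /etc/ssl/certinfo.ldif
    key_not_world_readable /etc/ssl/private/ldap_slapd_key.pem \
        || echo "warning: private key is world-readable" >&2
    services_have /etc/default/slapd ldaps:/// \
        || echo "warning: ldaps:/// is not listed in SLAPD_SERVICES" >&2
    verify_chain
    probe_ldaps "${2:-ldap.informatiweblan.net}"
fi
```

If the key check warns, the usual fix on Debian and Ubuntu (an assumption about your distribution) is to give the key to the "ssl-cert" group installed earlier and add the "openldap" user to that group, rather than making the key readable by everyone. The probe uses LDAPTLS_CACERT so that only our own CA is trusted for this test; a failure there with a valid chain usually means the CN in ldap.info does not match the host name used to connect.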