An LDAP server is often used in business, it contains a lot of personal information (phone numbers, for example) and should be secure. To encrypt the connection between the LDAP server and clients (computers, smartphones, tablets and other mobile devices), we will configure our server to allow access to the server via SSL. The connection is encrypted, hackers can not (or hardly) intercept our data through the network.
Because we use SSL to encrypt the connection, we will need to generate an SSL certificate for our server. However, we will use the utility "certtool" instead of "openssl" as the LDAP server "slapd" is now compiled with the library "gnutls".
Start by installing the library "gnutls" and the "ssl-cert" package.
Bash
sudo apt-get install gnutls-bin ssl-cert
Then create the private key for our CA.
Bash
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
Then, create a model for this authority and provide the name of your company in line "cn".
Bash
vi /etc/ssl/ca.info
Bash
cn = InformatiWeb Computer ca cert_signing_key
Create self-signed certificate from our CA.
Bash
sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Then, create the private key for your LDAP server.
Bash
sudo certtool --generate-privkey --bits 1024 --outfile /etc/ssl/private/ldap_slapd_key.pem
Then create the template for creating the server certificate.
Notes :
- Enter the name of your company : organization
- And the field that points to the IP address of your LDAP server : cn
- The certificate generated by this model will be valid for 10 years (expiration_days = 3650).
Bash
vi /etc/ssl/ldap.info
Bash
organization = InformatiWeb Computer cn = ldap.informatiweblan.net tls_www_server encryption_key signing_key expiration_days = 3650
Now create the server certificate.
Bash
sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ldap.info --outfile /etc/ssl/certs/ldap_slapd_cert.pem
To specify the LDAP server where the certificates, we will create a "ldif" file that we will import our server.
Bash
vi /etc/ssl/certinfo.ldif
Bash
dn: cn=config add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/ldap_slapd_cert.pem - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/ldap_slapd_key.pem
Then import this file into the LDAP server to apply the changes.
Bash
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
And finally, to allow your server to run over SSL (by the ldaps:/// protocol), you can simply edit the file "/etc/default/slapd" and add the protocol in the list "SLAPD_SERVICES".
Note : If you want your server only works with secure connections, simply put only the "ldaps:///" protocol in the list and delete the others.
Bash
vi /etc/default/slapd
Bash
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
You can now connect to your LDAP server securely.
Linux 7/7/2015
Linux 9/12/2015
Linux 9/18/2016
Linux 1/31/2014
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
You must be logged in to post a comment