LDAP servers are common in business; they hold a lot of personal information (phone numbers, for example) and must be secured. To encrypt the connection between the LDAP server and its clients (computers, smartphones, tablets and other mobile devices), we will configure the server to accept connections over SSL. Once the connection is encrypted, an attacker listening on the network can no longer read our data in transit (or only with great difficulty).
Since we use SSL to encrypt the connection, we need to generate an SSL certificate for our server. We will use the "certtool" utility rather than "openssl", because the LDAP server "slapd" is now built against the "gnutls" library.
Start by installing the "gnutls-bin" package (which provides certtool) and the "ssl-cert" package.
sudo apt-get install gnutls-bin ssl-cert
Then create the private key of our certificate authority (CA).
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
Then create a template for this authority in the file "/etc/ssl/ca.info" and put your company name on the "cn" line.
cn = InformatiWeb Computer
ca
cert_signing_key
Create the self-signed certificate of our CA.
sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Then create the private key for your LDAP server.
sudo certtool --generate-privkey --bits 1024 --outfile /etc/ssl/private/ldap_slapd_key.pem
Then create the template for the server certificate, in the file "/etc/ssl/ldap.info":
- organization : the name of your company
- cn : the DNS name that resolves to the IP address of your LDAP server
- The certificate generated from this template will be valid for 10 years (expiration_days = 3650).
organization = InformatiWeb Computer
cn = ldap.informatiweblan.net
tls_www_server
encryption_key
signing_key
expiration_days = 3650
Now create the server certificate.
sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ldap.info --outfile /etc/ssl/certs/ldap_slapd_cert.pem
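The certificate steps above, gathered into one rebuildable script. This is an added example, not a command from the original article: it writes the two certtool templates, issues the CA and server certificates into a directory passed as an argument, and then checks that the server certificate verifies against the CA. Three choices here are mine, not the page's: 2048-bit keys instead of 1024 (1024-bit RSA is no longer considered adequate), a dns_name entry in the server template (modern TLS clients match the Subject Alternative Name rather than cn), and an explicit expiration_days on the CA template (certtool's default validity is 365 days, so without it the CA would expire long before the 10-year server certificate).

```shell
#!/bin/sh
# Added example (not from the original article): issue a private CA and a
# slapd server certificate with certtool, following the walkthrough above.
# Assumptions not taken from the page: 2048-bit keys, a dns_name SAN entry,
# a CA validity period, and an output directory given on the command line.
set -eu

# CA template: "ca" and "cert_signing_key" mark the certificate as an
# authority able to sign other certificates.
write_ca_template() {
    out=$1; cn=$2; days=${3:-3650}
    printf 'cn = %s\nca\ncert_signing_key\nexpiration_days = %s\n' "$cn" "$days" > "$out"
}

# Server template: same fields as the page plus dns_name, so the host name
# is also present as a Subject Alternative Name.
write_server_template() {
    out=$1; org=$2; host=$3; days=${4:-3650}
    {
        printf 'organization = %s\n' "$org"
        printf 'cn = %s\n' "$host"
        printf 'dns_name = %s\n' "$host"
        printf 'tls_www_server\nencryption_key\nsigning_key\n'
        printf 'expiration_days = %s\n' "$days"
    } > "$out"
}

# Generate CA key + self-signed CA certificate, then server key + CA-signed
# server certificate, mirroring the certtool commands of the article.
issue_pki() {
    dir=$1; org=$2; host=$3
    mkdir -p "$dir"
    write_ca_template "$dir/ca.info" "$org"
    write_server_template "$dir/ldap.info" "$org" "$host"
    certtool --generate-privkey --bits 2048 --outfile "$dir/cakey.pem"
    certtool --generate-self-signed --load-privkey "$dir/cakey.pem" \
        --template "$dir/ca.info" --outfile "$dir/cacert.pem"
    certtool --generate-privkey --bits 2048 --outfile "$dir/ldap_slapd_key.pem"
    certtool --generate-certificate --load-privkey "$dir/ldap_slapd_key.pem" \
        --load-ca-certificate "$dir/cacert.pem" --load-ca-privkey "$dir/cakey.pem" \
        --template "$dir/ldap.info" --outfile "$dir/ldap_slapd_cert.pem"
    # Private keys must never be world-readable.
    chmod 600 "$dir/cakey.pem" "$dir/ldap_slapd_key.pem"
}

# Exit 0 only if the server certificate chains to our CA.
verify_pki() {
    dir=$1
    certtool --verify --load-ca-certificate "$dir/cacert.pem" \
        --infile "$dir/ldap_slapd_cert.pem" >/dev/null 2>&1
}

# Usage: sh ldap_pki.sh /path/to/outdir "Company name" ldap.example.com
if [ "$#" -ge 3 ]; then
    issue_pki "$1" "$2" "$3"
    if verify_pki "$1"; then
        echo "Server certificate verifies against $1/cacert.pem"
    else
        echo "Verification failed" >&2
        exit 1
    fi
fi
```

Once the files are verified they can be copied to the /etc/ssl paths the article uses; the remaining steps of the article stay the same.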
To tell the LDAP server where the certificates are, we create an "ldif" file (here "/etc/ssl/certinfo.ldif") that we then import into the server.
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_slapd_key.pem
Then import this file into the LDAP server to apply the changes.
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
Finally, to make your server listen over SSL (the ldaps:/// protocol), edit the file "/etc/default/slapd" and add that protocol to the "SLAPD_SERVICES" list.
Note: if you want your server to accept only secure connections, keep only the "ldaps:///" protocol in the list and remove the others.
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
You can now connect to your LDAP server securely.
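Before relying on the new listener, a few checks are worth running. The script below is an added example, not part of the original article: it generates the cn=config LDIF from the certificate paths, checks that the private key is not world-readable and that SLAPD_SERVICES contains the expected schemes, and then attempts a TLS handshake against port 636 with gnutls-cli (part of the gnutls-bin package installed at the start). Two details are my own choices rather than the page's: the LDIF uses "replace" instead of "add" so it can be re-imported after a certificate renewal without an "attribute exists" error, and the SLAPD_SERVICES check also reports when ldapi:/// has been removed, since the ldapmodify -Y EXTERNAL -H ldapi:/// command used above depends on that socket. The usage line at the bottom plugs in the page's file paths; the functions themselves take any paths as arguments.

```shell
#!/bin/sh
# Added example (not from the original article): generate certinfo.ldif,
# sanity-check key permissions and SLAPD_SERVICES, then test the ldaps
# handshake with gnutls-cli. Paths are passed in; only the usage block at
# the bottom refers to the files named in the article.
set -eu

# Build the cn=config modification. "replace" (my choice; the page uses
# "add") makes the file safe to import more than once.
write_certinfo_ldif() {
    out=$1; ca=$2; cert=$3; key=$4
    {
        printf 'dn: cn=config\nchangetype: modify\n'
        printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$ca"
        printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$cert"
        printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$key"
    } > "$out"
}

# Return 0 when "others" have no read bit on the key. slapd runs as a
# dedicated user (openldap on Debian/Ubuntu), so give it access through
# group ownership (for example the ssl-cert group) and mode 640, never 644.
key_not_world_readable() {
    mode=$(stat -c '%a' "$1")        # GNU stat: octal mode, e.g. 640
    case $mode in
        *[4567]) return 1 ;;         # last octal digit has the read bit set
        *) return 0 ;;
    esac
}

# Return 0 when the SLAPD_SERVICES line of a defaults file lists a scheme
# such as ldaps:/// or ldapi:///.
services_include() {
    file=$1; scheme=$2
    grep -E "^SLAPD_SERVICES=\"[^\"]*${scheme}" "$file" >/dev/null 2>&1
}

# Attempt a TLS handshake on the ldaps port, verifying the server
# certificate against our CA. A non-zero exit means the chain or the
# host name did not check out.
tls_check() {
    host=$1; cafile=$2; port=${3:-636}
    gnutls-cli --x509cafile "$cafile" -p "$port" "$host" </dev/null
}

# Usage: sh ldap_tls_check.sh /etc/ssl/certinfo.ldif ldap.informatiweblan.net
if [ "$#" -ge 2 ]; then
    write_certinfo_ldif "$1" /etc/ssl/certs/cacert.pem \
        /etc/ssl/certs/ldap_slapd_cert.pem /etc/ssl/private/ldap_slapd_key.pem
    key_not_world_readable /etc/ssl/private/ldap_slapd_key.pem \
        || echo "warning: server key is world-readable" >&2
    services_include /etc/default/slapd 'ldaps:///' \
        || echo "warning: ldaps:/// is missing from SLAPD_SERVICES" >&2
    services_include /etc/default/slapd 'ldapi:///' \
        || echo "note: ldapi:/// removed, so ldapmodify -Y EXTERNAL -H ldapi:/// no longer works" >&2
    tls_check "$2" /etc/ssl/certs/cacert.pem
fi
```

Run it after the slapd service has been restarted so that the new SLAPD_SERVICES value is in effect; a successful handshake printed by gnutls-cli confirms that clients trusting cacert.pem can reach the server over ldaps.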
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.