By default, OpenLDAP does not encrypt traffic. This produces a security risk, as sensitivie user information, such as user names can be captured. In this example, Wireshark captures unencrypted LDAP traffic, and my username is easily spotted.


OpenLDAP Server Setup

Create a public certificate and private key using OpenSSL. Ensure the CN of the certificate matches the hostname of your OpenLDAP server, such as

Copy the root certificate authority, public certificate, and private key into the /etc/openldap/certs directory.

~]# cp /etc/pki/tls/certs/rootCA.pem /etc/openldap/certs
~]# cp /etc/pki/tls/certs/example.crt /etc/openldap/certs
~]# cp /etc/pki/tls/private/example.key /etc/openldap/certs


Change the owner and group owner to ldap.

~]# chown ldap:ldap /etc/openldap/certs/rootCA.pem
~]# chown ldap:ldap /etc/openldap/certs/example.crt
~]# chown ldap:ldap /etc/openldap/certs/example.key


Create a flle named tls_modify.ldif.

~]# touch /etc/openldap/slapd.d/tls_modify.ldif


Add the following content to the file. After the TLS public certificate and private key has been added, to modify the public certificate and private key, replace "add" with "replace".

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/rootCA.pem

add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/example.crt

add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/example.key


Run the following command to add the public certificate and private key to your LDAP configuration.

~]# ldapmodify -H ldapi:// -Y EXTERNAL -f tls_modify.ldif


Add ldaps:/// to /etc/sysconfig/slapd.

SLAPD_URLS="ldapi:/// ldap:///"


The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to restart slapd.

systemctl restart slapd


If your system is using init, use the service command to restart slapd.

service slapd restart


OpenLDAP Client Setup

Copy the rootCA.pem file from the OpenLDAP server to the /etc/ldap directory on the client.

~]# scp root@openldap:/etc/openldap/certs/rootCA.pem /etc/openldap/cacerts/


Enable LDAP authentication via TLS.

~]# authconfig --enableldaptls --update


Ensure the changes have been properly set.

~]# authconfig --test | grep -i ldap
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = ""
 LDAP base DN = "dc=example,dc=com"


Ensure LDAP port 389 is open in iptables or firewalld

Use the ldapwhoami command with the -ZZ (force STARTTLS) option to make a TLS encrypted connection to the OpenLDAP server. If "anonymous" is displayed, the connection was successful.

~]# ldapwhoami -H ldap:// -x -ZZ


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter b16fc in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |