Encrypt OpenLDAP traffic via SSL TLS


By default, OpenLDAP does not encrypt traffic. This is a security risk, because sensitive information such as user names can be captured on the wire. In this example, Wireshark captures unencrypted LDAP traffic, and my username is easily spotted.

 


OpenLDAP Server Setup

Create a public certificate and private key using OpenSSL. Ensure the CN of the certificate matches the hostname of your OpenLDAP server, such as ldap.example.com.

Copy the root CA certificate, the server's public certificate, and its private key into the /etc/openldap/certs directory.

~]# cp /etc/pki/tls/certs/rootCA.pem /etc/openldap/certs
~]# cp /etc/pki/tls/certs/example.crt /etc/openldap/certs
~]# cp /etc/pki/tls/private/example.key /etc/openldap/certs

 

Change the owner and group owner to ldap.

~]# chown ldap:ldap /etc/openldap/certs/rootCA.pem
~]# chown ldap:ldap /etc/openldap/certs/example.crt
~]# chown ldap:ldap /etc/openldap/certs/example.key

 

Create a file named tls_modify.ldif.

~]# touch /etc/openldap/slapd.d/tls_modify.ldif

 

Add the following content to the file. The three changes belong to one modify record, so they are separated by lines containing only a hyphen (a blank line would end the record, and the next "add:" line would be rejected because it has no dn). Once the TLS certificate and private key have been added, change them later by replacing "add" with "replace".

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/rootCA.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/example.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/example.key

 

Run the following command to add the public certificate and private key to your LDAP configuration.

~]# ldapmodify -H ldapi:// -Y EXTERNAL -f /etc/openldap/slapd.d/tls_modify.ldif

 

Add ldaps:/// to the SLAPD_URLS line in /etc/sysconfig/slapd.

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

 

Restart OpenLDAP.

~]# systemctl restart slapd

 


OpenLDAP Client Setup

Copy the rootCA.pem file from the OpenLDAP server to the /etc/openldap/cacerts directory on the client.

~]# scp root@openldap:/etc/openldap/certs/rootCA.pem /etc/openldap/cacerts/

 

Enable LDAP authentication via TLS.

~]# authconfig --enableldaptls --update

 

Ensure the changes have been properly set.

~]# authconfig --test | grep -i ldap
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap.example.com"
 LDAP base DN = "dc=example,dc=com"

 

Ensure LDAP port 389 is open in iptables or firewalld (and port 636 as well if you enabled ldaps:///).

Use the ldapwhoami command with the -ZZ option (require STARTTLS, failing if TLS cannot be negotiated) to make a TLS encrypted connection to the OpenLDAP server. If "anonymous" is displayed, the connection was successful.

~]# ldapwhoami -H ldap://ldap.example.com -x -ZZ
anonymous
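As an added example (not part of the original post), a small POSIX shell helper that prints the cn=config modification above for either a first-time add or a later replace, and checks the certificate files before slapd loads them: the CN must match the hostname clients connect to, the certificate must belong to the key, and the key must not be readable by other users. The paths follow the post; the function names, the hostname argument and the use of openssl for the checks are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the file paths used there.
# tls_check_files needs openssl; tls_ldif is plain shell.

CERT_DIR=/etc/openldap/certs

# Print the cn=config modification. $1 is "add" (first setup) or "replace"
# (certificate rotation). The three changes are separated by "-" lines: a blank
# line would end the LDIF record and the next "add:" line would lack a dn.
tls_ldif() {
    op="${1:-add}"
    case "$op" in
        add|replace) ;;
        *) echo "usage: tls_ldif add|replace" >&2; return 2 ;;
    esac
    printf '%s\n' \
        "dn: cn=config" \
        "changetype: modify" \
        "$op: olcTLSCACertificateFile" \
        "olcTLSCACertificateFile: $CERT_DIR/rootCA.pem" \
        "-" \
        "$op: olcTLSCertificateFile" \
        "olcTLSCertificateFile: $CERT_DIR/example.crt" \
        "-" \
        "$op: olcTLSCertificateKeyFile" \
        "olcTLSCertificateKeyFile: $CERT_DIR/example.key"
}

# Check the files before slapd loads them: the CN must equal the hostname that
# clients use (otherwise ldapwhoami -ZZ fails certificate verification), the
# certificate's public key must match the private key, and the key must not be
# readable by "other". Usage: tls_check_files ldap.example.com cert.pem key.pem
tls_check_files() {
    host="$1"; cert="$2"; key="$3"
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match host '$host'" >&2; return 1; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" | openssl dgst -sha256)
    key_pub=$(openssl pkey -pubout -in "$key" | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "$cert does not match $key" >&2; return 1; }
    # columns 8-10 of "ls -l" output are the permission bits for "other"
    [ "$(ls -l "$key" | cut -c8-10)" = "---" ] ||
        { echo "$key is readable by other users" >&2; return 1; }
    echo "ok: $cert and $key are usable for $host"
}

# Typical use: tls_check_files ldap.example.com "$CERT_DIR/example.crt" "$CERT_DIR/example.key" &&
#   tls_ldif add > /etc/openldap/slapd.d/tls_modify.ldif
```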

 


