Friday, May 8, 2009

Debian Lenny: secure OpenLDAP traffic with SSL

I assume that you already have a database running. First of all, enable ldaps in /etc/default/slapd:
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:///"

The following creates a self-signed certificate valid for 10 years:
$ mkdir /etc/ldap/ssl
$ openssl req -new -x509 -nodes -out \
> /etc/ssl/ldap-cert.pem -keyout \
> /etc/ldap/ssl/ldap-key.pem -days 3650

In /etc/ldap/slapd.conf (server configuration) add the following, somewhere between the include entries and the database entries:
TLSCertificateFile /etc/ssl/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
TLSCACertificateFile /etc/ssl/ldap-cert.pem

To configure a client, add the following at the end of /etc/ldap/ldap.conf:
URI ldaps://ldap.your.domain:636/
BASE dc=your,dc=domain
TLS_CACERTDIR /etc/ldap/ssl/

Don't forget to restart OpenLDAP:
$ /etc/init.d/slapd restart
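The script below is an added example and not part of the original post. It rehearses the certificate steps above in a scratch directory using only the openssl command-line tool, then checks what the configuration relies on but the steps never verify: that the key file really belongs to the certificate (otherwise slapd cannot start TLS), that the certificate lasts the intended 10 years, and that the directory named in TLS_CACERTDIR lets a client verify the server. That last point matters because OpenSSL treats TLS_CACERTDIR as a CApath and looks up trust anchors there by hashed file name (<subject-hash>.0), so the certificate has to be copied into that directory and linked under its hash; after the steps above, /etc/ldap/ssl/ holds only the key. The host name in -subj is an assumption: it must match the name clients put in the URI, since ldap.conf defaults to TLS_REQCERT demand and checks it.

```shell
#!/bin/sh
# Added example, not part of the original post: rehearse the certificate
# steps in a scratch directory and check the result before copying the files
# into /etc/ssl and /etc/ldap/ssl. Only the openssl command-line tool is used.
set -e

# Create a self-signed certificate and key like the post does, but
# non-interactively. The -subj value is an assumption: the CN has to match
# the host name clients put in URI ldaps://ldap.your.domain:636/, because
# ldap.conf defaults to TLS_REQCERT demand and verifies the name.
make_cert() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=ldap.your.domain" \
        -out "$dir/ldap-cert.pem" -keyout "$dir/ldap-key.pem" \
        -days 3650 2>/dev/null
}

# Check that TLSCertificateKeyFile really is the key for TLSCertificateFile:
# both must yield the same public key, otherwise slapd refuses to start TLS.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ "$from_cert" = "$from_key" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# TLS_CACERTDIR is an OpenSSL CApath: the library looks up trust anchors
# there by hashed file name (<subject-hash>.0), not by scanning the
# directory. Copy the certificate in and create that link, or clients will
# fail verification with "unable to get local issuer certificate".
install_cacertdir() {
    dir=$1
    cert=$2
    mkdir -p "$dir"
    cp "$cert" "$dir/ldap-cert.pem"
    subj_hash=$(openssl x509 -in "$cert" -noout -hash)
    ln -sf ldap-cert.pem "$dir/$subj_hash.0"
}

# What a client with TLS_CACERTDIR set does: verify the server certificate
# against the directory.
verify_via_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demo: run everything in a temporary directory and clean up.
demo() {
    work=$(mktemp -d)
    make_cert "$work/server"
    key_matches_cert "$work/server/ldap-cert.pem" "$work/server/ldap-key.pem" \
        && echo "key matches certificate"
    cert_valid_for_days "$work/server/ldap-cert.pem" 3600 \
        && echo "certificate valid for at least 3600 more days"
    install_cacertdir "$work/cacerts" "$work/server/ldap-cert.pem"
    verify_via_capath "$work/cacerts" "$work/server/ldap-cert.pem" \
        && echo "client verification through CApath: OK"
    rm -rf "$work"
}
demo
```

Once the scratch run passes, copy ldap-cert.pem and ldap-key.pem to the paths used in slapd.conf, and give the clients a TLS_CACERTDIR that contains the certificate plus its hash link (or point TLS_CACERT at the certificate file instead, which needs no hashing).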

Thanks to Sébastien Wains for his excellent article about CentOS.
