1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�46.�LDAP and Transport Layer Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part�VI.�Reference Section"><link rel="prev" href="speed.html" title="Chapter�45.�Samba Performance Tuning"><link rel="next" href="ch47.html" title="Chapter�47.�Samba Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�46.�LDAP and Transport Layer Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a>�</td><th width="60%" align="center">Part�VI.�Reference Section</th><td width="20%" align="right">�<a accesskey="n" href="ch47.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch-ldap-tls"></a>Chapter�46.�LDAP and Transport Layer Security</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gavin</span> <span class="orgname">Suretec Systems Limited, UK</span> <span class="surname">Henry</span></h3><div class="affiliation"><span class="orgname">Suretec Systems Limited, UK<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:ghenry@suretecsystems.com">ghenry@suretecsystems.com</a>></code></p></div></div></div></div><div><p class="pubdate">July 8, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-intro-ldap-tls"></a>Introduction</h2></div></div></div><p>
2
<a class="indexterm" name="id2691426"></a>
3
<a class="indexterm" name="id2691435"></a>
4
Up until now, we have discussed the straightforward configuration of <span class="trademark">OpenLDAP</span>™,
5
with some advanced features such as ACLs. This does not however, deal with the fact that the network
6
transmissions are still in plain text. This is where <em class="firstterm">Transport Layer Security (TLS)</em>
9
<a class="indexterm" name="id2691459"></a>
10
<span class="trademark">OpenLDAP</span>™ clients and servers are capable of using the Transport Layer Security (TLS)
11
framework to provide integrity and confidentiality protections in accordance with <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC 2830</a>; <span class="emphasis"><em>Lightweight Directory Access Protocol (v3):
12
Extension for Transport Layer Security.</em></span>
14
<a class="indexterm" name="id2691489"></a>
15
TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates
16
are optional. We will only be discussing server certificates.
17
</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
18
<a class="indexterm" name="id2691503"></a>
19
<a class="indexterm" name="id2691509"></a>
20
<a class="indexterm" name="id2691516"></a>
21
The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the
22
server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the
23
<code class="option">subjectAltName</code> certificate extension. More details on server certificate names are in <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC2830</a>.
25
We will discuss this more in the next sections.
26
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-config-ldap-tls"></a>Configuring</h2></div></div></div><p>
27
<a class="indexterm" name="id2691556"></a>
28
Now on to the good bit.
29
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-certs"></a>Generating the Certificate Authority</h3></div></div></div><p>
30
<a class="indexterm" name="id2691579"></a>
31
In order to create the relevant certificates, we need to become our own Certificate Authority (CA).
32
<sup>[<a name="id2691590" href="#ftn.id2691590" class="footnote">8</a>]</sup> This is necessary, so we can sign the server certificate.
34
<a class="indexterm" name="id2691619"></a>
35
We will be using the <a class="ulink" href="http://www.openssl.org" target="_top">OpenSSL</a> <sup>[<a name="id2691632" href="#ftn.id2691632" class="footnote">9</a>]</sup> software for this, which is included with every great <span class="trademark">Linux</span>� distribution.
37
TLS is used for many types of servers, but the instructions<sup>[<a name="id2691651" href="#ftn.id2691651" class="footnote">10</a>]</sup> presented here, are tailored for <span class="application">OpenLDAP</span>.
38
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
39
The <span class="emphasis"><em>Common Name (CN)</em></span>, in the following example, <span class="emphasis"><em>MUST</em></span> be
40
the fully qualified domain name (FQDN) of your ldap server.
42
First we need to generate the CA:
43
</p><pre class="screen">
44
<code class="computeroutput">
45
<code class="prompt">root# </code> mkdir myCA
48
Move into that directory:
49
</p><pre class="screen">
50
<code class="computeroutput">
51
<code class="prompt">root# </code> cd myCA
54
Now generate the CA:<sup>[<a name="id2691727" href="#ftn.id2691727" class="footnote">11</a>]</sup>
55
</p><pre class="screen">
56
<code class="computeroutput">
57
<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -newca
58
CA certificate filename (or enter to create)
60
Making CA certificate ...
61
Generating a 1024 bit RSA private key
62
.......................++++++
63
.............................++++++
64
writing new private key to './demoCA/private/cakey.pem'
65
Enter PEM pass phrase:
66
Verifying - Enter PEM pass phrase:
68
You are about to be asked to enter information that will be incorporated
69
into your certificate request.
70
What you are about to enter is what is called a Distinguished Name or a DN.
71
There are quite a few fields but you can leave some blank
72
For some fields there will be a default value,
73
If you enter '.', the field will be left blank.
75
Country Name (2 letter code) [AU]:AU
76
State or Province Name (full name) [Some-State]:NSW
77
Locality Name (eg, city) []:Sydney
78
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas
79
Organizational Unit Name (eg, section) []:IT
80
Common Name (eg, YOUR name) []:ldap.abmas.biz
81
Email Address []:support@abmas.biz
85
There are some things to note here.
86
</p><div class="orderedlist"><ol type="1"><li><p>
87
You <span class="emphasis"><em>MUST</em></span> remember the password, as we will need
88
it to sign the server certificate..
90
The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be the
91
fully qualified domain name (FQDN) of your ldap server.
92
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-server"></a>Generating the Server Certificate</h3></div></div></div><p>
93
Now we need to generate the server certificate:
94
</p><pre class="screen">
95
<code class="computeroutput">
96
<code class="prompt">root# </code> openssl req -new -nodes -keyout newreq.pem -out newreq.pem
97
Generating a 1024 bit RSA private key
99
........................................................++++++
100
writing new private key to 'newreq.pem'
102
You are about to be asked to enter information that will be incorporated
103
into your certificate request.
104
What you are about to enter is what is called a Distinguished Name or a DN.
105
There are quite a few fields but you can leave some blank
106
For some fields there will be a default value,
107
If you enter '.', the field will be left blank.
109
Country Name (2 letter code) [AU]:AU
110
State or Province Name (full name) [Some-State]:NSW
111
Locality Name (eg, city) []:Sydney
112
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas
113
Organizational Unit Name (eg, section) []:IT
114
Common Name (eg, YOUR name) []:ldap.abmas.biz
115
Email Address []:support@abmas.biz
117
Please enter the following 'extra' attributes
118
to be sent with your certificate request
119
A challenge password []:
120
An optional company name []:
124
Again, there are some things to note here.
125
</p><div class="orderedlist"><ol type="1"><li><p>
126
You should <span class="emphasis"><em>NOT</em></span> enter a password.
128
The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be
129
the fully qualified domain name (FQDN) of your ldap server.
130
</p></li></ol></div><p>
131
Now we sign the certificate with the new CA:
132
</p><pre class="screen">
133
<code class="computeroutput">
134
<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -sign
135
Using configuration from /etc/ssl/openssl.cnf
136
Enter pass phrase for ./demoCA/private/cakey.pem:
137
Check that the request matches the signature
140
Serial Number: 1 (0x1)
142
Not Before: Mar 6 18:22:26 2005 EDT
143
Not After : Mar 6 18:22:26 2006 EDT
146
stateOrProvinceName = NSW
147
localityName = Sydney
148
organizationName = Abmas
149
organizationalUnitName = IT
150
commonName = ldap.abmas.biz
151
emailAddress = support@abmas.biz
153
X509v3 Basic Constraints:
156
OpenSSL Generated Certificate
157
X509v3 Subject Key Identifier:
158
F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE
159
X509v3 Authority Key Identifier:
160
keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC
161
DirName:/C=AU/ST=NSW/L=Sydney/O=Abmas/OU=IT/
162
CN=ldap.abmas.biz/emailAddress=support@abmas.biz
165
Certificate is to be certified until Mar 6 18:22:26 2006 EDT (365 days)
166
Sign the certificate? [y/n]:y
169
1 out of 1 certificate requests certified, commit? [y/n]y
170
Write out database with 1 new entries
172
Signed certificate is in newcert.pem
176
That completes the server certificate generation.
177
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-install"></a>Installing the Certificates</h3></div></div></div><p>
178
Now we need to copy the certificates to the right configuration directories,
179
rename them at the same time (for convenience), change the ownership and
180
finally the permissions:
181
</p><pre class="screen">
182
<code class="computeroutput">
183
<code class="prompt">root# </code> cp demoCA/cacert.pem /etc/openldap/
184
<code class="prompt">root# </code> cp newcert.pem /etc/openldap/servercrt.pem
185
<code class="prompt">root# </code> cp newreq.pem /etc/openldap/serverkey.pem
186
<code class="prompt">root# </code> chown ldap.ldap /etc/openldap/*.pem
187
<code class="prompt">root# </code> chmod 640 /etc/openldap/cacert.pem;
188
<code class="prompt">root# </code> chmod 600 /etc/openldap/serverkey.pem
192
Now we just need to add these locations to <code class="filename">slapd.conf</code>,
193
anywhere before the <code class="option">database</code> declaration as shown here:
194
</p><pre class="screen">
195
<code class="computeroutput">
196
TLSCertificateFile /etc/openldap/servercrt.pem
197
TLSCertificateKeyFile /etc/openldap/serverkey.pem
198
TLSCACertificateFile /etc/openldap/cacert.pem
202
Here is the declaration and <code class="filename">ldap.conf</code>:
203
<code class="filename">ldap.conf</code>
204
</p><pre class="screen">
205
<code class="computeroutput">
206
TLS_CACERT /etc/openldap/cacert.pem
210
That's all there is to it. Now on to <a class="xref" href="ch-ldap-tls.html#s1-test-ldap-tls" title="Testing">the section called “Testing”</a>
211
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-test-ldap-tls"></a>Testing</h2></div></div></div><p>
212
<a class="indexterm" name="id2692135"></a>
213
This is the easy part. Restart the server:
214
</p><pre class="screen">
215
<code class="computeroutput">
216
<code class="prompt">root# </code> /etc/init.d/ldap restart
217
Stopping slapd: [ OK ]
218
Checking configuration files for slapd: config file testing succeeded
219
Starting slapd: [ OK ]
222
Then, using <code class="literal">ldapsearch</code>, test an anonymous search with the
223
<code class="option">-ZZ</code><sup>[<a name="id2692177" href="#ftn.id2692177" class="footnote">12</a>]</sup> option:
224
</p><pre class="screen">
225
<code class="computeroutput">
226
<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
227
-H 'ldap://ldap.abmas.biz:389' -ZZ
230
Your results should be the same as before you restarted the server, for example:
231
</p><pre class="screen">
232
<code class="computeroutput">
233
<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
234
-H 'ldap://ldap.abmas.biz:389' -ZZ
239
# base <> with scope sub
240
# filter: (objectclass=*)
245
dn: dc=ldap,dc=abmas,dc=biz
246
objectClass: dcObject
247
objectClass: organization
251
# Manager, ldap.abmas.biz
252
dn: cn=Manager,dc=ldap,dc=abmas,dc=biz
253
objectClass: organizationalRole
257
dn: sambaDomainName=ABMAS,dc=ldap,dc=abmas,dc=biz
258
sambaDomainName: ABMAS
259
sambaSID: S-1-5-21-238355452-1056757430-1592208922
260
sambaAlgorithmicRidBase: 1000
261
objectClass: sambaDomain
262
sambaNextUserRid: 67109862
263
sambaNextGroupRid: 67109863
266
If you have any problems, please read <a class="xref" href="ch-ldap-tls.html#s1-int-ldap-tls" title="Troubleshooting">the section called “Troubleshooting”</a>
267
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-int-ldap-tls"></a>Troubleshooting</h2></div></div></div><p>
268
<a class="indexterm" name="id2692275"></a>
269
The most common error when configuring TLS, as I have already mentioned numerous times, is that the
270
<span class="emphasis"><em>Common Name (CN)</em></span> you entered in <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-server" title="Generating the Server Certificate">the section called “Generating the Server Certificate”</a> is
271
<span class="emphasis"><em>NOT</em></span> the Fully Qualified Domain Name (FQDN) of your ldap server.
273
Other errors could be that you have a typo somewhere in your <code class="literal">ldapsearch</code> command, or that
274
your have the wrong permissions on the <code class="filename">servercrt.pem</code> and <code class="filename">cacert.pem</code>
275
files. They should be set with <code class="literal">chmod 640</code>, as per <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-install" title="Installing the Certificates">the section called “Installing the Certificates”</a>.
277
For anything else, it's best to read through your ldap logfile or join the <span class="application">OpenLDAP</span> mailing list.
278
</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2691590" href="#id2691590" class="para">8</a>] </sup>We could however, get our generated server certificate signed by proper CAs, like <a class="ulink" href="http://www.thawte.com/" target="_top">Thawte</a> and <a class="ulink" href="http://www.verisign.com/" target="_top">VeriSign</a>, which
279
you pay for, or the free ones, via <a class="ulink" href="http://www.cacert.org/" target="_top">CAcert</a>
280
</p></div><div class="footnote"><p><sup>[<a name="ftn.id2691632" href="#id2691632" class="para">9</a>] </sup>The downside to
281
making our own CA, is that the certificate is not automatically recognized by clients, like the commercial
282
ones are.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2691651" href="#id2691651" class="para">10</a>] </sup>For information straight from the
283
horse's mouth, please visit <a class="ulink" href="http://www.openssl.org/docs/HOWTO/" target="_top">http://www.openssl.org/docs/HOWTO/</a>; the main OpenSSL
284
site.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2691727" href="#id2691727" class="para">11</a>] </sup>Your <code class="filename">CA.pl</code> or <code class="filename">CA.sh</code> might not be
285
in the same location as mine is, you can find it by using the <code class="literal">locate</code> command, i.e.,
286
<code class="literal">locate CA.pl</code>. If the command complains about the database being too old, run
287
<code class="literal">updatedb</code> as <span class="emphasis"><em>root</em></span> to update it.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2692177" href="#id2692177" class="para">12</a>] </sup>See <code class="literal">man ldapsearch</code></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="ch47.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�45.�Samba Performance Tuning�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�47.�Samba Support</td></tr></table></div></body></html>