~zulcss/samba/server-dailies-3.4

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�46.�LDAP and Transport Layer Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part�VI.�Reference Section"><link rel="prev" href="speed.html" title="Chapter�45.�Samba Performance Tuning"><link rel="next" href="ch47.html" title="Chapter�47.�Samba Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�46.�LDAP and Transport Layer Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a>�</td><th width="60%" align="center">Part�VI.�Reference Section</th><td width="20%" align="right">�<a accesskey="n" href="ch47.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch-ldap-tls"></a>Chapter�46.�LDAP and Transport Layer Security</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gavin</span> <span class="orgname">Suretec Systems Limited, UK</span> <span class="surname">Henry</span></h3><div class="affiliation"><span class="orgname">Suretec Systems Limited, UK<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:ghenry@suretecsystems.com">ghenry@suretecsystems.com</a>></code></p></div></div></div></div><div><p class="pubdate">July 8, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-intro-ldap-tls"></a>Introduction</h2></div></div></div><p>

Up until now, we have discussed the straightforward configuration of <span class="trademark">OpenLDAP</span>™,

with some advanced features such as ACLs. This does not however, deal with the fact that the network

transmissions are still in plain text. This is where <em class="firstterm">Transport Layer Security (TLS)</em>

comes in.

</p><p>

<span class="trademark">OpenLDAP</span>™ clients and servers are capable of using the Transport Layer Security (TLS)

framework to provide integrity and confidentiality protections in accordance with <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC 2830</a>; <span class="emphasis"><em>Lightweight Directory Access Protocol (v3):

Extension for Transport Layer Security.</em></span>

</p><p>

TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates

are optional. We will only be discussing server certificates.

</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>

The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the

server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the

<code class="option">subjectAltName</code> certificate extension. More details on server certificate names are in <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC2830</a>.

</p></div><p>

We will discuss this more in the next sections.

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-config-ldap-tls"></a>Configuring</h2></div></div></div><p>

Now on to the good bit.

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-certs"></a>Generating the Certificate Authority</h3></div></div></div><p>

In order to create the relevant certificates, we need to become our own Certificate Authority (CA).

<sup>[<a name="id2691590" href="#ftn.id2691590" class="footnote">8</a>]</sup> This is necessary, so we can sign the server certificate.

</p><p>

We will be using the <a class="ulink" href="http://www.openssl.org" target="_top">OpenSSL</a> <sup>[<a name="id2691632" href="#ftn.id2691632" class="footnote">9</a>]</sup> software for this, which is included with every great <span class="trademark">Linux</span>� distribution.

</p><p>

TLS is used for many types of servers, but the instructions<sup>[<a name="id2691651" href="#ftn.id2691651" class="footnote">10</a>]</sup> presented here, are tailored for <span class="application">OpenLDAP</span>.

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

The <span class="emphasis"><em>Common Name (CN)</em></span>, in the following example, <span class="emphasis"><em>MUST</em></span> be

the fully qualified domain name (FQDN) of your ldap server.

</p></div><p>

First we need to generate the CA:

</p><pre class="screen">

<code class="prompt">root# </code> mkdir myCA

</code>

</pre><p>

Move into that directory:

</p><pre class="screen">

<code class="prompt">root# </code> cd myCA

</code>

</pre><p>

Now generate the CA:<sup>[<a name="id2691727" href="#ftn.id2691727" class="footnote">11</a>]</sup>

</p><pre class="screen">

<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -newca

CA certificate filename (or enter to create)

Making CA certificate ...

Generating a 1024 bit RSA private key

.......................++++++

.............................++++++

writing new private key to './demoCA/private/cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:AU

State or Province Name (full name) [Some-State]:NSW

Locality Name (eg, city) []:Sydney

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas

Organizational Unit Name (eg, section) []:IT

Common Name (eg, YOUR name) []:ldap.abmas.biz

Email Address []:support@abmas.biz

</code>

</pre><p>

</p><p>

There are some things to note here.

</p><div class="orderedlist"><ol type="1"><li><p>

You <span class="emphasis"><em>MUST</em></span> remember the password, as we will need

it to sign the server certificate..

</p></li><li><p>

The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be the

fully qualified domain name (FQDN) of your ldap server.

</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-server"></a>Generating the Server Certificate</h3></div></div></div><p>

Now we need to generate the server certificate:

</p><pre class="screen">

<code class="prompt">root# </code> openssl req -new -nodes -keyout newreq.pem -out newreq.pem

Generating a 1024 bit RSA private key

.............++++++

........................................................++++++

100

writing new private key to 'newreq.pem'

101

-----

102

You are about to be asked to enter information that will be incorporated

103

into your certificate request.

104

What you are about to enter is what is called a Distinguished Name or a DN.

105

There are quite a few fields but you can leave some blank

106

For some fields there will be a default value,

107

If you enter '.', the field will be left blank.

108

-----

109

Country Name (2 letter code) [AU]:AU

110

State or Province Name (full name) [Some-State]:NSW

111

Locality Name (eg, city) []:Sydney

112

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas

113

Organizational Unit Name (eg, section) []:IT

114

Common Name (eg, YOUR name) []:ldap.abmas.biz

115

Email Address []:support@abmas.biz

116

117

Please enter the following 'extra' attributes

118

to be sent with your certificate request

119

A challenge password []:

120

An optional company name []:

121

</code>

122

</pre><p>

123

</p><p>

124

Again, there are some things to note here.

125

</p><div class="orderedlist"><ol type="1"><li><p>

126

You should <span class="emphasis"><em>NOT</em></span> enter a password.

127

</p></li><li><p>

128

The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be

129

the fully qualified domain name (FQDN) of your ldap server.

130

</p></li></ol></div><p>

131

Now we sign the certificate with the new CA:

132

</p><pre class="screen">

133

134

<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -sign

135

Using configuration from /etc/ssl/openssl.cnf

136

Enter pass phrase for ./demoCA/private/cakey.pem:

137

Check that the request matches the signature

138

Signature ok

139

Certificate Details:

140

Serial Number: 1 (0x1)

141

Validity

142

Not Before: Mar 6 18:22:26 2005 EDT

143

Not After : Mar 6 18:22:26 2006 EDT

144

Subject:

145

countryName = AU

146

stateOrProvinceName = NSW

147

localityName = Sydney

148

organizationName = Abmas

149

organizationalUnitName = IT

150

commonName = ldap.abmas.biz

151

emailAddress = support@abmas.biz

152

X509v3 extensions:

153

X509v3 Basic Constraints:

154

CA:FALSE

155

Netscape Comment:

156

OpenSSL Generated Certificate

157

X509v3 Subject Key Identifier:

158

F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE

159

X509v3 Authority Key Identifier:

160

keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC

161

DirName:/C=AU/ST=NSW/L=Sydney/O=Abmas/OU=IT/

162

CN=ldap.abmas.biz/emailAddress=support@abmas.biz

163

serial:00

164

165

Certificate is to be certified until Mar 6 18:22:26 2006 EDT (365 days)

166

Sign the certificate? [y/n]:y

167

168

169

1 out of 1 certificate requests certified, commit? [y/n]y

170

Write out database with 1 new entries

171

Data Base Updated

172

Signed certificate is in newcert.pem

173

</code>

174

</pre><p>

175

</p><p>

176

That completes the server certificate generation.

177

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-install"></a>Installing the Certificates</h3></div></div></div><p>

178

Now we need to copy the certificates to the right configuration directories,

179

rename them at the same time (for convenience), change the ownership and

180

finally the permissions:

181

</p><pre class="screen">

182

183

<code class="prompt">root# </code> cp demoCA/cacert.pem /etc/openldap/

184

<code class="prompt">root# </code> cp newcert.pem /etc/openldap/servercrt.pem

185

<code class="prompt">root# </code> cp newreq.pem /etc/openldap/serverkey.pem

186

<code class="prompt">root# </code> chown ldap.ldap /etc/openldap/*.pem

187

<code class="prompt">root# </code> chmod 640 /etc/openldap/cacert.pem;

188

<code class="prompt">root# </code> chmod 600 /etc/openldap/serverkey.pem

189

</code>

190

</pre><p>

191

</p><p>

192

Now we just need to add these locations to <code class="filename">slapd.conf</code>,

193

anywhere before the <code class="option">database</code> declaration as shown here:

194

</p><pre class="screen">

195

196

TLSCertificateFile /etc/openldap/servercrt.pem

197

TLSCertificateKeyFile /etc/openldap/serverkey.pem

198

TLSCACertificateFile /etc/openldap/cacert.pem

199

</code>

200

</pre><p>

201

</p><p>

202

Here is the declaration and <code class="filename">ldap.conf</code>:

203

204

</p><pre class="screen">

205

206

TLS_CACERT /etc/openldap/cacert.pem

207

</code>

208

</pre><p>

209

</p><p>

210

That's all there is to it. Now on to <a class="xref" href="ch-ldap-tls.html#s1-test-ldap-tls" title="Testing">the section called “Testing”</a>

211

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-test-ldap-tls"></a>Testing</h2></div></div></div><p>

212

213

This is the easy part. Restart the server:

214

</p><pre class="screen">

215

216

<code class="prompt">root# </code> /etc/init.d/ldap restart

217

Stopping slapd: [ OK ]

218

Checking configuration files for slapd: config file testing succeeded

219

Starting slapd: [ OK ]

220

</code>

221

</pre><p>

222

Then, using <code class="literal">ldapsearch</code>, test an anonymous search with the

223

<code class="option">-ZZ</code><sup>[<a name="id2692177" href="#ftn.id2692177" class="footnote">12</a>]</sup> option:

224

</p><pre class="screen">

225

226

<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \

227

-H 'ldap://ldap.abmas.biz:389' -ZZ

228

</code>

229

</pre><p>

230

Your results should be the same as before you restarted the server, for example:

231

</p><pre class="screen">

232

233

<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \

234

-H 'ldap://ldap.abmas.biz:389' -ZZ

235

236

# extended LDIF

237

238

# LDAPv3

239

# base <> with scope sub

240

# filter: (objectclass=*)

241

# requesting: ALL

242

243

244

# abmas.biz

245

dn: dc=ldap,dc=abmas,dc=biz

246

objectClass: dcObject

247

objectClass: organization

248

o: Abmas

249

dc: abmas

250

251

# Manager, ldap.abmas.biz

252

dn: cn=Manager,dc=ldap,dc=abmas,dc=biz

253

objectClass: organizationalRole

254

cn: Manager

255

256

# ABMAS, abmas.biz

257

dn: sambaDomainName=ABMAS,dc=ldap,dc=abmas,dc=biz

258

sambaDomainName: ABMAS

259

sambaSID: S-1-5-21-238355452-1056757430-1592208922

260

sambaAlgorithmicRidBase: 1000

261

objectClass: sambaDomain

262

sambaNextUserRid: 67109862

263

sambaNextGroupRid: 67109863

264

</code>

265

</pre><p>

266

If you have any problems, please read <a class="xref" href="ch-ldap-tls.html#s1-int-ldap-tls" title="Troubleshooting">the section called “Troubleshooting”</a>

267

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-int-ldap-tls"></a>Troubleshooting</h2></div></div></div><p>

268

269

The most common error when configuring TLS, as I have already mentioned numerous times, is that the

270

<span class="emphasis"><em>Common Name (CN)</em></span> you entered in <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-server" title="Generating the Server Certificate">the section called “Generating the Server Certificate”</a> is

271

<span class="emphasis"><em>NOT</em></span> the Fully Qualified Domain Name (FQDN) of your ldap server.

272

</p><p>

273

Other errors could be that you have a typo somewhere in your <code class="literal">ldapsearch</code> command, or that

274

your have the wrong permissions on the <code class="filename">servercrt.pem</code> and <code class="filename">cacert.pem</code>

275

files. They should be set with <code class="literal">chmod 640</code>, as per <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-install" title="Installing the Certificates">the section called “Installing the Certificates”</a>.

276

</p><p>

277

For anything else, it's best to read through your ldap logfile or join the <span class="application">OpenLDAP</span> mailing list.

278

</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2691590" href="#id2691590" class="para">8</a>] </sup>We could however, get our generated server certificate signed by proper CAs, like <a class="ulink" href="http://www.thawte.com/" target="_top">Thawte</a> and <a class="ulink" href="http://www.verisign.com/" target="_top">VeriSign</a>, which

279

you pay for, or the free ones, via <a class="ulink" href="http://www.cacert.org/" target="_top">CAcert</a>

280

</p></div><div class="footnote"><p><sup>[<a name="ftn.id2691632" href="#id2691632" class="para">9</a>] </sup>The downside to

281

making our own CA, is that the certificate is not automatically recognized by clients, like the commercial

282

ones are.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2691651" href="#id2691651" class="para">10</a>] </sup>For information straight from the

283

horse's mouth, please visit <a class="ulink" href="http://www.openssl.org/docs/HOWTO/" target="_top">http://www.openssl.org/docs/HOWTO/</a>; the main OpenSSL

284

site.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2691727" href="#id2691727" class="para">11</a>] </sup>Your <code class="filename">CA.pl</code> or <code class="filename">CA.sh</code> might not be

285

in the same location as mine is, you can find it by using the <code class="literal">locate</code> command, i.e.,

286

<code class="literal">locate CA.pl</code>. If the command complains about the database being too old, run

287

<code class="literal">updatedb</code> as <span class="emphasis"><em>root</em></span> to update it.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2692177" href="#id2692177" class="para">12</a>] </sup>See <code class="literal">man ldapsearch</code></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="ch47.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�45.�Samba Performance Tuning�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�47.�Samba Support</td></tr></table></div></body></html>