How to enable TLS on OpenLDAP

Most likely you have a problem with your CA certificate. You can check the TLS connection from the server using:

$ ldapwhoami -H ldap:// -x -ZZ
anonymous

Check your /etc/ldap/ldap.conf for this line:

TLS_CACERT /etc/ssl/certs/ca_server.pem

The best way to modify the LDAP configuration is to create addcerts.ldif with the following content:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key

and apply the change:

ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif

Lastly, check /etc/default/slapd and make sure the services line contains ldaps:///:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Afterwards, just reload the slapd service and check the connection to LDAP using the first command.
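The checks a practitioner would run before applying the LDIF above, as an added example that is not part of the answer: it verifies that the CA file signs the server certificate and that the certificate matches the private key (the two mismatches behind most "ldapwhoami -ZZ" verification failures), emits the same cn=config LDIF from the three paths, and checks that SLAPD_SERVICES lists ldaps:///. The function names tls_preflight, tls_ldif and slapd_listens_ldaps are my own; the script assumes the openssl CLI and the OpenLDAP client tools are installed and uses the file paths from the answer.

```shell
#!/bin/sh
# Added example, not code from the answer: preflight checks for the OpenLDAP
# TLS setup described above, plus the cn=config LDIF built from the same
# three paths. Assumes openssl and ldapmodify/ldapwhoami are installed.

# Verify that the CA file really signs the server certificate and that the
# certificate matches the private key. Either mismatch makes
# "ldapwhoami -x -ZZ" fail with a certificate verification error.
tls_preflight() {
    ca="$1"; cert="$2"; key="$3"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # Chain check: the CA that clients put in TLS_CACERT must verify the cert.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert is not signed by $ca" >&2; return 1; }
    # Key/cert match: compare the SubjectPublicKeyInfo of both, which works
    # for RSA and EC keys alike (an RSA modulus comparison would not).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$key does not match $cert" >&2; return 1; }
    # The private key should not be readable by "others"; slapd reads it as
    # its own service user, so owner/group access for that user is enough.
    others=$(ls -ld "$key" | cut -c8-10)
    [ "$others" = "---" ] || echo "warning: $key is readable by others ($others)" >&2
    return 0
}

# Emit the cn=config modification from the answer as LDIF on stdout, so it
# can be piped straight into: ldapmodify -H ldapi:// -Y EXTERNAL
tls_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'add: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$1"
    printf 'add: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$2"
    printf 'add: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$3"
}

# True when the SLAPD_SERVICES line in the given defaults file lists ldaps:///,
# i.e. slapd will also listen on 636 and not only offer StartTLS on 389.
slapd_listens_ldaps() {
    grep -E '^[[:space:]]*SLAPD_SERVICES=.*ldaps:///' "$1" >/dev/null 2>&1
}

# Typical run on the server (paths from the answer):
#   tls_preflight /etc/ssl/certs/ca_server.pem /etc/ssl/certs/ldap_server.pem \
#                 /etc/ssl/private/ldap_server.key \
#   && tls_ldif /etc/ssl/certs/ca_server.pem /etc/ssl/certs/ldap_server.pem \
#               /etc/ssl/private/ldap_server.key | ldapmodify -H ldapi:// -Y EXTERNAL \
#   && slapd_listens_ldaps /etc/default/slapd
# Then, after reloading slapd, verify both transports:
#   ldapwhoami -H ldap://  -x -ZZ   # StartTLS on 389; -ZZ aborts if TLS is not established
#   ldapwhoami -H ldaps:// -x       # TLS from the first byte on 636
#   openssl s_client -connect localhost:389 -starttls ldap -CAfile /etc/ssl/certs/ca_server.pem
```

The LDIF uses add: operations, exactly as the answer does; they fail if cn=config already carries those attributes, in which case replace: is the right changetype. With -ZZ, ldapwhoami refuses to proceed unless StartTLS succeeds, so the bare "anonymous" reply shown at the top of the answer is the success signal.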


Author: Safari

Updated on September 18, 2022

Comments

  • Safari
    Safari over 1 year

    I am using CentOS 5. I have a problem enabling TLS (or SSL) on the OpenLDAP server. I followed this tutorial. I generated the certificates and configured the paths in slapd.conf as follows:

    TLSCertificateFile      /path/to/server-certificate.pem
    TLSCertificateKeyFile   /path/to/private-key.pem
    TLSCACertificateFile    /path/to/CA-certificates
    

    I used the command

    slapd -h "ldap:/// ldaps:///"
    

    to enable the listener on port 636.

    I can't create a connection to ldaps://myhost:636 (I tried to create a connection with a client and with Liferay LDAP).

    I don't have problems if I don't use TLS.

    Did I miss some steps in configuration here?

    Edit

    Using the command:

    openssl s_client -connect host:port
    

    I obtain

    [screenshot of the openssl s_client output; image not available]

    • Tim Lamballais
      Tim Lamballais over 10 years
      Use the openssl command to see what exactly goes wrong. Like so: openssl s_client -connect host:port.
    • vautee
      vautee over 10 years
      Also check using netstat or lsof if your slapd is really listening on 636.
  • Christopher Schultz
    Christopher Schultz about 6 years
    I spent some time on this today because I was trying to revise the list of TLS protocols available (specifically, disable everything except for TLSv1.2). I needed to add another attribute with name 'olcTLSCipherSuites' and (because my OpenLDAP server was built against GnuTLS), I used the attribute value SECURE256:SECURE:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-MD5:-SHA1:-ARCFOUR-128.
  • DHW
    DHW over 4 years
    Looks like the ldaps:/// is not in fact required, as per help.ubuntu.com/lts/serverguide/openldap-server.html, at the end of the TLS section: "Contrary to popular belief, you do not need ldaps:// in /etc/default/slapd in order to use encryption."
  • Per Lundberg
    Per Lundberg about 3 years
    ldaps:/// is required if you want your OpenLDAP server to listen on port 636 (ldaps). Without this setting in SLAPD_SERVICES, slapd will only listen on port 389 (ldap). The latter supports StartTLS, i.e. upgrading a connection from unencrypted LDAP to TLS-encrypted LDAP, whereas 636/ldaps will always enforce encrypted connections.