How to enable TLS on OpenLDAP
Most likely you have a problem with your CA certificate. You can check the TLS connection from the server using:
$ ldapwhoami -H ldap:// -x -ZZ
anonymous
Check your /etc/ldap/ldap.conf for this line:
TLS_CACERT /etc/ssl/certs/ca_server.pem
The best way to modify the LDAP configuration is to create addcerts.ldif with the following content:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key
and apply the change:
ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
Lastly check /etc/default/slapd and make sure the services line contains ldaps:///:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Afterwards just reload the slapd service and check the connection to LDAP using the first command.
Updated on September 18, 2022

Comments

-
Safari over 1 year
I am using CentOS 5. I have a problem enabling TLS (or SSL) on an OpenLDAP server. I followed this tutorial. I generated the certificates and I configured the paths in slapd.conf as follows:
TLSCertificateFile /path/to/server-certificate.pem
TLSCertificateKeyFile /path/to/private-key.pem
TLSCACertificateFile /path/to/CA-certificates
I used the command
slapd -h "ldap:/// ldaps:///"
to enable the listener on port 636.
I can't create a connection to ldaps://myhost:636 (I tried to create a connection with a client and Liferay LDAP). I have no problems if I don't use TLS.
Did I miss some steps in the configuration here?
Edit
Using the command:
openssl s_client -connect host:port
I obtain
-
Tim Lamballais over 10 years
Use the openssl command to see what exactly goes wrong. Like so:
openssl s_client -connect host:port
-
vautee over 10 years
Also check using netstat or lsof if your slapd is really listening on 636.
-
Christopher Schultz about 6 years
I spent some time on this today because I was trying to revise the list of TLS protocols available (specifically, disable everything except for TLSv1.2). I needed to add another attribute with the name 'olcTLSCipherSuites' and (because my OpenLDAP server was built against GnuTLS), I used the attribute value
SECURE256:SECURE:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-MD5:-SHA1:-ARCFOUR-128
-
DHW over 4 years
Looks like the ldaps:/// is not in fact required, as per help.ubuntu.com/lts/serverguide/openldap-server.html, at the end of the TLS section: "Contrary to popular belief, you do not need ldaps:// in /etc/default/slapd in order to use encryption."
-
Per Lundberg about 3 years
ldaps:/// is required if you want your OpenLDAP server to listen on port 636 (ldaps). Without this setting in SLAPD_SERVICES, slapd will only listen on port 389 (ldap). The latter supports StartTLS, i.e. upgrading a connection from unencrypted LDAP to TLS-encrypted LDAP, whereas 636/ldaps will always enforce encrypted connections.
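What the `ldapwhoami -ZZ` check in the answer does on the wire, and why the ldap/ldaps distinction in the last comment matters: on the plain ldap:// port the client first sends the RFC 4511 StartTLS extended request and only upgrades the connection when the server answers resultCode 0, whereas ldaps:// starts TLS immediately. This is an added example, not code from the answer, the question or OpenLDAP; the two sample responses are constructed, and `starttls_probe` assumes the CA path from the answer and a reachable server.

```python
import socket
import ssl

# RFC 4511 StartTLS extended operation OID: the request "ldapwhoami -ZZ" sends first.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
# Constructed sample ExtendedResponses (not real captures): resultCode 0, and 53 with a message.
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("301702010278120a01350400040b636f6e7374727563746564")

def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite-length (short or long form) header."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77 = 0x60 | 23, 0x80 = context [0]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id & 0x7F])) + ext_req)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the BER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data: bytes):
    """Return (message_id, result_code, diagnostic) from an ExtendedResponse message."""
    _, body, _ = read_tlv(data, 0)            # outer LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(body, 0)           # messageID INTEGER
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                           # APPLICATION 24 = ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = read_tlv(op, 0)            # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)             # matchedDN
    _, diag, _ = read_tlv(op, pos)            # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def starttls_probe(host: str, port: int = 389, cafile: str = "/etc/ssl/certs/ca_server.pem") -> str:
    """Live check (needs a reachable server): StartTLS on ldap://, then verify chain and hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()  # fails here if the CA file does not verify the server cert
```

A non-zero resultCode means slapd accepted the connection but has no usable TLS configuration, while a failure inside `wrap_socket` points at the CA file or the certificate's hostname, which is the distinction the answer's first check relies on.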