Setting up openldap for ldaps with cn=config


Solution 1

Here's what's working so far, though I could still use a guide to tuning the security settings under cn=config:

Follow the instructions here to create the certificate; I added the TLS attributes to cn=config (the last two were set by default):

olcTLSCertificateFile /certs/ldapscert.pem
olcTLSCertificateKeyFile /certs/keys/ldapskey.pem
olcTLSCipherSuite TLSV1+RSA:!NULL
olcTLSCRLCheck none
olcTLSVerifyClient never

Start the server using /usr/local/libexec/slapd -F slapd.d -h ldaps:///

This lets me connect from Apache Directory Studio using ldaps, but isn't working for Linux logins.

Solution 2

If, like me, you found this answer but were looking for the dynamic config (cn=config) option, use the following LDIF.

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /path/to/host.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /path/to/host.crt
-
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/ssl/cert

To apply the LDIF, use:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f nameOfLdif.ldif
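The two answers above are the same change expressed two ways: the attributes in Solution 1 are what the LDIF in Solution 2 writes into cn=config. The script below is an added example (not from either answer and not OpenLDAP project code) that ties the steps together: it generates the cn=config TLS LDIF, pre-checks that the private key is actually readable by the slapd service account (the "error (80)" reported in the comments is what ldapmodify returns when slapd cannot open the files it is being told to use), applies the LDIF over ldapi:/// exactly as Solution 2 does, and then confirms with openssl that port 636 presents the certificate. Assumptions not in the original answers: the service account is "openldap" (Debian/Ubuntu naming; it is "ldap" on Red Hat builds), the files live under /etc/ldap/ssl, slapd was also started with an ldapi:/// listener (Solution 1 starts it with ldaps:/// only, so add "ldapi:///" to -h or the SASL EXTERNAL step has nothing to talk to), and olcTLSProtocolMin is added on top of the answers' attributes so the listener refuses SSLv3/TLS 1.0/1.1 (the value is OpenLDAP's major.minor encoding, 3.3 = TLS 1.2; see slapd-config(5)). olcTLSCipherSuite is deliberately left out because its syntax depends on whether your slapd is linked against OpenSSL or GnuTLS; Solution 1's TLSV1+RSA:!NULL is the OpenSSL form.

```bash
#!/bin/bash
# Added example for the answers above: build, pre-check, apply and verify the
# cn=config TLS settings. Paths and the "openldap" account are assumptions.
set -u

# Emit the LDIF that sets the TLS attributes on cn=config. The key/cert/CA
# attributes are the ones from the answers; olcTLSProtocolMin (3.3 = TLS 1.2 in
# OpenLDAP's major.minor encoding) is added so the listener refuses old protocols.
make_tls_ldif() {
    local key="$1" crt="$2" ca="$3"
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $ca
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF
}

# Check that the private key is not world-accessible and that the slapd service
# account can read it, either as owner (u+r) or via its group (g+r). Parsing
# "ls -ld" keeps this portable between GNU and BSD stat.
check_key_perms() {
    local key="$1" svc_user="$2" svc_group="$3"
    local info mode owner group
    [ -f "$key" ] || { echo "check_key_perms: $key does not exist" >&2; return 1; }
    info=$(ls -ld "$key")
    set -- $info                      # $1=mode string, $3=owner, $4=group
    mode=$1; owner=$3; group=$4
    case "$mode" in
        ???????---*) ;;               # "other" rwx bits all clear: good
        *) echo "check_key_perms: $key is world-accessible ($mode)" >&2; return 1 ;;
    esac
    case "$mode" in
        ?r*) [ "$owner" = "$svc_user" ] && return 0 ;;
    esac
    case "$mode" in
        ????r*) [ "$group" = "$svc_group" ] && return 0 ;;
    esac
    echo "check_key_perms: $key ($owner:$group $mode) is not readable by $svc_user/$svc_group" >&2
    return 1
}

# Apply the LDIF with SASL EXTERNAL over the local ldapi:// socket (root's uid is
# mapped to the cn=config rootdn, as in Solution 2), then verify that :636
# negotiates TLS and presents a certificate that chains to the CA file.
apply_tls_config() {
    local key="$1" crt="$2" ca="$3" svc_user="$4" svc_group="$5"
    check_key_perms "$key" "$svc_user" "$svc_group" || return 1
    make_tls_ldif "$key" "$crt" "$ca" | ldapmodify -Y EXTERNAL -H ldapi:/// || return 1
    openssl s_client -connect localhost:636 -CAfile "$ca" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Running the script directly only prints the LDIF for review; on the LDAP host,
# call: apply_tls_config /etc/ldap/ssl/host.key /etc/ldap/ssl/host.crt \
#                        /etc/ldap/ssl/ca.crt openldap openldap
make_tls_ldif /etc/ldap/ssl/host.key /etc/ldap/ssl/host.crt /etc/ldap/ssl/ca.crt
```

Two notes on the design. The permission check runs before ldapmodify because slapd validates the TLS files when cn=config is modified; fixing ownership afterwards does not undo a failed modify, you simply rerun it. And the final openssl check uses the CA file rather than -verify_return_error alone so that a self-signed certificate with the right SANs (the comments mention needing SANs for both LDAP servers and the meta-server name) still verifies cleanly for the Linux clients that trust that CA.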

Author: Brad Mace

Updated on September 17, 2022

Comments

  • Brad Mace
    Brad Mace over 1 year

    I'm trying to enable SSL connections on an OpenLDAP 2.4.23 server, but all the instructions I find only discuss the old slapd.conf configuration. Can anyone point to some instructions for setting it up under cn=config?

  • Brad Mace
    Brad Mace about 13 years
    Had to generate a certificate with subject alt names for both LDAP servers and the meta-server name and distribute the certs to all the other Linux servers to get Linux logins working securely.
  • Digital Human
    Digital Human almost 5 years
    When I use what @Andrew Meyer suggested in my HA setup I get the following error: ldap_modify: Other (e.g., implementation specific) error (80)
  • fei0x
    fei0x about 3 years
    I get that too. In other places they say it may be permission issues on the cert files: they need to be readable by the openldap user. Often they add him to the ssl-cert group and make sure the group can read the files, but that hasn't worked for me yet.
  • Andrew Meyer
    Andrew Meyer over 2 years
    I saw some issues implementing this in an HA setup when using syncrepl. Since the child nodes sync their config, it is locally read-only. My workaround was to manually edit the necessary files and regenerate the CRC checksums. I wouldn't recommend that in production though.