With a little side of applesauce...

Sunday, January 28, 2007

Debian - slapd with SSL/TLS

It seems that I had to piece this all together to get it to work…

1. We already have a certificate that has been signed by Geotrust, so I copied the server.key and server.crt to /etc/ldap/

2. I needed to download the appropriate ca cert from:


3. This cert needs to be in pem format, so after flailing for some time, I realized I needed the (DER encoded X.509) CA certification from this page. (A quick check by hitting a page over https in firefox, then opening:

Tools->Page Info->Security->View->General “Issued By: CN…”

showed me which root certificate to download). Just make sure it is the DER encoded X.509 certificate.

4. Next, generate the pem encoded certificate with the following command:

openssl x509 -in MyDownloadedGeotrustDEREncoded.cer -inform DER -out /etc/ldap/cacert.pem -outform PEM

5. Add the following lines to your slapd.conf, and restart OpenLdap:

TLSCertificateFile /etc/ldap/server.crt
TLSCertificateKeyFile /etc/ldap/server.key
TLSCACertificateFile /etc/ldap/cacert.pem
TLSVerifyClient allow
6. Copy the /etc/ldap/cacert.pem file to all of your client computers, AND add the following lines to the client’s /etc/ldap/ldap.conf:

TLS_CACERT /etc/ldap/cacert.pem
7. From a client computer, test the TLS/SSL handshake with the following:

ldapsearch -H ldaps://my.ldaps_server.com -x -D “cn=admin,dc=…” -W -b “dc=…” -s sub “(objectclass=*)”
(-d -1 (minus one), shows all debugging information for the handshake. It is the best way to find out information about what is failing with any of your ldap-utils utils).

Debian Notes:

1. To limit ldap (port 389) connections to localhost, but allow ldaps (port 636) connections from localhost and the world, change your /etc/default/slapd as follows:
SLAPD_SERVICES=”ldap://localhost:389/ ldaps:///”

No comments: