In the previous chapter we got OpenLDAP up and running without encryption.

For the TLS certificate we already have a valid one from Let's Encrypt, so let's use it instead of a self-signed certificate.

Here are the simple steps:

  • create tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/domain_name/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/domain_name/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/domain_name/privkey.pem
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

Replace domain_name with your domain.

  • set an access control list (ACL) on the certificate files so the openldap user can read them (the paths under /etc/letsencrypt/live/ are symlinks into /etc/letsencrypt/archive/, which is why the ACL goes on the archive files; the numbered file names change on every renewal, so this step has to be repeated, for example from a certbot deploy hook)
sudo setfacl -m "u:openldap:r" /etc/letsencrypt/archive/domain_name/{fullchain1,cert1,privkey1}.pem
  • apply the LDIF to cn=config with ldapmodify
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ./tls.ldif
  • restart OpenLDAP
sudo systemctl restart slapd
  • verify the changes
sudo slapcat -b "cn=config" | grep -E "olcTLS"
Here's the expected output (olcTLSProtocolMin 3.3 means TLS 1.2 is the lowest protocol version slapd will accept):
olcTLSCipherSuite: NORMAL
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSCACertificateFile: /etc/letsencrypt/live/ldap.iolib.link/fullchain.pem
olcTLSCertificateFile: /etc/letsencrypt/live/ldap.iolib.link/cert.pem
olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.iolib.link/privkey.pem
olcTLSProtocolMin: 3.3

  • now clients can connect using TLS (STARTTLS on the ldap:/// listener, port 389)
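The steps above, folded into a preflight script that generates tls.ldif for a given domain and checks the certificate files before ldapmodify is run. This is an added example, not code from the original post; it assumes the certbot directory layout used in the post and the Debian/Ubuntu service account name openldap, and the function names (gen_tls_ldif, cert_key_match, readable_by) and the PREFLIGHT_DOMAIN variable are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): generate tls.ldif for a domain
# and pre-check the Let's Encrypt files before running ldapmodify.
# Assumes the certbot layout /etc/letsencrypt/live/<domain>/ and the
# Debian/Ubuntu service account "openldap".

# Print the cn=config LDIF from the post with domain_name substituted.
gen_tls_ldif() {
    domain="$1"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: $live/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: $live/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $live/privkey.pem
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF
}

# Return 0 when the certificate's public key matches the private key.
# Both commands print the SubjectPublicKeyInfo as PEM, so a plain string
# comparison works for RSA and EC keys alike.
cert_key_match() {
    cert="$1"; key="$2"
    pub_from_cert=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    pub_from_key=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$pub_from_cert" = "$pub_from_key" ]
}

# Return 0 when user $1 can read every file given after it. Because the
# live/ paths are symlinks into archive/, this checks the setfacl step too.
readable_by() {
    user="$1"; shift
    for f in "$@"; do
        sudo -u "$user" test -r "$f" || { echo "$user cannot read $f" >&2; return 1; }
    done
}

# Usage: PREFLIGHT_DOMAIN=ldap.example.org sh tls-preflight.sh
if [ -n "${PREFLIGHT_DOMAIN:-}" ]; then
    live="/etc/letsencrypt/live/$PREFLIGHT_DOMAIN"
    cert_key_match "$live/cert.pem" "$live/privkey.pem" \
        || { echo "cert.pem and privkey.pem do not belong together" >&2; exit 1; }
    readable_by openldap "$live/fullchain.pem" "$live/cert.pem" "$live/privkey.pem" || exit 1
    gen_tls_ldif "$PREFLIGHT_DOMAIN" > tls.ldif && echo "wrote tls.ldif for $PREFLIGHT_DOMAIN"
fi
```

Running it with PREFLIGHT_DOMAIN set writes tls.ldif only when the certificate and key match and the openldap user can actually read all three files, which are the two conditions that otherwise surface as an unhelpful "TLS init failed" in the slapd log after the restart.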

In case you want to access OpenLDAP over LDAPS (port 636), here's what you can do:

  • allow slapd to read the certificate directory under AppArmor by adding this line to /etc/apparmor.d/local/usr.sbin.slapd
/etc/letsencrypt/** r,
  • restart AppArmor
service apparmor restart
  • create a letsencrypt user/group, hand the certificate directory to it and add openldap to the group
useradd letsencrypt
chown openldap:letsencrypt /etc/letsencrypt/ -R
usermod -a -G letsencrypt openldap
  • enable the ldaps:/// listener in /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
  • restart slapd and check its status
systemctl restart slapd.service
systemctl status slapd.service
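A client-side check for both listeners: STARTTLS on 389 from the tls.ldif section and implicit TLS on 636 from the LDAPS section above. This is an added example, not code from the original post; it assumes the Debian/Ubuntu /etc/default/slapd layout and an OpenSSL with the -starttls ldap option (1.1.1 or later), and the function names and the LDAP_HOST variable are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): work out which listeners slapd
# is configured for and verify TLS on each from the client side.

# Return 0 when SLAPD_SERVICES in file $1 (normally /etc/default/slapd)
# enables ldaps:///. A commented-out line does not count.
ldaps_enabled() {
    grep -E '^SLAPD_SERVICES=' "$1" | grep -q 'ldaps:///'
}

# Return 0 when openssl s_client output (read from stdin) reports that the
# server chain verified against the local CA store.
verify_ok() {
    grep -q '^ *Verify return code: 0 (ok)'
}

# STARTTLS on 389: the upgrade the tls.ldif change enables on ldap:///.
check_starttls() {
    host="$1"
    openssl s_client -connect "$host:389" -starttls ldap -servername "$host" \
        </dev/null 2>/dev/null | verify_ok
}

# Implicit TLS on 636: only available once ldaps:/// is in SLAPD_SERVICES.
check_ldaps() {
    host="$1"
    openssl s_client -connect "$host:636" -servername "$host" \
        </dev/null 2>/dev/null | verify_ok
}

# Usage: LDAP_HOST=ldap.example.org sh tls-check.sh
if [ -n "${LDAP_HOST:-}" ]; then
    if check_starttls "$LDAP_HOST"; then echo "STARTTLS on 389: ok"; else echo "STARTTLS on 389: FAILED"; fi
    if ldaps_enabled /etc/default/slapd; then
        if check_ldaps "$LDAP_HOST"; then echo "ldaps on 636: ok"; else echo "ldaps on 636: FAILED"; fi
    else
        echo "ldaps:/// not in SLAPD_SERVICES; skipping port 636"
    fi
    # -ZZ makes ldapsearch abort if STARTTLS fails instead of silently
    # continuing in cleartext, which is the behaviour you want in scripts.
    ldapsearch -ZZ -H "ldap://$LDAP_HOST" -x -b "" -s base namingContexts
fi
```

The certificate name checked by s_client must match the host you connect to, so use the DNS name on the Let's Encrypt certificate rather than an IP address; "Verify return code: 21" or "unable to get local issuer certificate" in the raw s_client output usually means olcTLSCACertificateFile does not point at fullchain.pem.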
