In the previous chapter we got OpenLDAP up and running without encryption.
For the SSL certificate we already have a Let's Encrypt certificate, so let's use that instead of a self-signed one.
Here are the steps:
- create tls.ldif

```ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/domain_name/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/domain_name/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/domain_name/privkey.pem
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
```

Replace domain_name with your domain.
- set an access control list so the openldap user can read the certificate files

```bash
sudo setfacl -m "u:openldap:r" /etc/letsencrypt/archive/domain_name/{fullchain1,cert1,privkey1}.pem
```

- run ldapmodify to apply the OpenLDAP settings

```bash
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ./tls.ldif
```

- restart OpenLDAP

```bash
sudo systemctl restart slapd
```

- verify the changes

```bash
sudo slapcat -b "cn=config" | grep -E "olcTLS"
```

Here's the expected output:

```
olcTLSCipherSuite: NORMAL
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSCACertificateFile: /etc/letsencrypt/live/ldap.iolib.link/fullchain.pem
olcTLSCertificateFile: /etc/letsencrypt/live/ldap.iolib.link/cert.pem
olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.iolib.link/privkey.pem
olcTLSProtocolMin: 3.3
```

- now clients can connect using TLS
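One thing to keep in mind with the setfacl step: the ACL is granted on the numbered files in archive/ (fullchain1, cert1, privkey1), and certbot writes each renewed certificate as the next number and repoints the live/ symlinks there, so after the first renewal slapd can no longer read the key it is configured with. The following certbot deploy hook is an added example (not from this post, OpenLDAP or certbot) that re-grants read access to whatever the live/ symlinks currently point at and restarts slapd; it assumes certbot's live/ to archive/ layout, the RENEWED_LINEAGE variable certbot exports to deploy hooks, and the "openldap" user from the steps above.

```shell
#!/bin/sh
# Added example: certbot deploy hook that keeps the openldap ACL valid across renewals.
# Assumptions (not taken from the post): certbot's live/<domain>/*.pem -> archive/<domain>/*N.pem
# layout, and RENEWED_LINEAGE, which certbot sets for deploy hooks.

# Print the real file behind each of the three live/ symlinks slapd is configured with.
# Returns 1 if any link is missing or dangling, so a broken lineage is never silently "fixed".
resolve_cert_targets() {
    lineage="$1"
    for name in fullchain cert privkey; do
        target=$(readlink -f "$lineage/$name.pem") && [ -f "$target" ] || return 1
        printf '%s\n' "$target"
    done
}

# Re-grant read access (and nothing more) to the current targets.
# certbot paths contain no whitespace, so word-splitting the list is safe here.
grant_read_to_ldap() {
    lineage="$1"
    ldap_user="${2:-openldap}"
    targets=$(resolve_cert_targets "$lineage") || return 1
    for f in $targets; do
        setfacl -m "u:$ldap_user:r" "$f" || return 1
    done
}

# Hook entry point: certbot runs this as root with RENEWED_LINEAGE set,
# e.g. /etc/letsencrypt/live/domain_name. Restart slapd so it loads the renewed key.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    grant_read_to_ldap "$RENEWED_LINEAGE" && systemctl restart slapd
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script` or place it in /etc/letsencrypt/renewal-hooks/deploy/ so it runs after every successful renewal.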
In case you want to access OpenLDAP over SSL (port 636), here's what to do:
- add this line to /etc/apparmor.d/local/usr.sbin.slapd and restart AppArmor

```
/etc/letsencrypt/** r,
```

```bash
service apparmor restart
```

- give the openldap user access to /etc/letsencrypt

```bash
useradd letsencrypt
chown openldap:letsencrypt /etc/letsencrypt/ -R
usermod -a -G letsencrypt openldap
```

- enable ldaps:/// in /etc/default/slapd

```bash
# /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
```

- restart slapd and check its status

```bash
systemctl restart slapd.service
systemctl status slapd.service
```