Configure the OpenLDAP instance to use SSL

Use this procedure to configure the following directives for the OpenLDAP instance.

TLSCACertificateFile
    Path to a PEM-format file containing the certificates of the CAs that OpenLDAP will trust (it must include the CA that signed the server certificate).
TLSCertificateFile
    Path to a PEM-format file containing the signed server certificate.
TLSCertificateKeyFile
    Path to the file containing the private key that matches the certificate in the TLSCertificateFile.

For more information about these and other directives, see the OpenLDAP Administrator's Guide.

Certificates in a format other than PEM can be converted with OpenSSL. For example, to convert a certificate from DER format to the required PEM format, use:

# openssl x509 -inform der -in certificate.cer -out certificate.pem

For more information about converting certificates, refer to the x509 man page (# man x509).

  1. Log in as root.
  2. Create a directory to hold the certificate files.

    # mkdir /etc/lcm-ldap/certs

  3. Copy the required certificates to the /etc/lcm-ldap/certs directory.

    For the TLSCACertificateFile:

    # cp cacrt.pem /etc/lcm-ldap/certs/cacrt.pem

    For the TLSCertificateFile:

    # cp servercrt.pem /etc/lcm-ldap/certs/servercrt.pem

    For the TLSCertificateKeyFile:

    # cp serverkey.pem /etc/lcm-ldap/certs/serverkey.pem

  4. Make sure the certificates are owned by the ldap user and have the correct permissions:

    # chown -cR ldap:ldap /etc/lcm-ldap/certs

    # chmod 0644 /etc/lcm-ldap/certs/cacrt.pem /etc/lcm-ldap/certs/servercrt.pem

    # chmod 0400 /etc/lcm-ldap/certs/serverkey.pem

    Note: The private key must be readable only by the ldap user that runs the OpenLDAP process; no other user needs access to it.

  5. To be able to add the three directives pointing to the certificate files, you must enable ldapi for the OpenLDAP instance.

    Add "ldapi:///" to the SLAPD_URLS parameter in the /etc/rc.d/init.d/lcm-ldap file, so that it reads:

    SLAPD_URLS="ldap://127.0.0.1:389/ ldapi:///"

  6. Restart the service for the changes to take effect:

    # systemctl restart lcm-ldap

  7. Create a temporary LDIF file (for example with vi /tmp/tls.ldif) and add the following text:

    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/lcm-ldap/certs/cacrt.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/lcm-ldap/certs/servercrt.pem
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/lcm-ldap/certs/serverkey.pem
    -

  8. Add the new directives by running the command:

    # ldapmodify -v -Y EXTERNAL -H ldapi:/// -f /tmp/tls.ldif

  9. To verify that the directives have been added and are pointing to the certificate files, run:

    # ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcGlobal)'

  10. The temporary ldif file is no longer needed and can be deleted:

    # rm /tmp/tls.ldif

  11. Make the OpenLDAP instance start listening on ldaps. Edit the SLAPD_URLS parameter in the /etc/rc.d/init.d/lcm-ldap file:

    SLAPD_URLS="ldaps://127.0.0.1:636/"

  12. Restart the service for the changes to take effect:

    # systemctl restart lcm-ldap
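The following POSIX shell functions are an added example; they are not part of this procedure or of the lcm-ldap product. They check the three files from steps 3 and 4 before cn=config is pointed at them (PEM block type, permission bits, owner, and that the server certificate and private key belong together) and, after step 12, probe the ldaps listener with a chain check and an anonymous root DSE search. The paths and the ldap user name default to the values used above; the stat -c syntax assumes GNU coreutils (Linux), and probe_ldaps assumes a running server, so only the file checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original procedure: offline checks for the
# TLS files referenced from cn=config, plus a probe of the ldaps listener.
# Defaults are the paths and user from the procedure above (assumption:
# Linux with GNU coreutils, for stat -c).
CERT_DIR="${CERT_DIR:-/etc/lcm-ldap/certs}"
LDAP_USER="${LDAP_USER:-ldap}"

# check_tls_file FILE KIND WANT_MODE
#   KIND is "cert" (CA bundle or server certificate) or "key".
#   Verifies that FILE exists, carries the expected PEM block type and has
#   exactly the permission bits WANT_MODE (644 for certificates, 400 for the key).
#   Prints each problem found and returns 1 if there was any.
check_tls_file() {
    file=$1 kind=$2 want=$3 bad=0
    if [ ! -f "$file" ]; then
        echo "MISSING   $file"
        return 1
    fi
    case $kind in
        key)  pat='^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' ;;
        cert) pat='^-----BEGIN CERTIFICATE-----' ;;
        *)    echo "bad kind: $kind"; return 1 ;;
    esac
    grep -qE -- "$pat" "$file" || { echo "NOT-$kind  $file has no PEM $kind block"; bad=1; }
    mode=$(stat -c '%a' "$file")
    [ "$mode" = "$want" ] || { echo "MODE      $file is $mode, want $want"; bad=1; }
    return $bad
}

# check_owner FILE USER: slapd reads the files as this user (step 4).
check_owner() {
    owner=$(stat -c '%U' "$1") || return 1
    [ "$owner" = "$2" ] || { echo "OWNER     $1 is owned by $owner, want $2"; return 1; }
}

# cert_matches_key CERT KEY: the public key inside CERT must equal the public
# key derived from KEY, otherwise slapd fails to start once the olcTLS*
# directives point at them. Returns 2 if openssl cannot parse a file.
cert_matches_key() {
    pub_cert=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    pub_key=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ]
}

# check_all: run every offline check against the procedure's three files.
check_all() {
    failed=0
    check_tls_file "$CERT_DIR/cacrt.pem"     cert 644 || failed=1
    check_tls_file "$CERT_DIR/servercrt.pem" cert 644 || failed=1
    check_tls_file "$CERT_DIR/serverkey.pem" key  400 || failed=1
    for f in cacrt.pem servercrt.pem serverkey.pem; do
        check_owner "$CERT_DIR/$f" "$LDAP_USER" || failed=1
    done
    if ! cert_matches_key "$CERT_DIR/servercrt.pem" "$CERT_DIR/serverkey.pem"; then
        echo "KEYPAIR   servercrt.pem and serverkey.pem do not belong together"
        failed=1
    fi
    [ "$failed" -eq 0 ] && echo "all TLS file checks passed"
    return $failed
}

# probe_ldaps [HOST] [PORT] [CAFILE]: after step 12, confirm that the server
# presents a certificate chaining to the CA and answers an anonymous root DSE
# query over ldaps. Needs the running server, so it is not exercised offline.
probe_ldaps() {
    host=${1:-127.0.0.1} port=${2:-636} cafile=${3:-$CERT_DIR/cacrt.pem}
    # Handshake and chain verification against the CA file from step 3;
    # -verify_return_error turns a verification failure into a non-zero exit.
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
        -verify_return_error </dev/null >/dev/null 2>&1 \
        || { echo "TLS handshake or chain verification failed on $host:$port"; return 1; }
    # Anonymous base search on the root DSE; LDAPTLS_CACERT overrides the
    # TLS_CACERT setting of ldap.conf for this single call.
    LDAPTLS_CACERT=$cafile ldapsearch -x -H "ldaps://$host:$port/" -b '' -s base \
        '(objectClass=*)' namingContexts >/dev/null \
        || { echo "ldaps search on $host:$port failed"; return 1; }
    echo "ldaps OK on $host:$port"
}

# Usage: source this file, then run check_all before step 7 and
# probe_ldaps after step 12, e.g.:  . ./tls-check.sh && check_all && probe_ldaps
```

Note that step 11 replaces SLAPD_URLS with the ldaps listener only, so the ldapmodify and ldapsearch calls of steps 8 and 9, which bind over ldapi:///, no longer work afterward; keep ldapi:/// in SLAPD_URLS if further cn=config changes are expected.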