OpenLDAP installation on Gnu/Linux (Debian Sarge)   Sameer N. Ingole (SNI) Status: Maintained
Installation How-to: OpenLDAP step-by-step Last Updated: 8 July 2006
Prerequisites

Be sure to remove any previous installation of OpenSSL and OpenLDAP from your Linux system; an existing installation will only create confusion. If you are using Red Hat Linux, you can find and remove them with the following commands:

[root@ironclad root]# rpm -qa | grep -i openssl
[root@ironclad root]# rpm -qa | grep -i openldap
[root@ironclad root]# rpm -ev openldap-x.x.xx-x

On a Debian system you would use dpkg to list the packages and apt-get to remove them, as shown below:

[root@ironclad root]# dpkg -l | grep ldap
ii  libldap2       2.1.30-8       OpenLDAP libraries
ii  libldap2-dev   2.1.30-8       OpenLDAP development libraries
ii  ldap-utils     2.2.23-8       OpenLDAP utilities
[root@ironclad root]# apt-get remove ldap-utils
[root@ironclad root]# apt-get remove libldap2-dev
[root@ironclad root]# apt-get remove libldap2

This should complete cleanly, listing the packages it removed. Your output may differ from the one shown here depending on what is installed. Also note that in the following steps, whenever we install a compiled package, we do it as the root user. Create a new directory named src in your home directory; it is always a good idea to configure, make and make test package sources using an account other than root. Do not delete the source directories from which you installed software packages: the source code comes in handy in some situations. It is good practice to keep a note of the configure command you used to compile each source for future reference. You may also want to back up configuration files before you change them.

This document only covers installing OpenLDAP for use with qmail-ldap and does not cover the PAM and NSS modules for OpenLDAP. For our installation we are going to use Berkeley DB as the backend. You can also use another database as the backend, such as ldbm or MySQL.


Installing OpenLDAP
While configuring OpenLDAP you must make sure of a few things, such as where your libdb.so, libdb-4.so or libdb-4.4.so is located.

Install ssl/tls libraries

On Debian systems it is advisable to install the packages using apt-get as shown below.

[root@ironclad ~]# apt-get install openssl
[root@ironclad ~]# apt-get install libssl-dev

For a source install, follow the instructions below:

[hawk@ironclad hawk]$ cd src
[hawk@ironclad src]$ tar xzvf openssl-0.9.8b.tar.gz
[hawk@ironclad src]$ cd openssl-0.9.8b
[hawk@ironclad openssl-0.9.8b]$ ./config shared --openssldir=/usr/local
[hawk@ironclad openssl-0.9.8b]$ make
[root@ironclad openssl-0.9.8b]# make install

Install bdb (Berkeley DB from Sleepycat)

As of 8 July 2006 there are two patches available for db-4.4.20. Applying them is optional; the commands below show how to apply them.

[hawk@ironclad hawk]$ cd src
[hawk@ironclad src]$ wget http://www.sleepycat.com/update/4.4.20/patch.4.4.20.1
[hawk@ironclad src]$ wget http://www.sleepycat.com/update/4.4.20/patch.4.4.20.2
[hawk@ironclad src]$ tar xzf db-4.4.20.tar.gz
[hawk@ironclad src]$ cd db-4.4.20
[hawk@ironclad db-4.4.20]$ cd qam
[hawk@ironclad qam]$ patch -p1 <../../patch.4.4.20.1
[hawk@ironclad qam]$ cd ../txn
[hawk@ironclad txn]$ patch -p1 <../../patch.4.4.20.2
[hawk@ironclad txn]$ cd ../build_unix
[hawk@ironclad build_unix]$ ../dist/configure --prefix=/usr/local/
[hawk@ironclad build_unix]$ make
[root@ironclad build_unix]# make install

Installing cyrus-SASL libraries

[hawk@ironclad hawk]$ cd src
[hawk@ironclad src]$ tar xzvf cyrus-sasl-2.1.21.tar.gz
[hawk@ironclad src]$ cd cyrus-sasl-2.1.21
[hawk@ironclad cyrus-sasl-2.1.21]$ ./configure
[hawk@ironclad cyrus-sasl-2.1.21]$ make
[root@ironclad cyrus-sasl-2.1.21]# make install
[root@ironclad cyrus-sasl-2.1.21]# ln -s /usr/local/lib/sasl2 /usr/local/sasl2

Install OpenLDAP

[hawk@ironclad src]$ tar xzvf openldap-stable-20060606.tgz
[hawk@ironclad src]$ cd openldap-2.3.24
[hawk@ironclad openldap-2.3.24]$ env \
CC=gcc CPPFLAGS="-I/usr/local/include/" \
LDFLAGS="-L/usr/local/lib/" \
./configure --with-ssl --with-tls --enable-wrappers --enable-hdb --enable-ldbm
[hawk@ironclad openldap-2.3.24]$ make depend
[hawk@ironclad openldap-2.3.24]$ make
[hawk@ironclad openldap-2.3.24]$ make test
[root@ironclad openldap-2.3.24]# make install

Please note that you have to install OpenLDAP as root. This will install OpenLDAP at the locations shown below, assuming you have kept the default --prefix, which is /usr/local. You will find the files placed according to this installation layout (taken from the output of ./configure --help | less). Referring to the INSTALL file that comes with the source is handy at times.

  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [same as prefix]
  --bindir=DIR            user executables in DIR [EPREFIX/bin]
  --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
  --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
  --datadir=DIR           read-only architecture-independent data in DIR
                          [PREFIX/share]
  --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data in DIR
                          [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
  --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
  --includedir=DIR        C header files in DIR [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
  --infodir=DIR           info documentation in DIR [PREFIX/info]
  --mandir=DIR            man documentation in DIR [PREFIX/man]
  --srcdir=DIR            find the sources in DIR [configure dir or ..]

The installation described in this document follows the layout shown above. For completeness, here is the specific what-goes-where list.

Executable files: /usr/local/bin
System administrator executable files: /usr/local/sbin
Program executable libraries: /usr/local/libexec
Configuration files for the system: /usr/local/etc
Modifiable data: /usr/local/var
Library files (object code): /usr/local/lib
Header files: /usr/local/include
Non-gcc compliant header files: /usr/include
Info documentation dir: /usr/local/info
Man documentation dir: /usr/local/man


Errata
Code Breaks :: Possible Reasons

checking for openssl/ssl.h... no
checking for ssl.h... no
configure: error: Could not locate TLS/SSL package

checking for db.h... no
configure: error: BDB: BerkeleyDB not available

checking for tcpd.h... no
configure: error: could not find TCP wrappers, select apppropriate options or disable

Make sure you have the libwrap development libraries installed.

[hawk@ironclad openldap-2.3.24]$ env \
CPPFLAGS="-I/usr/local/include/openssl/ -I/usr/local/BerkeleyDB.4.3/include" \
LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/BerkeleyDB.4.3/lib" \
./configure --with-ssl --with-tls --enable-wrappers --enable-hdb --enable-ldbm

[hawk@ironclad openldap-2.3.24]$ make test
cd tests; make test
make[1]: Entering directory `/home/hawk/src/openldap-2.3.24/tests'
make[2]: Entering directory `/home/hawk/src/openldap-2.3.24/tests'
Initiating LDAP tests for BDB...
Cleaning up test run directory leftover from previous run.
Running ./scripts/all...
>>>>> Executing all LDAP tests for bdb
>>>>> Starting test000-rootdse ...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 48: kill: (4380) - No such process
../clients/tools/ldapsearch: error while loading shared libraries: libssl.so.0.9.7: cannot open shared object file: No such file or directory
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 127)
make[2]: *** [bdb-yes] Error 127
make[2]: Leaving directory `/home/hawk/src/openldap-2.3.24/tests'
make[1]: *** [test] Error 2
make[1]: Leaving directory `/home/hawk/src/openldap-2.3.24/tests'
make: *** [test] Error 2
[hawk@ironclad openldap-2.3.24]$

crt1.o: No such file: No such file or directory

If you get an error like the above, make sure you have installed libc6-dev.

digestmd5.c:812: error: syntax error before "des_key_schedule"
digestmd5.c:812: warning: no semicolon at end of struct or union
digestmd5.c:813: warning: type defaults to `int' in declaration of `ivec'
digestmd5.c:813: warning: data definition has no type or storage class
digestmd5.c:814: error: syntax error before "keysched2"
digestmd5.c:814: warning: type defaults to `int' in declaration of
`keysched2'
digestmd5.c:814: warning: data definition has no type or storage class
digestmd5.c: In function `dec_3des':
digestmd5.c:849: warning: implicit declaration of function
`des_ede2_cbc_encrypt'

Errors like the above while compiling cyrus-sasl indicate that it is not finding the path to the ssl libraries. Try specifying the path at the ./configure step as shown below:

[hawk@ironclad cyrus-sasl-2.1.21]$ env CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local -R/usr/local" ./configure --with-dblib=berkeley

Configuring OpenLDAP
Basic configuration

After you have everything installed in place, it is now time to configure the OpenLDAP server. The configuration directives are set in the slapd.conf file. If you have installed OpenLDAP by following the steps above, you should find the slapd.conf file at /usr/local/etc/openldap/slapd.conf. Starting from the raw slapd.conf file that comes with the install, the final slapd.conf file looks like this:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# include following lines if you have OpenLDAP 1.2.x
 
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
 
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/qmail.schema
 
schemacheck             on
 
# Define global ACLs to disable default read access.
 
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
 
# Added logging parameters
loglevel        296
 
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
 
# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#sasl-secprops  noplain,noanonymous,minssf=56
# Misc security settings
password-hash           {SSHA}
# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
# backend               back-bdb
database        bdb
suffix          "dc=ironclad,dc=mil"
rootdn          "cn=Almighty,dc=ironclad,dc=mil"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.

rootpw          {SSHA}0bN1YHdFmnGJzyKiC2r7N5gxNWVOuEF2

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
#directory      /usr/local/var/openldap-data
directory       /var/ldap/ironclad.mil
mode            0600
# Indices to maintain
index   objectClass     eq
index   cn              pres,eq

# db tuning parameters; cache 2,000 entries in memory
cachesize               2000
# Simple ACL granting read access to the world
access to *
        by * read

Copy the necessary schema files into the schema directory before you include them in slapd.conf. Adjust the loglevel according to your needs.

Once your slapd.conf file is ready, you need to create the necessary directories, such as the database directory, /var/ldap/ironclad.mil in our case. If you decide to keep your LDAP data in a different directory, create the one you specified in the slapd configuration directive directory.

The database directory needs to exist before you start the slapd process; if it is absent, slapd will fail to start. The configuration file shown above contains the directive rootpw. Its value is a password hash generated with the salted SHA-1 (SSHA) scheme. You can create it using the OpenLDAP command line utility slappasswd as shown below.

[hawk@ironclad ~]$ /usr/local/sbin/slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}0bN1YHdFmnGJzyKiC2r7N5gxNWVOuEF2
[hawk@ironclad ~]$ 

Enter your password when prompted as above. Copy the output as-is, including the {SSHA} prefix, and paste it into your slapd.conf file as the rootpw value.
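As an added illustration (my own example code, not part of this how-to or of OpenLDAP), the Python below produces and checks {SSHA} values in the form slappasswd -h {SSHA} prints: the prefix {SSHA} followed by base64(SHA-1(password || salt) || salt), with slappasswd's default 4-byte salt. It lets you confirm offline that a rootpw value in slapd.conf really corresponds to the password you think it does; the password used in the demo is constructed, and the page's own hash is only parsed, since its password is not known.

```python
"""Generate and verify {SSHA} password hashes in the format slappasswd uses.
Added example; not part of the original how-to or of OpenLDAP itself.
Format: "{SSHA}" + base64( SHA1(password || salt) || salt ).  slappasswd
salts with 4 random bytes; verification takes the salt from the stored value,
so any salt length is accepted."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes
DEFAULT_SALT_LEN = 4                      # what slappasswd -h {SSHA} emits


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a slapd-compatible {SSHA} string for `password`.

    A fresh random salt is drawn unless one is supplied (pass one only to
    reproduce a known value, e.g. in tests)."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored value into (digest, salt).

    Everything after the 20-byte SHA-1 digest is the salt; a value that
    decodes to 20 bytes or fewer carries no salt and is rejected."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """True if `password` matches `stored`, using the stored salt.

    Malformed or non-{SSHA} values never verify; the comparison is
    constant-time so a rejected guess leaks nothing about the digest."""
    try:
        digest, salt = parse_ssha(stored)
    except ValueError:          # binascii.Error (bad base64) is a ValueError
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo values; the rootpw hash quoted from the page is only
    # parsed here (its password is not known), everything else is made up.
    page_value = "{SSHA}0bN1YHdFmnGJzyKiC2r7N5gxNWVOuEF2"
    digest, salt = parse_ssha(page_value)
    print("page rootpw: %d-byte digest, %d-byte salt" % (len(digest), len(salt)))
    fresh = ssha_hash("example-password")
    print("new hash   :", fresh)
    print("verify ok  :", ssha_verify("example-password", fresh))
    print("verify bad :", ssha_verify("wrong-password", fresh))
```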

Configuring OpenLDAP with ssl/tls

My setup is different from what is given here ;-). That's just for obscurity purposes.. :-). I hope this will make your life a little easier. I have tried these instructions on Red Hat Linux 9.0 and Fedora Core 3 as well as Debian.

The main difference is the certificate. By default openssl creates certificates that expire after 1 year. This is particularly annoying when I have to change the certificate after a year because it expired.. :-|. I prefer a certificate that will not expire for a long time; my usual expiration is 10 years, enough for a server's life, I guess.


Configure SSL: Authority Creation - Creating the SSL Certificate Authority (CA)

First, find the copy of CA.pl that came with your distribution of openssl; on Debian it is in /usr/lib/ssl/misc. I edit this file to increase the expiry time from 1 year to 10 years. The original code line looks like this:

system ("$CA -policy policy_anything -out newcert.pem " .

In my copy of CA.pl this is line 134; add a -days option with the number of days as its parameter:

system ("$CA -policy policy_anything -days 3650 -out newcert.pem " .

There is a DAYS variable at the top of the file, but changing that variable didn't do the job for me. I recommend making a backup copy of CA.pl before altering it.

Now, generate the "Certifying Authority" certificate:

[hawk@ironclad ldapcerts]$ locate CA.pl
/usr/lib/ssl/misc/CA.pl
/usr/lib/ssl/misc/CA.pl~
/usr/share/doc/openssl/doc/apps/CA.pl.pod.gz
/usr/share/man/man1/CA.pl.1ssl.gz

[hawk@ironclad ldapcerts]$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....................++++++
.....++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Maharashtra
Locality Name (eg, city) []:Nagpur
Organization Name (eg, company) [Internet Widgits Pty Ltd]:StrikeOne Inc
Organizational Unit Name (eg, section) []:Internet Security Group
Common Name (eg, YOUR name) []:ldaps.noroot.org
Email Address []:slapadmin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            d5:59:a2:00:fa:78:b4:e5
        Validity
            Not Before: Jul  8 09:10:39 2006 GMT
            Not After : Jul  7 09:10:39 2009 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = Maharashtra
            organizationName          = StrikeOne Inc
            organizationalUnitName    = Internet Security Group
            commonName                = ldaps.noroot.org
            emailAddress              = slapadmin@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                71:9C:52:1D:43:11:22:F0:A8:66:7A:6D:3E:D8:FD:24:FA:17:5B:D3
            X509v3 Authority Key Identifier:
                keyid:71:9C:52:1D:43:11:22:F0:A8:66:7A:6D:3E:D8:FD:24:FA:17:5B:D3

Certificate is to be certified until Jul  7 09:10:39 2009 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

I strongly recommend that you put in good, valid information and not accept the defaults. Most important is the "Common Name" field: this is the server name that is signed into the certificate. When you do LDAP/SSL operations the client will attempt to verify the certificate against the name in this field; if it does not match, in my experience the ldap operation WILL FAIL TO CONNECT. If you are going to use a fully qualified domain name in the LDAP URI, put the fully qualified domain name there; if you are going to use an IP address as the LDAP URI, put the IP address there. To create the certificates, you should be in the /etc/ldapcerts directory.

The above command will create a directory demoCA in the current directory, which contains the CA certificate and keys. For reference, here is the listing of the demoCA directory.

[hawk@ironclad ldapcerts]$ ls -lh demoCA
total 20K
-rw-r--r-- 1 hawk users 3.4K 2006-07-08 04:10 cacert.pem
-rw-r--r-- 1 hawk users  745 2006-07-08 04:10 careq.pem
drwxr-xr-x 2 hawk users   48 2006-07-08 04:07 certs
drwxr-xr-x 2 hawk users   48 2006-07-08 04:07 crl
-rw-r--r-- 1 hawk users  157 2006-07-08 04:10 index.txt
-rw-r--r-- 1 hawk users   21 2006-07-08 04:10 index.txt.attr
-rw-r--r-- 1 hawk users    0 2006-07-08 04:07 index.txt.old
drwxr-xr-x 2 hawk users   88 2006-07-08 04:10 newcerts
drwxr-xr-x 2 hawk users   80 2006-07-08 04:07 private
-rw-r--r-- 1 hawk users   17 2006-07-08 04:10 serial

Of these files we need cacert.pem, which contains the CA certificate.

Configure SSL: Certificate Creation - Creating Private Key

Create an RSA private key for your OpenLDAP server (it will be Triple-DES encrypted and PEM formatted):

[hawk@ironclad ldapcerts]$ openssl genrsa -des3 -out pwd.enc.server.key 1024
Generating RSA private key, 1024 bit long modulus
.....................................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for pwd.enc.server.key:
Verifying - Enter pass phrase for pwd.enc.server.key:

The key we have created is pass phrase encrypted. Make sure you have a backup of this key and remember the pass phrase you supplied when creating it. You can verify the details of the private key you just created with the following command.

[hawk@ironclad ldapcerts]$ openssl rsa -noout -text -in pwd.enc.server.key
Enter pass phrase for pwd.enc.server.key:
Private-Key: (1024 bit)

In this installation we will use a decrypted private key. To create one, use the following command. If you use an encrypted private key, every time you start, stop or restart the ldap server you will be asked to type the pass phrase for the key.

[hawk@ironclad ldapcerts]$ openssl rsa -in pwd.enc.server.key -out masterslapd.key
Enter pass phrase for pwd.enc.server.key:
writing RSA key
[hawk@ironclad ldapcerts]$

Supply the pass phrase you typed when creating this private key. This creates a pass-phrase-stripped private key in the file masterslapd.key.

Configure SSL: Certificate Creation - Creating Certificate Signing Request (CSR)

Create a Certificate Signing Request (CSR) with the server's RSA private key (the output will be PEM formatted). Use the pass phrase encrypted private key for this purpose. Use the following commands to create the CSR and verify it.

[hawk@ironclad ldapcerts]$ openssl req -new -key pwd.enc.server.key -out masterslapd.csr
Enter pass phrase for pwd.enc.server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Maharashtra
Locality Name (eg, city) []:Nagpur
Organization Name (eg, company) [Internet Widgits Pty Ltd]:StrikeOne Inc
Organizational Unit Name (eg, section) []:Internet Security Group
Common Name (eg, YOUR name) []:ldaps.noroot.org
Email Address []:slapadmin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[hawk@ironclad ldapcerts]$ openssl req -noout -text -in masterslapd.csr -days 3650
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=Maharashtra, L=Nagpur, O=StrikeOne Inc, OU=Internet Security Group, CN=ldaps.noroot.org/emailAddress=slapadmin@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
[hawk@ironclad ldapcerts]$ 

Do not enter any 'extra' attributes, i.e. the challenge password and optional company name; just hit the enter key for these. The first command creates the CSR in the file masterslapd.csr. The next command verifies the contents of the CSR. Make sure that the Common Name you supplied is the same as the LDAP URI you intend to run your ldap host as.

When signing a certificate with CA.pl, CA.pl looks for the Certificate Signing Request in a file named newreq.pem unless told otherwise, so we create the CSR in a file named newreq.pem. In the commands below, note that I have used the pass phrase encrypted private key, and that the second command appends the CSR to the file newreq.pem.

[hawk@ironclad ldapcerts]$ cat pwd.enc.server.key > newreq.pem
[hawk@ironclad ldapcerts]$ cat masterslapd.csr >> newreq.pem
[hawk@ironclad ldapcerts]$ cat newreq.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B6BE5A023FD39D29
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Configure SSL: Certificate Creation - Signing Certificate

To sign the request, you simply need to run the following command. It will ask for the pass phrase for ./demoCA/private/cakey.pem; enter the same pass phrase you entered when creating the Certifying Authority private key.

[hawk@ironclad ldapcerts]$ /usr/lib/ssl/misc/CA.pl -signreq
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            d5:59:a2:00:fa:78:b4:e6
        Validity
            Not Before: Jul  8 14:02:49 2006 GMT
            Not After : Jul  8 14:02:49 2016 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = Maharashtra
            localityName              = Nagpur
            organizationName          = StrikeOne Inc
            organizationalUnitName    = Internet Security Group
            commonName                = ldaps.noroot.org
            emailAddress              = slapadmin@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                76:39:82:8C:3C:04:15:98:86:E0:90:6B:06:00:27:C9:13:0B:F4:59
            X509v3 Authority Key Identifier:
                keyid:71:9C:52:1D:43:11:22:F0:A8:66:7A:6D:3E:D8:FD:24:FA:17:5B:D3

Certificate is to be certified until Jul  8 14:02:49 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
[hawk@ironclad ldapcerts]$ mv newcert.pem masterslapd.cert
[hawk@ironclad ldapcerts]$ cp demoCA/cacert.pem ./
[hawk@ironclad ldapcerts]$ 

As shown in the above example, simply answer yes to the questions asked and you are done. The newly signed certificate is written to the file newcert.pem; the last two commands rename it to masterslapd.cert and copy the CA certificate next to it.

Configure SSL: Configure OpenLDAP - Configure OpenLDAP to use the certificate and certificate authority

Locate the slapd.conf file. It should be at /usr/local/etc/openldap/slapd.conf if you installed OpenLDAP under /usr/local (a standard installation). Add the following lines to your slapd.conf directly above the directives that specify the database type, as shown below:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldapcerts/masterslapd.cert
TLSCertificateKeyFile /etc/ldapcerts/masterslapd.key
TLSCACertificateFile /etc/ldapcerts/cacert.pem
TLSVerifyClient never

# backend back-bdb
database bdb
suffix "dc=ironclad,dc=mil"
rootdn "cn=Manager,dc=ironclad,dc=mil"
DB_CONFIG
set_cachesize 0 104857600 1

# Data Directory
#set_data_dir db

# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
set_lg_dir /var/ldap/ironclad.mil/log

Only put in the TLS lines; the database and DB_CONFIG cache settings are only there for reference on where to put them in the file. The TLSVerifyClient option tells the LDAP server not to attempt to verify the client. This reduces security somewhat, but for now I recommend you keep it turned off until you are sure everything is working. I have not yet tried to run an LDAP server with this option turned on.

Make sure the permissions on the files are right; I set them to be owned by user slapd, group slapd, with permissions 440.
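As an added check (my own example code, not part of the how-to or of OpenLDAP), the Python below reads a slapd.conf and flags the settings this page warns about: a rootpw that is not a {scheme} hash, TLSVerifyClient never, certificate or key files that are missing or world-readable, and a database directory that is not mode 700. The demo() function builds a throw-away copy of the page's file layout from constructed placeholder files (not real keys) with two deliberate mistakes, so the checks can be exercised without a real installation.

```python
"""Lint the slapd.conf/TLS layout this page builds for the problems the page
itself warns about.  Added example; not part of the how-to or of OpenLDAP."""
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, List

SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")   # {SSHA}, {MD5}, {CRYPT}, ...
TLS_FILES = ("tlscertificatefile", "tlscertificatekeyfile", "tlscacertificatefile")


def parse_slapd_conf(text: str) -> Dict[str, str]:
    """Map each directive (lower-cased) to its last value.

    Comment and blank lines are dropped.  A line that starts with whitespace
    continues the previous directive, which is how slapd.conf spells
    multi-line ACLs such as 'access to *' / '        by * read'."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives: Dict[str, str] = {}
    for line in logical:
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return directives


def mode_findings(label: str, path: str, forbidden: int) -> List[str]:
    """Report a missing path, or any permission bit in `forbidden` that is set."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return ["%s: %s does not exist" % (label, path)]
    loose = mode & forbidden
    if loose:
        return ["%s: %s is mode %04o; clear bits %04o" % (label, path, mode, loose)]
    return []


def check_config(text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing to report."""
    d = parse_slapd_conf(text)
    findings: List[str] = []
    rootpw = d.get("rootpw", "")
    if rootpw and not SCHEME_RE.match(rootpw):
        findings.append("rootpw is cleartext; paste the output of 'slappasswd -h {SSHA}' instead")
    if "tlscertificatefile" in d and d.get("tlsverifyclient", "never").lower() == "never":
        findings.append("TLSVerifyClient never: client certificates are not checked")
    for key in TLS_FILES:
        if key in d:
            # The page installs these as slapd:slapd mode 440: no world access, no group write.
            findings.extend(mode_findings(key, d[key], stat.S_IRWXO | stat.S_IWGRP))
    if "directory" in d:
        # "Mode 700 recommended": nothing for group or other.
        findings.extend(mode_findings("directory", d["directory"], stat.S_IRWXG | stat.S_IRWXO))
    return findings


def demo() -> List[str]:
    """Build a throw-away copy of the page's layout with constructed placeholder
    files (not real keys) and two deliberate mistakes, then return the findings."""
    base = tempfile.mkdtemp(prefix="ldapcerts-")
    paths = {}
    for name, mode in (("masterslapd.cert", 0o440), ("masterslapd.key", 0o644), ("cacert.pem", 0o440)):
        paths[name] = os.path.join(base, name)
        with open(paths[name], "w") as fh:
            fh.write("placeholder, not a real PEM file\n")
        os.chmod(paths[name], mode)                 # the .key at 0644 is mistake #1
    db = os.path.join(base, "ironclad.mil")
    os.mkdir(db)
    os.chmod(db, 0o700)                             # set explicitly; mkdir honours umask
    conf = "\n".join([
        "# constructed slapd.conf fragment mirroring the page",
        "rootpw          secret",                   # mistake #2: cleartext rootpw
        "directory       " + db,
        "mode            0600",
        "TLSCipherSuite HIGH:MEDIUM:+SSLv2",
        "TLSCertificateFile " + paths["masterslapd.cert"],
        "TLSCertificateKeyFile " + paths["masterslapd.key"],
        "TLSCACertificateFile " + paths["cacert.pem"],
        "TLSVerifyClient never",                    # as on the page; reported, not a mistake
        "access to *",
        "        by * read",
        "",
    ])
    try:
        return check_config(conf)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point check_config at the text of your own slapd.conf to run the same checks against a real installation.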

Configure SSL: Restarting OpenLDAP - Restarting OpenLDAP to load the new configuration

You need to restart the LDAP server with SSL/TLS turned on before you can use it. Go to the terminal where you have OpenLDAP running in debug mode and abort it, either by killing the process (I recommend kill -TERM) or by hitting CTRL-C, which should abort it as well, and then restart it with the following command line.

First, this is the usual way to start it:

su - slapd
/usr/local/libexec/slapd -h 'ldap://127.0.0.1:3890/ ldaps://127.0.0.1:6360/' -d 255

If your su supports it, you can also start it with a single command:

su slapd -c "/usr/local/libexec/slapd -h 'ldap://127.0.0.1:3890/ ldaps://127.0.0.1:6360/' -d 255"

If your certificate is valid and the permissions are correct, the ldap server should be running and listening on 127.0.0.1 port 6360 for SSL/TLS connections.


Acknowledgements