How To Install and Configure OpenLdap server and Clients with SSL support

Posted: 27th October 2016 by admin in Uncategorized

The OpenLDAP server is in Ubuntu's default repositories under the package "slapd", so we can install it easily with apt-get. We will also install some additional utilities:

sudo apt-get update
sudo apt-get install slapd ldap-utils

You will be asked to enter and confirm a password for the LDAP administrator account.

Reconfigure slapd

When the installation is complete, we actually need to reconfigure the LDAP package.

Type the following to bring up the package configuration tool:

sudo dpkg-reconfigure slapd

You will be asked a series of questions about how you'd like to configure the software.

  • Omit OpenLDAP server configuration? No

  • DNS domain name?

    This will create the base structure of your directory path. Read the message to understand how it works. There are no set rules for how to configure this. If you have an actual domain name on this server, you can use that. Otherwise, use whatever you'd like. In this article, we will call it ldap.test

  • Organization name?

    Again, this is up to you. We will use example in this guide.

  • Administrator password? – Use the password you configured during installation, or choose another one

  • Database backend to use? HDB

  • Remove the database when slapd is purged? No

  • Move old database? Yes

  • Allow LDAPv2 protocol? No


Create Self Signed SSL

1. Generate a private key for our CA; later we will sign all the other certificates with this key too.

# openssl genrsa -des3 -out ca.key 2048

2. Create the CA certificate

# openssl req -new -x509 -days 1825 -utf8 -key ca.key -out ca.cert

Here you need to answer the questions openssl asks you. The most important one is

Common Name (eg, YOUR name) []: ldap.test   (give your LDAP server's FQDN or IP address here)

Create the Server Certificate (signed by our CA)

Generate the private key

# openssl genrsa -out user.key 1024

Generate a certificate signing request (answer the Common Name question with the LDAP FQDN here as well: this is the certificate the clients will actually check)

# openssl req -new -key user.key -out user.csr -utf8

And sign the certificate with the CA

# openssl x509 -req -in user.csr -out user.cert \
      -CA ca.cert -CAkey ca.key -CAcreateserial -days 1095

The private key ca.key must be stored in a safe place; the public ca.cert we will distribute to all LDAP clients.

Let's create a directory on the server machine for storing the certificates (the same directory the copy commands below use)

# mkdir /etc/ldap/ssl

Copy the certificates to the directory

        # cp user.cert /etc/ldap/ssl/
        # cp user.key /etc/ldap/ssl/
        # cp ca.cert /etc/ldap/ssl/

Set the right permissions (slapd runs as the openldap user and must be able to read the key; nobody else needs to)

        # chown -R openldap:openldap /etc/ldap/ssl/
        # chmod -R 750 /etc/ldap/ssl/

Now we need to tell slapd to read its configuration from a slapd.conf file instead of its default configuration.

vim  /etc/default/slapd

Define the path to your slapd.conf (the line must not be commented out): SLAPD_CONF=/etc/ldap/slapd.conf

In the same file make sure SLAPD_SERVICES includes ldaps:/// so that slapd also listens on port 636.

The slapd.conf should be tailored to your needs, but here is mine, pretty basic:



include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

#loglevel        none
loglevel        stats sync config conns


# TLS material: these must be the files we copied to /etc/ldap/ssl above
# (works with ldap_tls_reqcert = allow or demand on the clients)
TLSCertificateFile    /etc/ldap/ssl/user.cert
TLSCertificateKeyFile /etc/ldap/ssl/user.key
TLSCACertificateFile  /etc/ldap/ssl/ca.cert

#TLSCACertificateFile /etc/ssl/certs/ca_server.pem
#TLSCertificateFile /etc/ssl/certs/ldap_server.pem
#TLSCertificateKeyFile /etc/ssl/private/ldap_server.key
#TLS_REQCERT allow #for WebInterface not necessary

# scheme used to hash passwords changed through LDAP
password-hash   {MD5}

modulepath      /usr/lib/ldap
moduleload      back_hdb
#moduleload     back_monitor

sizelimit 500
tool-threads 1

backend         hdb

database        hdb

# suffix and rootdn must match the BASE used by the clients and by ldapsearch below
suffix          "dc=ldap,dc=test"

rootdn          "cn=admin,dc=ldap,dc=test"
# a cleartext rootpw works, but a hashed value like the commented line below is safer;
# generate one with: slappasswd -h {SSHA}
rootpw          Thi0kh0nuad
#rootpw                 {SSHA}UcCG********************

directory       "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See for more
# information.

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass eq

overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

#lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

## Allow users to change their own password; nobody else may read it
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by users none

# everything else is readable by anyone, including anonymous binds
access to * by * read

# NOTE: slapd uses the first "access to" clause that matches, so this rule
# sits behind "access to *" above and is never evaluated
access to attrs=shadowLastChange
        by * write
        by * auth

#access to dn.base="" by * read

#access to *
#        by self write
#        by * read

# Monitor Database

#database       monitor

#rootdn          "cn=Monitor"
#rootpw          {MD5}SomeMD5WasAlsoHere

#access to dn.subtree="cn=Monitor"
#        by dn.exact="cn=Monitor" write
#        by users read
#        by * read

#database config

#rootdn "cn=admin,cn=config"
#rootpw config


OK, that's the server configuration done. Let's start the OpenLDAP server:

/etc/init.d/slapd start

Check that it is running and listening on both ports: netstat -nap --tcp | grep -e 389 -e 636

tcp6       0      0 :::636        :::*          LISTEN      7392/slapd
tcp6       0      0 :::389        :::*          LISTEN      7392/slapd

Great!!

Client side configuration

Let's create a directory on the client machine for storing the CA certificate

mkdir /etc/ldap/ssl/

Copy the CA certificate (ca.cert) from the server into that directory on the client (scp or just copy-paste)

Change the configuration file: vim /etc/ldap/ldap.conf

# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=ldap,dc=test
# the hostname here must match the Common Name of the server certificate
URI ldaps://ldap.test

timelimit 10
bind_timelimit 15
idle_timelimit 30
bind_policy soft

ssl on
# verify the server certificate against the CA below; without this any certificate would be accepted
tls_checkpeer yes

TLS_CACERT  /etc/ldap/ssl/ca.cert

pam_password md5

Let's restart the nslcd and nscd daemons

sudo /etc/init.d/nslcd restart && sudo /etc/init.d/nscd restart

And check that the client has opened connections to the server on port 636

ldap# netstat -nap --tcp | grep -e 636 -e 389
tcp        0      0 X.X.X.X:40417      x.x.x.x:636       ESTABLISHED 25104/1
tcp        0      0 x.x.x.x:40419      x.x.x.x:636       ESTABLISHED 25186/-bash
tcp       70      0 x.x.x.x:40089      x.x.x.x:636       CLOSE_WAIT  3939/systemd-logind
tcp        0      0 x.x.x.x:40420      x.x.x.x:636       ESTABLISHED 23697/nscd

So we have installed and configured a working OpenLDAP server with SSL authentication support.

On different systems the client configuration files may differ:

Redhat: /etc/openldap/ldap.conf | /etc/pam_ldap.conf | /etc/nslcd.conf

Centos: /etc/sssd/sssd.conf

Allow creating home directories on LDAP login (SELinux policy for sshd, built from the audit log):

grep sshd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp


Add to /etc/pam.d/system-auth (the module name was missing):
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022

authconfig --enablemkhomedir --update

Get information from the LDAP directory (on the client side)

ldapsearch -LL -H ldaps://ldap.test -b "dc=ldap,dc=test" -W -x -D "cn=admin,dc=ldap,dc=test"

For easier OpenLDAP management you can install phpLDAPadmin (this will be explained in the next post).

Cheers, for any questions leave a comment!