1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�46.�LDAP and Transport Layer Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part�VI.�Reference Section"><link rel="prev" href="speed.html" title="Chapter�45.�Samba Performance Tuning"><link rel="next" href="ch47.html" title="Chapter�47.�Samba Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�46.�LDAP and Transport Layer Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a>�</td><th width="60%" align="center">Part�VI.�Reference Section</th><td width="20%" align="right">�<a accesskey="n" href="ch47.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch-ldap-tls"></a>Chapter�46.�LDAP and Transport Layer Security</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gavin</span> <span class="orgname">Suretec Systems Limited, UK</span> <span class="surname">Henry</span></h3><div class="affiliation"><span class="orgname">Suretec Systems Limited, UK<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:ghenry@suretecsystems.com">ghenry@suretecsystems.com</a>></code></p></div></div></div></div><div><p class="pubdate">July 8, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-intro-ldap-tls"></a>Introduction</h2></div></div></div><p> 2 <a class="indexterm" name="id2691290"></a> 3<a class="indexterm" name="id2691299"></a> 4 Up until now, we have discussed the straightforward configuration of <span class="trademark">OpenLDAP</span>™, 5 with some advanced features such as ACLs. This does not however, deal with the fact that the network 6 transmissions are still in plain text. This is where <em class="firstterm">Transport Layer Security (TLS)</em> 7 comes in. 8 </p><p> 9<a class="indexterm" name="id2691323"></a> 10 <span class="trademark">OpenLDAP</span>™ clients and servers are capable of using the Transport Layer Security (TLS) 11 framework to provide integrity and confidentiality protections in accordance with <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC 2830</a>; <span class="emphasis"><em>Lightweight Directory Access Protocol (v3): 12 Extension for Transport Layer Security.</em></span> 13 </p><p> 14<a class="indexterm" name="id2691353"></a> 15 TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates 16 are optional. We will only be discussing server certificates. 17 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> 18<a class="indexterm" name="id2691367"></a> 19<a class="indexterm" name="id2691373"></a> 20<a class="indexterm" name="id2691380"></a> 21 The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the 22 server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the 23 <code class="option">subjectAltName</code> certificate extension. More details on server certificate names are in <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC2830</a>. 24 </p></div><p> 25 We will discuss this more in the next sections. 26 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-config-ldap-tls"></a>Configuring</h2></div></div></div><p> 27 <a class="indexterm" name="id2691420"></a> 28 Now on to the good bit. 29 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-certs"></a>Generating the Certificate Authority</h3></div></div></div><p> 30<a class="indexterm" name="id2691443"></a> 31 In order to create the relevant certificates, we need to become our own Certificate Authority (CA). 32 <sup>[<a name="id2691454" href="#ftn.id2691454" class="footnote">8</a>]</sup> This is necessary, so we can sign the server certificate. 33 </p><p> 34<a class="indexterm" name="id2691483"></a> 35 We will be using the <a class="ulink" href="http://www.openssl.org" target="_top">OpenSSL</a> <sup>[<a name="id2691496" href="#ftn.id2691496" class="footnote">9</a>]</sup> software for this, which is included with every great <span class="trademark">Linux</span>� distribution. 36 </p><p> 37 TLS is used for many types of servers, but the instructions<sup>[<a name="id2691515" href="#ftn.id2691515" class="footnote">10</a>]</sup> presented here, are tailored for <span class="application">OpenLDAP</span>. 38 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 39 The <span class="emphasis"><em>Common Name (CN)</em></span>, in the following example, <span class="emphasis"><em>MUST</em></span> be 40 the fully qualified domain name (FQDN) of your ldap server. 41 </p></div><p> 42 First we need to generate the CA: 43</p><pre class="screen"> 44<code class="computeroutput"> 45<code class="prompt">root# </code> mkdir myCA 46</code> 47</pre><p> 48 Move into that directory: 49</p><pre class="screen"> 50<code class="computeroutput"> 51<code class="prompt">root# </code> cd myCA 52</code> 53</pre><p> 54 Now generate the CA:<sup>[<a name="id2691591" href="#ftn.id2691591" class="footnote">11</a>]</sup> 55</p><pre class="screen"> 56<code class="computeroutput"> 57<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -newca 58CA certificate filename (or enter to create) 59 60Making CA certificate ... 61Generating a 1024 bit RSA private key 62.......................++++++ 63.............................++++++ 64writing new private key to './demoCA/private/cakey.pem' 65Enter PEM pass phrase: 66Verifying - Enter PEM pass phrase: 67----- 68You are about to be asked to enter information that will be incorporated 69into your certificate request. 70What you are about to enter is what is called a Distinguished Name or a DN. 71There are quite a few fields but you can leave some blank 72For some fields there will be a default value, 73If you enter '.', the field will be left blank. 74----- 75Country Name (2 letter code) [AU]:AU 76State or Province Name (full name) [Some-State]:NSW 77Locality Name (eg, city) []:Sydney 78Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas 79Organizational Unit Name (eg, section) []:IT 80Common Name (eg, YOUR name) []:ldap.abmas.biz 81Email Address []:support@abmas.biz 82</code> 83</pre><p> 84 </p><p> 85 There are some things to note here. 86 </p><div class="orderedlist"><ol type="1"><li><p> 87 You <span class="emphasis"><em>MUST</em></span> remember the password, as we will need 88 it to sign the server certificate.. 89 </p></li><li><p> 90 The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be the 91 fully qualified domain name (FQDN) of your ldap server. 92 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-server"></a>Generating the Server Certificate</h3></div></div></div><p> 93 Now we need to generate the server certificate: 94</p><pre class="screen"> 95<code class="computeroutput"> 96<code class="prompt">root# </code> openssl req -new -nodes -keyout newreq.pem -out newreq.pem 97Generating a 1024 bit RSA private key 98.............++++++ 99........................................................++++++ 100writing new private key to 'newreq.pem' 101----- 102You are about to be asked to enter information that will be incorporated 103into your certificate request. 104What you are about to enter is what is called a Distinguished Name or a DN. 105There are quite a few fields but you can leave some blank 106For some fields there will be a default value, 107If you enter '.', the field will be left blank. 108----- 109Country Name (2 letter code) [AU]:AU 110State or Province Name (full name) [Some-State]:NSW 111Locality Name (eg, city) []:Sydney 112Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas 113Organizational Unit Name (eg, section) []:IT 114Common Name (eg, YOUR name) []:ldap.abmas.biz 115Email Address []:support@abmas.biz 116 117Please enter the following 'extra' attributes 118to be sent with your certificate request 119A challenge password []: 120An optional company name []: 121</code> 122</pre><p> 123 </p><p> 124 Again, there are some things to note here. 125 </p><div class="orderedlist"><ol type="1"><li><p> 126 You should <span class="emphasis"><em>NOT</em></span> enter a password. 127 </p></li><li><p> 128 The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be 129 the fully qualified domain name (FQDN) of your ldap server. 130 </p></li></ol></div><p> 131 Now we sign the certificate with the new CA: 132</p><pre class="screen"> 133<code class="computeroutput"> 134<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -sign 135Using configuration from /etc/ssl/openssl.cnf 136Enter pass phrase for ./demoCA/private/cakey.pem: 137Check that the request matches the signature 138Signature ok 139Certificate Details: 140Serial Number: 1 (0x1) 141Validity 142 Not Before: Mar 6 18:22:26 2005 EDT 143 Not After : Mar 6 18:22:26 2006 EDT 144Subject: 145 countryName = AU 146 stateOrProvinceName = NSW 147 localityName = Sydney 148 organizationName = Abmas 149 organizationalUnitName = IT 150 commonName = ldap.abmas.biz 151 emailAddress = support@abmas.biz 152X509v3 extensions: 153 X509v3 Basic Constraints: 154 CA:FALSE 155 Netscape Comment: 156 OpenSSL Generated Certificate 157 X509v3 Subject Key Identifier: 158 F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE 159 X509v3 Authority Key Identifier: 160 keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC 161 DirName:/C=AU/ST=NSW/L=Sydney/O=Abmas/OU=IT/ 162 CN=ldap.abmas.biz/emailAddress=support@abmas.biz 163 serial:00 164 165Certificate is to be certified until Mar 6 18:22:26 2006 EDT (365 days) 166Sign the certificate? [y/n]:y 167 168 1691 out of 1 certificate requests certified, commit? [y/n]y 170Write out database with 1 new entries 171Data Base Updated 172Signed certificate is in newcert.pem 173</code> 174</pre><p> 175 </p><p> 176 That completes the server certificate generation. 177 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-install"></a>Installing the Certificates</h3></div></div></div><p> 178 Now we need to copy the certificates to the right configuration directories, 179 rename them at the same time (for convenience), change the ownership and 180 finally the permissions: 181</p><pre class="screen"> 182<code class="computeroutput"> 183<code class="prompt">root# </code> cp demoCA/cacert.pem /etc/openldap/ 184<code class="prompt">root# </code> cp newcert.pem /etc/openldap/servercrt.pem 185<code class="prompt">root# </code> cp newreq.pem /etc/openldap/serverkey.pem 186<code class="prompt">root# </code> chown ldap.ldap /etc/openldap/*.pem 187<code class="prompt">root# </code> chmod 640 /etc/openldap/cacert.pem; 188<code class="prompt">root# </code> chmod 600 /etc/openldap/serverkey.pem 189</code> 190</pre><p> 191 </p><p> 192 Now we just need to add these locations to <code class="filename">slapd.conf</code>, 193 anywhere before the <code class="option">database</code> declaration as shown here: 194</p><pre class="screen"> 195<code class="computeroutput"> 196TLSCertificateFile /etc/openldap/servercrt.pem 197TLSCertificateKeyFile /etc/openldap/serverkey.pem 198TLSCACertificateFile /etc/openldap/cacert.pem 199</code> 200</pre><p> 201 </p><p> 202 Here is the declaration and <code class="filename">ldap.conf</code>: 203<code class="filename">ldap.conf</code> 204</p><pre class="screen"> 205<code class="computeroutput"> 206TLS_CACERT /etc/openldap/cacert.pem 207</code> 208</pre><p> 209 </p><p> 210 That's all there is to it. Now on to <a class="xref" href="ch-ldap-tls.html#s1-test-ldap-tls" title="Testing">the section called “Testing”</a> 211 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-test-ldap-tls"></a>Testing</h2></div></div></div><p> 212<a class="indexterm" name="id2691999"></a> 213This is the easy part. Restart the server: 214</p><pre class="screen"> 215<code class="computeroutput"> 216<code class="prompt">root# </code> /etc/init.d/ldap restart 217Stopping slapd: [ OK ] 218Checking configuration files for slapd: config file testing succeeded 219Starting slapd: [ OK ] 220</code> 221</pre><p> 222 Then, using <code class="literal">ldapsearch</code>, test an anonymous search with the 223 <code class="option">-ZZ</code><sup>[<a name="id2692041" href="#ftn.id2692041" class="footnote">12</a>]</sup> option: 224</p><pre class="screen"> 225<code class="computeroutput"> 226<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \ 227 -H 'ldap://ldap.abmas.biz:389' -ZZ 228</code> 229</pre><p> 230 Your results should be the same as before you restarted the server, for example: 231</p><pre class="screen"> 232<code class="computeroutput"> 233<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \ 234 -H 'ldap://ldap.abmas.biz:389' -ZZ 235 236# extended LDIF 237# 238# LDAPv3 239# base <> with scope sub 240# filter: (objectclass=*) 241# requesting: ALL 242# 243 244# abmas.biz 245dn: dc=ldap,dc=abmas,dc=biz 246objectClass: dcObject 247objectClass: organization 248o: Abmas 249dc: abmas 250 251# Manager, ldap.abmas.biz 252dn: cn=Manager,dc=ldap,dc=abmas,dc=biz 253objectClass: organizationalRole 254cn: Manager 255 256# ABMAS, abmas.biz 257dn: sambaDomainName=ABMAS,dc=ldap,dc=abmas,dc=biz 258sambaDomainName: ABMAS 259sambaSID: S-1-5-21-238355452-1056757430-1592208922 260sambaAlgorithmicRidBase: 1000 261objectClass: sambaDomain 262sambaNextUserRid: 67109862 263sambaNextGroupRid: 67109863 264</code> 265</pre><p> 266 If you have any problems, please read <a class="xref" href="ch-ldap-tls.html#s1-int-ldap-tls" title="Troubleshooting">the section called “Troubleshooting”</a> 267</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-int-ldap-tls"></a>Troubleshooting</h2></div></div></div><p> 268<a class="indexterm" name="id2692139"></a> 269The most common error when configuring TLS, as I have already mentioned numerous times, is that the 270<span class="emphasis"><em>Common Name (CN)</em></span> you entered in <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-server" title="Generating the Server Certificate">the section called “Generating the Server Certificate”</a> is 271<span class="emphasis"><em>NOT</em></span> the Fully Qualified Domain Name (FQDN) of your ldap server. 272</p><p> 273Other errors could be that you have a typo somewhere in your <code class="literal">ldapsearch</code> command, or that 274your have the wrong permissions on the <code class="filename">servercrt.pem</code> and <code class="filename">cacert.pem</code> 275files. They should be set with <code class="literal">chmod 640</code>, as per <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-install" title="Installing the Certificates">the section called “Installing the Certificates”</a>. 276</p><p> 277For anything else, it's best to read through your ldap logfile or join the <span class="application">OpenLDAP</span> mailing list. 278</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2691454" href="#id2691454" class="para">8</a>] </sup>We could however, get our generated server certificate signed by proper CAs, like <a class="ulink" href="http://www.thawte.com/" target="_top">Thawte</a> and <a class="ulink" href="http://www.verisign.com/" target="_top">VeriSign</a>, which 279 you pay for, or the free ones, via <a class="ulink" href="http://www.cacert.org/" target="_top">CAcert</a> 280 </p></div><div class="footnote"><p><sup>[<a name="ftn.id2691496" href="#id2691496" class="para">9</a>] </sup>The downside to 281 making our own CA, is that the certificate is not automatically recognized by clients, like the commercial 282 ones are.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2691515" href="#id2691515" class="para">10</a>] </sup>For information straight from the 283 horse's mouth, please visit <a class="ulink" href="http://www.openssl.org/docs/HOWTO/" target="_top">http://www.openssl.org/docs/HOWTO/</a>; the main OpenSSL 284 site.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2691591" href="#id2691591" class="para">11</a>] </sup>Your <code class="filename">CA.pl</code> or <code class="filename">CA.sh</code> might not be 285 in the same location as mine is, you can find it by using the <code class="literal">locate</code> command, i.e., 286 <code class="literal">locate CA.pl</code>. If the command complains about the database being too old, run 287 <code class="literal">updatedb</code> as <span class="emphasis"><em>root</em></span> to update it.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2692041" href="#id2692041" class="para">12</a>] </sup>See <code class="literal">man ldapsearch</code></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="ch47.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�45.�Samba Performance Tuning�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�47.�Samba Support</td></tr></table></div></body></html> 288