There are many howtos on the net about this topic. Here I will not write another one, but just list the mistakes I made today. I hope this will save others some time.

openssl certs

On Debian we generally use make-ssl-cert to generate self-signed certs. This tool also works fine for generating SSL certs for LDAP. The only important thing to remember is to use your fully qualified host name (FQDN) as the host name while creating the cert: failing to do that will make the OpenLDAP server fail to start. Remember also to change the permissions of the server certificate so that the openldap user can read it.

self signed certs VS signed certs

If I understand correctly, OpenLDAP works just fine with self-signed certs, but this is not optimal. To generate signed certs, you first need to create a CA cert and then use it to sign your server cert. On Debian you can find scripts to do that in /usr/lib/ssl/misc/

TLS_REQCERT allow

If you use a self-signed cert you need to specify TLS_REQCERT allow in /etc/ldap/ldap.conf and TLSVerifyClient allow in your /etc/ldap/slapd.conf. The first is necessary to get the LDAP clients working. I'm not sure about the second one in the server configuration file.

pam and nss

cat /etc/libnss-ldap.conf
base dc=cduce,dc=org
uri ldaps://osmium.pps.jussieu.fr
ldap_version 3
ssl on

cat /etc/pam_ldap.conf
base dc=cduce,dc=org
uri ldaps://osmium.pps.jussieu.fr
ssl on
ldap_version 3
pam_password crypt
nss_base_passwd ou=people,dc=cduce,dc=org?one
nss_base_shadow ou=people,dc=cduce,dc=org?one
nss_base_group  ou=group,dc=cduce,dc=org?one
nss_base_netgroup ou=netgroup,dc=cduce,dc=org?one

The important bit here is ssl on, which forces the client to use SSL. Of course, remember to specify ldaps in the uri as well.
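Added example (not from the original post): a small Python check that parses the key/value format of these files and flags the two client-side mistakes this post is about, a uri that is still plain ldap:// to a remote host, and a TLS_REQCERT of allow or never, which makes the client accept any server certificate. The sample fragments and the /etc/ssl/certs/ldap-server.pem path are constructed for the demo.

```python
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_ldap_conf(text):
    """Parse the 'KEY value' lines used by ldap.conf, pam_ldap.conf and
    libnss-ldap.conf: keys are case-insensitive, '#' starts a comment,
    a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text):
    """Return a list of findings; an empty list means nothing looks weak."""
    conf = parse_ldap_conf(text)
    findings = []
    ssl = conf.get("ssl", "").lower()
    for uri in conf.get("uri", "").split():
        parts = urlsplit(uri)
        if parts.scheme.lower() == "ldaps":
            continue                 # whole session wrapped in TLS
        if ssl == "start_tls":
            continue                 # ldap:// upgraded with STARTTLS is fine too
        if parts.hostname in LOOPBACK:
            continue                 # clear text on loopback only, as in the post
        findings.append(f"{uri}: plain ldap:// to a remote host without start_tls")
    # OpenLDAP's default for TLS_REQCERT is demand; 'allow' and 'never' accept any
    # certificate, so a self-signed cert is better trusted explicitly via TLS_CACERT.
    reqcert = conf.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified, "
                        "set TLS_CACERT to the server cert and TLS_REQCERT demand")
    return findings


# Constructed sample fragments: the post's client setup and a hardened variant
# (the TLS_CACERT path is an assumed placeholder).
WEAK_LDAP_CONF = "BASE dc=cduce,dc=org\nURI ldaps://osmium.pps.jussieu.fr\nTLS_REQCERT allow\n"
HARDENED_LDAP_CONF = ("BASE dc=cduce,dc=org\nURI ldaps://osmium.pps.jussieu.fr\n"
                      "TLS_CACERT /etc/ssl/certs/ldap-server.pem\nTLS_REQCERT demand\n")
PAM_LDAP_CONF = "base dc=cduce,dc=org\nuri ldap://osmium.pps.jussieu.fr ldap://127.0.0.1\nssl off\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF), ("pam", PAM_LDAP_CONF)):
        print(name + ":", check_ldap_conf(text) or "ok")
```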

Enable ldaps

On debian you need to modify /etc/default/slapd and add this line:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps://cduce.org:636/"

I decided to keep plain ldap (without SSL) on localhost only, and ldaps only on the external interface.

More about Kerberos + SASL + OpenLdap soon…