Openldap + SSL
There are many, many howtos on the net regarding this topic. Here I won't give another howto, but just a list of the mistakes I made today. I hope this will save some time for others.
openssl certs
With debian we generally use make-ssl-cert to generate self signed certs. This tool works fine also to generate ssl certs for ldap. The only important thing to remember is to specify your fully qualified domain name (FQDN) as host name while creating the cert. Failing to do that will make the openldap server fail to start. Remember also to change the permissions of the server certificate to allow the openldap user to read it.
self signed certs VS signed certs
If I understand correctly, openldap works just fine with self signed certs, but this is not optimal. To generate signed certs, you first need to create a CA cert and then use it to sign your server cert. In debian you can find scripts to do that in /usr/lib/ssl/misc/
TLS_REQCERT allow
If you use a self signed cert you need to specify TLS_REQCERT allow in /etc/ldap/ldap.conf and TLSVerifyClient allow in your /etc/ldap/slapd.conf. The first is necessary to get the ldap clients working. I'm not sure about the second one in the server configuration file.
pam and nss
cat /etc/libnss-ldap.conf
base dc=cduce,dc=org
uri ldaps://osmium.pps.jussieu.fr
ldap_version 3
ssl on
cat /etc/pam_ldap.conf
base dc=cduce,dc=org
uri ldaps://osmium.pps.jussieu.fr
ssl on
ldap_version 3
pam_password crypt
nss_base_passwd ou=people,dc=cduce,dc=org?one
nss_base_shadow ou=people,dc=cduce,dc=org?one
nss_base_group ou=group,dc=cduce,dc=org?one
nss_base_netgroup ou=netgroup,dc=cduce,dc=org?one
The important bit here is ssl on, which forces the client to use ssl. Of course, remember to specify ldaps in the uri.
Enable ldaps
On debian you need to modify /etc/default/slapd and add this line:
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps://cduce.org:636/"
I decided to keep ldap without ssl on localhost, but only ldaps on the external interface.
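As an added example (not from the original post), here is a small Python lint for the client files shown in the pam and nss section, the TLS_REQCERT setting, and the SLAPD_SERVICES line: it flags a uri that is not ldaps, a missing ssl on, a TLS_REQCERT level (never/allow/try) under which the client proceeds without verifying the server certificate, and plain ldap:// listeners bound to anything but loopback. The function names parse_conf, lint_client and lint_slapd_services are my own, and the sample inputs are constructed from the snippets above.

```python
from urllib.parse import urlsplit

LOOPBACK = ('127.0.0.1', '::1', 'localhost')
WEAK_REQCERT = ('never', 'allow', 'try')  # client proceeds without a verified server cert


def parse_conf(text):
    """Parse 'key value' lines of ldap.conf, libnss-ldap.conf or pam_ldap.conf.
    Keys are folded to lower case; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split(None, 1)
        if fields:
            conf[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ''
    return conf


def lint_client(conf, nss_pam=False):
    """Return findings for one client config (empty list means clean).
    nss_pam=True also demands the 'ssl on' line used by libnss-ldap/pam_ldap."""
    findings = []
    for u in conf.get('uri', '').split():
        if urlsplit(u).scheme.lower() != 'ldaps':
            findings.append(f'uri {u} is not ldaps://')
    if nss_pam and conf.get('ssl', '').lower() != 'on':
        findings.append('ssl on is missing, the client is not forced to use SSL')
    reqcert = conf.get('tls_reqcert', 'demand').lower()  # ldap.conf default is demand
    if reqcert in WEAK_REQCERT:
        findings.append(f'TLS_REQCERT {reqcert}: server cert is not verified; '
                        'set TLS_CACERT to the CA cert and use TLS_REQCERT demand')
    return findings


def lint_slapd_services(line):
    """Flag plain ldap:// listeners in a SLAPD_SERVICES line bound off loopback."""
    value = line.partition('=')[2].strip().strip('"')
    return [f'{u} serves cleartext LDAP on a non-loopback address'
            for u in value.split()
            if urlsplit(u).scheme.lower() == 'ldap'
            and urlsplit(u).hostname not in LOOPBACK]


# Constructed samples modelled on the snippets in the post.
NSS_CONF = "base dc=cduce,dc=org\nuri ldaps://osmium.pps.jussieu.fr\nldap_version 3\nssl on\n"
LDAP_CONF_WEAK = "BASE dc=cduce,dc=org\nURI ldaps://osmium.pps.jussieu.fr\nTLS_REQCERT allow\n"
SLAPD_DEFAULT = 'SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps://cduce.org:636/"'

if __name__ == '__main__':
    print(lint_client(parse_conf(NSS_CONF), True), lint_client(parse_conf(LDAP_CONF_WEAK)),
          lint_slapd_services(SLAPD_DEFAULT))
```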
More about Kerberos + SASL + OpenLdap soon…