The LDAP server needs an SSL certificate before it can offer TLS. You can purchase one, but this isn't necessary: unlike a public web or mail server, an LDAP server talks to a known set of clients, so the certificate authority that signs the server certificate can simply be distributed to those clients when they are configured. The openssl package provides the necessary scripts.
First, edit /usr/share/ssl/openssl.cnf and change the following lines to something appropriate to your organization. This isn't a necessary step, but it saves time, as you can then just press return to accept the defaults when creating a certificate. The same file sets default_bits; the 1024-bit keys generated below were the default at the time, but 1024-bit RSA is no longer considered adequate, so set default_bits = 2048 (or larger) while you are editing it.
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CH
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     =

localityName                    = Locality Name (eg, city)
localityName_default            = Zurich

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = University of Zurich

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Institute for Theoretical Physics

commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3
Next, a minor change to the script is helpful. Edit /usr/share/ssl/misc/CA and add a CADAYS variable next to DAYS (the number of days the certificate authority certificate is valid; ten years here, so the CA outlives the one-year server certificates it signs).

DAYS="-days 365"
CADAYS="-days 3650"

Now skip down to the -newca section and make the following change, so that the CA certificate is issued with $CADAYS rather than $DAYS.
echo "Making CA certificate ..."
$REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \
-out ${CATOP}/$CACERT $CADAYS
The next step is to create your certificate authority. This needs to be done only once, regardless of how many server certificates you subsequently make. When asked for the filename, press enter to create one. Enter a pass phrase for the certificate authority key and keep it secure: anyone holding demoCA/private/cakey.pem and the pass phrase can issue a certificate for any hostname that every client you have configured will trust, and replacing a compromised CA means generating and deploying a new one along with every certificate it signed.
[root@coma misc]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
.....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) []:
Locality Name (eg, city) [Zurich]:
Organization Name (eg, company) [University of Zurich]:
Organizational Unit Name (eg, section) [Institute for Theoretical Physics]:
Common Name (eg, your name or your server's hostname) []:UniZH Theoretical Physics CA
Email Address []:
Now we move on to create a certificate for the LDAP server. We don't use the script's -newreq function here because we want the server's private key without a pass phrase (the -nodes option): slapd has to read the key when it starts, with nobody present to type one. Instead we call openssl directly. Giving the same file to -keyout and -out puts the key and the certificate request together in newreq.pem, which is what the script's -sign step expects. After we finish, we copy the files to the openldap directory.

Remember: you must enter the fully qualified name of the LDAP server as the Common Name, or TLS won't work; clients compare the name in the certificate with the hostname they connected to. This is the name returned by hostname and is also the name that resolves in DNS.
[root@coma misc]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.............................++++++
................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) []:
Locality Name (eg, city) [Zurich]:
Organization Name (eg, company) [University of Zurich]:
Organizational Unit Name (eg, section) [Institute for Theoretical Physics]:
Common Name (eg, your name or your server's hostname) []:coma.physik.unizh.ch
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now sign the certificate.
[root@coma misc]# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 20 23:21:51 2006 GMT
Not After : Mar 20 23:21:51 2007 GMT
Subject:
countryName = CH
localityName = Zurich
organizationName = University of Zurich
organizationalUnitName = Institute for Theoretical Physics
commonName = coma.physik.unizh.ch
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A3:94:A4:B1:E9:57:FA:AB:6E:F4:FE:27:9F:DD:29:0B:02:EF:F8:C8
X509v3 Authority Key Identifier:
keyid:C3:96:3C:EF:6B:BE:A3:BF:89:5B:1A:6D:52:D1:5D:F2:FE:32:86:82
DirName:/C=CH/L=Zurich/O=University of Zurich/OU=Institute for Theoretical Physics/CN=UniZH Theoretical Physics CA
serial:00
Certificate is to be certified until Mar 20 23:21:51 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
<A DUMP OF THE CERTIFICATE APPEARS HERE>
Signed certificate is in newcert.pem
Finally, copy the signed certificate and the key to the locations slapd expects, together with the CA certificate, and set the file permissions so that only root and the ldap group can read the key. newreq.pem still contains the certificate request alongside the key; that is harmless, as slapd reads only the key. The CA's own private key stays in demoCA/private and is never copied to the LDAP configuration directory.
[root@coma misc]# cp demoCA/cacert.pem /etc/openldap/cacerts/cacerts.pem
[root@coma misc]# cp newreq.pem /etc/openldap/slapd.key
[root@coma misc]# cp newcert.pem /etc/openldap/slapd.pem
[root@coma misc]# chgrp ldap /etc/openldap/slapd.key
[root@coma misc]# chmod 640 /etc/openldap/slapd.key
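The whole procedure above, condensed into a script that uses plain openssl commands and its own small config file instead of the CA script and the system openssl.cnf, followed by the checks worth running before restarting slapd: the server certificate verifies against the CA, it names the host, the key is unencrypted and it matches the certificate. This is an added example, not code from the original page. It goes beyond the page in two ways: 2048-bit keys, and a subjectAltName extension, which current TLS clients check in preference to the Common Name. The hostname ldap.example.org, the organization name, the file layout under a scratch directory and the install step without chgrp are assumptions; the CA key is generated without a pass phrase only so the script runs unattended, whereas a real CA should keep the pass phrase the CA script asks for.

```shell
#!/bin/sh
# Added example: private CA plus slapd server certificate with plain openssl.
# Assumed names: ldap.example.org, "Example University"; everything is written
# under the directory passed as $1 so nothing touches /etc or demoCA.
set -eu

# Write a minimal config for req/x509. $1 = file, $2 = Common Name,
# $3 = optional DNS name for a subjectAltName on the server certificate.
write_cnf() {
    san=${3:-}
    cat >"$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
default_md = sha256
[ dn ]
C = CH
O = Example University
CN = $2
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
${san:+subjectAltName = DNS:$san}
EOF
}

make_ca() {                  # $1 = CA directory, $2 = CA name (the -newca step)
    mkdir -p "$1/private" && chmod 700 "$1/private"
    write_cnf "$1/ca.cnf" "$2"
    # -nodes here only so the demo runs unattended; a real CA key gets a pass phrase
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config "$1/ca.cnf" -extensions ca_ext \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

make_server_cert() {         # $1 = CA directory, $2 = FQDN of the LDAP server
    write_cnf "$1/$2.cnf" "$2" "$2"
    # -nodes: slapd must open the key at boot with nobody to type a pass phrase
    openssl req -new -nodes -newkey rsa:2048 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # the -sign step: one year, CA:FALSE, serverAuth, SAN from the config
    openssl x509 -req -days 365 -sha256 -in "$1/$2.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/private/cakey.pem" -CAcreateserial \
        -extfile "$1/$2.cnf" -extensions server_ext -out "$1/$2.pem" 2>/dev/null
}

verify_chain() {             # $1 = CA cert, $2 = cert; exit 0 if it chains to the CA
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

cert_names_host() {          # $1 = cert, $2 = FQDN; exit 0 if CN and SAN carry it
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" &&
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

key_is_unencrypted() {       # $1 = key file; slapd cannot prompt for a pass phrase
    ! grep -q ENCRYPTED "$1"
}

key_matches_cert() {         # $1 = key, $2 = cert; same public key in both
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

install_for_slapd() {        # $1 = CA directory, $2 = FQDN, $3 = destination dir
    mkdir -p "$3/cacerts"
    cp "$1/cacert.pem" "$3/cacerts/cacerts.pem"   # the CA cert, not its key
    cp "$1/$2.pem" "$3/slapd.pem"
    cp "$1/$2.key" "$3/slapd.key"
    chmod 644 "$3/cacerts/cacerts.pem" "$3/slapd.pem"
    chmod 640 "$3/slapd.key"      # on the real host also: chgrp ldap "$3/slapd.key"
}

# Run directly with a hostname to do the whole procedure in a scratch directory:
#   sh mkcerts.sh ldap.example.org
if [ $# -gt 0 ]; then
    work=$(mktemp -d)
    make_ca "$work" "Example CA"
    make_server_cert "$work" "$1"
    if verify_chain "$work/cacert.pem" "$work/$1.pem" && cert_names_host "$work/$1.pem" "$1" \
       && key_is_unencrypted "$work/$1.key" && key_matches_cert "$work/$1.key" "$work/$1.pem"; then
        echo "$1: certificate and key ready under $work"
    else
        echo "$1: checks FAILED" >&2; exit 1
    fi
fi
```

The checks are the ones that catch the usual mistakes at this step: a certificate signed by the wrong CA (or a CA file that is really a request), a Common Name that is not the FQDN, a key that still carries a pass phrase, or a key and certificate from two different runs of openssl req.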