Secure LDAP connection with SSL/TLS

Create a cert/key pair for the LDAP server
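The openssl commands below are an added example and not part of the original page: they create a small private CA, issue a certificate for the LDAP host that carries a subjectAltName, and then run the same chain-and-hostname check an LDAP client performs before it trusts the server. The host name ldap.example.com, the output directory, the 2048-bit key size and the ten-year validity are assumptions for the example; adjust them for your site.

```shell
#!/bin/sh
# Added example: private CA + LDAP server certificate with openssl.
# Assumptions: host name ldap.example.com (override with $1), output
# directory from mktemp (override with $2), RSA 2048, 10 years validity.
set -eu

HOST="${1:-ldap.example.com}"   # must equal the name in ldap://HOST/ on every client
OUT="${2:-$(mktemp -d)}"        # where the PEM files are written

# make_ca: self-signed CA that signs the LDAP server certificate.
# Keep cakey.pem off the LDAP server; only cacert.pem is distributed.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example LDAP CA" \
    -keyout "$OUT/cakey.pem" -out "$OUT/cacert.pem" 2>/dev/null
}

# make_server_cert: key and CSR for the LDAP host, signed by the CA.
# A subjectAltName is added because clients match the host name against
# SAN DNS entries first and fall back to the CN only if there is no SAN.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" \
    -keyout "$OUT/ldap_key.pem" -out "$OUT/ldap.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
    > "$OUT/ext.cnf"
  openssl x509 -req -days 3650 -in "$OUT/ldap.csr" \
    -CA "$OUT/cacert.pem" -CAkey "$OUT/cakey.pem" -CAcreateserial \
    -extfile "$OUT/ext.cnf" -out "$OUT/ldap_cert.pem" 2>/dev/null
  chmod 600 "$OUT/ldap_key.pem"   # private key: readable by the slapd user only
}

# verify_for_host: the check a client does on connect, i.e. the server
# certificate chains to cacert.pem AND the name in the URI ($1) matches
# the certificate. Returns 0 on success, non-zero on a mismatch.
verify_for_host() {
  openssl verify -CAfile "$OUT/cacert.pem" -verify_hostname "$1" \
    "$OUT/ldap_cert.pem" >/dev/null 2>&1
}

make_ca
make_server_cert
verify_for_host "$HOST"
echo "CA and server certificate written to $OUT"
```

Copy cacert.pem, ldap_cert.pem and ldap_key.pem to the paths named in slapd.conf below, owned by the user slapd runs as, and hand cacert.pem to every client as its tls_cacert. Calling verify_for_host with a different name than the one in the certificate fails, which is exactly the error a client reports when its URI does not match the certificate.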

LDAP server configuration

Enable these in /etc/openldap/slapd.conf:

TLSCACertificateFile /etc/pki/tls/certs/cacert.pem
TLSCertificateFile /etc/pki/tls/certs/ldap_cert.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap_key.pem

# optionally add this as well for mutual TLS: every client must then
# present a certificate issued by the CA in TLSCACertificateFile:
# TLSVerifyClient demand

After a restart the server accepts TLS on both listeners: plain ldap: on tcp port 389 and ldaps: on tcp port 636 (slapd only opens 636 when it is started with an ldaps:/// listener URL; on RHEL/CentOS that is SLAPD_LDAPS=yes in /etc/sysconfig/ldap). A client that connects with ldaps: negotiates TLS immediately, before any LDAP message is exchanged. A client that connects with ldap: on 389 must explicitly send the StartTLS extended operation to upgrade the session; if it does not, the server answers in cleartext and nothing, including the bind password, is encrypted. Check both from a client with ldapsearch: the -ZZ option forces StartTLS and aborts if the upgrade fails, and -H ldaps://ldap.example.com/ exercises the dedicated port.

Port 389 plus StartTLS is the standard LDAPv3 method (RFC 2830, now part of RFC 4511); ldaps: on 636 predates it and was never standardised, although it is still widely supported.

Client configuration

You may use the system-config-authentication GUI to set these up.

Set these in /etc/openldap/ldap.conf:

uri ldap://ldap.example.com/
ssl start_tls
tls_cacert /etc/pki/tls/certs/cacert.pem

And these in /etc/ldap.conf:

uri ldap://ldap.example.com/
ssl start_tls
tls_cacert /etc/pki/tls/certs/cacert.pem

The host name in the URI must match the server certificate: clients compare it against the subjectAltName DNS entries, or against the CN if the certificate has no SAN. Use that DNS name, never an IP address, in every client's URI; a mismatch is a hard failure because the OpenLDAP client library defaults to TLS_REQCERT demand. Do not "fix" a mismatch by setting TLS_REQCERT to never or allow in ldap.conf: that disables certificate checking entirely, and a man-in-the-middle can then read the bind credentials.

Configure phpldapadmin to use TLS

Enable these in the config.php:

$servers->setValue('server','tls',true);

Configure smbldap-tools to use TLS

Set these in /etc/smbldap-tools/smbldap.conf (ldapTLS="1" makes the tools issue StartTLS on the normal port; leave the verify option at "require" so the server certificate is actually checked against cafile):

# StartTLS runs on the normal LDAP port, so keep 389 (636 is for ldaps only):
masterPort="389"
slavePort="389"
...
ldapTLS="1"
cafile="/etc/pki/tls/certs/cacert.pem"
clientcert=""
clientkey=""

Configure samba to use TLS

Set this in smb.conf. Samba talks to LDAP through the OpenLDAP client library, so the CA it trusts is the tls_cacert from /etc/openldap/ldap.conf above, and the host in the passdb backend LDAP URI must be the name on the certificate:

ldap ssl = start_tls
ldap/secure_connection_with_ssl.txt · Last modified: 2010-04-21 11:14 by admin