Friday, September 12, 2014

Linux - How to Configure OpenLDAP over TLS (Webmin)

OS: Ubuntu 14.04
Webmin version: 1.7

I installed OpenLDAP through Webmin modules. When I try to configure the LDAP server to use TLS encryption in Webmin, I get some strange error messages. When I click the "Generate SSL Certificate" button in Webmin, it generates only the /etc/openldap/certs/ldap.cert file and does not generate the /etc/openldap/certs/ldap.key file (assuming you use /etc/openldap/certs for your key and certificate files), like the picture below:



I changed the destination directory's permissions, ownership, etc. I just couldn't get the ldap.key file generated. So I generated the certificate and key files manually:

1. Generate the key file:
# -des3 means encrypt the generated key with Triple DES in EDE CBC mode (168-bit key)
# 2048 is the RSA key size
# /usr/bin/openssl genrsa -des3 2048 > server.key
Generating RSA private key, 2048 bit long modulus
......................................................+++
..........................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

# Remove the passphrase from the key file:
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

2. Generate the csr file:
# /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US             
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company name
Organizational Unit Name (eg, section) []:HQ
Common Name (e.g. server FQDN or YOUR name) []:Tony
Email Address []:tonylixu@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Generate a self-signed X.509 certificate from the CSR, valid for 3650 days:
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=US/ST=California/L=San Francisco/O=Your Company name/OU=HQ/CN=Tony/emailAddress=tonylixu@gmail.com
Getting Private key

4. Update file permissions:
# chmod 400 server.*

5. Set the TLS certificate file and key file in Webmin:


If you are not using Webmin, add the following to your slapd.conf instead:
TLSCertificateFile      /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile   /etc/openldap/cacerts/server.key

6. Restart LDAP service:
# /etc/init.d/slapd restart

7. Test your SSL certificate:
# Check the certificate the server presents on the LDAPS port:
# openssl s_client -host server_domain_name -port 636 -showcerts

8. You can use JXplorer to test as well.
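Steps 1 to 4 above are interactive and leave no record of what was produced, so the following added script (my own example, not from the original post or from Webmin) runs the same OpenSSL commands non-interactively and then performs the local checks I would run before pointing slapd at the files: that the key really is unencrypted, that the certificate and key belong together, that the CN matches the name clients will use, that the certificate has not expired, and that the self-signed certificate verifies against itself. OUT_DIR, SUBJECT, DAYS and the hostname ldap.example.com are placeholders I chose, not values from the post; the functions are meant to be sourced, with main called afterwards.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-4 run non-interactively,
# followed by the local checks worth running before pointing slapd at the files.
# Placeholders (assumptions, not values from the post): OUT_DIR, SUBJECT, DAYS.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"   # e.g. /etc/openldap/cacerts in production
SUBJECT="${SUBJECT:-/C=US/ST=California/L=San Francisco/O=Example Corp/OU=HQ/CN=ldap.example.com}"
DAYS="${DAYS:-3650}"

# Steps 1-3 in one go. The key is written unencrypted from the start: slapd cannot
# prompt for a passphrase at startup, which is why the post strips it again.
make_selfsigned() {
    openssl genrsa -out "$OUT_DIR/server.key" 2048 2>/dev/null
    openssl req -utf8 -new -key "$OUT_DIR/server.key" -subj "$SUBJECT" \
        -out "$OUT_DIR/server.csr"
    openssl x509 -req -in "$OUT_DIR/server.csr" -signkey "$OUT_DIR/server.key" \
        -days "$DAYS" -out "$OUT_DIR/server.crt" 2>/dev/null
    chmod 400 "$OUT_DIR/server.key" "$OUT_DIR/server.crt"   # step 4
}

# Check: the private key is not passphrase-protected (encrypted PEM files carry
# an ENCRYPTED header or a Proc-Type line).
key_is_unencrypted() {
    ! grep -q -e 'ENCRYPTED' -e 'Proc-Type: 4' "$OUT_DIR/server.key"
}

# Check: certificate and key belong together (same public-key digest). A mismatch
# here is a common reason for slapd refusing to start after a TLS change.
cert_matches_key() {
    c=$(openssl x509 -in "$OUT_DIR/server.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$OUT_DIR/server.key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Check: the CN is the name clients will connect to; TLS clients compare it with
# the hostname in the ldaps:// URI. Handles both the 1.x and 3.x subject formats.
cert_subject_cn() {
    openssl x509 -in "$OUT_DIR/server.crt" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check: not expired (-checkend 0 exits 0 when the certificate is still valid).
cert_not_expired() {
    openssl x509 -in "$OUT_DIR/server.crt" -noout -checkend 0 >/dev/null
}

# Check: a self-signed certificate verifies only against itself, so clients need
# it as TLS_CACERT in ldap.conf; TLS_REQCERT never would instead disable checking.
cert_verifies_as_own_ca() {
    openssl verify -CAfile "$OUT_DIR/server.crt" "$OUT_DIR/server.crt" >/dev/null 2>&1
}

# Step 7 against a live server, using -connect (equivalent to the post's -host/-port).
# Not exercised here: it needs a running slapd with ldaps enabled on port 636.
check_live_server() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

main() {
    make_selfsigned
    key_is_unencrypted && cert_matches_key && cert_not_expired && cert_verifies_as_own_ca
    echo "OK: CN=$(cert_subject_cn) in $OUT_DIR"
}
```

Two practical notes for the Ubuntu 14.04 packaging of slapd, which the Webmin screenshots do not show. First, the packaged slapd runs as the openldap user, so a key left mode 400 and owned by root (as step 4 produces it) is unreadable by the server; chown it to openldap before restarting. Second, that packaging configures slapd through cn=config rather than slapd.conf, so the equivalent of step 5 is setting olcTLSCertificateFile and olcTLSCertificateKeyFile on the cn=config entry with ldapmodify -Y EXTERNAL -H ldapi:///, and the port-636 test in step 7 only works once SLAPD_SERVICES in /etc/default/slapd includes ldaps:///.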
