Cannot use LDAPS on Openldap server

I started by creating a self-signed certificate as follows:

I have installed OpenLDAP on Rocky 9.6 and everything works until I try to convert to LDAPS and I cannot find any clear instructions. I started by creating a self-signed certificate

# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -key ca.key -out ca.pem -days 3650
# openssl x509 -in ca.pem -noout -text
# openssl rsa -in ca.key -out decrypted_ca.key
# openssl genrsa -out ldap1.key 4096
# openssl req -new -key ldap1.key -out ldap1.csr -config cert.cnf
# openssl x509 -req -in ldap1.csr -out ldap1.pem -CA ca.pem -CAkey ca.key -days 3650 -set_serial 01
ln -s ca.pem `openssl x509 -hash -in ca.pem -noout`.0
# openssl req -x509 -new -newkey rsa:4096 -nodes -days 3650 -keyout ldap1.key -out ldap1.pem -config cert.cnf -copy_extensions copyall
# openssl req -x509 -new -newkey rsa:4096 -nodes -days 3650 -keyout ldap1.key -out ldap1.pem -sha256 -addext "subjectAltName = DNS:localhost, DNS:ldap1"

# openssl x509 -req -in ldap1.csr -out ldap1.pem -CA ca.pem -CAkey ca.key -days 3650 -set_serial 01
# chown root:ldap *
chmod 640 *

Is there a better/easier way to do this?
Should I be using the decrypted key with the passphrase removed.

Once I get the certs working I tried to insert them into the LDAP tree and no matter what I just get permissions errors.

# Sets our cert path and information
# The "CertificateFile" has to be set to the hostname of the LDAP server
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/ldap.conf
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap1.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap1.pem

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=computing

# Adding a rootDN for the config.
# Note that this isn't fully necessary as you can use -Y EXTERNAL -H ldapi:/// instead
# So, treat this as an optional thing. If you do want it, consider a different password.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=computing

# Set the password again in the mdb database
# This is because sometimes the password set when making the database doesn't 'work'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}fKR87as2UOchc4xj7FwKmxHxxxxx

# Sets the default password hash to SSHA -- Refer to the 'bug' information if this does not work
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

I tried to add this using: ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif but just get errors?

Is there any reason for using OpenLDAP instead of say for example iDM or ipa-server as it’s known? This would have SSL/TLS enabled by default. It also has a nice webui as well for managing and maintaining.

I would love to use IDM but my company has a working Centos-7 LDAP/S cluster and wants to migrate like for like as they have about 100 clients.

What’s the actual error that you’re getting? What’s the SASL username that’s being reported when you’re using -Y EXTERNAL?

If the output is not the below, then you need to be root.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

Hi,

I am running everything as root and here is my output:

[root@ldap1 ~]# ldapmodify -v -Y EXTERNAL -H ldapi:/// -f /root/addcerts.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
replace olcTLSCACertificatePath:
/etc/openldap/ldap.conf
replace olcTLSCACertificateFile:
/etc/openldap/certs/ca.pem
replace olcTLSCertificateKeyFile:
/etc/openldap/certs/ldap1.key
replace olcTLSCertificateFile:
/etc/openldap/certs/ldap1.pem
modifying entry “cn=config”
ldap_modify: Other (e.g., implementation specific) error (80)

I have checked and /etc/openldap/certs is readable by everyone.

The error isn’t about the certificates themselves. 80 refers to an implementation error. This can be numerous things such as:

• The order of modifications for ldapmodify/ldapadd
  • The order in which some attributes are added/modified actually matter
• Rare: Permissions of the working directories (e.g. /etc/openldap/slapd.d)
• Extremely rare: selinux can stop it (check with audit2why if you are unsure)

Before blaming permissions or selinux, you may want to change the order in which you are trying to make changes to your initial openldap configuration and also verify the configuration you are trying to put in is valid.

The first problem I see is this:

dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/ldap.conf
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.pem

What you’re trying to set for olcTLSCACertificatePath is not valid. You cannot point to a conf file. You must point to a directory, e.g. /etc/openldap/certs.

Pointing directly to a CA file may be unnecessary, but if you need to use it, then you can set it. However, I would try without it and stick to setting a valid olcTLSCACertificatePath.

dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/pki/ldap
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/ldap/ldapserver.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/ldap/ldapserver.key

The order that has worked in the past is:

• CA Certificate path
• Certificate file
• Certificate key

There may be cases where you need to change the order of these. You may find that the CA certificate has to be last or you may find that the cert key has to come before the cert file. You will need to determine this for yourself.

It also seems that you are likely referencing this page for this setup. I would take a look at this page also for smaller examples.

Hi,
Thanks for your help. I don’t know where the typo came from but it did not help so I tried breaking the requests up into smaller files and that seems to get me further:

[root@ldap1 ~]# cat 1.ldif
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
[root@ldap1 ~]# cat 2.ldif
# Sets our cert path and information
# The "CertificateFile" has to be set to the hostname of the LDAP server
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/certs
[root@ldap1 ~]# cat 2.ldif
# Sets our cert path and information
# The "CertificateFile" has to be set to the hostname of the LDAP server
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/certs

I continued breaking them up and it worked until I got to number five:

[root@ldap1 ~]# cat 3.ldif
# Sets our cert path and information
# The "CertificateFile" has to be set to the hostname of the LDAP server
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/certs
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.pem
[root@ldap1 ~]# cat 4.ldif
# Sets our cert path and information
# The "CertificateFile" has to be set to the hostname of the LDAP server
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap1.key
[root@ldap1 ~]# cat 5.ldif
# Sets our cert path and information
# The "CertificateFile" has to be set to the hostname of the LDAP server
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap1.pem

It looks as though I have another typo but can’t see it?

[root@ldap1 ~]# ldapmodify -v -Y EXTERNAL -H ldapi:/// -f /root/5.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
replace olcTLSCertificateFile:
        /etc/openldap/certs/ldap1.pem
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

I have found that this seems to work but now I need to check it:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap1.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap1.key

When I run this I get:

# ldapmodify -v -Y EXTERNAL -H ldapi:/// -f /root/5.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCACertificateFile:
        /etc/openldap/certs/ca.pem
add olcTLSCertificateFile:
        /etc/openldap/certs/ldap1.pem
add olcTLSCertificateKeyFile:
        /etc/openldap/certs/ldap1.key
modifying entry "cn=config"
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcTLSCACertificateFile: value #0 already exists

It seems be the replace that it doesn’t like?

I have solved it by experimenting with add and replace. The problem was you have to ensure you have ALL the config in the database before anything will work:

# slapcat -v -b cn=config  | grep olcTLS
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap1.key
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
olcTLSCRLCheck: none
olcTLSVerifyClient: allow
olcTLSCertificateFile: /etc/openldap/certs/ldap1.pem

Once you have added them via LDIF and the ldapuser can read all the certs and keys, restart slapd and sssd and your good to go.

# openssl s_client -connect ldap1.test.com:636 -servername ldap1.test.com

# openssl s_client -connect ldap1.test.com:636 -servername ldap1.test.com -tls1_2

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.