Building an LDAP Server on Linux, Part 4 - Page 2
Generating a TLS Certificate
First we must generate a server certificate. This is a self-generated certificate for only slapd to use. This method works fine if you don't need to set up a "Certificate Authority" to authorize other certificates and don't need some sort of trusted third-party certificate authority, like Thawte.
Run the following command in the directory that holds slapd.conf. This will generate a new X509 certificate, without a password. It names the certificate slapd_cert.pem, and it names the key slapd_key.pem, and gives it a lifetime of one year:
root@windbag:/etc/ldap/# openssl req -new -x509 -nodes -out slapd_cert.pem -keyout slapd_key.pem -days 365
Generating a 1024 bit RSA private key
writing new private key to 'slapd_key.pem'
Then it asks you a bunch of questions. Go ahead and tell it everything it wants to know. Both of these files must be owned by the the ldap user, which on Red Hat is 'ldap.' (On Debian it's 'root.') Now set your permissions — slapd_cert.pem must be world-readable, and slapd_key.pem must be readable only by the ldap user, and writable by no one.
Edit slapd.conf Yet Again
Next we need to tell slapd where to find these files:
# The base of your directory in database #1
# Where the database file is physically stored for database #1
#TLS keyfile locations
How do you know what ciphers to name? First see what your OpenSSL supports:
$ openssl ciphers -v
This will generate a long, impressive list. The terms used in the example above are wildcards. HIGH means use all ciphers with key lengths longer than 128 bits (MEDIUM = 128 bits). I don't believe we want to use LOW, which includes 56 and 64-bit strengths. (Visit OpenSSL.org to find out more about these things.)
Now we need to restart the ldap daemon. On Red Hat, type:
# /etc/init.d/ldap restart
# /etc/init.d/slapd restart