Building an LDAP Server on Linux, Part 4 - Page 2

By Carla Schroder | Posted Dec 10, 2003
Generating a TLS Certificate

First we must generate a server certificate. This is a self-signed certificate for slapd alone to use. That is fine if you don't need to set up a Certificate Authority of your own to sign other certificates, and don't need a trusted third-party CA such as Thawte. The trade-off is that nothing will trust it automatically: every client that verifies the server certificate must be told to trust this exact file (for the OpenLDAP client tools, TLS_CACERT in ldap.conf pointing at slapd_cert.pem), or it will refuse the connection.

Run the following command in the directory that holds slapd.conf. It generates a new self-signed X.509 certificate together with its RSA private key. The -nodes option means the key is written unencrypted; slapd has to read it unattended at startup, so it cannot stop to ask for a passphrase. The certificate is named slapd_cert.pem, the key slapd_key.pem, and -days 365 gives the certificate a lifetime of one year, after which you must regenerate it. The 1024-bit key shown was OpenSSL's default in 2003; 1024-bit RSA is no longer considered safe, so today add -newkey rsa:2048 (or larger) to the command:

root@windbag:/etc/ldap/# openssl req -new -x509 -nodes -out slapd_cert.pem -keyout slapd_key.pem -days 365
Generating a 1024 bit RSA private key
...........++++++
...................++++++
writing new private key to 'slapd_key.pem'

Then it asks you a series of questions. Answer them all; the one that matters is the Common Name, which must be the hostname clients will use to reach the server, because clients compare it with the name they connected to. Both files must be owned by the user slapd runs as, which on Red Hat is 'ldap' (on Debian it is 'root'). Now set the permissions: slapd_cert.pem must be world-readable (mode 0644), and slapd_key.pem must be readable only by that user and writable by no one (mode 0400). Anyone who can read the key can impersonate your directory server, so check the key's mode after every regeneration.
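The whole procedure above, as an added shell example rather than the article's own commands: it generates the pair non-interactively with -subj, uses a 2048-bit key instead of the 2003 default, applies the ownership and modes just described, and then checks the things that go wrong in practice: a key that is still group- or world-readable, a key that does not actually belong to the certificate, and a certificate about to expire. The directory, service user and subject are passed in as arguments and are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not code from the article: create slapd's self-signed
# certificate and private key, apply the ownership and permissions the article
# calls for, and verify the files before pointing slapd.conf at them.
#
# Assumptions, none from the article: a 2048-bit key, a -subj instead of the
# interactive questions, and the directory and user supplied as arguments.
set -eu

# gen_cert DIR SUBJECT  -> DIR/slapd_cert.pem and DIR/slapd_key.pem
gen_cert() {
    dir=$1; subject=$2
    # -nodes: unencrypted key, because slapd cannot type a passphrase at boot.
    # -newkey rsa:2048: the 2003-era default of 1024 bits is too small today.
    # -subj: the CN must be the hostname clients use to reach the server.
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "$subject" -out "$dir/slapd_cert.pem" -keyout "$dir/slapd_key.pem" 2>/dev/null
}

# set_perms DIR USER : cert world-readable, key readable only by USER, writable by nobody
set_perms() {
    dir=$1; user=$2
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$dir/slapd_cert.pem" "$dir/slapd_key.pem"
    else
        echo "not root: run 'chown $user $dir/slapd_*.pem' as root" >&2
    fi
    chmod 0644 "$dir/slapd_cert.pem"
    chmod 0400 "$dir/slapd_key.pem"
}

# check_perms DIR : succeeds only with exactly those modes (a 0644 key is the usual mistake)
check_perms() {
    [ "$(stat -c %a "$1/slapd_key.pem")" = 400 ] &&
    [ "$(stat -c %a "$1/slapd_cert.pem")" = 644 ]
}

# key_matches_cert DIR : the key and certificate share one RSA modulus, i.e. they are a pair
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1/slapd_cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$1/slapd_key.pem" 2>/dev/null)" ]
}

# expires_within_days DIR N : true when the certificate expires within N days
# (-checkend exits 0 while the certificate is still good for that many seconds)
expires_within_days() {
    ! openssl x509 -noout -in "$1/slapd_cert.pem" -checkend $(( $2 * 86400 )) >/dev/null
}

# Run for real, as root:  LDAP_DIR=/etc/ldap LDAP_USER=ldap sh slapd-cert.sh
# Without LDAP_DIR set, the script only defines the functions above.
if [ -n "${LDAP_DIR:-}" ]; then
    gen_cert "$LDAP_DIR" "/CN=$(hostname -f)"
    set_perms "$LDAP_DIR" "${LDAP_USER:-ldap}"
    check_perms "$LDAP_DIR" && key_matches_cert "$LDAP_DIR" &&
        echo "TLS files ready in $LDAP_DIR; now add TLSCertificateFile and TLSCertificateKeyFile to slapd.conf"
fi
```

Use /etc/openldap for LDAP_DIR on Red Hat and /etc/ldap on Debian, with LDAP_USER set to whichever user slapd runs as on that system. Sourcing the file without LDAP_DIR lets you call the check functions against a scratch directory first, and expires_within_days is the piece worth putting in cron so the one-year certificate does not expire unnoticed.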

Edit slapd.conf Yet Again

Next we need to tell slapd where to find these files:

# TLS settings are global options: they belong before the first "database" line.
#Specify ciphers
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
#TLS certificate and key file locations
TLSCertificateFile    /etc/ldap/slapd_cert.pem
TLSCertificateKeyFile /etc/ldap/slapd_key.pem

database     bdb
# The base of your directory in database #1
suffix       "dc=carlasworld,dc=net"
rootdn       "cn=Metest,dc=carlasworld,dc=net"
rootpw       {SSHA}Lr7P++EoH6GpIS4GZ36vkV4R422RuW7R
# Where the database file is physically stored for database #1
directory    "/var/lib/ldap"

How do you know what ciphers to name? First see what your OpenSSL supports:

$ openssl ciphers -v

This prints a long, impressive list, one cipher suite per line with its key exchange (Kx), authentication (Au), encryption (Enc) and MAC. The terms used in the example above are OpenSSL cipher-string aliases rather than individual suites: HIGH selects the "high" strength suites (key lengths above 128 bits, plus some 128-bit suites), MEDIUM the 128-bit ones, and LOW the 56- and 64-bit ones, which you do not want. A leading + does not add suites; it moves the matching ones to the end of the list, and a leading ! removes them outright. Pass a candidate string as the argument to the command above and OpenSSL shows exactly what it expands to. One correction to the example: +SSLv2 and +SSLv3 were already the weakest protocols available in 2003 and both are broken today (SSLv2 has since been removed from OpenSSL entirely, so current builds may reject the string as written). Drop them, exclude unauthenticated and MD5 suites with !aNULL:!MD5, and on OpenLDAP 2.4 or later set a protocol floor with the TLSProtocolMin directive (3.3 means TLS 1.2). The ciphers(1) man page on OpenSSL.org lists every alias.
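To see what a cipher string actually turns into, and to catch suites you did not mean to allow, here is an added shell example that is not part of the article: it expands a string with openssl ciphers -v and greps the Enc=/Mac=/Au= columns for suites that have no place in a server configuration. The HARDENED string and the weak-suite pattern are my assumptions; the article's string is run without its +SSLv2:+SSLv3 tail, which current OpenSSL builds may reject.

```shell
#!/bin/sh
# Added example, not from the article: expand an OpenSSL cipher string the way
# slapd's TLSCipherSuite would, and flag the suites in it that should not be there.
# Assumed, not from the article: the HARDENED string and the weak-suite pattern.

# One suite per line, with its Kx=/Au=/Enc=/Mac= columns.
expand_ciphers() {
    openssl ciphers -v "$1"
}

# Number of suites the string expands to (0 if OpenSSL rejects the string).
count_ciphers() {
    expand_ciphers "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Suites using RC4, single or triple DES, no encryption, an MD5 MAC, or no
# server authentication. The protocol column is deliberately not inspected:
# "SSLv3" there only records the version a suite was first defined for.
weak_in_list() {
    expand_ciphers "$1" 2>/dev/null | grep -E 'Enc=(RC4|DES|3DES|None)|Mac=MD5|Au=None' || true
}

# True when the string expands to at least one suite and none of them is weak.
is_clean() {
    [ "$(count_ciphers "$1")" -gt 0 ] && [ -z "$(weak_in_list "$1")" ]
}

ARTICLE="HIGH:MEDIUM"                   # the article's string minus +SSLv2:+SSLv3 (see lead-in)
HARDENED="HIGH:!aNULL:!MD5:!RC4:!3DES"  # assumed replacement for TLSCipherSuite

for s in "$ARTICLE" "$HARDENED"; do
    echo "$s -> $(count_ciphers "$s") suites"
    weak_in_list "$s" | sed 's/^/  weak: /'
done
```

Whatever string you settle on, paste it into TLSCipherSuite only after is_clean reports it acceptable on the same OpenSSL build slapd is linked against; aliases expand differently from one OpenSSL release to the next.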

Now we need to restart the ldap daemon so it reads the new settings. On Red Hat, type:

# /etc/init.d/ldap restart

On Debian:

# /etc/init.d/slapd restart

If slapd fails to come back up, the usual cause is a key file the slapd user cannot read, or a TLS directive placed after the database section; check the system log. Once it is running, confirm that StartTLS really works with an ldapsearch using the -ZZ option, which insists on TLS and fails instead of quietly falling back to cleartext.

Page 3: Migrating User Data
