If you don’t know about LDAP yet, you can visit this introduction article.
In this article we will install OpenLDAP on FreeBSD. Specifically, we will install OpenLDAP 2.4, which is provided by the standard ports of FreeBSD 8.3. The benefit of LDAP, and OpenLDAP specifically, is that we can achieve Single Sign On for other services such as FTP, SSH, etc. LDAP works as a back-end that authenticates users against the directory.
For this article I have:
- FreeBSD 8.3 amd64 (amd64 or x86 makes no difference)
- Internet connection (for downloading the sources).
Navigate to /usr/ports/net/openldap24-server and do a clean installation:
make install clean
You will be prompted with a screen asking which components you want to install. Choosing the default options (checked by default) is the best choice if you only want a basic installation, but enabling some extra options does no harm either. I checked SASL to enable OpenLDAP with SASL using Cyrus-SASL.
OpenLDAP needs a configuration file for its database access, so we must provide one. A quick way is to copy the template file provided by the port:
cd /usr/ports/net/openldap24-server
cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/openldap-data/DB_CONFIG
There are several things to do after installing OpenLDAP. A freshly installed OpenLDAP comes with no encryption, so every connection and message to/from OpenLDAP is plain text. This is insecure: data on the wire is easy to intercept. Here we will set OpenLDAP up to use encryption. There are two approaches we can use: TLS or SSL.
TLS stands for “Transport Layer Security”. Services that employ TLS tend to connect on the same ports as the same services without TLS; thus an SMTP server which supports TLS will listen for connections on port 25, and an LDAP server will listen on 389. SSL stands for “Secure Sockets Layer”, and services that implement SSL do not listen on the same ports as their non-SSL counterparts. Thus SMTPS listens on port 465 (not 25), HTTPS listens on 443, and LDAPS on 636.
The reason SSL uses a different port than TLS is that a TLS connection begins as plain text and switches to encrypted traffic after the STARTTLS directive, whereas SSL connections are encrypted from the beginning. Other than that there are no substantial differences between the two.
In this article we will choose LDAP over TLS, as SSL is deprecated.
Once OpenLDAP is installed, open /usr/local/etc/openldap/slapd.conf and add the following:
security ssf=128
TLSCertificateFile /path/to/your/cert.crt
TLSCertificateKeyFile /path/to/your/cert.key
TLSCACertificateFile /path/to/your/cacert.crt
TLS needs a certificate and a key: the certificate is the server's proof of identity, and the key is the private key used to establish the encrypted connection. security ssf=128 tells OpenLDAP to require 128-bit encryption strength for all connections, both for searching and for updating. This parameter may be adjusted to the security needs of the system.
The certificate can be signed by a third party or by ourselves (self-signing). In this article we use the self-signing method, so we need to create the certificate manually. Make sure OpenSSL is installed, then create an RSA key and a certificate signing request:
openssl genrsa -out cert.key 1024
openssl req -new -key cert.key -out cert.csr
At this point we will be prompted for some values. Enter whatever values you like; however, it is important that the “Common Name” value is the fully qualified domain name of the OpenLDAP server. In this case we will use freebsd.celestial-being.net. Setting this value incorrectly will cause clients to fail when making connections, which can cause great frustration, so follow these steps closely.
Finally, the certificate signing request needs to be signed:
openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt
This creates a self-signed certificate that can be used for the directives in slapd.conf; because we signed it ourselves, cert.crt and cacert.crt are the same file. Once this is done, enable slapd in /etc/rc.conf so that OpenLDAP starts automatically on boot.
Then run /usr/local/etc/rc.d/slapd start to start slapd, and confirm it is running by checking whether it is listening on port 389:
sockstat -4 -p 389
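As an added example (these are not the article's own commands), the script below produces the same key, CSR and self-signed certificate as above without the interactive prompts, then checks the three things that most often break TLS later: that the key really belongs to the certificate, that the Common Name is the server's FQDN, and that the private key is not readable by anyone but its owner. It assumes openssl(1) is installed; the FQDN freebsd.celestial-being.net is taken from the article, while the 2048-bit key size (instead of the article's 1024) and the temporary working directory are this example's choices.

```shell
#!/bin/sh
# Added example, not from the original article: create the self-signed certificate
# non-interactively (CN = server FQDN) and sanity-check the files slapd.conf points
# at before starting slapd.  Assumes openssl(1) is installed; the hostname and the
# 2048-bit key size are this example's choices.
set -eu

# gen_selfsigned DIR FQDN: writes cert.key, cert.csr and cert.crt into DIR.
gen_selfsigned() {
    dir=$1; fqdn=$2
    # private key is created under umask 077 so it is never group/world-readable
    (umask 077; openssl genrsa -out "$dir/cert.key" 2048 2>/dev/null)
    # -subj answers the interactive prompts; the CN must be the server's FQDN
    openssl req -new -key "$dir/cert.key" -subj "/CN=$fqdn" -out "$dir/cert.csr"
    openssl x509 -req -in "$dir/cert.csr" -days 365 -signkey "$dir/cert.key" \
        -out "$dir/cert.crt" 2>/dev/null
    chmod 644 "$dir/cert.crt"   # the cert is public; clients need it as cacert.crt
}

# verify_tls_files KEY CRT FQDN: returns 0 only if the key belongs to the
# certificate, the certificate's CN equals FQDN, and the key is readable by
# its owner alone.  These three mistakes cause most TLS connection failures.
verify_tls_files() {
    key=$1; crt=$2; fqdn=$3; rc=0
    # 1. pairing: the public key extracted from each file must be identical
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
        echo "FAIL: $key is not the private key for $crt" >&2; rc=1
    fi
    # 2. the CN must match the host name clients put in ldap.conf's uri
    cn=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null | sed 's/.*CN *= *//')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: certificate CN is '$cn', expected '$fqdn'" >&2; rc=1
    fi
    # 3. group/other permission bits of the private key must all be off
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group/other; chmod 600 it" >&2; rc=1
    fi
    return $rc
}

work=$(mktemp -d "${TMPDIR:-/tmp}/ldaptls.XXXXXX")
gen_selfsigned "$work" freebsd.celestial-being.net
verify_tls_files "$work/cert.key" "$work/cert.crt" freebsd.celestial-being.net &&
    echo "OK: install $work/cert.crt and cert.key, then enable slapd in rc.conf"
# On FreeBSD the next steps are: slapd_enable="YES" in /etc/rc.conf,
# /usr/local/etc/rc.d/slapd start, and sockstat -4 -p 389 to confirm the listener.
```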
Configuring The Client
Install openldap24-client if it is not installed already (normally it is installed automatically as a dependency of openldap24-server). It can be found in /usr/ports/net/openldap24-client. The client machines will always have the OpenLDAP libraries, since those are all that security/pam_ldap and net/nss_ldap support, at least for the moment.
The configuration file for the OpenLDAP libraries is /usr/local/etc/openldap/ldap.conf. Edit this file to contain the following values:
base dc=celestial-being,dc=net
uri ldap://freebsd.celestial-being.net/
ssl start_tls
tls_cacert /path/to/your/cacert.crt
At this point we should be able to run ldapsearch -Z on the client machine; -Z means “use TLS” (StartTLS). If you encounter an error, something is configured wrong, most likely the certificates. Use openssl(1)'s s_client and s_server to ensure they are configured and signed properly.
Make sure clients have access to cacert.crt; otherwise they won't be able to connect.