Configure OpenLDAP to use SSL/TLS to encrypt data communication

OpenLDAPAndOpenSSLIntroduction
OpenLDAP is one of the most common directory services. It is an open-source project developed and managed by open-source communities and volunteers. It provides all the functions of directory services, including Directory Search, identity authentication, secure channel, and filter. Most Linux distributions contain OpenLDAP installation packages. By default, OpenLDAP uses the unencrypted TCP/IP protocol to receive service requests and transmit the query results back to the client. Most directory services are used for system security authentication, such as user logon and identity authentication. Therefore, it also supports SSL/TLS-based encryption protocols to ensure the confidentiality and integrity of data transmission. OpenLDAP uses OpenSSL to implement SSL/TLS encrypted communication.
OpenSSL is an open-source implementation package for SSL/TLS encryption algorithms and communication protocols. It implements SSLv2, SSLv3, TLSv1, and TLSv1.2 encryption algorithms and communication protocols, and provides APIs to third-party applications. Third-party applications can easily use OpenSSL to encrypt plaintext communication. The cooperation between OpenLDAP and OpenSSL is the main content of this article, including the SSL/TLS configuration of the OpenLDAP server and the SSL/TLS configuration of the OpenLDAP client.
All the content and commands described in this article apply to Redhat Enterprise Linux 6.3. The Linux versions of other releases may be slightly different.
 
ConfigurationOpenLDAPUseSSL/TLSEncrypted data communication
SSL/TLSIntroduction to encryption principles
SSL/TLS is an encryption method based on the PKI mechanism, including certificate authentication, key exchange, asymmetric encryption, and symmetric encryption. SSL/TLS uses CA as an authoritative organization trusted by the server and client. certificate issuance and authentication depend on CA, it is assumed that the certificate issued by the CA is reliable and reliable, the content in the certificate is authentic and valid, and can be used for secure and reliable communication encryption between the client and the server.
SSL/TLS certificates are used to authenticate the identities of the server and the client, and are used for asymmetric encryption during key exchange. After the key exchange is complete, you can use this key for symmetric encryption of communication data. The specific encryption algorithm is obtained through mutual negotiation between the client and the server. Because of the different SSL/TLS libraries and different user configurations of the server and client, the list of Algorithms supported by both parties is different. when both parties perform SSL/TLS handshake, you need to inform the other party of the list of supported algorithms and their priority. Once the other party finds the first supported algorithm in the priority order, the negotiation is completed. Otherwise, the negotiation fails, SSL/TLS connection is disconnected.
How to configure the algorithm list of the OpenLDAP client and server will be highlighted in the subsequent content of this article. You can control this list to improve the security level, or lower the security level to adapt to more algorithms.
OpenSSLCommon commands
OpenSSL provides a large number of commands to help users use and view SSL/TLS encryption algorithms, view certificates, generate certificates, and test SSL/TLS connections. The following describes some common commands.
· View all algorithms supported by OpenSSL

#openssl ciphers

· Check whether OpenSSL supports an algorithm, such as a ECDH-ECDSA-AES128-GCM-SHA256

# openssl ciphers ECDH-ECDSA-AES128-GCM-SHA256

· Check whether OpenSSL supports a protocol, such as TLSv1.2.

# openssl ciphers TLSv1.2

· View x509 certificates

# openssl x509 -in cert.pem -text –noout

· Detect connections with LDAP server

·                                        # openssl s_client -connect 9.181.137.155:636 -showcerts -state \

  -CAfile /opt/ibm/director/vmi/data/sec/vmitruststore.pem

· Generate a self-Signed CA certificate

·                                        #openssl req -x509 -newkey rsa:1024 -passout pass:123456 -days 3650 \

·                                        -keyout whhit.pem.key -out whhit.pem.cer -subj \

"/CN=whhit.me/OU=WeRun Club/O=whhit/L=Weihai/S=Shandong/C=CN"

· Generate a private key

#openssl genrsa -des3 -out whhit.pem.key -passout pass:123456 1024

· Use the specified private key to generate a CSR (Certificate Signing Request)

·                                        #openssl req -new -key whhit.pem.key -passin pass:123456 \

·                                        -out whhit.pem.csr -subj \

 "/CN=whhit.me/OU=WeRun Club/O=whhit/L=Weihai/S=Shandong/C=CN"

· Export the encrypted private key as the plaintext Private Key

#openssl rsa -in whhit.pem.key -passin pass:123456 -out whhit.pem.clear.key

· Generate a certificate using the specified Private Key signature

#openssl x509 -req -days 3650 -in whhit.pem.csr -signkey whhit.pem.clear.key -out whhit.pem.cer

· Convert the private key and certificate to a single file in PKCS #12 format

·                                        #openssl pkcs12 -export -in whhit.pem.cer -inkey whhit.pem.key -passin pass:123456 \

-out whhit.p12 -passout pass:123456 -name tomcat

OpenLDAP Of SSL/TLS Server Configuration
The configuration of the OpenLDAP Server includes software installation, certificate generation, and password group configuration. The following describes in detail.
· Software to be installed on the server
Check whether the components of OpenLDAP and OpenSSL have been installed. If not, install the following components first:

openldap2-back-meta-2.4.20-35，openldap2-client-2.4.20-35，openldap2-2.4.20-35，\openldap2-back-perl-2.4.20-35，openssl-1.0.1e-13，openssl-32bit-1.0.1e-13，\php5-openssl-5.2.14-0.7.30.38.2，python-openssl-0.7.0-217

· Use PKI to generate SSL/TLS server certificates
There are three steps to create a certificate: creating a CA, creating a certificate request, and signing a certificate request with a CA to generate a certificate.
1. Create a CA
/Etc/pki/tls/misc is the working directory, and/etc/pki/CA is the directory that stores all CA-related files. If the script detects that a file exists under/etc/pki/CA, the CA script does nothing. To ensure that the CA script works properly, delete all files in the/etc/pki/CA directory first.

# Cd/etc/pki/tls/misc (go to the working directory)

#./CA-newca (generate CA)

2. Create a Server certificate
The certificate is generated in two steps: generate the certificate request file and sign the certificate file with the CA.

#./CA. pl-newreq (generate a certificate request)

3. CA sign the certificate request

#./CA.pl –sign

3 files are created under the/etc/pki/tls/misc path, newreq. pem creates a certificate request file, newcert. certificate issued by pem CA, newkey. the key of the pem certificate.
Rename the certificate and private key file

# mv newcert.pem server.cert# mv newkey.pem server.key# chmod 644 server.cert# chmod 644 server.key

Copy the two files and the CA certificate files to the directory where OpenLDAP stores the certificates, usually in/etc/openldap/cacerts. If CA and LDAP server are not on the same machine, run the scp command to copy the following files to the corresponding directory of LDAP server.

# mv server.cert /etc/openldap/cacerts# mv serve.key /etc/openldap/cacerts# cp ../../CA/cacert.pem /etc/openldap/cacerts

· Configure the LDAP server
1. Stop the LDAP Service

#service ldap stop

2. edit/etc/openldap/slapd. conf and add the following content to the slapd. conf file:

3. TLSCACertificateFile/etc/openldap/cacerts/cacert. pem # configure the CA certificate path

4. TLSCertificateFile/etc/openldap/cacerts/server. cert # Configure the server certificate path

5. TLSCertificateKeyFile/etc/openldap/cacerts/server. key # Configure the server Private key Path

6.                          TLSCipherSuite ALL:!TLSv1.1:TLSv1.2:!SSLv2:!aNULL:!eNULL:!MD5:!MEDIUM:!LOW

7 .:! EXPORT: @ STRENGTH # Supported Protocol passwords and unsupported protocols and passwords ,! Not Supported

8. TLSVerifyClient never # Sets whether to authenticate the client identity. The value can be never/allow/try/demand,

9. # never does not need to verify the identity of the client. The Client only needs to have a CA certificate.

10. # The allow Server requires the client to provide a certificate. If the client does not provide a certificate, the session will proceed normally.

11. # try the Client provides a certificate, but the Server may not be able to verify the certificate. This certificate will be ignored and the session is normal.

# Demand Server needs to authenticate the client identity, and the Client needs to have its own certificate and Private Key

12. Start the LDAP Service

#service ldap start

OpenLDAP Of SSL/TLS Client Configuration
The configuration of the OpenLDAP client includes certificate creation, server connection configuration, certificate configuration, and password group configuration. The detailed steps are as follows.
· Client certificate File Creation
The Client certificate is similar to the Server certificate. First, create a request file and then use CA to sign the request file. Generally, the Client host name (hostname) is used as the Common name for signature. The certificate Name is actually the Common Name field in the certificate. This field should be retrieved from the certificate and verified based on the host name. If the two cannot match, the security of the certificate will be questioned. Some companies use the same certificate on different hosts, even if the Common Name in the certificate is only used for one host, this is to ensure that the certificate comes from the same company and can perform more in-depth checks. The value of Common Name depends on the security requirements of the project.

#. /CA. pl-newreq (generate a certificate request )#. /CA. pl-sign # mv newcert. pem client. cert # mv newkey. pem client. key # chmod 644 client. cert # chmod 644 client. key

Copy the two files and the CA certificate files to the Client OpenLDAP directory to store the certificates, such as/etc/openldap/cacerts.
· Edit/etc/openldap/ldap. conf

· URI ldaps: // vm189.cn.ibm.com: 636 # It must be the same as the full qualified name entered in the server certificate.

· TLS_CACERT/etc/openldap/cacerts/cacert. pem # CA certificate

· TLS_REQCERT never # whether the client requires server Authentication

·                                        TLS_CIPHER_SUITE ALL:!TLSv1.1:!TLSv1:!SSLv3:!SSLv2:!aNULL:!eNULL:!MD5:!MEDIUM:!LOW:

!EXPORT:@STRENGTH

· Restart the LDAP Service

#service ldap restart

· Check whether the connection with the LDAP server can be established

·                                        #openssl s_client –connect vm189.cn.ibm.com:636 –CAfile /etc/openldap/cacerts/cacert

.pem-showcerts –state

Verify OpenLDAP The SSL/TLS Agreement Negotiation Method
To verify the correctness of the SSL/TLS connection protocol between the OpenLDAP server and the client, we can follow the steps below.
· Configure the server and restart the LDAP Service on the server
Configure the LDAP server according to the preceding steps.
Restart LDAP Service

#service ldap restart

Import LDAP user information
Upload the ldif file to the ldap server, such as the tmp directory. If the imported file is named ldapou. ldif, the content of the oladmin account in the file is as follows:

dn: uid=oladmin,ou=People,c=cn,dc=ibm,dc=comuid: oladmincn: oladminsn: oladminmail: oladmin@cn.ibm.comobjectClass: personobjectClass: organizationalPersonobjectClass: inetOrgPersonobjectClass: topobjectClass: posixAccountuserPassword: passw0rduidNumber: 501gidNumber: 501homeDirectory: /home/oladmin

Run the following command to add users and groups to the LDAP server directory:

# ldapadd -x -D "cn=root,c=cn,dc=ibm,dc=com" -w passw0rd -f /tmp/ldapou.ldif

Restart LDAP Service

#service ldap restart

· Configure the client and restart the LDAP Service of the Client
Configure the ldap. conf file in the/etc/openldap/directory of the client. The content is as follows:

TLS_REQCERT neverTLS_CIPHER_SUITE ALL :! TLSv1.1 :! TLSv1 :! SSLv3 :! SSLv2 :! ANULL :! ENULL :! MD5 :! MEDIUM :! LOW :! EXPORT: @ STRENGTHURI ldaps: // vm189.cn.ibm.com: 636 # ldap server address base c = cn, dc = ibm, dc = com binddn cn = root, c = cn, dc = ibm, dc = combindpw crypt {partition} searchfilter (& (uid = % v) (objectclass = inetOrgPerson) pam_login_attribute uidldap_version 3 timelimit limit 30bindpw_key/etc/openldap/fsm. data # password TLS_CACERT/opt/ibm/director/vmi/data/sec/vmitruststore. pem # CA certificate pam_lookup_policy yes

· Verify the LDAP user information of the server on the client
Run the ldapsearch command to view the user on the server.

# Ldapsearch-x-ZZ-h 9.181.137.189 636 (ZZ is used to start a TLS connection)

Command running result

# extended LDIF# LDAPv3# base <c=cn,dc=ibm,dc=com> (default) with scope subtree# filter: (objectclass=*)# requesting: 636# cn, ibm.comdn: c=cn,dc=ibm,dc=com# People, cn, ibm.comdn: ou=People,c=cn,dc=ibm,dc=com# Group, cn, ibm.comdn: ou=Group,c=cn,dc=ibm,dc=com# oladmin, People, cn, ibm.comdn: uid=oladmin,ou=People,c=cn,dc=ibm,dc=com

...... (Other Account information is omitted here)

From the returned results, you can find the user imported from the server, such as the account information such as oladmin, to prove that the tls ldap connection has been established.
 
Summary
Through the introduction and experiment in this article, we can learn more about how OpenLDAP and OpenSSL work collaboratively, and how to configure the OpenLDAP server and client to meet users' requirements for data communication security, these are users' urgent needs when network security and encryption security problems are becoming increasingly serious.