OpenLDAP Setup with CA Signed Certificate on CentOS

A central directory service is a common component of enterprise IT infrastructures. Frequently companies organize their complete user management through a directory service, giving them the comfort of SSO. This makes it a requirement for services shared by corporate users to integrate seamlessly with the authentication service. The integration of a directory service, be it OpenLDAP, Apache Directory Server, or Active Directory, is one of the most common cornerstones of a Hadoop installation.

In upcoming posts I am going to highlight some of the necessary steps for a dependable integration of Hadoop into today’s secure enterprise infrastructures, including a demonstration of Apache Argus. As a preliminary step, this post revisits some basic principles that comprise a secure PKI and a central OpenLDAP directory service. Knowledge of these is going to be presumed going forward. In this post CentOS is used as the operating system.

Creating a CA and Signing the Certificate

Before we begin with the installation of an LDAP directory service we are going to pay attention to the setup of a PKI infrastructure, or at least to some of its core elements. A PKI consists of a handful of components that need to be understood well. In addition, the naming conventions for the files and formats involved are often unclear, which can be quite confusing.

The components a PKI consists of are (*):

  • Certificate Authority (CA)
  • Registration Authority
  • Central Directory
  • Certificate Management System
  • Certificate Policy

Common file naming conventions for X.509 certificates are (*):

  • .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”
  • .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
  • .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
  • .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
  • .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

We want our directory service to encrypt communication with our clients in a trusted manner. For this purpose we are going to create a CA that we will then use to sign the certificates we use. Clients and services will share the same CA and will therefore be able to verify each other’s requests.

Creating a CA

Let’s begin by creating a Certificate Authority (CA) using OpenSSL. In CentOS you will find the openssl.cnf under /etc/pki/tls/, which we will use. Some minor changes are required to make it useful for our purposes, but before making any changes it is wise to make a copy of the file.

The CA will be created under the default path /etc/pki/CA, so you should make sure you have this set up correctly under the section [CA_default] in the OpenSSL configuration file. The CA certificate is going to be stored under /etc/pki/CA/certs while the key will reside under /etc/pki/CA/private. The database used by the CA to store information about signed certificates will be stored in the file index.txt directly in the folder /etc/pki/CA. In addition to that a serial number is needed. Create these files first:

Then make sure you have the following in your OpenSSL configuration file (/etc/tls/openssl.cnf):

The above configuration is the way we want our default CA to be set up in the OpenSSL configuration. As we will also make use of signing_policy and signing_req, you should make sure your openssl.cnf also contains the configuration sections below:

From here we go ahead and create our CA using OpenSSL. We do this by issuing a certificate request (req) with the -x509 flag. Omitting -x509 would create a normal certificate signing request; with it, openssl creates a self-signed CA certificate, here valid for 10 years. If you don’t want to secure your private key with a password you can add -nodes to the command provided here. Having no password on the key is less secure, but in a testing environment it frees you from entering a password each time you sign a certificate.

The private key also needs to be secured by limiting its access rights. We can achieve this with:

To view the contents of your newly created CA certificate, you can try this:

We can now proceed with the creation of our server certificate, which we will sign using the CA created before. To create the server certificate we issue almost the same openssl req command as before, but omit the -x509 flag:

In the prior step we also signed the fresh certificate with our own CA. Check it with this command:

Our freshly minted certificate is valid until 11 September 2015. Let’s go ahead and create our directory service now and secure it with this certificate.
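The whole CA flow from this section, as an added example that is not part of the original post: a throwaway CA is built under a scratch directory (instead of /etc/pki/CA, so it runs unprivileged), with its own minimal openssl.cnf using the [CA_default], signing_policy and signing_req sections named above; a 10-year self-signed CA certificate is created with req -x509, the key is locked down, a server request is made without -x509, signed with openssl ca, and finally checked against the CA. The subject names and the hostname ldap.example.test are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a scratch CA and sign a
# server certificate with it. $1 is a working directory that stands in for
# /etc/pki/CA; DN values and the hostname are assumed placeholders.
set -eu

# Minimal openssl.cnf for the scratch CA; section names follow the post.
write_ca_config() {
  work=$1
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $work/ca
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/certs/ca.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = signing_policy
x509_extensions = signing_req

[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ signing_req ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Directory layout, empty index.txt and the serial file, then the CA itself.
build_test_ca() {
  work=$1
  mkdir -p "$work/ca/certs" "$work/ca/private" "$work/ca/newcerts"
  : > "$work/ca/index.txt"
  echo 01 > "$work/ca/serial"
  write_ca_config "$work"
  # -x509 makes this a self-signed CA certificate (10 years); -nodes leaves
  # the test key unencrypted, as discussed in the post.
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -config "$work/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Example Test CA" \
    -keyout "$work/ca/private/ca.key" -out "$work/ca/certs/ca.crt"
  # Restrict the CA private key to its owner.
  chmod 600 "$work/ca/private/ca.key"
}

# Same req command without -x509 (a CSR for $2), then sign it with the CA in $1.
issue_server_cert() {
  work=$1; host=$2
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -config "$work/openssl.cnf" -subj "/CN=$host" \
    -keyout "$work/server.key" -out "$work/server.csr"
  chmod 600 "$work/server.key"
  openssl ca -batch -notext -config "$work/openssl.cnf" \
    -in "$work/server.csr" -out "$work/server.crt"
}

# Fails unless the server certificate chains to the CA; prints its notAfter date.
verify_server_cert() {
  work=$1
  openssl verify -CAfile "$work/ca/certs/ca.crt" "$work/server.crt" >/dev/null
  openssl x509 -in "$work/server.crt" -noout -enddate
}

# Number of certificates the CA has recorded in index.txt (one line each).
issued_count() { wc -l < "$1/ca/index.txt" | tr -d ' '; }

if [ "${1:-}" = demo ]; then
  W=$(mktemp -d)
  build_test_ca "$W"
  issue_server_cert "$W" ldap.example.test
  verify_server_cert "$W"
  echo "certificates signed so far: $(issued_count "$W")"
fi
```

Run it as sh ca-demo.sh demo. The notAfter line printed at the end is the same field the post inspects on its certificate, and index.txt growing by one line per signed certificate is how the CA keeps track of what it has issued.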

Installing OpenLDAP with CA Signed Certificate

Installing OpenLDAP on CentOS is quite straightforward and can be achieved in a few simple steps. In the section “Further Readings” below you should be able to find some more resources if you experience issues following the procedure provided here.

Let’s first install OpenLDAP and configure it using slapd.conf according to our needs:

For administrative operations, or as a binding user that is allowed to search the directory (usually any user is allowed to search), we are going to create a Manager or root account. This account needs a password, which we store hashed in the slapd.conf configuration file. To create the password hash you can use the slappasswd command:

Copy the complete {SSHA}.... part into your slapd.conf configuration at the appropriate place. You can use the configuration provided here by replacing the rootpw value with your own (hashed) password.
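As an added example (not from the original post), the following reproduces the {SSHA} scheme slappasswd uses by default with nothing but openssl, and adds the check a practitioner wants after pasting a rootpw line into slapd.conf: verifying that the stored hash really matches the password you intend to bind with. The format is "{SSHA}" followed by base64(SHA-1(password || salt) || salt), with a 4-byte random salt; the password values below are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): generate and verify {SSHA}
# password hashes of the form slappasswd produces, using openssl only.
set -eu

# Produce a {SSHA} hash for password $1 with a fresh 4-byte random salt.
ssha_hash() {
  tmp=$(mktemp -d)
  openssl rand 4 > "$tmp/salt"
  # SHA-1 over password followed by the raw salt bytes
  { printf '%s' "$1"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/digest"
  # stored value is base64(digest || salt), prefixed with the scheme name
  printf '{SSHA}%s\n' "$(cat "$tmp/digest" "$tmp/salt" | openssl base64 -A)"
  rm -rf "$tmp"
}

# Return 0 if password $1 matches the {SSHA} hash $2, 1 if not, 2 if $2 is
# not an {SSHA} value at all (e.g. a cleartext rootpw left in slapd.conf).
ssha_verify() {
  pw=$1
  case $2 in
    '{SSHA}'*) enc=${2#\{SSHA\}} ;;
    *) echo "not an {SSHA} hash: $2" >&2; return 2 ;;
  esac
  tmp=$(mktemp -d)
  printf '%s' "$enc" | openssl base64 -d -A > "$tmp/raw"
  head -c 20 "$tmp/raw" > "$tmp/digest"   # SHA-1 digest is always 20 bytes
  tail -c +21 "$tmp/raw" > "$tmp/salt"    # everything after it is the salt
  { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/calc"
  if cmp -s "$tmp/digest" "$tmp/calc"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

if [ "${1:-}" = demo ]; then
  h=$(ssha_hash 'constructed-test-password')
  echo "rootpw $h"
  ssha_verify 'constructed-test-password' "$h" && echo "password matches hash"
  ssha_verify 'wrong' "$h" || echo "wrong password rejected (rc=$?)"
fi
```

Because the salt is random, hashing the same password twice yields two different {SSHA} strings; that is expected, and ssha_verify recovers the salt from the stored value rather than comparing strings. A hash produced by slappasswd can be checked the same way, since the encoding is identical.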

You can go ahead and use the configuration below, which also applies password policies. The policies are provided in the next section. Both the slapd.conf and the policies were taken from here; go there for further details.

For the password policy, place this into a file named ppolicy.ldif in the /etc/openldap directory:

Test the configuration before starting the service:

Before we apply our certificate to the server, let’s first test our setup by adding entries to the database, including a test user. The entries are stored in a file named users.ldif that should contain something similar to this:

We now add this to our directory and search for our guest user. If you want to enter your password at the prompt instead of writing it out on your shell, replace every -w your_rootpw with -W.

We are now almost done. What is left to do is to secure the service via SSL. For this we need to provide the signed certificate we created to the server configuration, in addition to the CA certificate itself. The client also needs the CA certificate. We do this by adding the following to ldap.conf and slapd.conf under /etc/openldap:

Please make sure that you’ve also copied the files provided here into the appropriate place.

Now restart the service and test the configuration using StartTLS:

This should work without any issues. We now have our service secured by our own signed certificate over StartTLS. The difference between SSL and StartTLS can be seen as follows:

  1. ldap:// + StartTLS should be directed to a normal LDAP port (normally 389), not the ldaps:// port.
  2. ldaps:// should be directed to an LDAPS port (normally 636), not the LDAP port.

By default, OpenLDAP does not listen on port 636 after installation, so there is no SSL connectivity over ldaps://. You can change this in /etc/sysconfig/ldap by setting the option SLAPD_LDAPS from no to yes.

We can test this with another search, this time over ldaps://:
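Before restarting slapd with the TLS directives from this section, the checks below catch the three mistakes that otherwise only surface as an opaque "Can't contact LDAP server" from ldapsearch -ZZ: a server certificate that does not chain to the CA the clients trust or does not carry the hostname they connect to, a key file that does not belong to the certificate, and a key readable by group or others. This is an added example, not code from the original post; the directive names TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile and TLS_CACERT are OpenLDAP's own, while the file paths, the hostname ldap.example.test and the base DN are assumed placeholders. The two probe searches mirror the StartTLS and ldaps:// tests above and are only meaningful against a running server.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the TLS
# material slapd will load, the matching config lines, and the StartTLS/LDAPS
# probes. Paths, hostname and base DN are assumed placeholders.
set -eu

# 1. Certificate must chain to the CA and carry the hostname clients use;
#    otherwise ldapsearch -ZZ (and every TLS client) rejects the server.
check_chain_and_host() {   # ca.crt server.crt hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null
}

# 2. Key must belong to the certificate: compare the public keys they carry.
check_key_matches_cert() { # server.crt server.key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 3. slapd reads the key as the ldap user; group and others get nothing.
check_key_private() {      # server.key
  case $(ls -l "$1" | cut -c5-10) in
    ------) return 0 ;;
    *)      echo "$1 is readable by group or others" >&2; return 1 ;;
  esac
}

# Run all three; succeeds only if every check passed.
preflight() {              # ca.crt server.crt server.key hostname
  check_chain_and_host "$1" "$2" "$4" &&
  check_key_matches_cert "$2" "$3" &&
  check_key_private "$3"
}

# TLS stanza for slapd.conf and the single line clients need in ldap.conf.
print_tls_directives() {   # ca.crt server.crt server.key
  cat <<EOF
# slapd.conf
TLSCACertificateFile  $1
TLSCertificateFile    $2
TLSCertificateKeyFile $3

# ldap.conf (clients only need the CA certificate)
TLS_CACERT $1
EOF
}

# The searches from the post: StartTLS on 389 (-ZZ makes TLS mandatory, so a
# downgrade to cleartext fails instead of silently succeeding) and LDAPS on 636.
probe_directory() {        # hostname base_dn
  ldapsearch -x -ZZ -H "ldap://$1" -b "$2" -s base '(objectClass=*)' dn
  ldapsearch -x -H "ldaps://$1:636" -b "$2" -s base '(objectClass=*)' dn
}

# Offline helper: a self-signed certificate that doubles as its own CA, with
# the hostname in a subjectAltName, so the checks can be exercised anywhere.
make_self_signed() {       # dir hostname
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\n[dn]\n[ext]\nbasicConstraints = CA:TRUE\nsubjectAltName = DNS:%s\n' "$2" > "$1/req.cnf"
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 -subj "/CN=$2" \
    -config "$1/req.cnf" -keyout "$1/server.key" -out "$1/server.crt"
  chmod 600 "$1/server.key"
}

if [ "${1:-}" = demo ]; then
  D=$(mktemp -d)
  make_self_signed "$D" ldap.example.test
  preflight "$D/server.crt" "$D/server.crt" "$D/server.key" ldap.example.test \
    && echo "pre-flight OK" || echo "pre-flight FAILED"
  print_tls_directives /etc/openldap/cacerts/ca.crt \
    /etc/openldap/certs/server.crt /etc/openldap/certs/server.key
fi
```

With the real files, call preflight /path/to/ca.crt /path/to/server.crt /path/to/server.key ldap.example.test before the restart and probe_directory ldap.example.test "dc=example,dc=test" afterwards; the -ZZ in the first probe is what turns "TLS was offered but not used" into a hard failure.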

Further Readings
