OpenLDAP Setup with CA Signed Certificate on CentOS

A central directory service is a common fragment of Enterprise IT infrastructures. Frequently companies organize their complete user management through a directory service, giving them the comfort of SSO. This makes it a requirement for services shared by corporate users to seamlessly integrate with the authentication service. The integration of a directory service – may it be an OpenLDAP, Apache Directory Server, or Active Directory – is one of the most common cornerstones of a Hadoop installation.

In up coming posts I am going to highlight some of the necessary steps for a dependable integration of Hadoop in today’s secure enterprise infrastructures including a demonstration of Apache Argus. As a preliminary step we are going to revisit some basic principals in this post that comprises a secure PKI, and a central OpenLDAP directory service. The knowledge of this is going to be presumed going forward. In this post CentOS is used as the operation system.

Creating a CA and Signing the Certificate

Before we begin with the installation of an LDAP directory service we are going to pay attention to the setup of a PKI infrastructure, or at least at some of the core elements of such. A PKI consists of a handful of components that need to be understood well. In addition often there is no clear naming convention to the files, and formats involved that it can be quite confusing.

The components a PKI consist of are (*):

  • Certificate Authority (CA)
  • Registration Authority
  • Central Directory
  • Certificate Management System
  • Certificate Policy

Common naming convention according to X.509 are (*):

  • .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“
  • .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
  • .p7b, .p7cPKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
  • .p12PKCS#12, may contain certificate(s) (public) and private keys (password protected)
  • .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

We will want our directory service to encrypt the communication between our clients in a trusted manner. For this purpose we are going to create a CA that we will further use to sign our used certificates. Client and services will have the same CA and will therefor be able to verify each others requests.

Creating a CA

Let’s begin by creating a Certificate Authority (CA) using OpenSSL. In CentOS you will find the openssl.cnf under /etc/pki/tls/ which we will use. Some minor changes are required in order to be usufuil for our purposes. But before we do any changes it is wise to make a copy of the file.

$ cp /etc/pki/tls/openssl.cnf
$ vi /etc/pki/tls/openssl.cnf

The CA will be created under the default path /etc/pki/CA so you should make sure you have this setup correctly under the section [CA_default]  in the OpenSSL configuration file. The CA certificate is going to be stored under /etc/pki/CA/certs while the key will reside under /etc/pki/CA/private. The database used by the CA to store information about signed certificates will be stored in the file index.txt directly in the folder /etc/pki/CA. In addition to that a serial number is needed. Create these files first:

$ touch index.txt
$ echo '01' > serial.txt

Then make sure you have the following in your OpenSSL configuration file (/etc/tls/openssl.cnf):

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
[ ca ]
default_ca  = CA_default        # The default ca section

[ CA_default ]
dir     = /etc/pki/CA       # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject    = no            # Set to 'no' to allow creation of
                    # several ctificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $certs/ca.crt    # The CA certificate
serial      = $dir/serial.txt   # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/ca.key  # The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

The above configuration is the way we want our default CA based on the OpenSSL configuration to be. As we will also make use of signing_policy  and signing_req , you should make sure your openssl.cnf  also contains the below configuration sections:

# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ signing_policy ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ signing_req ]

From here we go ahead and create our CA using OpenSSL. We do this by creating a SSL request (req) using -x509 . Omitting -x509  would create us a normal PKI request, leaving it create us here a CA valid for 10 years. If you don’t want to secure your private key with a password you can add -nodes to the here provided command. Having no password for the key is less secure, but in a testing environment frees you from providing a password each time you sign a certificate.

$ cd /etc/pki/CA
$ openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650

The private key also needs also be secured by limiting the access rights. We can achieve this by:

$ chmod 0400 private/ca.key

To view the the content of your newly create CA you can try this:

$ openssl x509 -in certs/ca.crt -text -noout
        Version: 3 (0x2)
        Serial Number: 10452765967770567559 (0x910faf443d41c387)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Bavaria, L=Munich, O=Hortonworks Inc., OU=Security CA, CN=knox.cluster/emailAddress=ca@localhost
            Not Before: Sep 11 09:22:17 2014 GMT
            Not After : Sep  8 09:22:17 2024 GMT
        Subject: C=DE, ST=Bavaria, L=Munich, O=Hortonworks Inc., OU=Security CA, CN=knox.cluster/emailAddress=ca@localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

            X509v3 Basic Constraints: 
    Signature Algorithm: sha1WithRSAEncryption

We can now proceed with the creation of our server certificate which we will sign using the prior created CA. Creating a server certificate we issue almost the same openssl request command as before but omitting the -x509 flag:

$ openssl req -config /etc/pki/tls/openssl.cnf -newkey rsa:2048 -sha256 -nodes -out knox_cert.csr -outform PEM -keyout knox_key.pem

# signing the request
$ openssl ca -config /etc/pki/tls/openssl.cnf -policy signing_policy -extensions signing_req -out knox_cert.pem -infiles knox_cert.csr

In the prior step we also already went ahead and signed the fresh certificate with our own CA. Check it out with this command:

$ openssl x509 -in knox_cert.pem -text -noout
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Bavaria, L=Munich, O=Hortonworks Inc., OU=Security CA, CN=knox.cluster/emailAddress=ca@localhost
            Not Before: Sep 11 18:28:53 2014 GMT
            Not After : Sep 11 18:28:53 2015 GMT
        Subject: C=DE, ST=Bavaria, O=Hortonworks Inc., OU=Hadoop CA, CN=knox.cluster/emailAddress=knox@localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

            X509v3 Basic Constraints: 
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption

Our freshly minted certificate valid unitl 11th of September 2015. Let go ahead and create now our directory service and secure it with this certificate.

Installing OpenLDAP with CA Signed Certificate

Installing OpenLDAP on CentOS is quite straightforward and can be achieved in a few simple steps. Below in the section “Further Readings” you should be able to find some more resources if you are experience some issues following the here provided procedure.

Let’s first install OpenLDAP and configure it using slapd.conf according to our needs:

$ yum install openldap-servers openldap-clients
$ mv slapd.d slapd.d.origin         # making a backup

# preparing the database
$ cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ chown -R ldap:ldap /var/lib/ldap

For administrative operations or as a binding user that is allowed to search the directory (usually any user is allowed to search) we are going to create a Manager or root account. This account needs a password we store it hashed within in the slapd.conf configuration file. To create the password hash you can use the slappasswd command:

$ slappasswd
New password: 
Re-enter new password: 

Copy the complete {SSHA}….  part into your slapd.conf configuration at the appropriate place. You can use the here provide configuration by replacing the rootpw  with your password.

You can go ahead and use the below configuration which also applies password policies. The policies are provided in the next section. Both the slapd.conf and the policies were taken from here. Go there for further details.

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema

# Added for policy
include     /etc/openldap/schema/ppolicy.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
pidfile     /var/run/openldap/
argsfile    /var/run/openldap/slapd.args

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile 
# TLSCertificateFile 
# TLSCertificateKeyFile

database    bdb
suffix      "dc=mycorp,dc=net"
rootdn      "cn=root,dc=mycorp,dc=net"
rootpw      {SSHA}oHEyp39sSpIDrZD3zaC1qiybbI97GRrZ
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=mycorp,dc=net"

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

For password policy place this into a file named ppolicy.ldif  in the /etc/openldap directory:

dn: ou = policies,dc=mycorp,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies
# default, policies,
dn: cn=default,ou=policies,dc=mycorp,dc=net
objectClass: top
objectClass: pwdPolicy
objectClass: person
cn: default
sn: dummy value
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 14482463
pwdMinLength: 2
pwdMaxFailure: 10
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMustChange: FALSE
pwdAllowUserChange: FALSE
pwdSafeModify: FALSE

Testing our configuration prior to starting the service:

$ slaptest -f /etc/openldap/slapd.conf (db errors can be ignored, because we've not started it yet))
$ service slapd start
$ chkconfig slapd on

Before we apply our certificate to the server let’s first test our setup by adding entries to the database including a test user. The entries are stored in a file named users.ldif that should contain something similar to this:

version: 1

dn: dc=mycorp,dc=net
dc: mycorp
objectClass: top
objectClass: domain

# Please replace with site specific values
dn: dc=hadoop,dc=mycorp,dc=net
objectclass: organization
objectclass: dcObject
o: Hadoop
dc: hadoop

# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=mycorp,dc=net
ou: people

# Entry for a sample end user
# Please replace with site specific values
dn: uid=guest,ou=people,dc=hadoop,dc=mycorp,dc=net
cn: Guest
sn: User
uid: guest

We now add this to our directory and search for our guest user. If you want to provide your password at command prompt instead of writing it out to your shell replace every -w your_rootpw with -W.

$ ldapadd -x -D "cn=root,dc=mycorp,dc=net" -w your_rootpw -f users.ldif
$ ldapsearch -H ldap://knox.cluster -D "cn=root,dc=mycorp,dc=net" -w horton '(uid=guest)'

# user search with debug info
$ ldapsearch -H ldap://knox.cluster -D "cn=root,dc=mycorp,dc=net" -w horton -d7 '(uid=guest)'

# search all with debug
$ ldapsearch -H ldap://knox.cluster -D "cn=root,dc=mycorp,dc=net" -w horton -d7

We are now almost done. What is left to do is secure the service via SSL. For this we need to provide our created signed certificate to the server configuration in addition to the CA certificate itself. Also the client would need the CA certificate. We do this by adding the following to ldap.conf and slapd.conf under /etc/openldap:

TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/knox_cert.pem
TLSCertificateKeyFile /etc/openldap/knox_key.pem

Please make sure that you’ve also copied the files provided here into the appropriate place.

BASE    dc=mycorp,dc=net
URI ldap://knox.cluster

TLS_CACERT /etc/pki/CA/certs/ca.crt

Now restart the service and test the configuration by StartTLS:

$ service slapd restart
$ ldapsearch -H ldap://knox.cluster -D "cn=root,dc=mycorp,dc=net" -w your_rootpw -ZZ -d7

This should work without any issues. We now have our service secured by our own signed certificate over StartTLS. The difference between SSL and StartTLS can be seen as the folllows:

  1. ldap:// + StartTLS should be directed to a normal LDAP port (normally 389), not the ldaps:// port.
  2. ldaps:// should be directed to an LDAPS port (normally 636), not the LDAP port.

By default OpenLDAP after installation will not run on port 636 providing no SSL connectivity over ldaps:// . You can change this by adjusting /etc/sysconfig/ldap by changing the option SLAPD_LDAPS  from no to yes.

# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no

We can test this like with another search over ldaps:// this time:

$ ldapsearch -H ldaps://knox.cluster:636 -D "cn=root,dc=mycorp,dc=net" -w horton -d7

# testing SSL using openssl
openssl s_client -connect know.cluster:389 -CApath /etc/pki/CA/certs/

Further Readings


3 thoughts on “OpenLDAP Setup with CA Signed Certificate on CentOS

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s