Adding SSL/TLS to LDAP

Why do we want SSL security?

encrypt data in transit over the network (i.e. so snoopers cannot sniff passwords)
- any certificate is good enough for this
client should verify identity of server before submitting a password for approval (i.e. to prevent an imposter ldap server or man-in-the-middle from collecting valid passwords)
- to achieve this, we need a server certificate whose authenticity can be verified by the client - i.e. a certificate signed by a trusted CA
- depending on the nature/spread of the LDAP client base we need to serve, a local CA created with OpenSSL tools may be entirely adequate - i.e. there may be no need to purchase server certificates from a commercial CA

Setting Up A Private CA with OpenSSL Tools

reference: Viega et. al., p59-70

Create environment for CA:
choose a location - I'm using /ldap/sslCA for convenience, but you should think about security (e.g. avoid using an nfs export?)

    mkdir /ldap/sslCA
    cd /ldap/sslCA
    mkdir certs private
    chmod 700 private
    echo '01' > serial      /* must be in hex */
    touch index.txt

Build an OpenSSL Config File:

    # config for general operation of the CA:

    [ ca ]
    default_ca = shellgritca

    [ shellgritca ]
    dir             = /ldap/sslCA
    certificate     = $dir/cacert.pem
    database        = $dir/index.txt
    new_certs_dir   = $dir/certs
    private_key     = $dir/private/cakey.pem
    serial          = $dir/serial

    default_crl_days = 7
    default_days    = 365
    default_md      = md5

    policy          = shellgritca_policy
    x509_extensions = certificate_extensions

    [ shellgritca_policy ]
    commonName              = supplied
    stateOrProvinceName     = supplied
    countryName             = supplied
    emailAddress            = optional
    organizationName        = supplied
    organizationalUnitName  = optional

    [ certificate_extensions ]
    basicConstraints        = CA:false


    # additional configuration required to generate the CA's self-signed root certificate:

    [ req ]
    default_bits    = 2048
    default_keyfile = /ldap/sslCA/private/cakey.pem
    default_md      = md5

    prompt                  = no
    distinguished_name      = root_ca_disinguished_name

    x509_extensions         = root_ca_extensions

    [ root_ca_disinguished_name ]
    commonName              = Shellgrit CA
    stateOrProvinceName     = South Australia
    countryName             = AU
    emailAddress            = ca@shellgrit.com
    organizationName        = Shellgrit Root Certification Authority

    [ root_ca_extensions ]
    basicConstraints        = CA:true

Tell OpenSSL where to find the config file:

    # export OPENSSL_CONF=/ldap/sslCA/openssl.conf

Create a new pair of keys and a self-signed root certificate:
```
    # cd /ldap/sslCA
    # openssl req -x509 -days 3660 -newkey rsa -out cacert.pem -outform PEM
    Generating a 2048 bit RSA private key
    ..............................................+++
    ...........+++
    writing new private key to '/ldap/sslCA/private/cakey.pem'
    Enter PEM pass phrase:shellgritCAkey
    Verifying - Enter PEM pass phrase:shellgritCAkey
    -----
  
```
- The pass phrase will be used to encrypt the private key, and will need to be supplied whenever the private key needs to be used (eg for signing a certificate).
- It's possible to create your root private key without password protection, but it makes sense to use all the security measures you can, since the security of every certificate (and CRL) you publish depends on it.
Have a look at what we created:
- more cacert.pem
- openssl x509 -in cacert.pem -text -noout

Use Private CA to Generate Server Certificates

Create a key-pair and a certificate signing request for each server:
- This is a CA-client operation, not a CA operation (ideally performed locally on each server so the the generated private key never needs to be shipped anywhere). Therefore we don't want to use the CA's config file.
- Use '-nodes' to save private key in-the-clear (otherwise OpenLDAP will not be able to start without a person present to type in the private key's passphrase => cannot boot system unattended).
- Use server's FQDN as the 'CommonName' in the certificate.
```
    unset OPENSSL_CONF
    cd /ldap/ssl_serverkeys
    # openssl req -newkey rsa:1024 -nodes -keyout ldap4key.pem -keyform PEM -out ldap4req.pem -outform PEM
    # openssl req -newkey rsa:1024 -nodes -keyout ldap3key.pem -keyform PEM -out ldap3req.pem -outform PEM
  
```
Have a look at what we've got:
- private key file
- raw certificate request file
- # openssl req -in ldap4req.pem -text -noout
- # openssl req -in ldap3req.pem -text -noout

Now use our CA to generate the certificates:

    # export OPENSSL_CONF=/ldap/sslCA/openssl.conf
    # cd /ldap/sslCA
    # openssl ca -in ../ssl_serverkeys/ldap4req.pem
    # openssl ca -in ../ssl_serverkeys/ldap3req.pem -notext

Have a look at what we did:

    # cat index.txt
    V  060307064312Z  01  unknown /CN=ldap4.shellgrit.com/ST=South Australia/C=AU/O=Shellgrit Computing
    V  060307065157Z  02  unknown /CN=ldap3.shellgrit.com/ST=South Australia/C=AU/O=Shellgrit Computing

    # ls -l certs/
    -rw-r--r--  1 root root 3361 Mar  7 17:13 01.pem
    -rw-r--r--  1 root root 1090 Mar  7 17:22 02.pem

    # openssl x509 -in certs/01.pem -text -noout
    # openssl x509 -in certs/02.pem -text -noout

Configuring TLS with OpenLDAP

Install keys and certificates:

Each server needs:

certificate (contains its public key), signed by the CA

      # mkdir /etc/openldap/ssl
      # chown ldap:ldap /etc/openldap/ssl
      # cp /ldap/sslCA/certs/01.pem /etc/openldap/ssl/ldap4.shellgrit.com.pem
      # chmod 444 /etc/openldap/ssl/ldap4.shellgrit.com.pem

private key file (must be readable by slapd, but otherwise protect as much as you can)

      # mkdir /etc/openldap/ssl/private
      # chown ldap:ldap /etc/openldap/ssl/private
      # chmod 500 /etc/openldap/ssl/private
      # cp /ldap/ssl_serverkeys/ldap4key.pem /etc/openldap/ssl/private/ldap4keyclear.pem
      # chown ldap:ldap /etc/openldap/ssl/private/*
      # chmod 400 /etc/openldap/ssl/private/*

file locations configured in /etc/openldap/slapd.conf:

      TLSCACertificateFile /etc/ssl/cacert.pem
      TLSCertificateFile /etc/openldap/ssl/ldap4.shellgrit.com.pem
      TLSCertificateKeyFile /etc/openldap/ssl/private/ldap4keyclear.pem
      TLSCipherSuite HIGH

Each client needs:
- a copy of the CA's root certificate (contains CA's public key), with which it can verify certificates offered by servers
```
      # mkdir /etc/ssl
      # cp /ldap/sslCA/cacert.pem /etc/ssl/cacert.pem
      
```
- file location configured in /etc/openldap/ldap.conf for openldap tools (e.g. ldapsearch):
```
      TLS_CACERT /etc/ssl/cacert.pem
      
```
- (file location configured in /etc/ldap.conf for other things, e.g. pam_ldap - see below)

Test that the server can talk TLS:

  # service ldap restart
  # ldapsearch -ZZ -h ldap4.shellgrit.com -D cn=Manager,dc=shellgrit,dc=com -x -w secretmaster -b dc=shellgrit,dc=com '(objectClass=*)'

Notes:

-Z requests TLS of the server
-ZZ requires it
must use FQDN in host spec (-h) if that's what the certificate contains

Configuring a Fedora Client to Utilise TLS

Tell pam_ldap where to find CA certificates which it should trust (pam_ldap uses /etc/ldap.conf, as opposed to /etc/openldap/ldap.conf):
```
    tls_cacertfile /etc/ssl/cacert.pem
    
```
Run the 'authconfig' tool, and select the 'use TLS' option.
or edit /etc/ldap.conf:
```
    < ssl no
    > ssl start_tls
    
```
If paranoid, run ethereal to confirm that bind passwords are no longer sent by client in-the-clear.
Note:
- this configuration relies upon the client to request TLS
- you may prefer the server to disallow non-TLS-protected authentication requests so that a mis-configured client will not leak cleartext passwords onto your network
- will replication traffic be protected by TLS?
- these things should be possible via either:
  - making the server serve only ldaps://, not ldap:// (adds encryption overhead where it may not be adding value), or
  - advanced configuration in slapd.conf to demand TLS in certain circumstances