web analytics

Blog

How To Setup A Backup LDAP Server Through LDAP Replication With TLS Authentication

Tags: ldapldap replication tlstls authentication

Published on: July 5, 2012 by Scott S

How To Setup A Backup LDAP Server Through LDAP Replication With TLS Authentication

Scenario:

If you have set up replication between servers, it is an always a better practice to encrypt (StartTLS) the replication traffic to stop others from sniffing your data. This is distinct from using encryption with authentication as we did in https://www.supportsages.com/2012/06/ldap-configuration-for-user-and-group-centralised-authentication-on-ubuntu-lts-12-04-part-3 . Le us see discuss how to do the LDAP replication with tls authetication.

The assumption here is that you have set up replication between Provider and Consumer following https://www.supportsages.com/2012/07/how-to-setup-a-backup-ldap-server-through-ldap-replication and have configured TLS for authentication on the Provider by following https://www.supportsages.com/2012/06/ldap-configuration-for-user-and-group-centralised-authentication-on-ubuntu-lts-12-04-part-3

 

As I mentioned before, the objective for us with replication is high availability for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. What other things to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary files over to the Consumer.

On the Provider(ldapserver.int.sages.com)

Create a holding directory (which will be used for the eventual transfer) and then the Consumer’s private key:

root@ldapserver:]# mkdir ldapreplserver-ssl

root@ldapserver:]# cd ldapreplserver-ssl

root@ldapserver:ldapreplserver-ssl]# certtool –generate-privkey –bits 1024 –outfile

ldapreplserver.int.sages.com_slapd_key.pem

Create an info file, ldapreplserver.info, for the Consumer server, adjusting it’s values accordingly:

root@ldapserver:]# vi ldapreplserver.info

=========================================================

organization = Support Sages

cn = ldapreplserver.int.sages.com

tls_www_server

encryption_key

signing_key

expiration_days = 3650

=========================================================

The expiration_days attribute define the number of days the cert is valid. The above certificate is good for 10 years.(Rough calculation)

Create the Consumer’s certificate:

root@ldapserver:]# certtool –generate-certificate –load-privkey ldapreplserver.int.sages.com_slapd_key.pem –load-ca-certificate /etc/ssl/certs/cacert.pem  –load-ca-privkey /etc/ssl/private/cakey.pem –template ldap02.info –outfile ldapreplserver.int.sages.com_slapd_cert.pem

 

Get a copy of the CA certificate:

root@ldapserver:ldapreplserver-ssl]# cp /etc/ssl/certs/cacert.pem .

We’re done. Now transfer the ldapreplserver-ssl directory to the Consumer.

Here we use scp (adjust accordingly):

root@ldapserver:ldapreplserver-ssl]# cd ..

root@ldapserver:]# scp -r ldapreplserver-ssl root@ldapreplserver:

On the Consumer

Install the ssl-cert package first:

root@ldapreplserver:]# apt-get install ssl-cert

Add the openldap user to ssl-cert group and adjust the permissions as shown below:

root@ldapreplserver:]# adduser openldap ssl-cert

root@ldapreplserver:]# cp ldapreplserver.int.sages.com_slapd_cert.pem /etc/ssl/certs

root@ldapreplserver:]# cp ldapreplserver.int.sages.com_slapd_key.pem /etc/ssl/private

root@ldapreplserver:]# chgrp ssl-cert /etc/ssl/private/ldapreplserver.int.sages.com_slapd_key.pem

root@ldapreplserver:]# chmod g+r /etc/ssl/private/ldapreplserver.int.sages.com_slapd_key.pem

root@ldapreplserver:]# chmod o-r /etc/ssl/private/ldapreplserver.int.sages.com_slapd_key.pem

Create the file /etc/ssl/certinfo.ldif with the following contents (adjust accordingly):

root@ldapreplserver:]# vi /etc/ssl/certinfo.ldif

=========================================

dn: cn=config

add: olcTLSCACertificateFile

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem

add: olcTLSCertificateFile

olcTLSCertificateFile: /etc/ssl/certs/ldapreplserver.int.sages.com_slapd_cert.pem

add: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/ssl/private/ldapreplserver.int.sages.com_slapd_key.pem

 

Configure the slapd-config database:

root@ldapreplserver:]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

Configure /etc/default/slapd as on the Provider (SLAPD_SERVICES).

On the Consumer, configure TLS for Consumer-side replication. Modify the existing olcSyncrepl attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute’s value(s).

Create the file consumer_sync_tls.ldif with the following contents:

root@ldapreplserver:]# vi consumer_sync_tls.ldif

===================================================

dn: olcDatabase={1}hdb,cn=config

replace: olcSyncRepl

olcSyncRepl: rid=0 provider=ldap://ldapserver.int.sages.com bindmethod=simple binddn=”cn=admin,dc=int,dc=sages,dc=com” credentials=sages123 searchbase=”dc=int,dc=sages,dc=com” logbase=”cn=accesslog” logfilter=”(&(objectClass=auditWriteObject)(reqResult=0))”

schemachecking=on type=refreshAndPersist retry=”60 +” syncdata=accesslog

starttls=critical tls_reqcert=demand

===================================================

The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider’s identity.

Implement these changes to our LDAP tree:

root@ldapreplserver:]# ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif

And restart slapd:

root@ldapreplserver:]# /etc/init.d/slapd restart

 

 

On the Provider(ldapserver.int.sages.com),

Check to see that a TLS session has been established. In /var/log/syslog, providing you have ‘conns’-level logging set up, you should see messages similar to:

=============================================================

slapd[3620]: conn=1047 fd=20 ACCEPT from IP=xx.xx.xx.xx:57922 (IP=0.0.0.0:389)

slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037

slapd[3620]: conn=1047 op=0 STARTTLS

slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=

slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128

slapd[3620]: conn=1047 op=1 BIND dn=”cn=admin,dc=int,dc=sages,dc=com” method=128

slapd[3620]: conn=1047 op=1 BIND dn=”cn=admin,dc=int,dc=sages,dc=com” mech=SIMPLE ssf=0

slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text

=============================================================

Category : General, Howtos, Linux

Scott S

Scott S

Scott follows his heart and enjoys design and implementation of advanced, sophisticated enterprise solutions. His never ending passion towards technological advancements, unyielding affinity to perfection and excitement in exploration of new areas, helps him to be on the top of everything he is involved with. This amateur bike stunting expert probably loves cars and bikes much more than his family. He currently spearheads the Enterprise Solutions and Infrastructure Consultancy wing of SupportSages.

You may also read:

Comments

Add new commentSIGN IN

Let's Connect

Get new updates

Categories

$0.000 items