932
edits
Changes
Added investigation 2 instructions for adding TLS to openldap:x
<ol>
<li>Install the openssl package</li>
<li>Run the following commands to create a self-signed TLS certificate for your server (make sure you replace the values with ones from your machine):
<source>
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem
openssl genrsa -out vm1.pcallagh.ops.key 4096
openssl req -new -key vm1.pcallagh.ops.key -out vm1.pcallagh.ops.csr
openssl x509 -req -in vm1.pcallagh.ops.csr -CA ca.cert.pem -CAkey ca.key -out vm1.pcallagh.ops.crt -CAcreateserial -days 365 -sha256
</source></li>
<li>Copy the certificate, the private key, and the certificte authority file to an appropriate directory (make sure it is owned by the ldap account):
<source>cp ldap.pcallagh.ops.crt ldap.pcallagh.ops.key ca.cert.pem /etc/openldap/certs/</source></li>
<li>Write an ldif file to add the following values to dn: cn=config (again making sure to put in values from your own machine):
<source>
olcTLSCertificateFile: /etc/openldap/certs/vm1.pcallagh.ops.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/vm1.pcallagh.ops.key
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
</source></li>
<li>You can use slapcat to ensure they are set correctly:
<source>slapcat -b "cn=config" | egrep "Certificate(Key)?File"</source></li>
<li>Update /etc/openldap/ldap.conf to locate your CACERT, and to indicate that ldaps is now allowed:
<ul><li>Set the URI parameter to ldaps://vm1.<yourdomain>.ops. It is suggested you also include ldapi:/// so local connections are allowed.</li>
<li>Set TLSCACERT to the absolute path of your certificate authority file (e.g. /etc/openldap/certs/ca.cert.pem).</li>
<li>Set TLSCACERTDIR to the directory your certificate authority file is in (e.g. /etc/openldap/certs).</li></ul></li>
<li>Update your firewall to permanently allow ldaps instead of ldap.</li>
</ol>
