10. SSL/TLS and SSL/TLS wrappers for LDAP
10.1. A Brief description of SSL
The Secure Socket Layer (SSL) is an application layer protocol that provides a secure transmission channel between two parties. It sits between TCP/IP and application-level protocols such as HTTP, LDAP, SMTP etc. It is based on public key cryptography (various ciphers can be used) and on X.509 certificates.
SSL was initially a Netscape protocol; it then went through a standardization process and is now called TLS (Transport Layer Security). It is commonly referred to as SSL/TLS.
The SSL/TLS protocol provides:
10.2. SSL/TLS availability for OpenLDAP
Since OpenLDAP 2.0.x, which is an LDAP v3 toolkit, SSL/TLS is provided by the server itself. OpenLDAP 2.0.x must be compiled against the OpenSSL library to enable SSL/TLS. It also supports StartTLS.
OpenLDAP 1.2.x, on the other hand, is an LDAP v2 protocol implementation and does not provide SSL/TLS.
Valuable information on SSL/TLS in OpenLDAP 2.0.x can be found on the OpenLDAP web site; here we focus on how to use an SSL tunnel to secure LDAP parties that are not SSL/TLS aware.
10.3. How to use stunnel to provide SSL/TLS to an LDAP V2 server
If you use OpenLDAP 1.2.x you need a general-purpose SSL wrapper to add SSL capabilities to the server. Stunnel (www.stunnel.org) has been found to be stable and suitable for this purpose.
Installing it is quite simple, but first you have to install OpenSSL (www.OpenSSL.org) to get the required library and tools.
OpenSSL is an open-source implementation of the SSL protocol that provides the SSL library and a set of cryptography tools.
To install OpenSSL you have to type the following commands:
Usually, everything will be installed in /usr/local/ssl.
If OpenSSL is correctly installed, the only commands needed to compile and install stunnel are:
Stunnel uses a server certificate for SSL. This can be a self-signed certificate or, better, a certificate signed by your own Certification Authority (the SSL client has to trust the CA too).
A common place to store such a certificate is:
If running a Certification Authority is not a concern, a self-signed certificate can be produced with the tools provided by the OpenSSL suite.
In the stunnel directory (so that the configuration file stunnel.cnf is used), type the following commands:
This will produce a self-signed certificate, valid for a year, in the file stunnel.pem.
Once stunnel is installed, first start the LDAP server on port 389 (the default LDAP port):
Then start stunnel on port 636 (the port used by LDAPS clients):
For debugging you can start stunnel in the foreground with the following syntax:
10.4. How to use stunnel to provide SSL to LDAP clients
Many LDAP clients are not SSL aware; however, using stunnel in client mode, it is possible to provide SSL to these clients.
This is quite simple. Start stunnel on the client host, listening on the LDAPS port, and forward the requests arriving on this port to the actual LDAP server:
Now the LDAP clients must be configured to use localhost:636 as the LDAPS server.
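The two stunnel deployments described in 10.3 (server mode in front of a non-SSL slapd) and 10.4 (client mode on the client host) share one shape: a listening side, a forwarding side, and a certificate. The script below is an added example, not code from this HOWTO or from the stunnel project; it writes both configurations in the stunnel 4+ configuration-file format (the HOWTO predates that format and used command-line flags), and the certificate paths, service names and example server name are assumptions. The self-signed certificate helper mirrors the "valid for a year, stunnel.pem" recipe above and only runs if openssl is installed.

```shell
#!/bin/sh
# Added example (not from the HOWTO): build stunnel configurations for
# 10.3 (server mode) and 10.4 (client mode). Paths are assumptions.

# Server mode (10.3): accept LDAPS on 636 and hand the decrypted stream
# to the local, non-SSL slapd on 389. Binding connect= to 127.0.0.1 keeps
# the plaintext leg on the loopback interface only.
stunnel_server_conf() {
  cert="${1:-/usr/local/etc/stunnel/stunnel.pem}"   # assumed cert location
  printf '%s\n' \
    "cert = $cert" \
    "pid = /var/run/stunnel-ldaps.pid" \
    "" \
    "[ldaps]" \
    "accept = 636" \
    "connect = 127.0.0.1:389"
}

# Client mode (10.4): listen on the loopback LDAPS port for non-SSL-aware
# clients and forward over SSL/TLS to the real LDAPS server. verify = 2 makes
# stunnel reject servers whose certificate does not chain to CAfile, which is
# what stops a forged server from terminating the tunnel.
stunnel_client_conf() {
  server="$1"                                       # host:port of the real LDAPS server
  cafile="${2:-/usr/local/etc/stunnel/ca.pem}"      # assumed CA bundle location
  printf '%s\n' \
    "client = yes" \
    "pid = /var/run/stunnel-ldap-client.pid" \
    "" \
    "[ldap-client]" \
    "accept = 127.0.0.1:636" \
    "connect = $server" \
    "verify = 2" \
    "CAfile = $cafile"
}

# Sanity check for a generated configuration read from stdin: every service
# needs accept/connect; a server must present a cert, a client must verify one.
check_conf() {
  conf=$(cat)
  echo "$conf" | grep -q '^accept = '  || return 1
  echo "$conf" | grep -q '^connect = ' || return 1
  if echo "$conf" | grep -q '^client = yes$'; then
    echo "$conf" | grep -q '^CAfile = ' || return 1
  else
    echo "$conf" | grep -q '^cert = '   || return 1
  fi
  return 0
}

# Self-signed key+certificate in one PEM file, valid for 365 days, as in the
# text above. Skipped when openssl is not installed.
make_selfsigned_cert() {
  out="${1:-stunnel.pem}"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  openssl req -new -x509 -days 365 -nodes -subj "/CN=$(hostname)" \
    -keyout "$out" -out "$out"
}

# Usage (assumed paths): write both files, then start stunnel with the file
# as its only argument.
#   stunnel_server_conf > /usr/local/etc/stunnel/ldaps.conf
#   stunnel_client_conf ldap.example.com:636 > /usr/local/etc/stunnel/ldap-client.conf
#   stunnel /usr/local/etc/stunnel/ldaps.conf
```

With the client-mode file in place, the LDAP client on that host talks plain LDAP to 127.0.0.1:636 and stunnel carries it to the real server over SSL/TLS; the plaintext hop never leaves the loopback interface. Without `verify = 2` and a `CAfile`, stunnel in client mode encrypts the link but accepts any server certificate, so add those two lines whenever the CA from 10.3 is available.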
10.5. How to use stunnel to provide SSL for slurpd replication
At the moment slurpd (the slapd replication daemon) has no SSL capabilities; however, you can use stunnel in client mode to get this job done.
Using stunnel in client mode on the master, you can forward a local port to a remote port:
and have on the master LDAP server in slapd.conf