
Working With Oracle® Solaris 11.4 Directory and Naming Services: LDAP


Updated: November 2020
 
 

Setting Up TLS Security

If you are using Transport Layer Security (TLS), you must install the mandatory PEM certificate files before using the ldapclient command. These PEM certificate files are the self-signed server certificate and CA certificate files that must first be installed to validate the LDAP server, and possibly to validate client access to the server. For example, if you have the PEM CA certificate certdb.pem, you must ensure that certdb.pem is added to the certificate path and readable from the certificate path.

Starting with Oracle Solaris 11.4, the OpenLDAP LDAP library uses OpenSSL for security services. OpenSSL offers more robust certificate management than the certificate management that was used in prior Oracle Solaris releases.

You must install the necessary CA or self-signed certificate into the certificate directory before configuring the LDAP client. By default, the certificate directory is /var/ldap. To change the location, use the ldapclient command to set the certificatePath attribute, or change the location in the LDAP profile on the server. See the ldapclient(8) and ldapaddent(8) man pages for details; the certificatePath attribute is described in more detail in the ldapclient(8) man page.

When you upgrade a system from Oracle Solaris 11.3 or earlier to Oracle Solaris 11.4, the Mozilla certificate databases, if they exist, are automatically converted to the newer OpenSSL PEM format. The svc:/system/name-service/upgrade:default SMF service converts the Mozilla certificate databases to the OpenSSL PEM format and writes them to files within the certificate directory. OpenSSL hash links to those PEM files are also created. After the certificate databases are converted, they are renamed and can be deleted. If any unconverted Mozilla certificate databases remain in the certificate directory, they can be converted to PEM files by manually restarting the name-service/upgrade:default service. For information about restarting a service, see Restarting a Service in Managing System Services in Oracle Solaris 11.4 and the svcadm(8) man page.

The OpenSSL library also supports storing all the mandatory CA or self-signed certificates in a single PEM file, which removes the need for the PEM hashing scheme. If you use this option, LDAP naming services look by default for a certdb.pem file in the certificate directory instead of hash links. If the value of certificatePath points to a directory, the LDAP client looks first for PEM file hash links, then for a certdb.pem file, and uses whichever certificate format it discovers.

In order to allow OpenLDAP commands such as ldapsearch, ldapadd, and ldapmodify to work with the TLS configuration, the location of the PEM certificate files must be specified in /etc/openldap/ldap.conf. See the TLS_CACERTDIR option or, if using certdb.pem, the TLS_CACERT option in the ldap.conf(5oldap) man page.


Note - The PEM certificate files must be readable by everyone. Do not encrypt or remove read permissions on these files. Otherwise, commands such as ldaplist will fail.
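The following script is an added example, not part of the Oracle Solaris documentation and not Solaris code. It shows, in one place, the three things the text above describes: populating a certificate directory either with hashed PEM links or with a single certdb.pem, producing the matching TLS_CACERTDIR or TLS_CACERT line for /etc/openldap/ldap.conf, and checking that every PEM file is world-readable and unencrypted before the client is configured. The function names, the directory paths and the use of the openssl command-line tool to compute subject hashes are assumptions made for the example; it does not run ldapclient itself.

```shell
#!/bin/sh
# Added example (not Oracle Solaris code): prepare and validate an
# OpenSSL-style LDAP certificate store. Function names and paths are
# assumptions for illustration; "openssl" is the OpenSSL CLI.
set -u

# Copy each CA or self-signed PEM into CERT_DIR and create the OpenSSL
# hash link (<subject_hash>.N) that the LDAP client looks for when
# certificatePath is a directory. Safe to re-run: an existing link to the
# same file is reused rather than duplicated.
install_hashed_certs() {
    cert_dir=$1; shift
    mkdir -p "$cert_dir" || return 1
    for pem in "$@"; do
        base=$(basename "$pem")
        cp "$pem" "$cert_dir/$base" || return 1
        chmod 0644 "$cert_dir/$base" || return 1
        hash=$(openssl x509 -in "$pem" -noout -subject_hash) || return 1
        n=0
        while [ -e "$cert_dir/$hash.$n" ]; do
            [ "$(readlink "$cert_dir/$hash.$n")" = "$base" ] && break
            n=$((n + 1))
        done
        [ -e "$cert_dir/$hash.$n" ] || ln -s "$base" "$cert_dir/$hash.$n" || return 1
    done
}

# Alternative layout: one certdb.pem holding every CA, no hash links needed.
install_certdb() {
    cert_dir=$1; shift
    mkdir -p "$cert_dir" || return 1
    cat "$@" > "$cert_dir/certdb.pem" || return 1
    chmod 0644 "$cert_dir/certdb.pem"
}

# Every PEM file must be readable by everyone and must not be encrypted;
# otherwise ldaplist and the OpenLDAP tools fail. Returns 1 and names the
# offending files on stderr. The other-read bit is column 8 of "ls -l".
check_pem_readable() {
    cert_dir=$1
    status=0
    for f in "$cert_dir"/*.pem; do
        [ -e "$f" ] || continue
        if [ "$(ls -l "$f" | cut -c8)" != "r" ]; then
            echo "not world-readable: $f" >&2; status=1
        fi
        if grep -q 'ENCRYPTED' "$f"; then
            echo "encrypted PEM cannot be used by the client: $f" >&2; status=1
        fi
    done
    return $status
}

# Confirm the store actually validates a certificate, following the same
# lookup order as the client: certdb.pem if present, else hash links.
verify_against_store() {
    cert_dir=$1; cert=$2
    if [ -f "$cert_dir/certdb.pem" ]; then
        openssl verify -CAfile "$cert_dir/certdb.pem" "$cert" >/dev/null 2>&1
    else
        openssl verify -CApath "$cert_dir" "$cert" >/dev/null 2>&1
    fi
}

# Emit the /etc/openldap/ldap.conf line that points ldapsearch, ldapadd and
# ldapmodify at the same store: TLS_CACERT for certdb.pem, TLS_CACERTDIR
# for a hashed directory.
ldap_conf_tls_lines() {
    cert_dir=$1
    if [ -f "$cert_dir/certdb.pem" ]; then
        echo "TLS_CACERT $cert_dir/certdb.pem"
    else
        echo "TLS_CACERTDIR $cert_dir"
    fi
}
```

Typical use is `install_hashed_certs /var/ldap ca.pem` (or `install_certdb /var/ldap ca.pem`), then `check_pem_readable /var/ldap` and `verify_against_store /var/ldap ca.pem` before running ldapclient, and appending the output of `ldap_conf_tls_lines /var/ldap` to /etc/openldap/ldap.conf. The verify step uses the CA against itself, which is enough to prove the hash links or certdb.pem are found; a server certificate chained to that CA can be passed instead once one is available.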

For information about how to create and manage PEM formatted certificates, see Directory Server Security.