24.4.3 Replacing the Default Certificates

If you configure LDAP to use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to secure the connection to the LDAP server, you need a public certificate that clients can download. You can obtain certificates from a Certification Authority (CA) or you can use the openssl command to create the certificate. See Section 24.4.4, “Creating and Distributing Self-signed CA Certificates”.

Once you have a server certificate, its corresponding private key file, and a root CA certificate, you can replace the default certificates that are installed in /etc/openldap/certs.

To display the existing certificate entries that slapd uses with TLS, use the ldapsearch command:

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" \
  olcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
...

To replace the TLS attributes in the LDAP configuration:

  1. Create an LDIF file that defines how to modify the attributes, for example:

    dn: cn=config
    changetype: modify
    delete: olcTLSCACertificatePath
    
    # Omit the following clause for olcTLSCACertificateFile
    # if you do not have a separate root CA certificate
    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/certsCAcert.pem
    
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem
    
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/certs/server-key.pem
    
    dn: cn=config
    changetype: modify
    add: olcTLSCipherSuite
    olcTLSCipherSuite: TLSv1+RSA:!NULL
    
    dn: cn=config
    changetype: modify
    add: olcTLSVerifyClient
    olcTLSVerifyClient: never

    If you generate only a self-signed certificate and its corresponding key file, you do not need to specify a root CA certificate.

  2. Use the ldapmodify command to apply the LDIF file:

    # ldapmodify -Y EXTERNAL -H ldapi:/// -f mod-TLS.ldif 
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
    
    modifying entry "cn=config"
    
    modifying entry "cn=config"
    ...
  3. Verify that the entries have changed:

    # ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" \
      olcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile 
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn: cn=config
    olcTLSCACertificateFile: /etc/ssl/certs/CAcert.pem
    olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem
    olcTLSCertificateKeyFile: /etc/ssl/certs/server-key.pem
    olcTLSCipherSuite: TLSv1+RSA:!NULL
    olcTLSVerifyClient: never
    ...
  4. Restart the slapd service to make it use the new certificates:

    # systemctl restart slapd

For more information, see the ldapmodify(1), ldapsearch(1) and openssl(1) manual pages.