The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
If you configure LDAP to use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to secure the connection to the LDAP server, you need a public certificate that clients can download. You can obtain certificates from a Certification Authority (CA) or you can use the openssl command to create the certificate. See Section 23.4.4, “Creating and Distributing Self-signed CA Certificates”.
Once you have a server certificate, its corresponding private
key file, and a root CA certificate, you can replace the default
certificates that are installed in
/etc/openldap/certs
.
To display the existing certificate entries that
slapd
uses with TLS, use the
ldapsearch command:
#ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config"
\olcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config olcTLSCACertificatePath: /etc/openldap/certs olcTLSCertificateFile: "OpenLDAP Server" olcTLSCertificateKeyFile: /etc/openldap/certs/password ...
To replace the TLS attributes in the LDAP configuration:
Create an LDIF file that defines how to modify the attributes, for example:
dn: cn=config changetype: modify delete: olcTLSCACertificatePath # Omit the following clause for olcTLSCACertificateFile # if you do not have a separate root CA certificate dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certsCAcert.pem dn: cn=config changetype: modify replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem dn: cn=config changetype: modify replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/certs/server-key.pem dn: cn=config changetype: modify add: olcTLSCipherSuite olcTLSCipherSuite: TLSv1+RSA:!NULL dn: cn=config changetype: modify add: olcTLSVerifyClient olcTLSVerifyClient: never
If you generate only a self-signed certificate and its corresponding key file, you do not need to specify a root CA certificate.
Use the ldapmodify command to apply the LDIF file:
#
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod-TLS.ldif
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" modifying entry "cn=config" modifying entry "cn=config" ...Verify that the entries have changed:
#
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config"
\olcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config olcTLSCACertificateFile: /etc/ssl/certs/CAcert.pem olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem olcTLSCertificateKeyFile: /etc/ssl/certs/server-key.pem olcTLSCipherSuite: TLSv1+RSA:!NULL olcTLSVerifyClient: never ...Restart the
slapd
service to make it use the new certificates:#
service slapd restart
For more information, see the ldapmodify(1)
,
ldapsearch(1)
and
openssl(1)
manual pages.