The Secure Sockets Layer (SSL) is a protocol that provides a secure
transmission channel between two parties. It sits between TCP/IP and
application level protocols such as HTTP, LDAP and SMTP, and it is based on
public key cryptography (various ciphers can be negotiated) and on X.509
certificates.
SSL was originally a Netscape protocol; it then went through an IETF
standardization process and is now called TLS (Transport Layer Security).
It is commonly referred to as SSL/TLS.
The SSL/TLS protocol provides:
Data encryption: the client/server session is encrypted.
Server authentication: the client can verify the server's identity.
Message integrity: data cannot be modified in transit without the change
being detected. Together with server authentication this defeats "man in
the middle" attacks; encryption alone does not.
Client authentication: the server can verify the client's identity.
OpenLDAP 2.0.x, which is an LDAP v3 implementation, provides SSL/TLS in the
server: it has to be compiled against the OpenSSL library to get it. It also
supports StartTLS.
Note: StartTLS lets the client upgrade a plain LDAP connection to TLS when it
asks for it, so a single LDAP port can serve both secure and insecure
connections.
OpenLDAP 1.2.x, on the other hand, is an LDAP v2 implementation and does not
provide SSL/TLS at all.
Valuable information on SSL/TLS in OpenLDAP 2.0.x can be found on the
OpenLDAP web site; here we focus on how to use an SSL tunnel to secure LDAP
parties that are not SSL/TLS aware.
If you use OpenLDAP 1.2.x you need a general purpose SSL wrapper to add SSL
capabilities to the server. Stunnel (www.stunnel.org) has been found to be
stable and suitable for this application.
Installing it is quite simple, but first you have to install OpenSSL
(www.openssl.org) to get the required library and tools.
OpenSSL is an open source implementation of the SSL/TLS protocols that
provides the SSL library and a set of cryptographic tools.
To install OpenSSL, type the following commands (the last one as root):
$ ./config
$ make
$ make test
# make install
By default everything is installed under /usr/local/ssl.
If OpenSSL is correctly installed, the only commands needed to compile and
install stunnel are:
$ ./configure
$ make
# make install
Stunnel uses a server certificate for SSL. This can be a self signed
certificate or, better, a certificate signed by your own Certification
Authority (the SSL client then has to trust that CA as well).
A commonly used place to store this certificate is:
/usr/local/ssl/certs/stunnel.pem
If running a Certification Authority is not a concern, a self signed
certificate can be produced with the tools provided by the OpenSSL suite.
In the stunnel source directory (so that the configuration file stunnel.cnf
is used) type the following commands:
$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf \
-out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 >> stunnel.pem
This produces a self signed certificate, valid for one year, together with
its unencrypted private key in the file stunnel.pem; protect the file so that
only the user stunnel runs as can read it. The second command appends
Diffie-Hellman parameters to the same file. 512-bit DH parameters are far
too weak by today's standards: use at least 2048 bits, and note that the
gendh subcommand has since been replaced by openssl dhparam.
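The self signed certificate above is fine for testing, but the text recommends a certificate signed by your own CA. The following script is an added example (not code from the page, nor from the stunnel or OpenLDAP projects): it creates a private CA, issues a server certificate for the LDAP host with a subjectAltName, assembles the key+certificate PEM file that stunnel reads, and checks that the certificate verifies against the CA and that the key in the PEM file really belongs to it. The host name ldapserver.yourorg.com, the output directory and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build a private CA, issue a
# server certificate for the LDAP host, assemble the key+cert PEM file that
# stunnel reads, and check the result. The host name, directory and file
# names are assumptions; adjust them to your site.
set -eu

LDAP_HOST="${LDAP_HOST:-ldapserver.yourorg.com}"   # assumed server name

# make_ca DIR: create a self-signed CA certificate (ca.crt) and key (ca.key)
make_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# make_server_cert DIR HOST: issue a certificate for HOST signed by the CA in
# DIR, with HOST as CN and subjectAltName, then write DIR/stunnel.pem
make_server_cert() {
    dir="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # verifying clients match the name they connected to against subjectAltName
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # stunnel reads the private key and the certificate from one PEM file;
    # it must be readable only by the user stunnel runs as
    cat "$dir/server.key" "$dir/server.crt" > "$dir/stunnel.pem"
    chmod 600 "$dir/server.key" "$dir/stunnel.pem"
}

# verify_chain DIR: succeed only if server.crt chains to ca.crt and the key
# in stunnel.pem belongs to the certificate in stunnel.pem
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/stunnel.pem" | openssl dgst -sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/stunnel.pem" 2>/dev/null | openssl dgst -sha256)
    [ "$cert_mod" = "$key_mod" ]
}

# Stand-alone use: sh mkcert.sh /usr/local/ssl/certs   (directory is an assumption)
if [ -n "${1:-}" ]; then
    mkdir -p "$1"
    make_ca "$1"
    make_server_cert "$1" "$LDAP_HOST"
    verify_chain "$1" && echo "OK: $1/stunnel.pem chains to $1/ca.crt"
fi
```

Copy ca.crt (never ca.key) to every client host that will verify the server, and hand stunnel.pem to stunnel with -p as above. If your stunnel version still wants DH parameters in the same file, append them with openssl dhparam 2048 >> stunnel.pem (generation takes a while, which is why the script leaves it out).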
Once stunnel is installed, first start the LDAP server on port 389 (the
default LDAP port):
# /usr/local/libexec/slapd
Then start stunnel on port 636 (the port used by LDAPS clients), forwarding
the decrypted connections to the local ldap service (port 389):
# /usr/local/sbin/stunnel -r ldap -d 636 \
-p /usr/local/ssl/certs/stunnel.pem
For debugging you can start stunnel in the foreground, with verbose logging,
using the following syntax:
# /usr/local/sbin/stunnel -r ldap -d 636 \
-D 7 -f -p /usr/local/ssl/certs/stunnel.pem
These are stunnel 3.x command line options (-r remote service, -d listening
port, -p certificate file, -D debug level, -f foreground); stunnel 4 and later
take the same settings from a configuration file instead.
Many LDAP clients are not SSL aware; stunnel in client mode can provide SSL
for them as well.
This is quite simple. Start stunnel on the client host, listening on the LDAPS
port, and forward the connections it receives to the actual LDAP server:
# stunnel -c -d 636 -r ldapserver.yourorg.com:636
LDAP clients must then be configured to use localhost:636 as their LDAPS
server. Keep in mind that stunnel does not verify the server certificate
unless told to (the -v verification level plus a CA certificate location in
stunnel 3, the verify and CAfile settings in later versions), so without
that the tunnel encrypts the traffic but cannot tell the real server from an
impostor.
At the moment slurpd (the slapd replication daemon) has no SSL capabilities,
but stunnel in client mode can get this job done too.
Running stunnel in client mode on the master, you forward a local port to the
replica's LDAPS port (where the replica runs stunnel in server mode as shown
above):
# stunnel -c -d 9636 -r ldapreplica.yourorg.com:636
and in slapd.conf on the master you point the replica at that local port:
replica host=localhost:9636
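The three tunnels above (server mode in front of slapd, client mode on an LDAP client host, client mode on the master for slurpd) use the stunnel 3.x command line. stunnel 4 and later read a configuration file instead; the following is an added example of the equivalent configuration, not taken from the page or from the stunnel project. The three service sections normally live in three separate files on three different hosts and are shown together only for comparison; host names, paths and the log file are assumptions.

```ini
; Added example, not from the original page: stunnel 4/5 configuration
; equivalent to the three command lines in the text. Paths and host names
; are assumptions. Global settings must come before the first section.
foreground = no
; raise to 7 while debugging, as with -D 7 on the stunnel 3 command line
debug = 5
output = /var/log/stunnel.log
; consider setuid/setgid here to drop root after binding port 636

; On the LDAP server: accept LDAPS on 636, hand plaintext to slapd on 389
; (stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem)
[ldaps]
accept = 636
connect = 127.0.0.1:389
; private key and certificate in one PEM file, readable only by stunnel's user
cert = /usr/local/ssl/certs/stunnel.pem

; On a client host that cannot speak SSL itself
; (stunnel -c -d 636 -r ldapserver.yourorg.com:636)
[ldaps-client]
client = yes
; bind to loopback so that other hosts cannot ride this tunnel
accept = 127.0.0.1:636
connect = ldapserver.yourorg.com:636
; verify the server certificate against our own CA; without these two
; lines stunnel encrypts but accepts any certificate
CAfile = /usr/local/ssl/certs/ca.crt
verify = 2
; stunnel 5 additionally offers checkHost = ldapserver.yourorg.com

; On the master: slurpd connects to 9636 locally, stunnel carries it to the
; replica's LDAPS port (stunnel -c -d 9636 -r ldapreplica.yourorg.com:636)
[replica]
client = yes
accept = 127.0.0.1:9636
connect = ldapreplica.yourorg.com:636
CAfile = /usr/local/ssl/certs/ca.crt
verify = 2
```

To check the server side from any host with OpenSSL installed, run openssl s_client -connect ldapserver.yourorg.com:636 -CAfile ca.crt and look for "Verify return code: 0 (ok)" in the output; an LDAP search through the tunnel then appears in slapd's logs as an ordinary connection from 127.0.0.1.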