SSL/TLS and SSL/TLS wrappers for LDAP
A brief description of SSL
The Secure Sockets Layer (SSL) is a protocol that provides an authenticated,
encrypted transmission channel between two parties. It sits between TCP/IP and
application level protocols such as HTTP, LDAP, SMTP etc., so the application
protocol itself is left unchanged. It uses public key cryptography and X.509
certificates to authenticate the peers and agree on session keys, and symmetric
ciphers (various ciphers can be negotiated) to encrypt the traffic.
SSL was originally a Netscape protocol; it then went through an IETF
standardization process and is now called TLS (Transport Layer Security).
It is commonly referred to as SSL/TLS.
The SSL/TLS protocol provides:
Data encryption: the client/server session is encrypted, so the traffic
(including LDAP bind passwords) cannot be read on the wire.
Server authentication: the client can verify the server identity against a
Certification Authority it trusts. This is what defeats a "man in the middle",
and only if the client actually checks the certificate.
Message integrity: data cannot be modified or replayed during transmission
without being detected.
Client authentication: optionally, the server can verify the client identity
with a client certificate.
SSL/TLS availability for OpenLDAP
Since OpenLDAP 2.0.x, which is an LDAP v3 toolkit, SSL/TLS is provided by
the server itself. OpenLDAP 2.0.x must be compiled against the OpenSSL library
to get SSL/TLS. It also supports StartTLS (RFC 2830).
StartTLS lets a client upgrade a plain LDAP connection to TLS on request, so a
single LDAP port (389) can serve both secure and insecure connections. Note
that a client which merely offers StartTLS can be held to plaintext by an
attacker who blocks the upgrade; configure clients to require it (for example
ldapsearch -ZZ rather than -Z).
OpenLDAP 1.2.x, instead, implements the LDAP v2 protocol and does not
provide SSL/TLS.
Valuable information on SSL/TLS with OpenLDAP 2.0.x can be found on the
OpenLDAP web site; here we focus on how to use an SSL tunnel to secure LDAP
parties that are not SSL/TLS aware.
How to use stunnel to provide SSL/TLS to an LDAP V2 server
If you use OpenLDAP 1.2.x you need a general purpose SSL wrapper to add
SSL capabilities to the server. Stunnel (www.stunnel.org) has been found to be
stable and suitable for this purpose.
Installing it is quite simple, but first you have to install OpenSSL
(www.OpenSSL.org) to get the required library and tools.
OpenSSL is an open source implementation of the SSL/TLS protocols that
provides the SSL library and a set of cryptography tools.
To install OpenSSL you have to type the following commands:
$ ./config
$ make
$ make test
# make install
Usually everything will be installed under
/usr/local/ssl.
If OpenSSL is correctly installed, the only commands needed to compile and
install stunnel are:
$ ./configure
$ make
# make install
Stunnel uses a server certificate for SSL. This can be a self signed
certificate or, better, a certificate signed by your own Certification
Authority (the SSL clients have to trust that CA, so its certificate must be
distributed to them). The file also holds the server's private key, so it
must be readable only by the user stunnel runs as.
A commonly used place to store the certificate is:
/usr/local/ssl/certs/stunnel.pem
If running a Certification Authority is not an option, a self signed
certificate can be produced with the tools provided by the OpenSSL
suite.
In the stunnel source directory (so that the configuration file
stunnel.cnf is found) type the following commands:
$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf \
-out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 >> stunnel.pem
This will produce a self signed certificate, valid for a year, in the
file stunnel.pem, followed by the Diffie-Hellman parameters stunnel uses for
key exchange. Set the Common Name to the host name clients will connect to.
Two caveats: -nodes leaves the private key unencrypted so that stunnel can
start unattended, which is why the file must be protected; and 512-bit DH
parameters are far too small and can be broken with modest resources, so use
at least 2048 bits (gendh was later replaced by openssl dhparam, which takes
the size as its argument).
Once stunnel is installed, first start the LDAP server on port
389 (the default LDAP port):
# /usr/local/libexec/slapd
Then stunnel on port 636 (the port used by LDAPS clients):
# /usr/local/sbin/stunnel -r ldap -d 636 \
-p /usr/local/ssl/certs/stunnel.pem
This is the stunnel 3.x command line syntax: -d 636 listens on port 636 on
every interface, -r ldap forwards the decrypted connections to the ldap
service (port 389) on the local host, and -p names the certificate file.
Stunnel 4 and later replace these flags with a configuration file. Note that
slapd on port 389 remains reachable in plaintext; firewall it so that only
the tunnel can reach it, or clients can simply bypass the encryption.
For debugging you can start stunnel in the foreground, at debug level 7,
with the following syntax:
# /usr/local/sbin/stunnel -r ldap -d 636 \
-D 7 -f -p /usr/local/ssl/certs/stunnel.pem
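The server side of the procedure above, as an added example that is not part of the original article or of the stunnel project: it generates a self signed certificate with a 2048-bit key and 2048-bit DH parameters instead of the 512-bit parameters shown above, writes the stunnel 4+ configuration that corresponds to the stunnel 3 command line, and checks the listener with openssl s_client. The certificate path, host name, ports and the nobody/nogroup account are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example, not part of the original article: stronger self-signed
# certificate for stunnel, the stunnel 4+ configuration equivalent to
#   stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem
# and a check of the resulting LDAPS listener. Paths, host name and ports
# are assumptions.

CERT_DIR=${CERT_DIR:-/usr/local/ssl/certs}
CERT=$CERT_DIR/stunnel.pem
LDAP_HOST=${LDAP_HOST:-ldapserver.yourorg.com}   # name the clients will connect to

# Self-signed certificate with a 2048-bit RSA key and 2048-bit DH parameters.
# The key is left unencrypted (-nodes) so stunnel can start unattended, so the
# file is created with restrictive permissions. Runs in a subshell so the umask
# does not leak into the caller.
make_selfsigned_cert() (
    umask 077
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$LDAP_HOST" -keyout "$CERT.key" -out "$CERT.crt"
    # stunnel expects key, certificate and DH parameters in one PEM file
    cat "$CERT.key" "$CERT.crt" > "$CERT"
    openssl dhparam 2048 >> "$CERT"
    rm -f "$CERT.key" "$CERT.crt"
    chmod 600 "$CERT"
)

# stunnel 4+ configuration: one [ldaps] service that accepts SSL on $2 and
# hands the decrypted stream to the plaintext slapd at $3.
# $1 = certificate file, $2 = LDAPS port, $3 = slapd host:port
stunnel_server_conf() {
    cat <<EOF
cert = $1
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel-ldaps.pid
options = NO_SSLv2
options = NO_SSLv3

[ldaps]
accept = $2
connect = $3
EOF
}

# Handshake with the tunnel the way an LDAPS client would and print the
# subject and validity of the certificate it presents. $1 = host:port
check_ldaps() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -dates
}

case "${1:-}" in
    cert)  make_selfsigned_cert ;;
    conf)  stunnel_server_conf "$CERT" 636 127.0.0.1:389 ;;   # > /etc/stunnel/ldaps.conf
    check) check_ldaps "${2:-localhost:636}" ;;
    *)     ;;   # no argument: only define the functions
esac
```

Run it with `cert` once, redirect the output of `conf` to the configuration file stunnel reads, and use `check` after starting stunnel; connecting to 127.0.0.1:389 keeps the plaintext hop on the loopback interface.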
How to use stunnel to provide SSL to LDAP clients
Many LDAP clients are not SSL aware; nevertheless, using stunnel in client
mode, it is possible to provide SSL for these clients too.
This is quite simple. Start stunnel on the client host, listening on the
LDAPS port, and forward the connections it receives to the actual LDAP server:
# stunnel -c -d 636 -r ldapserver.yourorg.com:636
Now the LDAP clients must be configured to use localhost, port 636, as a
plain LDAP server: the client talks unencrypted LDAP to the local stunnel,
which encrypts it on the way to the real server.
Two caveats. First, -d 636 listens on every interface, so bind the local end
to the loopback address (-d 127.0.0.1:636) or other hosts can use your tunnel.
Second, by default stunnel in client mode does not verify the server's
certificate, so a man in the middle presenting any certificate can terminate
the tunnel and read the traffic; enable certificate verification against your
CA (the -v option in stunnel 3.x, verify = 2 with CAfile in stunnel 4 and
later).
How to use stunnel to provide SSL for slurpd replication
At the moment slurpd (the slapd replication daemon) has no SSL capabilities;
nevertheless you can use stunnel in client mode to do this job.
Running stunnel in client mode on the master, forward a local port to the
LDAPS port of the replica (where a stunnel in server mode, set up as above,
forwards to the replica's slapd):
# stunnel -c -d 9636 -r ldapreplica.yourorg.com:636
and, on the master LDAP server, point the replica directive in slapd.conf at
the local end of the tunnel, keeping the binddn, bindmethod and credentials
parameters it normally carries:
replica host=localhost:9636
The same caveats as for clients apply: bind the local port to the loopback
address and make stunnel verify the replica's certificate, since the
replication stream carries the replicator's bind credentials and every
directory update.
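The two client mode set-ups above (local LDAP clients and slurpd replication), as one added example that is not part of the original article or of the stunnel project. It emits a stunnel 4+ configuration in which both tunnels bind only to 127.0.0.1 and require a server certificate signed by the local CA, which the plain "stunnel -c" commands above do not do, and it includes a smoke test through a tunnel with ldapsearch. Host names, ports, the CA file path and the nobody/nogroup account are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: stunnel in client mode,
# stunnel 4+ configuration syntax, for (a) LDAP clients on this host that are
# not SSL aware and (b) slurpd replication from the master to a remote LDAPS
# replica. Host names, ports and the CA file path are assumptions.

CA_FILE=${CA_FILE:-/usr/local/ssl/certs/ca.pem}   # CA that signed the LDAP servers' certificates

# One client-mode service. Accepting on 127.0.0.1 keeps other hosts from
# relaying through the tunnel; verify = 2 makes stunnel drop the connection
# unless the server certificate chains to CA_FILE, which is what defeats a
# man in the middle. $1 = service name, $2 = local plaintext port,
# $3 = remote LDAPS host:port
stunnel_client_service() {
    cat <<EOF

[$1]
client = yes
accept = 127.0.0.1:$2
connect = $3
verify = 2
CAfile = $CA_FILE
EOF
}

# Full configuration: global options once, then the two tunnels.
stunnel_client_conf() {
    cat <<EOF
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel-client.pid
options = NO_SSLv2
options = NO_SSLv3
EOF
    # non-SSL LDAP clients on this host use localhost:636 as a plain LDAP server
    stunnel_client_service ldaps-client 636 ldapserver.yourorg.com:636
    # slurpd on the master uses "replica host=localhost:9636" in slapd.conf
    stunnel_client_service ldaps-replica 9636 ldapreplica.yourorg.com:636
}

# Smoke test through a tunnel: an anonymous root DSE read over plain LDAP to
# the local end. It only succeeds if stunnel accepted the remote certificate.
# Uses OpenLDAP 2.x ldapsearch syntax (drop -x for 1.2.x). $1 = local port
check_tunnel() {
    ldapsearch -x -h 127.0.0.1 -p "$1" -b '' -s base '(objectClass=*)' namingContexts
}

case "${1:-}" in
    conf)  stunnel_client_conf ;;          # > /etc/stunnel/ldap-client.conf
    check) check_tunnel "${2:-636}" ;;
    *)     ;;                              # no argument: only define the functions
esac
```

If the replica's certificate is self signed, CAfile must point at that certificate itself; with verify = 2 and a wrong or missing CA file stunnel refuses every connection, which is the intended failure mode.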