From 0760564a729088c8ca696082e01927aedcf3b5c9 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 19 May 2005 00:54:42 +0000 Subject: Fixed formatting. (This used to be commit 4ea4e60ef4e61e4e6df673d8b6f91647b988f2c5) --- docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml | 584 ++++++++++----------- 1 file changed, 284 insertions(+), 300 deletions(-) diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml b/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml index 86e2845037..2fa4423d37 100644 --- a/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml +++ b/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml 
@@ -1,130 +1,104 @@ - Transport Layer Security - - Introduction - - - Transport Layer Seccurity, TLS - Introduction - - Up until now, we have discussed the straight forward configuration of - OpenLDAP, with some advanced features such as - . This does not however, deal with the - fact that the network transmissions are still in plain text. This is - where Transport Layer Security (TLS) comes in. - - - OpenLDAP clients and servers are capable of - using the Transport Layer Security (TLS) framework to provide - integrity and confidentiality protections in accordance with - - RFC2830; - Lightweight Directory Access Protocol (v3): Extension - for Transport Layer Security - - - TLS uses X.509 certificates. All servers are required to have valid - certificates, whereas client certificates are optional. We will only - be discussing server certificates. - - - The DN of a server certificate must use the CN attribute to name the - server, and the CN must carry the server's fully qualified domain name - (FQDN). Additional alias names and wildcards may be present in the - certificate extension. More details on - server certificate names are in - RFC2830. - - - - +Transport Layer Security + + +Introduction + + + Transport Layer Seccurity, TLSIntroduction + Up until now, we have discussed the straight forward configuration of OpenLDAP, + with some advanced features such as ACLs. This does not however, deal with the fact that the network + transmissions are still in plain text. This is where Transport Layer Security (TLS) + comes in. + + + + OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) + framework to provide integrity and confidentiality protections in accordance with - RFC2830; Lightweight Directory Access Protocol (v3): + Extension for Transport Layer Security. + + + + TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates + are optional. 
We will only be discussing server certificates. + + + + The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the + server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the + certificate extension. More details on server certificate names are in RFC2830. + + + We will discuss this more in the next sections. - - - - - Configuring - - - Transport Layer Seccurity, TLS - Configuring - + + + + + + Configuring + + + Transport Layer Seccurity, TLSConfiguring Now on to the good bit. - - - + + + Generating the Certificate Authority - - In order to create the relevant certificates, we need to become our own - Certificate Authority (CA). - - - We could however, get our generated server certificate signed by proper CAs, - like Thawte and - VeriSign, which you pay for, - or the free ones, via CAcert - - - This is necessary, so we can sign the server certificate. - - - We will be using the OpenSSL - - - The downside to making our own CA, is that the certificate is not automatically - recognised by clients, like the commercial ones are. - - - software for this, which is included with every great - Linux distribution. - - - TLS is used for many types of servers, but the instructions - - - For information straight from the horses mouth, please visit - - - ttp://www.openssl.org/docs/HOWTO/; the main OpenSSL site. - - - presented here, are tailored for &OL;. - - - The Common Name (CN), if the following example, - MUST be the fully qualified domain name (fqdn) - of your ldap server. - - - + + + In order to create the relevant certificates, we need to become our own Certificate Authority (CA). + We could however, get our generated server certificate signed by proper CAs, like Thawte and VeriSign, which + you pay for, or the free ones, via CAcert + This is necessary, so we can sign the server certificate. 
+ + + + We will be using the OpenSSL The downside to + making our own CA, is that the certificate is not automatically recognised by clients, like the commercial + ones are. software for this, which is included with every great Linux distribution. + + + + TLS is used for many types of servers, but the instructionsFor information straight from the + horses mouth, please visit - http://www.openssl.org/docs/HOWTO/; the main OpenSSL + site. presented here, are tailored for &OL;. + + + + The Common Name (CN), if the following example, MUST be + the fully qualified domain name (fqdn) of your ldap server. + + - First we need to generate the CA: - - -[ghenry@suretec ldap-docs]$ mkdir myCA - - - Move into that directory: - - -[ghenry@suretec ldap-docs]$ cd myCA - - - Now generate the CA: - - - Your CA.pl or CA.sh might - not be in the same location as mine is, you can find it by using the - locate command, i.e. locate CA.pl. - If the command complains about the database being too old, run - updatedb as root to update it. - - - - -[ghenry@suretec myCA]$ /usr/share/ssl/misc/CA.pl -newca + First we need to generate the CA: + + +&rootprompt; mkdir myCA + + + Move into that directory: + + +&rootprompt; cd myCA + + + Now generate the CA:Your CA.pl or CA.sh might not be + in the same location as mine is, you can find it by using the locate command, i.e. + locate CA.pl. If the command complains about the database being too old, run + updatedb as root to update it. + + +&rootprompt; /usr/share/ssl/misc/CA.pl -newca CA certificate filename (or enter to create) - + Making CA certificate ... Generating a 1024 bit RSA private key .......................++++++ 
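Review bot: the "Seccurity" typo survives this reformatting in every indexterm the hunk touches ("Transport Layer Seccurity, TLSIntroduction", "Transport Layer Seccurity, TLSConfiguring"), and "The Common Name (CN), if the following example, MUST be" should read "in the following example". Since the commit is a formatting pass, this is the moment to fix both. Two smaller points in the same region: the footnote about self-signed CAs not being recognised by clients is now spliced into the middle of the sentence "We will be using the OpenSSL ... software for this", which reads oddly once rendered, so move it to the end of the sentence; and the captured output "Generating a 1024 bit RSA private key" is just the CA.pl default of the day. The text should say so and show how to pick a larger modulus for the CA key (for example `openssl req -newkey rsa:2048`), because a CA key is the root of trust for every server certificate this chapter issues.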
@@ -140,42 +114,47 @@ There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- -Country Name (2 letter code) [AU]:GB -State or Province Name (full name) [Some-State]:Aberdeenshire -Locality Name (eg, city) []:Aberdeen -Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suretec Systems Ltd. +Country Name (2 letter code) [AU]:AU +State or Province Name (full name) [Some-State]:NSW +Locality Name (eg, city) []:Sydney +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas Organizational Unit Name (eg, section) []:IT -Common Name (eg, YOUR name) []:ldap.suretecsystems.com -Email Address []:support@suretecsystems.com - - +Common Name (eg, YOUR name) []:ldap.abmas.biz +Email Address []:support@abmas.biz + + + - Now, there are some things to note here. - - - - You MUST remember the password, as we will need - it to sign the server certificate.. - - - - - The Common Name (CN), MUST be the - fully qualified domain name (fqdn) of your ldap server. - - - + Now, there are some things to note here. - - + + + + You MUST remember the password, as we will need + it to sign the server certificate.. + + + + + + The Common Name (CN), MUST be the + fully qualified domain name (fqdn) of your ldap server. + + + + + + + Generating the Server Certificate + - Now we need to generate the server certificate: - - -[ghenry@suretec myCA]$ openssl req -new -nodes -keyout newreq.pem -out newreq.pem + Now we need to generate the server certificate: + + +&rootprompt; openssl req -new -nodes -keyout newreq.pem -out newreq.pem Generating a 1024 bit RSA private key .............++++++ ........................................................++++++ 
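Review bot: the note "You MUST remember the password, as we will need it to sign the server certificate.." has a doubled full stop, and it understates what the pass phrase is for. It is the passphrase on the CA private key, which the `CA.pl -sign` output in the next section shows as `./demoCA/private/cakey.pem`; anyone who obtains that file and the pass phrase can mint server certificates that every client configured with `TLS_CACERT /etc/openldap/cacert.pem` will trust. Suggest wording such as "You MUST remember this pass phrase: it protects the CA private key (demoCA/private/cakey.pem), and the directory it lives in should be readable by root only." The example values (AU/NSW/Sydney/Abmas/ldap.abmas.biz) are consistent with the Abmas domain used elsewhere in the HOWTO, so that part of the edit is fine.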
@@ -188,72 +167,76 @@ There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- -Country Name (2 letter code) [AU]:GB -State or Province Name (full name) [Some-State]:Aberdeenshire -Locality Name (eg, city) []:Aberdeen -Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suretec Systems Ltd. +Country Name (2 letter code) [AU]:AU +State or Province Name (full name) [Some-State]:NSW +Locality Name (eg, city) []:Sydney +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas Organizational Unit Name (eg, section) []:IT -Common Name (eg, YOUR name) []:ldap.suretecsystems.com -Email Address []:support@suretecsystems.com - +Common Name (eg, YOUR name) []:ldap.abmas.biz +Email Address []:support@abmas.biz + Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: - - + + + - Again, there are some things to note here. - - - - You should NOT enter a password. - - - - - The Common Name (CN), MUST be - the fully qualified domain name (fqdn) of your ldap server. - - - + Again, there are some things to note here. + + + + + You should NOT enter a password. + + + + + + The Common Name (CN), MUST be + the fully qualified domain name (fqdn) of your ldap server. 
+ + + + - Now, we sign the certificate with the new CA: - - -[ghenry@suretec myCA]$ /usr/share/ssl/misc/CA.pl -sign + Now, we sign the certificate with the new CA: + + +&rootprompt; /usr/share/ssl/misc/CA.pl -sign Using configuration from /etc/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: - Serial Number: 1 (0x1) - Validity - Not Before: Mar 6 18:22:26 2005 GMT - Not After : Mar 6 18:22:26 2006 GMT - Subject: - countryName = GB - stateOrProvinceName = Aberdeenshire - localityName = Aberdeen - organizationName = Suretec Systems Ltd. - organizationalUnitName = IT - commonName = ldap.suretecsystems.com - emailAddress = support@suretecsystems.com - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE - X509v3 Authority Key Identifier: - keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC - DirName:/C=GB/ST=Aberdeenshire/L=Aberdeen/O=Suretec Systems Ltd./OU=IT/CN=ldap.suretecsystems.com/emailAddress=support@suretecsystems.com - serial:00 - -Certificate is to be certified until Mar 6 18:22:26 2006 GMT (365 days) +Serial Number: 1 (0x1) +Validity + Not Before: Mar 6 18:22:26 2005 EDT + Not After : Mar 6 18:22:26 2006 EDT +Subject: + countryName = AU + stateOrProvinceName = NSW + localityName = Sydney + organizationName = Abmas + organizationalUnitName = IT + commonName = ldap.abmas.biz + emailAddress = support@abmas.biz +X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE + X509v3 Authority Key Identifier: + keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC + 
DirName:/C=AU/ST=NSW/L=Sydney/O=Abmas/OU=IT/CN=ldap.abmas.biz/emailAddress=support@abmas.biz + serial:00 + +Certificate is to be certified until Mar 6 18:22:26 2006 EDT (365 days) Sign the certificate? [y/n]:y 
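Review bot: the signing output in this hunk was edited by hand rather than regenerated, and two of the edits are wrong. The validity lines were changed from "Mar 6 18:22:26 2005 GMT" to "Mar 6 18:22:26 2005 EDT", but OpenSSL always prints certificate validity in GMT, and EDT is a US timezone that makes no sense for a Sydney example; keep GMT. The Subject was changed to Abmas, yet the "X509v3 Subject Key Identifier" and "X509v3 Authority Key Identifier keyid" values are the same hex strings as in the removed Suretec output; those identifiers are derived from the public keys, so a genuine Abmas run would produce different values. Re-run `CA.pl -sign` and paste the real output, or at least strip the identifiers rather than show impossible ones. Separately, the instruction "You should NOT enter a password" deserves one sentence of justification: `openssl req -new -nodes` writes the server private key unencrypted so that slapd can start unattended, and because `-keyout newreq.pem -out newreq.pem` put the key and the CSR in the same file, the file later copied to serverkey.pem contains the private key, which is why the chmod 600 in the next section matters.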
@@ -261,89 +244,90 @@ Sign the certificate? [y/n]:y Write out database with 1 new entries Data Base Updated Signed certificate is in newcert.pem - - + + + - That completes the server certificate generation. + That completes the server certificate generation. - - + + + + Installing the Certificates + - Now we need to copy the certificates to the right configuration directories, - rename them at the same time for convenience, change the ownership and - finally the permissions: - - -[ghenry@suretec myCA]$ cp demoCA/cacert.pem /etc/openldap/ -[ghenry@suretec myCA]$ cp newcert.pem /etc/openldap/servercrt.pem -[ghenry@suretec myCA]$ cp newreq.pem /etc/openldap/serverkey.pem -[ghenry@suretec myCA]$ chown ldap.ldap /etc/openldap/*.pem -[ghenry@suretec myCA]$ chmod 640 /etc/openldap/cacert.pem; chmod 600 /etc/openldap/serverkey.pem - - - - - Now we just need to add these locations to slapd.conf, - anywhere before the declaration and ldap.conf: + Now we need to copy the certificates to the right configuration directories, + rename them at the same time for convenience, change the ownership and + finally the permissions: + + +&rootprompt; cp demoCA/cacert.pem /etc/openldap/ +&rootprompt; cp newcert.pem /etc/openldap/servercrt.pem +&rootprompt; cp newreq.pem /etc/openldap/serverkey.pem +&rootprompt; chown ldap.ldap /etc/openldap/*.pem +&rootprompt; chmod 640 /etc/openldap/cacert.pem; chmod 600 /etc/openldap/serverkey.pem + + + - slapd.conf - - + Now we just need to add these locations to slapd.conf, + anywhere before the declaration as shown here: + + TLSCertificateFile /etc/openldap/servercrt.pem TLSCertificateKeyFile /etc/openldap/serverkey.pem TLSCACertificateFile /etc/openldap/cacert.pem - - + + + - ldap.conf - - + Here is the declaration and ldap.conf: +ldap.conf + + TLS_CACERT /etc/openldap/cacert.pem - - + + + - That's all there is to it. Now on to + That's all there is to it. 
Now on to - - - - - Testing - - - Transport Layer Seccurity, TLS - Testing - - This is the easy part. Restart the server: - - -[ghenry@suretec myCA]$ /etc/init.d/ldap restart + + + + + + +Testing + + +Transport Layer Seccurity, TLSTesting +This is the easy part. Restart the server: + + +&rootprompt; /etc/init.d/ldap restart Stopping slapd: [ OK ] Checking configuration files for slapd: config file testing succeeded Starting slapd: [ OK ] - - - Then, using ldapsearch, test an anonymous search with the - - - See man ldapsearch: - - - option: - - -[ghenry@suretec myCA]$ ldapsearch -x -b "dc=ldap,dc=suretecsystems,dc=com" -H 'ldap://ldap.suretecsystems.com:389' -ZZ - - + + + Then, using ldapsearch, test an anonymous search with the + See man ldapsearch option: + + +&rootprompt; ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" -H 'ldap://ldap.abmas.biz:389' -ZZ + + Your results should be the same as before you restarted the server, for example: - - -[ghenry@suretec myCA]$ ldapsearch -x -b "dc=ldap,dc=suretecsystems,dc=com" -H 'ldap://ldap.suretecsystems.com:389' -ZZ + + +&rootprompt; ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \ + -H 'ldap://ldap.abmas.biz:389' -ZZ # extended LDIF # 
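Review bot: the permission step in this hunk is incomplete and does not match the Troubleshooting text. It runs `chmod 640 /etc/openldap/cacert.pem; chmod 600 /etc/openldap/serverkey.pem` but never sets a mode on servercrt.pem, while Troubleshooting later says servercrt.pem and cacert.pem "should be set with chmod 640". Either add `chmod 640 /etc/openldap/servercrt.pem` here or change the later text; note that cacert.pem and servercrt.pem are public material, so 640 is not a security requirement, whereas 600 on serverkey.pem (the only file holding a private key) is the check that actually matters. The surrounding prose was also damaged by the split: "anywhere before the declaration as shown here:" and "Here is the declaration and ldap.conf:" no longer say which declaration is meant. The removed text said the three TLS* lines go before the database declaration in slapd.conf and TLS_CACERT goes in ldap.conf, so restore that: "add these lines to slapd.conf, anywhere before the database declaration:" followed by "and add the CA certificate to the client-side ldap.conf:". Finally, the Testing part shows the same `ldapsearch ... -ZZ` command twice, once without output and once with; drop the first copy and state explicitly that `-ZZ` makes ldapsearch fail rather than fall back if StartTLS cannot be negotiated, which is what makes this a useful test.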
@@ -353,54 +337,54 @@ Starting slapd: [ OK ] # requesting: ALL # -# suretecsystems.com -dn: dc=ldap,dc=suretecsystems,dc=com +# abmas.biz +dn: dc=ldap,dc=abmas,dc=biz objectClass: dcObject objectClass: organization -o: Suretec Systems Ltd. -dc: suretecsystems +o: Abmas +dc: abmas -# Manager, ldap.suretecsystems.com -dn: cn=Manager,dc=ldap,dc=suretecsystems,dc=com +# Manager, ldap.abmas.biz +dn: cn=Manager,dc=ldap,dc=abmas,dc=biz objectClass: organizationalRole cn: Manager -# SURETEC, suretecsystems.com -dn: sambaDomainName=SURETEC,dc=ldap,dc=suretecsystems,dc=com -sambaDomainName: SURETEC +# ABMAS, abmas.biz +dn: sambaDomainName=ABMAS,dc=ldap,dc=abmas,dc=biz +sambaDomainName: ABMAS sambaSID: S-1-5-21-238355452-1056757430-1592208922 sambaAlgorithmicRidBase: 1000 objectClass: sambaDomain sambaNextUserRid: 67109862 sambaNextGroupRid: 67109863 - - + + If you have any problems, please read - - - - - Troubleshooting - - - Transport Layer Seccurity, TLS - Troubleshooting - - The most common error when configuring TLS, as I have already mentioned - numerous times, is that the Common Name (CN) you entered - in is NOT - the Full Qualified Domain Name (FQDN) of your ldap server. - - Other errors could be that you have a typo somewhere in your - ldapsearch command, or that your have the wrong - permissions on the servercrt.pem and - cacert.pem files. They should be set with - chmod 640, as per . - - - For anything else, it's best to read through your ldap logfile or - join the &OL; mailing list. - - + + + + + +Troubleshooting + + +Transport Layer Seccurity, TLSTroubleshooting +The most common error when configuring TLS, as I have already mentioned numerous times, is that the +Common Name (CN) you entered in is +NOT the Full Qualified Domain Name (FQDN) of your ldap server. + + + +Other errors could be that you have a typo somewhere in your ldapsearch command, or that +your have the wrong permissions on the servercrt.pem and cacert.pem +files. 
They should be set with chmod 640, as per . + + + +For anything else, it's best to read through your ldap logfile or join the &OL; mailing list. + + + -- cgit
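Review bot: the sample LDIF in this hunk cannot have come from a working directory: the entry "dn: dc=ldap,dc=abmas,dc=biz" carries "dc: abmas", but its RDN is dc=ldap, and slapd rejects an entry whose naming attribute value is absent from the entry (a naming violation), so the attribute must be "dc: ldap". The removed Suretec output had the same defect ("dc: suretecsystems" under dc=ldap,dc=suretecsystems,dc=com), so this is a chance to correct it. In the Troubleshooting paragraph, "Seccurity" in the indexterm, "Full Qualified Domain Name" (should be "Fully Qualified") and "that your have the wrong permissions" (should be "you have") all survived the reformatting and should be fixed in the same commit. The permission advice there ("servercrt.pem and cacert.pem ... should be set with chmod 640") also conflicts with the Installing section, which gives serverkey.pem mode 600 and sets nothing on servercrt.pem; the troubleshooting hint a reader needs is that slapd, running as the ldap user, must be able to read all three files and that serverkey.pem must not be readable by anyone else.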