The Secure Sockets Layer (SSL) is a protocol that provides a secure transmission channel between two parties. It sits between TCP/IP and application-level protocols such as HTTP, LDAP and SMTP. It is based on public key cryptography (various ciphers can be negotiated) and on X.509 certificates.
SSL was originally a Netscape protocol; it then went through an IETF standardization process and is now called TLS (Transport Layer Security). It is commonly referred to as SSL/TLS.
The SSL/TLS protocol provides:
Data encryption: Client/server session is encrypted
Server authentication: Client can verify the server identity
Message integrity: data cannot be modified in transit without being detected. Together with server authentication, this is what defeats "man in the middle" attacks: an attacker who can read or alter the traffic still cannot pass as a server whose certificate the client has verified.
Client authentication: Server can verify the client identity
Since OpenLDAP 2.0.x, which is an LDAP v3 toolkit, SSL/TLS is provided by the server itself. OpenLDAP 2.0.x must be compiled against the OpenSSL library to get SSL/TLS support. It also supports StartTLS.
Note: StartTLS lets a client upgrade an already established plaintext LDAP connection to TLS on request. This way a single LDAP port can serve both secure and insecure connections. The flip side is that a client which never asks for TLS simply talks in the clear, so the server must be configured to refuse sensitive operations (binds in particular) on connections that have not negotiated TLS.
OpenLDAP 1.2.x, on the other hand, implements LDAP v2 and does not provide SSL/TLS.
Valuable information on SSL/TLS in OpenLDAP 2.0.x can be found on the OpenLDAP web site; here we focus on how to use an SSL tunnel to secure LDAP parties that are not SSL/TLS aware.
If you use OpenLDAP 1.2.x you need a general-purpose SSL wrapper to add SSL capabilities to the server. Stunnel (www.stunnel.org) has been found to be stable and suitable for this purpose.
Installing it is quite simple, but first you have to install OpenSSL (www.OpenSSL.org) to get the required library and tools.
OpenSSL is an open source implementation of the SSL/TLS protocols that provides the SSL library and a set of cryptographic tools.
To install OpenSSL, type the following commands (the last one as root):
$ ./config
$ make
$ make test
# make install
Usually everything is installed under /usr/local/ssl.
If OpenSSL is correctly installed, the only commands needed to compile and install stunnel are:
$ ./configure
$ make
# make install
Stunnel uses a server certificate for SSL. This can be a self-signed certificate or, better, a certificate signed by your own Certification Authority (the SSL client then has to trust that CA, and in exchange it is able to verify whom it is talking to).
A commonly used place to store this certificate is:
/usr/local/ssl/certs/stunnel.pem
The file holds the private key as well as the certificate, so it must be readable only by the user stunnel runs as.
If running a Certification Authority is not a concern, a self-signed certificate can be produced with the tools of the OpenSSL suite.
In the stunnel source directory (so that the configuration file stunnel.cnf is used), type the following commands:
$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf \
    -out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 >> stunnel.pem
This produces a self-signed certificate, valid for a year, in the file stunnel.pem. The -nodes option leaves the private key unencrypted, which is what an unattended daemon needs; that is why the file permissions matter. The 512-bit Diffie-Hellman parameters appended by the second command were usual when this was written but are far too weak today: generate at least 2048-bit parameters (in current OpenSSL releases gendh has been replaced by the dhparam command).
Once stunnel is installed, first start the LDAP server on port 389 (the default LDAP port):
# /usr/local/libexec/slapd
Then start stunnel on port 636 (the port used by LDAPS clients):
# /usr/local/sbin/stunnel -r ldap -d 636 \
    -p /usr/local/ssl/certs/stunnel.pem
Stunnel accepts SSL connections on 636 and forwards the decrypted traffic to the local ldap service (port 389, looked up in /etc/services). Since slapd still listens in the clear on 389, make sure that port is not reachable from outside the host, otherwise the tunnel is easily bypassed. The command-line syntax shown here is that of stunnel 3.x; stunnel 4 and later read the same settings from a configuration file.
For debugging you can start stunnel in the foreground (-f) with the debug level set to its maximum (-D 7):
# /usr/local/sbin/stunnel -r ldap -d 636 \
    -D 7 -f -p /usr/local/ssl/certs/stunnel.pem
Many LDAP clients are not SSL aware either. Stunnel in client mode can provide SSL for them as well.
This is quite simple. Start stunnel on the client host listening on a local port, and have it forward whatever arrives there, over SSL, to the LDAPS port of the actual LDAP server:
# stunnel -c -d 636 -r ldapserver.yourorg.com:636
LDAP clients on that host are then configured to talk plain LDAP (not LDAPS) to localhost port 636: the hop between the client and the local stunnel is in the clear, and it is stunnel that encrypts the traffic on its way to the server. Two things to check: bind the local listener to the loopback address (-d 127.0.0.1:636) so that the plaintext port is not exposed to the network, and turn on certificate verification (in stunnel 3.x, -v 2 together with -A pointing at your CA's certificate file). By default a client-mode stunnel accepts any server certificate, so without verification the tunnel encrypts the traffic but gives no protection against a man in the middle.
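The article recommends a certificate signed by your own Certification Authority and, on the client side, a stunnel that actually verifies it. The script below is an added example, not code from the article, from stunnel or from OpenLDAP: it creates a private CA, issues a server certificate for the LDAP host with a subjectAltName, assembles the combined key+certificate file that stunnel loads with -p, and then checks the result offline the way a verifying client would (chain against the CA, plus hostname match). The hostname ldapserver.yourorg.com, the organisation name YourOrg and the scratch directory $WORK are assumptions; in production the CA key stays off the LDAP host.

```shell
#!/bin/sh
# Added example, not part of the original article or of stunnel/OpenLDAP: build a private
# Certification Authority, issue a server certificate for the LDAP host, assemble the
# combined key+certificate PEM that stunnel loads with -p, and then check the result the
# way a client-side stunnel with -v 2 -A ca.crt would (chain), plus the hostname check.
# Assumptions (hypothetical): the server's DNS name is ldapserver.yourorg.com and all
# files go under a scratch directory $WORK; in production the CA key stays off the LDAP host.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LDAP_HOST="${LDAP_HOST:-ldapserver.yourorg.com}"

# make_ca: 2048-bit RSA key and a self-signed CA certificate with explicit CA extensions,
# so the result does not depend on whatever openssl.cnf happens to be installed.
make_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = YourOrg
CN = YourOrg LDAP CA
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORK/ca.key" \
        -config "$WORK/ca.cnf" -out "$WORK/ca.crt" 2>/dev/null
}

# make_server_cert: key and CSR for the LDAP host, signed by the CA with serverAuth usage
# and a subjectAltName (clients that check hostnames look at the SAN, not at the CN).
make_server_cert() {
    cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = YourOrg
CN = $LDAP_HOST
EOF
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LDAP_HOST
EOF
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -config "$WORK/server.cnf" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
    # stunnel -p wants the unencrypted key and the certificate in one file; the key is
    # in the clear (like the article's -nodes), so only the stunnel user may read it.
    cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/stunnel.pem"
    chmod 600 "$WORK/stunnel.pem"
}

# verify_server_cert HOST: chain check against our CA plus hostname match. Exit status 0
# only if both hold; this is the check a client must perform to defeat a man in the middle.
verify_server_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# cert_san: the DNS name(s) actually present in the issued certificate
cert_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -o 'DNS:[^, ]*'
}

make_ca
make_server_cert
verify_server_cert "$LDAP_HOST" && \
    echo "stunnel.pem ready in $WORK, chain and hostname OK for $LDAP_HOST"
```

Copy the resulting stunnel.pem to /usr/local/ssl/certs/stunnel.pem on the LDAP server and distribute only ca.crt to the hosts that run stunnel in client mode; there it is the file to hand to -A, with -v 2, so that a server presenting a certificate not issued by this CA is rejected. The hostname check done here with -verify_hostname is not something a stunnel 3.x client performs, which is one more reason to keep the CA private and to issue certificates only for the hosts you actually run.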
At the moment slurpd (the slapd replication daemon) has no SSL capabilities; stunnel in client mode can do this job as well.
With stunnel in client mode on the master you can forward a local port to the remote LDAPS port of the replica (which, like the master, needs a server-mode stunnel on 636 in front of its slapd):
# stunnel -c -d 9636 -r ldapreplica.yourorg.com:636
and then, in slapd.conf on the master, point the replica definition at the local end of the tunnel:
replica host=localhost:9636
The same two precautions as for any client-mode tunnel apply here: bind the local port to the loopback address and have stunnel verify the replica's certificate, since the replication stream carries the directory's data and the credentials slurpd binds with.