Securing LDAP through TLS
Research links: http://www.sun.com/blueprints/0602/816-5203-10.pdf
The first step, or prerequisite, is to have a Certificate Authority (CA) that can issue and sign certificates. You can buy certificates from a commercial CA or create your own self-signed CA; a self-signed CA can be created by several methods.
WARNING: To prevent man-in-the-middle attacks, an LDAP client must compare the server hostname it used to open the connection with the server identity presented in the server's certificate. Therefore, when creating the server certificate, set its Common Name to the server's fully qualified domain name (FQDN). If the certificate carries a subjectAltName extension with a dNSName entry, a client uses that entry in preference to the Common Name, so it must be the FQDN as well. (See Section 3.6 of RFC 2830, "Server Identity Check"; RFC 4513 Section 3.1.3 carries the same requirement.)
NOTE: The OpenVPN+CA Webmin module does not make it clear that its "Key Name" field IS the certificate's Common Name field. The English language file (./lang/en) can be modified on a site-by-site basis to clarify this (note dated 2007-06-05).
21. Edit the slapd.conf and ldap.conf files to add the appropriate TLS options.

slapd.conf (server side) parameters:

    # OpenSSL cipher string; see the caveat below
    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    # CA certificate used to verify client certificates
    TLSCACertificateFile /etc/certs/ca.crt
    # Server certificate (CN = server FQDN) and its private key
    TLSCertificateFile /etc/certs/ldap.example.lan.crt
    TLSCertificateKeyFile /etc/certs/ldap.example.lan.key
    # Diffie-Hellman parameters for the DHE cipher suites
    TLSDHParamFile /etc/certs/dh2048.pem
    # Alternative to TLSCACertificateFile: a hashed directory of CA certificates
    #TLSCACertificatePath /etc/certs/
    # Enable to check client certificates against the CA's CRL
    #TLSCRLCheck all

ldap.conf (client side, PADL nss_ldap) parameters; these are the OpenLDAP ldap.conf(5) TLS options:

    # CA certificate (or hashed directory) used to verify the server certificate
    TLS_CACERT /etc/certs/ca.crt
    TLS_CACERTDIR /etc/certs
    # Client certificate and key, only needed if the server requests client certificates
    TLS_CERT /etc/certs/ldap.gwiinc.lan.crt
    TLS_KEY /etc/certs/ldap.gwiinc.lan.key
    TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
    # What to do when the server certificate does not verify; see the caveat below
    TLS_REQCERT allow
    #TLS_REQCERT try
    # CRL checking of the server certificate
    TLS_CRLCHECK none
    #TLS_CRLCHECK all

Two caveats on the values above. In an OpenSSL cipher string a leading "+" only moves the matching ciphers to the end of the list; it does not remove them, and only "!" does. A string such as HIGH:!aNULL:!MD5 is a safer starting point than HIGH:MEDIUM:+SSLv2. Second, per ldap.conf(5), TLS_REQCERT allow means that a server certificate which fails verification is ignored and the session proceeds, which defeats the hostname check in the WARNING above; use TLS_REQCERT demand (the default) once the CA certificate is in place so the client refuses servers it cannot verify.
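The prerequisite steps above (a self-signed CA, a server certificate whose Common Name is the FQDN) and the server identity check from the WARNING, as an added shell example that is not part of the original page. It uses only the openssl command line, which is assumed to be present (version 1.1.1 or later); the CA name "Example Lab CA", the FQDN ldap.example.lan and the file names are made up for the demonstration. The final check is the same one an LDAP client with TLS_REQCERT demand performs: chain to the CA, then match the name it connected to against the certificate's subjectAltName or CN.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a self-signed CA, issues a
# server certificate with CN and dNSName subjectAltName equal to the LDAP
# server's FQDN, and runs the RFC 2830 section 3.6 server identity check.
# Assumptions: openssl CLI on PATH; all names and paths below are made up.
set -eu

# make_ca DIR: create DIR/ca.key and DIR/ca.crt (self-signed, CA:TRUE).
# A private config is used so the result does not depend on the system
# openssl.cnf and its default extension sections.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt"
}

# issue_server_cert DIR FQDN: create DIR/server.key and DIR/server.crt signed
# by the CA in DIR. Both the CN and the dNSName subjectAltName are FQDN, so a
# client that prefers the SAN and one that falls back to the CN agree.
issue_server_cert() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' \
        "$2" > "$1/server.cnf"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$2" > "$1/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/server.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr"
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/server.crt"
}

# cert_identity DIR: print the subject and the DNS names of DIR/server.crt,
# i.e. the identities a client will compare against the hostname it used.
cert_identity() {
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253
    openssl x509 -in "$1/server.crt" -noout -text | grep -o 'DNS:[^, ]*'
}

# check_server_cert DIR FQDN: succeed only if DIR/server.crt chains to
# DIR/ca.crt AND its identity matches FQDN. A name mismatch fails here even
# though the signature is valid, which is exactly the MITM case the WARNING
# describes.
check_server_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" \
        >/dev/null 2>&1
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_ca "$work" 2>/dev/null
issue_server_cert "$work" ldap.example.lan 2>/dev/null
cert_identity "$work"
if check_server_cert "$work" ldap.example.lan; then
    echo "ldap.example.lan: chains to CA and name matches (client would proceed)"
fi
if ! check_server_cert "$work" wrong.example.lan; then
    echo "wrong.example.lan: name mismatch (client with TLS_REQCERT demand would abort)"
fi
rm -rf "$work"
```

Copy the resulting ca.crt, server.crt and server.key into the paths named by TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile on the server, and ca.crt into TLS_CACERT on each client; the dh2048.pem referenced in slapd.conf is generated separately with openssl dhparam, which is slow and therefore left out of the script.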
