OpenLDAP with TLS - rlaich/avctrec GitHub Wiki

Environment:

OS: CentOS 7 (64bit) Eng. (Server with GUI)
OpenLDAP: 2.4.44
OpenSSL: 1.1.1b (tgz)
VMWare: workstation 9.0
OpenLDAP: 2.4.47(tgz) for TLS 1.3 support

OpenLDAP with TLS 1.3 support

Install OpenSSL (tgz)
Create CA key/certificates, server key/certificates
Install OpenLDAP (tgz)
Setup slapd.conf file
Import LDAP tree
Setup service and firewall
Test LDAP connection

Install OpenSSL 1.1.1b

Prepare tools

sudo yum install libtool perl-core zlib-devel -y

Download package and install

cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz
tar -zxf openssl-1.1.1b.tar.gz
cd openssl-1.1.1b
./config --api=0.9.8 enable-ssl-trace enable-weak-ssl-ciphers
make
make test
make install

Setup default openssl and test (remove exists link if need)

mv /usr/bin/openssl /root/
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so
openssl version

Create CA key/certificates, server key/certificates (After OpenLDAP installed)

Create CA key and certificate

cd /usr/local/etc/openldap/certs
openssl genrsa -des3 -out rootca.key 2048
openssl req -new -key rootca.key -out rootca.req  
openssl x509 -req -days 7305 -sha256 -extfile /usr/local/ssl/openssl.cnf -extensions v3_ca -signkey rootca.key -in 
rootca.req -out rootca.crt 
openssl x509 -in rootca.crt -outform der -out rootca.der

Create Server key and certificate (wildcard) (Contunite with previous path)

openssl genrsa -out ldapskey_wildcard.pem 2048
openssl req -new -key ldapskey_wildcard.pem -out ldapscert_wildcard.csr
openssl x509 -req -days 3650 -sha256 -extfile /usr/local/ssl/openssl.cnf -extensions v3_req -CA rootca.crt -CAkey rootca.key -CAserial rootca.srl -CAcreateserial -in ldapscert_wildcard.csr -out ldapscert_wildcard.pem

Create Server key and certificate (FQDN) (Contunite with previous path)
```
openssl genrsa -out ldapskey_fqdn.pem 2048
openssl req -new -key ldapskey_fqdn.pem -out ldapscert_fqdn.csr
openssl x509 -req -days 3650 -sha256 -extfile /usr/local/ssl/openssl.cnf -extensions v3_req -CA rootca.crt -CAkey rootca.key -CAserial rootca.srl -CAcreateserial -in ldapscert_fqdn.csr -out ldapscert_fqdn.pem
```
Note:
- Using sha256 to ensure security strength
- Sign ca key for 7305 days (20 years)
- CP4 need CA signed certificate and ca key(Import to BMC as trusted CA)
- Transfer key format to der for CP4 import
- When sign certificate, common name should be set correctly
  - wildcard: *.test.com
  - FQDN: openldap.test.com
- [openldapcerts]
  - Include
    - rootca.key, rootca.crt
    - ldapscert_wildcard.pem, ldapskey_wildcard.pem
    - ldapscert_fqdn.pem, ldapskey_fqdn.pem
    - slapd.conf

Install OpenLDAP 2.4.47

Download package and install

wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.47.tgz
tar -zxf openldap-2.4.47.tgz
cd openldap-2.4.47
./configure --with-tls=openssl --enable-crypt=yes --enable-ldap=yes
make depend
make
make test (optional)
make install

Check lib

ldd /usr/local/libexec/slapd

Response should be

linux-vdso.so.1 =>  (0x00007ffc07b8f000)
libdb-5.3.so => /lib64/libdb-5.3.so (0x00007f9044961000)
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f90446cf000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f90441e8000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f9043fcf000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9043db3000)
libc.so.6 => /lib64/libc.so.6 (0x00007f90439e6000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f90437e2000)
/lib64/ld-linux-x86-64.so.2 (0x00007f9044d20000)

Setup access and prepare certificate, schema then change ownership of files
```
groupadd -g 55 ldap
useradd  -g 55 -u 55 -s /sbin/nologin -d /var/lib/ldap -c "OpenLDAP server" ldap
chown ldap:ldap /usr/local/etc/openldap -R
```
- Put certificate files under /usr/local/etc/openldap/certs, for example
  - /usr/local/etc/openldap/certs/rootca.crt
  - /usr/local/etc/openldap/certs/ldapscert_wildcard.pem
  - /usr/local/etc/openldap/certs/ldapskey_wildcard.pem
- add rfc2307bis.schema
  - /usr/local/etc/openldap/schema/rfc2307bis.schema
Edit slapd.conf and run up, check the listen port
```
/usr/local/libexec/slapd -h "ldap:/// ldapi:/// ldaps:///" -d 256
netstat -tunlp
```
- slapd.conf (ref to openldapcerts)
- port 389 and 636 should display in response of netstat -tunlp

Import LDAP tree and test

ldapadd -c -Wx -D "cn=Manager,dc=imm,dc=avct,dc=com" -H ldap://127.0.0.1 -a -f /tmp/ldap_dump-opensuse_mod.ldif
ldapsearch -x uid=hurdle -b dc=imm,dc=avct,dc=com

Setup firewall

firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --reload

Test tls 1.3 by openssl command

openssl s_client -connect 192.168.1.204:636 -tls1_3

Test LDAP connection with CentOS

After set LDAP configuration in BMC, connect to bmc with LDAP user (hurdle)

Test LDAPs connection

Change CentOS server IPv4 IP to 192.168.1.204, than add record HOST(AAAA) openldap in test.com DNS server(192.168.1.203)
Set BMC DNS server to 192.168.1.203
Add LDAPs server configuration
Import rootca.der as trusted certificate by sslcfg command and enable client security in order to enable LDAPs
Login BMC with LDAP user hurdle

Below are old version:

Steps:

Install OpenLDAP (CentOS)
Export LDAP tree as ldif file from OpenSuse
Modify ldif file, than import to CentOS
Setup service and firewall
Test LDAP connection
Upgrade OpenSSL, create CA key/certificates, server key/certificates
Setup server certificate configurations and firewalls
Test LDAPs connection

Install OpenLDAP

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Enable Service

systemctl start slapd
systemctl enable slapd
netstat -tunlp | grep 389  # Check 389 port is listened

Set Manager password(secret)
```
slappasswd -h {SSHA} -s secret
```

Set base configuration by import db.ldif, here set values to match OpenSuse OpenLDAP settings.

ldapmodify -Y EXTERNAL  -H ldapi:/// -f db.ldif

olcSuffix : root/base
olcRootDN : Manager
olcRootPW : Manager password

db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=imm,dc=avct,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=imm,dc=avct,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}+s5drqMbhSIGDmyV/aipsR2QGC6cR//0

Import schemas

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/rfc2307bis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Get rfc2307bis.ldif

curl https://gist.githubusercontent.com/m4ldonado/d6616b1b86a1792a9488123320d5a0fd/raw/57c629e6f951dea836ac14476e4b6a363ce30d30/rfc2307bis.ldif > /etc/openldap/schema/rfc2307bis.ldif

Note: Usually, it recommend to import nis.ldif, but it will response error when import LDAP tree with

objectClass: posixGroup
objectClass: top
objectClass: groupOfNames

Because nis.ldif not support multi class, so I found rfc2307bis.ldif can support this configuration.

Export LDAP tree as ldif file from OpenSuse(192.168.1.203)

ldapsearch -z max -Wx -D "cn=Manager,dc=imm,dc=avct,dc=com" -b "dc=imm,dc=avct,dc=com" -H ldap://192.168.1.204 -LLL > /tmp/ldap_dump-opensuse.ldif

Modify configuration to ldif file, then import to CentOS

ldapadd -c -Wx -D "cn=Manager,dc=imm,dc=avct,dc=com" -H ldap://127.0.0.1 -a -f /tmp/ldap_dump-opensuse_mod.ldif
ldapsearch -x uid=hurdle -b dc=imm,dc=avct,dc=com    #test user hurdle has imported success

Note:

Using -z max to avoid the size limitation and the -c to go on even if the target domain already exists

Setup service and firewall

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Set rsyslog, record LDAP log in /var/log/ldap.log

echo 'local4.* /var/log/ldap.log' >> /etc/rsyslog.conf
systemctl restart rsyslog

Test LDAP connection (CP4) with CentOS

After set LDAP configuration in BMC, connect to bmc with LDAP user (hurdle)

Upgrade OpenSSL, create CA key/certificates, server key/certificates

Upgrade OpenSSL to 1.1.1b

Create CA key and certificate

cd /etc/openldap/certs
openssl genrsa -des3 -out rootca.key 2048
openssl req -new -key rootca.key -out rootca.req  
openssl x509 -req -days 7305 -sha256 -extfile /usr/local/ssl/openssl.cnf -extensions v3_ca -signkey rootca.key -in 
rootca.req -out rootca.crt 
openssl x509 -in rootca.crt -outform der -out rootca.der

Create Server key and certificate
```
openssl genrsa -out ldapskey_wildcard.pem 2048
openssl req -new -key ldapskey_wildcard.pem -out ldapscert_wildcard.csr
openssl x509 -req -days 3650 -sha256 -extfile /usr/local/ssl/openssl.cnf -extensions v3_req -CA rootca.crt -CAkey rootca.key -CAserial rootca.srl -CAcreateserial -in ldapscert_wildcard.csr -out ldapscert_wildcard.pem
```
Note:
- Using sha256 to ensure security strength
- Sign ca key for 7305 days (20 years)
- CP4 need CA signed certificate and ca key(Import to BMC as trusted CA)
- Transfer key format to der for CP4 import
- When sign certificate, common name should be set correctly
  - wildcard: *.test.com
  - FQDN: openldap.test.com
- [rootca.crt]
- [rootca.der]

Setup server certificate configurations and firewalls

Setup server certificate configurations
- Set certificate owner and privilege
```
chown -R ldap:ldap /etc/openldap/certs/*.pem
chmod 666 /etc/openldap/certs/*.*
```
- Modify certificate file and key file configuration in cn=config
```
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f key.ldif
slaptest -u            # test modified configuration is good or not
```
Note:
- [certs.ldif]
- [key.ldif]
- Modify certificate and key in once may cause configuration bad, as a result I modified them separately.

Add firewall rule

firewall-cmd --permanent --add-service=ldaps
firewall-cmd --reload

Edit support protocol> modify /etc/sysconfig/slapd
```
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
```

Restart service

systemctl restart slapd
netstat -tunlp | grep slapd              # Check 636 port is listened

Test LDAPs connection

Change CentOS server IPv4 IP to 192.168.1.204, than add record HOST(AAAA) openldap in test.com DNS server(192.168.1.203)
Set BMC DNS server to 192.168.1.203
Add LDAPs server configuration
Import rootca.der as trusted certificate by sslcfg command and enable client security in order to enable LDAPs
Login BMC with LDAP user hurdle

Enter CentOS8 rescure mode

Stop at GRUB menu
Add start option after line which start with linux

systemd.unit=rescue.target

Press Ctrl+x to start the system
Using root/rootpwd to enter OS

OpenLDAP with TLS - rlaich/avctrec GitHub Wiki

Environment:

OpenLDAP with TLS 1.3 support

Install OpenSSL 1.1.1b

Create CA key/certificates, server key/certificates (After OpenLDAP installed)

Install OpenLDAP 2.4.47

Test LDAP connection with CentOS

Test LDAPs connection

Steps:

Install OpenLDAP

Export LDAP tree as ldif file from OpenSuse(192.168.1.203)

Modify configuration to ldif file, then import to CentOS

Setup service and firewall

Test LDAP connection (CP4) with CentOS

Upgrade OpenSSL, create CA key/certificates, server key/certificates

Setup server certificate configurations and firewalls

Test LDAPs connection

Enter CentOS8 rescure mode

Reference