Securing openldap-servers with SSL/TLS on RHEL5
Securing openldap-servers (openldap-servers-2.3.43-28.el5_10) that uses openssl
This article is part of the Securing Applications Collection
Configuration File
/etc/openldap/slapd.conf
shortform
TLSCACertificateFile /etc/pki/tls/certs/slapd.int.pem
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/private/slapd.key
TLSCipherSuite kDH:AES
TLSDHParamFile /etc/pki/tls/private/slapd.dh.params
Protocols
There is no control over the protocol level used; clients can use SSLv3 or TLSv1.0.
Ciphers
TLSCipherSuite kDH:AES
Strongest available ciphers only
Certificate Handling
The OpenLDAP server expects separate PEM-format files for the key and the certificate, and a third for the CA chain.
Key File
TLSCertificateKeyFile /etc/pki/tls/private/slapd.key
The key should be readable only by the user ldap.
Certificate File
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
This is just the server certificate
Certificate Authority Chain
TLSCACertificateFile /etc/pki/tls/certs/slapd.int.pem
Intermediate and Root certificates for the TLSCertificateFile
DH Parameters
TLSDHParamFile /etc/pki/tls/private/slapd.dh.params
Use of stronger ciphers can be enabled by ensuring there is a Diffie-Hellman parameter file available.
This file should be renewed on a periodic (weekly) basis:
openssl dhparam -out /etc/pki/tls/private/slapd.dh.params.tmp 1024
mv /etc/pki/tls/private/slapd.dh.params.tmp /etc/pki/tls/private/slapd.dh.params
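The key-permission rule and the weekly DH renewal above, as an added shell example that is not part of the Red Hat article: the function names, the audit rules and the PEM header sanity check are this example's own assumptions; the directives, paths and the 1024-bit size are the article's.

```shell
#!/bin/sh
# Added example (not from the article): audit the TLS files named in
# slapd.conf and renew the DH parameter file atomically.
set -eu

# Print the value of a slapd.conf directive such as TLSCertificateKeyFile.
tls_directive() {  # $1=slapd.conf  $2=directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeed only if FILE exists, is owned by OWNER and has no group/other
# bits (mode 0400 or 0600): readable only by the ldap user, as required.
check_private_file() {  # $1=file  $2=expected owner
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Install a freshly generated DH parameter file: sanity-check the PEM header
# (assumed check), set owner and mode, then mv it into place so slapd never
# reads a half-written file.
install_dhparams() {  # $1=new file  $2=destination  $3=owner
    head -n 1 "$1" | grep -q '^-----BEGIN DH PARAMETERS-----$' || return 1
    chown "$3" "$1" && chmod 600 "$1" && mv "$1" "$2"
}

# Weekly renewal: generate 1024-bit parameters as the article does, then
# install them through the atomic path above.
renew_dhparams() {  # $1=destination  $2=owner
    openssl dhparam -out "$1.tmp" 1024 && install_dhparams "$1.tmp" "$1" "$2"
}

# Audit the key and DH parameter files that slapd.conf points at; returns
# non-zero on the first problem found.
audit_slapd_tls() {  # $1=slapd.conf  $2=ldap user
    key=$(tls_directive "$1" TLSCertificateKeyFile)
    dh=$(tls_directive "$1" TLSDHParamFile)
    [ -n "$key" ] && check_private_file "$key" "$2" \
        || { echo "key file not private: $key" >&2; return 1; }
    [ -n "$dh" ] && [ -f "$dh" ] \
        || { echo "DH parameter file missing: $dh" >&2; return 1; }
}

# On the server (article's paths, ldap user):
#   audit_slapd_tls /etc/openldap/slapd.conf ldap
#   renew_dhparams /etc/pki/tls/private/slapd.dh.params ldap
```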