Securing openldap-servers with SSL/TLS on RHEL5

Updated -

Securing openldap-servers (package openldap-servers-2.3.43-28.el5_10), which is linked against OpenSSL

This article is part of the Securing Applications Collection

Configuration File

   /etc/openldap/slapd.conf

Short form

TLSCACertificateFile    /etc/pki/tls/certs/slapd.int.pem
TLSCertificateFile      /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile   /etc/pki/tls/private/slapd.key
TLSCipherSuite          kDH:AES
TLSDHParamFile          /etc/pki/tls/private/slapd.dh.params

Protocols

OpenLDAP 2.3 has no directive for restricting the protocol version (TLSProtocolMin only appeared in the 2.4 series), so the server accepts whatever version the client proposes: SSLv3 or TLSv1.0. SSLv3 is no longer considered safe, and since this release cannot refuse it server-side, make sure clients are not negotiating it.

Ciphers

    TLSCipherSuite          kDH:AES

The string is handed to OpenSSL's cipher-list parser unchanged, so it means exactly what openssl ciphers(1) says it means, not "strongest only". kDH selects suites whose key exchange uses a fixed DH key carried in the certificate (the ephemeral DH suites that the DH parameter file enables are selected by kEDH), and AES selects every suite that encrypts with AES regardless of key exchange or authentication, which includes the anonymous ADH suites unless they are excluded with !aNULL. Check what the string expands to on the server's own OpenSSL build before relying on it, and exclude anonymous suites explicitly.
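As an added check, not part of the original article, the shell functions below expand a TLSCipherSuite string with the local openssl ciphers command (slapd hands the string to OpenSSL unchanged, so this is exactly the list it will offer), count the ephemeral-DH and anonymous suites in the result, and probe a running server for one protocol version at a time to confirm the Protocols point above. The host name, port and the alternative cipher string kEDH+AES:!aNULL:@STRENGTH are assumptions of this example, not values from the article.

```shell
#!/bin/sh
# Added example, not part of the original article. Needs the openssl
# command line tool; run it on the LDAP server itself so the expansion
# reflects the OpenSSL build slapd is linked against.

# List the suites a cipher string selects, in preference order, with the
# key-exchange (Kx=) and authentication (Au=) columns that matter here.
expand_ciphers() { openssl ciphers -v "$1" 2>/dev/null; }

# Number of selected suites using ephemeral DH (Kx=DH), i.e. the suites
# that need TLSDHParamFile and give forward secrecy. Fixed-DH suites show
# as Kx=DH/RSA or Kx=DH/DSS and are deliberately not counted.
count_dhe() { expand_ciphers "$1" | grep -c 'Kx=DH '; }

# Number of selected suites with no authentication at all (anonymous DH);
# any non-zero result means a man in the middle needs no certificate.
count_anon() { expand_ciphers "$1" | grep -c 'Au=None'; }

# Ask a live server for a handshake restricted to one protocol version and
# print the cipher from the session summary. A refused version shows up as
# "0000" or no output. -ssl3 exists only if OpenSSL was built with SSLv3.
# Host and port are placeholders (assumption of this example).
probe_protocol() {
    host=$1; port=${2:-636}; proto=${3:--tls1}
    openssl s_client -connect "$host:$port" "$proto" </dev/null 2>/dev/null \
        | sed -n 's/^ *Cipher *: *//p'
}

# Compare the article's string with an explicit ephemeral-DH string that
# also rules out anonymous suites (assumed alternative, not from the article).
compare_strings() {
    for s in 'kDH:AES' 'kEDH+AES:!aNULL:@STRENGTH'; do
        printf '%s: %s suites, %s ephemeral DH, %s anonymous\n' "$s" \
            "$(expand_ciphers "$s" | wc -l | tr -d ' ')" \
            "$(count_dhe "$s")" "$(count_anon "$s")"
    done
}
```

Run compare_strings on the server and then probe_protocol ldap.example.com 636 -ssl3 against it; the first tells you what slapd will offer, the second what it actually accepted.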

Certificate Handling

slapd expects three separate PEM files: one for the private key, one for the server certificate, and one for the CA chain.

Key File

TLSCertificateKeyFile   /etc/pki/tls/private/slapd.key

The key must be owned by, and readable only by, the user slapd runs as (ldap on RHEL5; mode 0600). slapd is started without a terminal and cannot supply a passphrase, so the key is stored unencrypted and the file permissions are its only protection.

Certificate File

TLSCertificateFile      /etc/pki/tls/certs/slapd.pem

This file holds the server certificate only; intermediate certificates belong in the CA chain file.

Certificate Authority Chain

TLSCACertificateFile    /etc/pki/tls/certs/slapd.int.pem

The intermediate and root certificates that issued the TLSCertificateFile, concatenated in PEM form. OpenSSL loads this file as the trust store, so slapd uses it both to assemble the chain it presents to clients and to validate client certificates when TLSVerifyClient is enabled.

DH Parameters

TLSDHParamFile          /etc/pki/tls/private/slapd.dh.params

Ephemeral Diffie-Hellman cipher suites, which give forward secrecy, can only be negotiated when a Diffie-Hellman parameter file is configured: OpenSSL will not select such a suite unless the server has parameters to use. The parameters are not secret, but the file must be readable by the slapd user. Regenerate the file periodically (weekly), writing to a temporary name and renaming so a half-written file is never picked up, and restart slapd afterwards, since it reads the file only at start-up. The commands below generate a 1024-bit group, which is below current minimum recommendations; use 2048 in place of 1024 unless a client is known not to handle it.

openssl dhparam -out /etc/pki/tls/private/slapd.dh.params.tmp 1024
mv /etc/pki/tls/private/slapd.dh.params.tmp  /etc/pki/tls/private/slapd.dh.params
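The following shell script, added here and not part of the original article, ties the Certificate Handling and DH Parameters sections together: it checks the key's ownership and mode, that the certificate and key belong together, that the certificate verifies against the chain file, and that the DH group is large enough, and it wraps the parameter renewal in a function. The paths and the ldap owner are the article's; GNU stat (as on RHEL5) and an RSA key are assumed, and the 2048-bit threshold is an assumption of this example rather than a value from the article.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity checks for the
# four TLS files slapd.conf points at, plus a DH parameter renewal helper.
# Assumptions: GNU stat (as on RHEL5), an RSA key, and the article's paths
# and "ldap" owner as defaults. Every function takes explicit paths so it
# can also be run against staging copies elsewhere.
set -u

# The unencrypted private key: owned by the slapd user, mode 0400 or 0600.
check_key_perms() {
    key=$1; owner=${2:-ldap}
    set -- $(stat -c '%U %a' "$key" 2>/dev/null)
    [ "${1:-}" = "$owner" ] || { echo "$key: owner ${1:-?}, want $owner" >&2; return 1; }
    case ${2:-} in 400|600) return 0 ;; esac
    echo "$key: mode ${2:-?}, want 0400 or 0600" >&2; return 1
}

# TLSCertificateFile must be the certificate for TLSCertificateKeyFile:
# compare the public key embedded in each ("openssl rsa" rather than
# "openssl pkey", because the RHEL5 OpenSSL has no pkey subcommand).
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# TLSCACertificateFile must let the server certificate be built into a
# chain ending at a root. openssl verify uses the file as both the trust
# anchors and the source of intermediates, just as slapd's OpenSSL does.
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Size in bits of the group in TLSDHParamFile (empty if unreadable).
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | grep -o '[0-9]* bit' | head -1 | cut -d' ' -f1
}

# Regenerate TLSDHParamFile: write beside the target and rename, so slapd
# never sees a partial file. Default size is 2048 bits (assumption of this
# example); slapd reads the file only at start-up, so restart it afterwards.
renew_dhparams() {
    out=${1:-/etc/pki/tls/private/slapd.dh.params}; bits=${2:-2048}; owner=${3:-ldap}
    openssl dhparam -out "$out.tmp" "$bits" 2>/dev/null \
        && chown "$owner" "$out.tmp" \
        && mv "$out.tmp" "$out"
}

# Run every check against one set of paths; prints a line per failure and
# returns non-zero if anything is wrong.
check_slapd_tls() {
    key=${1:-/etc/pki/tls/private/slapd.key}
    cert=${2:-/etc/pki/tls/certs/slapd.pem}
    chain=${3:-/etc/pki/tls/certs/slapd.int.pem}
    dh=${4:-/etc/pki/tls/private/slapd.dh.params}
    owner=${5:-ldap}
    rc=0
    check_key_perms "$key" "$owner" || rc=1
    check_key_matches_cert "$cert" "$key" || { echo "$cert: does not match $key" >&2; rc=1; }
    check_chain "$chain" "$cert" || { echo "$cert: does not verify against $chain" >&2; rc=1; }
    bits=$(dh_bits "$dh")
    [ "${bits:-0}" -ge 2048 ] || { echo "$dh: ${bits:-0}-bit group, want >= 2048" >&2; rc=1; }
    return $rc
}

# With no arguments nothing runs, so the file can be sourced for its
# functions; pass key cert chain dhfile [owner] to run the full check.
if [ $# -gt 0 ]; then check_slapd_tls "$@"; fi
```

Run it as root with the article's paths after every certificate or parameter change, before restarting slapd; a non-zero exit means the restart would either fail outright or come up weaker than intended.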
