Securing openldap-servers with SSL/TLS on RHEL7


Securing openldap-servers (openldap-servers-2.4.44-5.el7), which is built against NSS

This article is part of the Securing Applications Collection

Configuration File

   /etc/openldap/slapd.d/cn=config.ldif

Do not edit this file by hand while slapd is running: slapd owns it and rewrites it. Change the settings with ldapmodify against the cn=config base instead, using the olc* attributes below, so slapd validates the new TLS configuration and writes the file itself.

shortform

olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "rhel7-64.example.com"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSProtocolMin: 3.3
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
olcTLSDHParamFile:  /etc/openldap/certs/slapd.dh.params
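Applying the settings above through cn=config, as an added shell example (not from the original article). It uses the values from the shortform; the nickname, paths and cipher string are the article's and must match your host. It assumes root on the server and the default RHEL7 cn=config ACL that grants root access over ldapi:/// with EXTERNAL SASL. olcTLSCertificateFile carries the NSS nickname, written here as a plain LDIF value.

```sh
#!/bin/sh
# Added example: build the TLS LDIF for cn=config and apply it with ldapmodify.
# Values are those from the article; adjust the nickname and paths for your host.
CERT_NICK="rhel7-64.example.com"          # nickname in the NSS database, not a file path
CERT_DIR="/etc/openldap/certs"
CIPHERS='ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'

# Print the modify LDIF. All TLS attributes go in ONE modify operation so slapd
# validates the complete set together and applies or rejects it as a whole.
tls_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: $CERT_DIR
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CERT_NICK
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $CERT_DIR/password
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: $CIPHERS
-
replace: olcTLSDHParamFile
olcTLSDHParamFile: $CERT_DIR/slapd.dh.params
EOF
}

# Apply to the running slapd as root over the local ldapi socket. Not run by default.
apply_tls_config() {
  tls_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# Read back what slapd actually holds afterwards.
show_tls_config() {
  ldapsearch -Y EXTERNAL -H ldapi:/// -Q -LLL -b cn=config -s base '(objectClass=*)' \
    olcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile \
    olcTLSProtocolMin olcTLSCipherSuite olcTLSDHParamFile
}

# Dry run: print the LDIF. Run apply_tls_config, then show_tls_config, on the server.
tls_ldif
```

If slapd rejects the modify, the usual cause is a nickname that does not exist in the database or a password file it cannot read; nothing is changed on disk in that case, which is exactly why the attributes are sent together.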

Protocols

olcTLSProtocolMin: 3.3

Support TLSv1.2 or better. The value is the protocol version as it appears on the wire (major.minor): 3.0 is SSLv3, 3.1 TLSv1.0, 3.2 TLSv1.1 and 3.3 TLSv1.2.

Protocol - Alternative Values

olcTLSProtocolMin: 3.1

TLSv1.0 or better. This still admits TLSv1.0 and TLSv1.1, which are deprecated; use it only while clients that cannot negotiate TLSv1.2 remain.

olcTLSProtocolMin: 3.0

Allow old clients, SSLv3 or better. SSLv3 is broken (POODLE) and should not be enabled on a server reachable by untrusted clients.
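A setting is only as good as what the server actually negotiates, so verify the floor from the outside. The following is an added shell example, not part of the original article: it derives, for a given olcTLSProtocolMin, which openssl s_client handshake attempts a correctly configured server must refuse and which it must accept, then probes a live ldaps:// listener and compares. The host name and port are placeholders (636 assumes an ldaps:/// URL in SLAPD_URLS), and the check relies on the client's openssl still being built with the old protocol versions it tries.

```sh
#!/bin/sh
# Added example (not from the original article): verify from a client that the
# LDAPS listener really enforces the configured olcTLSProtocolMin.

# olcTLSProtocolMin is the record-layer version "major.minor": 3.0 SSLv3,
# 3.1 TLSv1.0, 3.2 TLSv1.1, 3.3 TLSv1.2. Turn it into a plain integer (3.3 -> 33).
vernum() { echo "$1" | tr -d '.'; }

# For a given floor, print the s_client flag for each version and whether the
# server must "accept" or "reject" a handshake at that version.
expected_results() {  # $1 = olcTLSProtocolMin value
  floor=$(vernum "$1")
  for pair in "3.0 ssl3" "3.1 tls1" "3.2 tls1_1" "3.3 tls1_2"; do
    ver=${pair% *}
    flag=${pair#* }
    if [ "$(vernum "$ver")" -lt "$floor" ]; then
      echo "$flag reject"
    else
      echo "$flag accept"
    fi
  done
}

# One handshake per version against the live server. A non-zero exit from
# s_client counts as "reject". Caveat: a client openssl built without SSLv3 (or
# without TLSv1.0/1.1) also fails those flags, so confirm with -msg if in doubt.
probe_server() {  # $1 = host, $2 = port
  for flag in ssl3 tls1 tls1_1 tls1_2; do
    if openssl s_client -connect "$1:$2" -"$flag" </dev/null >/dev/null 2>&1; then
      echo "$flag accept"
    else
      echo "$flag reject"
    fi
  done
}

# Compare expectation with observation; exit 1 on any difference.
check_floor() {  # $1 = host, $2 = port, $3 = olcTLSProtocolMin
  exp=$(expected_results "$3")
  got=$(probe_server "$1" "$2")
  if [ "$exp" = "$got" ]; then
    echo "OK: $1:$2 enforces olcTLSProtocolMin $3"
  else
    printf 'MISMATCH for olcTLSProtocolMin %s\nexpected:\n%s\nobserved:\n%s\n' "$3" "$exp" "$got"
    return 1
  fi
}

# Usage: sh check_tls_floor.sh rhel7-64.example.com 636 3.3
# With no arguments, show what a 3.3 floor must look like.
if [ $# -eq 3 ]; then
  check_floor "$1" "$2" "$3"
else
  expected_results 3.3
fi
```

A "reject" for tls1_2 means the server is unreachable or its certificate/cipher configuration is broken, not that the floor is too high; look at the full s_client output in that case.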

Ciphers

Cipher strings for openldap/NSS need to follow a specific format as documented in the Cipher Strings with openldap / NSS article.

    olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL

Strongest available ciphers only

Ciphers - Alternative Values

   olcTLSCipherSuite: EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

Strongest ciphers only

   olcTLSCipherSuite:  ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Allow very old clients. RC4 and the LOW group are broken; treat this as a temporary measure while such clients are migrated, not as a standing configuration.

Certificate Handling

On RHEL7 slapd is built against NSS, so the server certificate, its private key and the trusted CA live in an NSS database (a set of .db files) rather than in PEM files.

# ls -l /etc/openldap/certs/
total 100
-rw-r--r--. 1 root root 65536 Jun  8 16:56 cert8.db
-rw-r--r--. 1 root root 16384 Jun  8 16:56 key3.db
-rw-r-----. 1 root ldap     9 Jun  8 16:56 password
-rw-r--r--. 1 root root 16384 Jun  8 16:56 secmod.db

# certutil -L -d /etc/openldap/certs/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rhel7-64.example.com                                         u,u,u
Certificate Authority                                        CT,C,C
Signing Cert                                                 CT,C,C

The configuration uses olcTLSCACertificatePath to point at the directory holding the NSS database, olcTLSCertificateFile to name the server certificate by its nickname in that database (not by file name), and olcTLSCertificateKeyFile to name the file holding the password that unlocks the key material. The file contains nothing but the password. Since anyone who can read it together with key3.db holds the server's private key, keep it root:ldap with mode 0640 as shown.

# cat /etc/openldap/certs/password
password
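Building such a database and checking the password file, as an added shell example that is not part of the original article. The input files are placeholders: ca.pem (the CA that signed the server certificate), server.p12 (server certificate and key as PKCS#12) and p12.pass (its export password). The nickname of the imported certificate comes from the PKCS#12 friendly name (or the subject CN), so confirm it with certutil -L and use that exact string for olcTLSCertificateFile.

```sh
#!/bin/sh
# Added example (not from the original article): build the NSS database slapd
# reads on RHEL7 and verify the password file that unlocks its key material.
CERT_DIR=/etc/openldap/certs
PWFILE=$CERT_DIR/password

# Create the database (cert8.db/key3.db/secmod.db with RHEL7's NSS) protected by
# the password in $PWFILE, import the CA as trusted, then the server cert + key.
# Not run by default: it needs the placeholder input files and root on the server.
build_nss_db() {
  certutil -N -d "$CERT_DIR" -f "$PWFILE"
  certutil -A -d "$CERT_DIR" -n "Certificate Authority" -t "CT,C,C" -a -i ca.pem
  pk12util -i server.p12 -d "$CERT_DIR" -k "$PWFILE" -w p12.pass
  chown root:ldap "$PWFILE"
  chmod 0640 "$PWFILE"
  certutil -L -d "$CERT_DIR"                 # nicknames and trust flags, as in the listing above
  certutil -K -d "$CERT_DIR" -f "$PWFILE"    # confirm the private key is actually present
}

# Check the password file: non-empty, one line, no stray whitespace, expected
# owner:group, and not world-readable (the key is only as secret as this file).
check_password_file() {  # $1 = file, $2 = expected owner, $3 = expected group
  f=$1
  [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
  mode=$(stat -c '%a' "$f")
  case $mode in
    640|600) ;;
    *) echo "$f: mode $mode, expected 640 (or 600)"; return 1 ;;
  esac
  own=$(stat -c '%U:%G' "$f")
  [ "$own" = "$2:$3" ] || { echo "$f: owner $own, expected $2:$3"; return 1; }
  [ "$(wc -l < "$f")" -le 1 ] || { echo "$f: more than one line"; return 1; }
  if grep -q '[[:blank:]]' "$f"; then echo "$f: contains whitespace"; return 1; fi
  return 0
}

# Stand-alone demo on a constructed temporary copy, so this runs without slapd.
# On the server: check_password_file /etc/openldap/certs/password root ldap
demo_dir=$(mktemp -d)
printf 'password\n' > "$demo_dir/password"
chmod 0640 "$demo_dir/password"
check_password_file "$demo_dir/password" \
  "$(stat -c %U "$demo_dir/password")" "$(stat -c %G "$demo_dir/password")" \
  && echo "password file OK"
rm -rf "$demo_dir"
```

The .db files themselves can stay world-readable as in the listing above: key3.db is encrypted under the password, which is why the password file, not the database, is what must be protected.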

DH Parameters

olcTLSDHParamFile:  /etc/openldap/certs/slapd.dh.params

Ephemeral Diffie-Hellman (EDH) cipher suites can be enabled by making a Diffie-Hellman parameter file available. Note that the cipher strings shown above contain !EDH, which excludes those suites, so the parameter file only has an effect with a cipher list that allows EDH (such as the alternative values that include EDH or ALL).
This file should be renewed on a periodic (e.g. weekly) basis. Generate at least 2048-bit parameters; 1024-bit groups are no longer considered safe (Logjam), and generating 2048-bit parameters can take several minutes. Writing to a temporary file and renaming it into place avoids slapd reading a partially written file.

openssl dhparam -out /etc/openldap/certs/slapd.dh.params.tmp 2048
mv /etc/openldap/certs/slapd.dh.params.tmp  /etc/openldap/certs/slapd.dh.params
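The renewal procedure above, hardened into a script suitable for a weekly cron job, as an added shell example that is not part of the original article. It refuses sizes below 2048 bits, verifies the generated parameters with openssl dhparam -check before they go live and replaces the file atomically. The file path is the article's; the minimum and the restart note are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): regenerate slapd's DH parameters
# safely. Refuses weak sizes, checks the output before installing it and replaces
# the live file atomically so slapd never reads a half-written file.
DH_FILE=/etc/openldap/certs/slapd.dh.params

# 1024-bit groups are within reach of well-funded attackers (Logjam); 2048 is the floor.
dh_bits_ok() { [ "$1" -ge 2048 ] 2>/dev/null; }

# Report the group size recorded in an existing parameter file.
dhparam_bits() {  # $1 = file
  openssl dhparam -in "$1" -noout -text | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

renew_dhparams() {  # $1 = target file, $2 = bits (default 2048)
  target=$1
  bits=${2:-2048}
  dh_bits_ok "$bits" || { echo "refusing to generate $bits-bit DH parameters (minimum 2048)"; return 1; }
  tmp=$target.tmp
  # generating 2048-bit parameters can take minutes; that is expected
  openssl dhparam -out "$tmp" "$bits" || { rm -f "$tmp"; return 1; }
  openssl dhparam -in "$tmp" -check -noout || { rm -f "$tmp"; return 1; }
  chmod 0644 "$tmp"
  mv -f "$tmp" "$target"
  echo "installed $(dhparam_bits "$target")-bit parameters in $target"
}

# Usage: sh renew_dh.sh [bits]   (e.g. from /etc/cron.weekly). slapd reads the file
# when it initialises TLS, so restart slapd afterwards for the new parameters to be used.
if [ $# -gt 0 ]; then
  renew_dhparams "$DH_FILE" "$1"
fi
```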
