Securing openldap-servers with SSL/TLS on RHEL7
Securing openldap-servers (openldap-servers-2.4.44-5.el7), which uses NSS
This article is part of the Securing Applications Collection
Configuration File
/etc/openldap/slapd.d/cn=config.ldif
This file should be modified via ldapmodify under the base cn=config if the server is running.
Short form
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "rhel7-64.example.com"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSProtocolMin: 3.3
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
olcTLSDHParamFile: /etc/openldap/certs/slapd.dh.params
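The article says cn=config must be changed with ldapmodify while slapd is running but does not show the modification. The script below is an added example, not the article's own code: it builds that LDIF from the short-form values, applies it over the ldapi socket, and audits an ldapsearch dump of cn=config for a protocol minimum below TLSv1.2. It assumes root maps to the cn=config rootdn via SASL EXTERNAL on ldapi:/// (the RHEL7 default) and reuses the article's paths and nickname.

```shell
#!/bin/sh
# Added example, not code from the original article: build the LDIF that applies the
# short-form TLS settings above to cn=config, apply it with ldapmodify over ldapi:///,
# and audit an ldapsearch dump of cn=config for a weak olcTLSProtocolMin. Assumes root
# maps to the cn=config rootdn via SASL EXTERNAL on ldapi:/// (the RHEL7 default).

# Emit a modify LDIF for cn=config. $1 = olcTLSProtocolMin (e.g. 3.3), $2 = cipher
# string, $3 = the olcTLSCertificateFile value (the article quotes the NSS nickname).
build_tls_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/certs
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $3
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/password
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: $1
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: $2
-
replace: olcTLSDHParamFile
olcTLSDHParamFile: /etc/openldap/certs/slapd.dh.params
EOF
}

# Apply the LDIF to the running server as root (SASL EXTERNAL, no password prompt).
apply_tls_ldif() {
    build_tls_ldif "$@" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Audit: read an ldapsearch dump of cn=config on stdin; succeed only when
# olcTLSProtocolMin is 3.3 (TLSv1.2) or higher. A missing attribute counts as weak.
audit_protocol_min() {
    found=$(sed -n 's/^olcTLSProtocolMin: *//p' | head -n 1)
    [ -n "$found" ] || return 1
    case $found in *.*) ;; *) found="$found.0" ;; esac
    major=${found%%.*}; minor=${found#*.}
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 3 ]; }; then
        return 0
    fi
    return 1
}
```

To audit a live server, pipe the output of ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcTLSProtocolMin into audit_protocol_min and check its exit status.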
Protocols
olcTLSProtocolMin: 3.3
Support TLSv1.2 or better
Protocol - Alternative Values
olcTLSProtocolMin: 3.1
TLSv1.0 or better
olcTLSProtocolMin: 3.0
Allow old clients, SSLv3 or better
Ciphers
Cipher strings for openldap/NSS need to follow a specific format as documented in the Cipher Strings with openldap / NSS article.
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL
Strongest available ciphers only
Ciphers - Alternative Values
olcTLSCipherSuite: EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
Strongest ciphers only
olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Allow very old clients
Certificate Handling
The OpenLDAP server on RHEL7 uses NSS, with the certificates held in a set of .db files.
# ls -l /etc/openldap/certs/
total 100
-rw-r--r--. 1 root root 65536 Jun 8 16:56 cert8.db
-rw-r--r--. 1 root root 16384 Jun 8 16:56 key3.db
-rw-r-----. 1 root ldap 9 Jun 8 16:56 password
-rw-r--r--. 1 root root 16384 Jun 8 16:56 secmod.db
# certutil -L -d /etc/openldap/certs/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rhel7-64.example.com                                         u,u,u
Certificate Authority                                        CT,C,C
Signing Cert                                                 CT,C,C
The configuration uses olcTLSCACertificatePath to define the directory holding the NSS certificate database, olcTLSCertificateFile to name the server certificate by its nickname in that database, and olcTLSCertificateKeyFile to name the file holding the password that unlocks the key material. The password file contains only the password.
# cat /etc/openldap/certs/password
password
DH Parameters
olcTLSDHParamFile: /etc/openldap/certs/slapd.dh.params
Use of stronger ciphers can be enabled by ensuring there is a Diffie-Hellman parameter file available.
This file should be renewed on a periodic (weekly) basis:
openssl dhparam -out /etc/openldap/certs/slapd.dh.params.tmp 1024
mv /etc/openldap/certs/slapd.dh.params.tmp /etc/openldap/certs/slapd.dh.params