
#yum install openssl

Generate a self-signed certificate. The command below writes the private key and the certificate into the same server.pem file, so restrict that file so that only the account slapd runs as can read it; note also that it requests a 1024-bit RSA key, which is below the 2048-bit minimum generally recommended today.

#cd /etc/ssl/certs
#openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

#vi /etc/openldap/slapd.conf
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ssl/certs/server.pem
TLSCertificateFile /etc/ssl/certs/server.pem
TLSCertificateKeyFile /etc/ssl/certs/server.pem

NOTE: 

The TLSCipherSuite directive allows all ciphers using greater than 128-bit encryption (HIGH) and all ciphers with 128-bit encryption (MEDIUM), and disables all SSL version 2.0 ciphers (-SSLv2). SSLv2 is cryptographically broken and its use is not recommended; if you really need it (e.g. for incompatibilities with old clients) change -SSLv2 to +SSLv2, but keep in mind that current OpenSSL releases no longer include SSLv2 at all.
#vi ssl.ldif
# the three paths below must point at the file created above
# (this example uses /etc/ldap/ssl rather than /etc/ssl/certs)
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.pem
#ldapmodify -x -D cn=admin,cn=config -W -f ssl.ldif


(or, with slapd stopped; editing the generated cn=config.ldif by hand bypasses the configuration database and is generally discouraged)

#vi /etc/openldap/slapd.d/cn\=config.ldif

olcTLSCACertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateKeyFile: /etc/ssl/certs/server.pem

The start-up parameters are in the /etc/default/slapd configuration file. Listening on 127.0.0.1 only accepts connections from the server itself; for the client configuration below, which connects to 192.168.31.50, slapd must listen on that address (or on all interfaces) instead.

#vi /etc/default/slapd
SLAPD_SERVICES="ldaps://127.0.0.1/"

#service slapd restart


Client side configuration to authenticate against the OpenLDAP server. `TLS_REQCERT allow` (and `tls_reqcert allow` below) makes the client accept the server certificate even when it cannot be verified, which gives no protection against a spoofed server; once the CA certificate is in place, use `demand` (the default) instead. `TLS_CACERTDIR` is searched by hash-named file, so run c_rehash on the directory or point TLS_CACERTFILE at the certificate directly. Note also that the nslcd and pam_ldap settings below use `ssl start_tls`, which needs a plain ldap:// listener that the SLAPD_SERVICES line above does not enable.

#vi /etc/openldap/ldap.conf

URI ldaps://192.168.31.50/
BASE dc=bhuvana,dc=com
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT allow

# vi /etc/nslcd.conf

tls_cacertdir /etc/ssl/certs
ssl start_tls
tls_reqcert allow

#vi /etc/pam_ldap.conf

tls_cacertdir /etc/ssl/certs
# 'md5' sends an unsalted MD5 hash computed on the client; 'exop' lets the server hash with its own configured scheme
pam_password md5
ssl start_tls
tls_reqcert allow

 

# vi /etc/pam.d/system-auth
# add like follows
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# add if needed (creates the home directory automatically when it does not exist)
session optional pam_mkhomedir.so skel=/etc/skel umask=077

 

#vi /etc/nsswitch.conf

passwd:files ldap
shadow:files ldap
group:files ldap
netgroup:ldap
automount: files ldap

 

#vi /etc/sysconfig/authconfig
USELDAP=yes

 

 

Test the SSL/TLS connection to the OpenLDAP server (the certificate shown should be the server.pem created above).

#openssl s_client -connect 192.168.31.50:636 -showcerts


 

#service nslcd restart

#chkconfig nslcd on

#shutdown -r now
http://www.sathish.com login: bhuvana
Password:

j