OpenLDAP with Let's Encrypt
After obtaining the Let's Encrypt certificates, the following steps can be used to set up an OpenLDAP server that can be reached over ldaps.
The certificates need to be readable by the ldap user.
rm /etc/openldap/certs/*
cp -L /etc/letsencrypt/live/example.org/* /etc/openldap/certs/
chown -Rc ldap:ldap /etc/openldap/certs
Place the following in a .ldif file (the slapadd command below assumes it is called config.ldif); each entry must be separated from the next by a blank line:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
olcTLSCACertificateFile: /etc/openldap/certs/chain.pem
olcTLSCACertificatePath: /etc/ssl/cert
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2:-SSLv3

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/nis.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=org
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcDbDirectory: /var/lib/openldap/openldap-data
olcDbIndex: objectClass eq
Make sure the OpenLDAP service is not running and load the initial configuration:
systemctl stop slapd
slapadd -n 0 -F /etc/openldap/slapd.d -l config.ldif
chown -Rc ldap:ldap /etc/openldap/slapd.d
systemctl start slapd
Assuming no firewall sits in the way, the server can now be reached over ldaps:
ldapsearch -x -H ldaps://example.org -b cn=Subschema -s base '(objectClass=subschema)' objectClasses
From this point on the root user can execute normal ldap commands like ldapadd and ldapmodify from the host like so:
ldapadd -H ldapi:/// -Y EXTERNAL -f addition.ldif
ldapmodify -H ldapi:/// -Y EXTERNAL -f modification.ldif
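The files copied into /etc/openldap/certs in the first step are static copies, so they go stale when certbot renews the certificate (Let's Encrypt certificates are valid for 90 days) and slapd keeps serving the old one. The following certbot deploy hook is an added example, not part of the original page: it repeats the copy, checks that cert.pem and privkey.pem actually belong together before touching the running service, and then restarts slapd. It assumes certbot exports RENEWED_LINEAGE to deploy hooks and that the paths match those used above.

```shell
#!/bin/sh
# Added example: certbot deploy hook (e.g. placed in
# /etc/letsencrypt/renewal-hooks/deploy/) that refreshes the static copies of the
# Let's Encrypt files used by slapd. Assumes certbot sets RENEWED_LINEAGE and
# that the directories are the ones used on this page.
set -eu

LDAP_CERT_DIR="${LDAP_CERT_DIR:-/etc/openldap/certs}"

# Copy cert.pem, privkey.pem and chain.pem from the lineage directory ($1) into
# the OpenLDAP cert directory ($2), dereferencing certbot's symlinks (cp -L) and
# keeping the private key readable by its owner only. Returns 1 before copying
# anything if a file is missing, so the directory is never half-updated.
deploy_ldap_certs() {
  lineage="$1"
  dest="$2"
  for f in cert.pem privkey.pem chain.pem; do
    [ -f "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
  done
  mkdir -p "$dest"
  for f in cert.pem privkey.pem chain.pem; do
    cp -L "$lineage/$f" "$dest/$f"
  done
  chmod 0644 "$dest/cert.pem" "$dest/chain.pem"
  chmod 0600 "$dest/privkey.pem"
}

# Compare the public key embedded in the certificate ($1) with the public key
# derived from the private key ($2). slapd fails TLS setup on a mismatch, so
# the hook refuses to restart the service in that case.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Only act when invoked by certbot; sourcing the file for testing does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_ldap_certs "$RENEWED_LINEAGE" "$LDAP_CERT_DIR"
  chown -R ldap:ldap "$LDAP_CERT_DIR"
  cert_matches_key "$LDAP_CERT_DIR/cert.pem" "$LDAP_CERT_DIR/privkey.pem" \
    || { echo "cert.pem and privkey.pem do not match, not restarting slapd" >&2; exit 1; }
  systemctl restart slapd
fi
```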