B.nana Technology

OpenLDAP with Let's Encrypt

After obtaining the Let's Encrypt certificates, the following steps can be used to set up an OpenLDAP server that can be reached over ldaps (LDAP over TLS, port 636).

The certificates need to be readable by the ldap user, and the private key should be readable by nobody else. The files under live/ are symlinks into archive/, so copy them with cp -L to dereference the links. Let's Encrypt certificates expire after 90 days, so this copy (and a restart of slapd) has to be repeated after every renewal, for example from a certbot deploy hook.

rm /etc/openldap/certs/*
cp -L /etc/letsencrypt/live/example.org/* /etc/openldap/certs/
chown -Rc ldap:ldap /etc/openldap/certs

Place the following in a file called config.ldif (adjust the suffix, the domain and the paths to your setup):

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
olcTLSCACertificateFile: /etc/openldap/certs/chain.pem
olcTLSCACertificatePath: /etc/ssl/cert
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2:-SSLv3

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/nis.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=org
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcDbDirectory: /var/lib/openldap/openldap-data
olcDbIndex: objectClass eq

Make sure the OpenLDAP service is not running and that /etc/openldap/slapd.d exists and is empty, then load the initial configuration:

systemctl stop slapd
slapadd -n 0 -F /etc/openldap/slapd.d -l config.ldif
chown -Rc ldap:ldap /etc/openldap/slapd.d
systemctl start slapd

Assuming no firewall sits in the way, and slapd is started with ldaps:/// (and ldapi:///, needed below) among its listener URLs (the -h option of slapd, usually set in the service unit or a drop-in; by default slapd listens on ldap:/// only), the server can now be reached over ldaps:

ldapsearch -x -H ldaps://example.org -b cn=Subschema -s base '(objectClass=subschema)' objectClasses

Both olcRootDN values above are the SASL EXTERNAL peer-credential identity of uid 0/gid 0, which is what a root process presents when it connects over the ldapi:/// unix socket. There is no rootpw, so from this point on the root user on the host can execute normal ldap commands like ldapadd and ldapmodify without a password, like so:

ldapadd -H ldapi:/// -Y EXTERNAL -f addition.ldif
ldapmodify -H ldapi:/// -Y EXTERNAL -f modification.ldif
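The two manual steps above (copying the Let's Encrypt files for the ldap user, and administering slapd as root over ldapi:/// with -Y EXTERNAL) are combined here into a certbot deploy hook. This is an added example and not the page's or the OpenLDAP project's code. It assumes the paths used on this page, an ldap user and group, an OpenSSL-built slapd, and certbot's RENEWED_LINEAGE variable, which certbot sets when it runs a deploy hook. The TLS settings it applies (HIGH ciphers only and olcTLSProtocolMin 3.3, which is TLS 1.2) are this editor's stricter choice, not the HIGH:MEDIUM list from the page's config.ldif.

```shell
#!/bin/sh
# Added example, not from the original page: certbot deploy hook for slapd.
# Assumptions: Arch-style paths as on the page, an "ldap" user/group,
# certbot exporting RENEWED_LINEAGE to deploy hooks, OpenSSL cipher syntax.
set -eu

LE_LIVE=/etc/letsencrypt/live/example.org   # symlinks into ../archive/
LDAP_CERTS=/etc/openldap/certs

# Copy the four files slapd may need, dereferencing the live/ symlinks
# (cp -L), and make the private key readable by the owner only.
# Args: source dir, destination dir, owner as user:group.
# Returns non-zero if any of the files is missing or empty afterwards.
install_certs() {
    src=$1; dst=$2; owner=$3
    mkdir -p "$dst"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        cp -L "$src/$f" "$dst/$f"
    done
    chown "$owner" "$dst" "$dst"/*.pem
    chmod 0755 "$dst"
    chmod 0644 "$dst"/cert.pem "$dst"/chain.pem "$dst"/fullchain.pem
    chmod 0600 "$dst"/privkey.pem
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$dst/$f" ] || return 1
    done
}

# LDIF that replaces the page's HIGH:MEDIUM cipher list with HIGH only and
# refuses anything below TLS 1.2 (olcTLSProtocolMin 3.3 means TLS 1.2).
# "replace" also works when olcTLSProtocolMin is not set yet.
tls_hardening_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:!aNULL:!eNULL:!MD5:!RC4
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF
}

# Apply the hardening as root over the unix socket. The page's olcRootDN
# (gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) is what lets
# -Y EXTERNAL authenticate here without a password.
apply_tls_hardening() {
    tls_hardening_ldif | ldapmodify -Q -H ldapi:/// -Y EXTERNAL
}

# End-to-end check from the outside: a real TLS handshake plus the base
# search the page uses. Arg: host name that matches the certificate.
check_ldaps() {
    ldapsearch -x -H "ldaps://$1" -b cn=Subschema -s base \
        '(objectClass=subschema)' objectClasses >/dev/null
}

# When certbot runs this as a deploy hook, RENEWED_LINEAGE points at the
# renewed live/ directory: reinstall the files and restart slapd so it
# loads the new key pair.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$LDAP_CERTS" ldap:ldap
    systemctl restart slapd
fi
```

Drop the script, executable, into /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it after each successful renewal. Run `apply_tls_hardening` once by hand as root (and restart slapd afterwards), then `check_ldaps example.org` from another machine: a handshake failure there usually means the chain, the listener URLs, or the file permissions, not the LDAP data.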