Configure and enable TLS for OpenLDAP
First give the slapd process (user openldap) read access to the certificate and key files. The certbot layout under /etc/letsencrypt/live/<your-domain>/ consists of symlinks into /etc/letsencrypt/archive/, so the ownership change has to be applied recursively to the whole tree, not just to live/:
Shell Command
- useradd letsencrypt
- chown openldap:letsencrypt /etc/letsencrypt/ -R
- usermod -a -G letsencrypt openldap
Note that this makes openldap the owner of the entire /etc/letsencrypt tree, private keys included, so a compromised slapd could overwrite the keys and renewal configuration. A tighter variant keeps root as the owner, sets only the group to letsencrypt and grants the group read access; the group membership added by the usermod line is what matters for slapd.
Make sure that slapd listens on the ldaps:// port (636) in addition to ldap:// and the local ldapi:// Unix socket. The ldapi:// socket is also what the ldapmodify step below uses:
File: /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Create a new file with the following contents:
File: /root/add_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/<your-domain>/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/<your-domain>/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/<your-domain>/privkey.pem
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
Each change to the entry is separated by a line containing only "-". The values are worth understanding before you copy them: olcTLSCipherSuite: NORMAL is a GnuTLS priority string (Debian and Ubuntu build OpenLDAP against GnuTLS; an OpenSSL build expects an OpenSSL cipher list instead). olcTLSProtocolMin uses the SSL/TLS version numbering, so 3.3 means TLS 1.2 is the lowest version accepted (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3). olcTLSVerifyClient: never means the server does not ask clients for certificates, which is what you want for plain server-side TLS. fullchain.pem contains the server certificate plus the Let's Encrypt intermediate, cert.pem only the server certificate.
Apply the changes to your OpenLDAP with the following command. The EXTERNAL SASL mechanism over ldapi:/// authenticates with the peer credentials of the Unix socket, so run it as root; that is the gidNumber=0+uidNumber=0,cn=peercred identity that shows up as modifiersName in the generated configuration below:
Shell Command
- cd ~
- ldapmodify -Y EXTERNAL -H ldapi:/// -f add_ssl.ldif
Finally, check that the settings have been written to the generated configuration. The output of the following command should look like this (the XXX values are specific to your installation):
Shell Command
- cat /etc/ldap/slapd.d/cn\=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 XXXXXX
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
creatorsName: cn=config
createTimestamp: XXXXXXXXXXXXXXXXXXXXX
olcTLSCipherSuite: NORMAL
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSCACertificateFile: /etc/letsencrypt/live/<your-domain>/fullchain.pem
olcTLSCertificateFile: /etc/letsencrypt/live/<your-domain>/cert.pem
olcTLSCertificateKeyFile: /etc/letsencrypt/live/<your-domain>/privkey.pem
olcTLSProtocolMin: 3.3
entryCSN: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: XXXXXXXXXXXXXXXX
If you ever need to change the paths of your certificates, use the following LDIF. It is the same file as above with every add replaced by replace (a second add of an attribute that already exists is rejected); writing it to the same path overwrites the original add_ssl.ldif, so use a different name if you want to keep both:
File: /root/add_ssl.ldif
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
replace: olcTLSCRLCheck
olcTLSCRLCheck: none
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/<your-domain>/fullchain.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/<your-domain>/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/<your-domain>/privkey.pem
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
Now restart OpenLDAP and, if it serves the same certificate, Apache2:
Shell Command
- service slapd restart
- service apache2 restart
Keep in mind that slapd reads the certificate files only when it starts (or when the TLS attributes in cn=config are modified). Let's Encrypt certificates are valid for 90 days, so after each certbot renewal the running slapd keeps serving the old certificate until it is restarted; hook the restart into the renewal (for example as a certbot deploy hook), otherwise ldaps:// connections start failing roughly three months after the first issuance.
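The whole procedure as one script, as an added example that is not part of the original page: tls_ldif generates the cn=config LDIF for a given domain either in add mode (first set-up) or replace mode (path change, or re-applying after a renewal), key_readable checks that the openldap account can really read the private key through the live/ symlink before slapd is restarted, deploy_hook ties re-apply and restart together so it can be installed as a certbot deploy hook, and check_ldaps verifies from the outside that port 636 negotiates TLS 1.2 or newer. The function names, the use of sudo in key_readable and the example domain are assumptions made here; the attribute values and paths are the ones from the page.

```shell
#!/bin/sh
# Added example, not from the original page: generate, apply and check the
# cn=config TLS settings for the certbot file layout used above.
# Usage, e.g.:  . ./openldap-tls.sh; tls_ldif ldap.example.com add > /root/add_ssl.ldif

# Print the modify-LDIF for cn=config. $1 = domain, $2 = add | replace.
tls_ldif() {
    domain=$1
    op=$2
    case $op in
        add|replace) ;;
        *) echo "tls_ldif: operation must be add or replace" >&2; return 1 ;;
    esac
    live=/etc/letsencrypt/live/$domain
    printf 'dn: cn=config\nchangetype: modify\n'
    first=1
    # One "op: attr / attr: value" block per attribute, separated by a line
    # holding only "-" (LDIF syntax for several changes to one entry).
    for pair in \
        "olcTLSCipherSuite=NORMAL" \
        "olcTLSCRLCheck=none" \
        "olcTLSVerifyClient=never" \
        "olcTLSCACertificateFile=$live/fullchain.pem" \
        "olcTLSCertificateFile=$live/cert.pem" \
        "olcTLSCertificateKeyFile=$live/privkey.pem" \
        "olcTLSProtocolMin=3.3"
    do
        attr=${pair%%=*}
        value=${pair#*=}
        if [ "$first" -eq 1 ]; then first=0; else printf '%s\n' '-'; fi
        printf '%s: %s\n%s: %s\n' "$op" "$attr" "$attr" "$value"
    done
}

# Return 0 if account $2 can read the private key of domain $1. The live/
# entry is a symlink into /etc/letsencrypt/archive/, so this only passes if
# the recursive ownership change from the page covered the whole tree.
# Assumes sudo is available (assumption of this example).
key_readable() {
    sudo -u "$2" test -r "/etc/letsencrypt/live/$1/privkey.pem"
}

# Re-apply the TLS attributes and restart slapd so a renewed certificate is
# picked up (slapd reads the files only at start-up). Intended to be called
# as root from a certbot deploy hook with the domain as argument.
deploy_hook() {
    domain=$1
    key_readable "$domain" openldap || {
        echo "openldap cannot read the private key for $domain" >&2
        return 1
    }
    tls_ldif "$domain" replace | ldapmodify -Q -Y EXTERNAL -H ldapi:/// \
        && service slapd restart
}

# External check: ldaps:// on port 636 must complete a handshake and the
# negotiated protocol must be TLS 1.2 or 1.3 (olcTLSProtocolMin: 3.3).
# $1 = domain; the server must be reachable over the network.
check_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | grep -q '^ *Protocol *: TLSv1\.[23]'
}
```

Run tls_ldif with add on a fresh server and pipe it into ldapmodify exactly as on the page; for a renewal, install a small wrapper that calls deploy_hook under /etc/letsencrypt/renewal-hooks/deploy/ so the restart happens automatically. check_ldaps is the test to run afterwards from another host, since a misconfigured key path or unreadable file shows up only as a failed handshake on port 636.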