
Enkripsi TLS pada OpenLDAP

Setelah menyelesaikan Instalasi OpenLDAP dan phpLDAPadmin+SSL, koneksi ke phpLDAPadmin sudah terenkripsi (HTTPS). Langkah berikutnya adalah mengamankan koneksi ke OpenLDAP itu sendiri dengan TLS, karena tanpa itu kredensial bind dan data direktori masih dikirim dalam bentuk teks biasa melalui port 389.

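# 1. Create a private CA and a server certificate with GnuTLS certtool, then
#    install them where slapd can read them.
sudo apt install gnutls-bin ssl-cert

# certtool honours the umask; make sure the private keys written into the
# home directory are not created world-readable (applies to this shell session).
umask 077
mkdir -p ~/mnt/ldap_data/certs

# ca_server.conf — template for the self-signed CA certificate.
# expiration_days is set explicitly: without it certtool falls back to its
# default validity (365 days in current GnuTLS), so the CA would expire long
# before the ten-year server certificate it signs.
cat > ~/mnt/ldap_data/certs/ca_server.conf <<'EOF'
cn = LDAP Server CA
ca
cert_signing_key
expiration_days = 3652
EOF

# ldap_server.conf — template for the slapd server certificate.
# dns_name adds a Subject Alternative Name; clients match the host name
# against the SAN, not only the CN.
cat > ~/mnt/ldap_data/certs/ldap_server.conf <<'EOF'
organization = "PROXSIS"
cn = ldap.proxsis.com
dns_name = "ldap.proxsis.com"
tls_www_server
encryption_key
signing_key
expiration_days = 3652
EOF

# CA private key and self-signed CA certificate.
certtool -p --sec-param high --outfile ~/mnt/ldap_data/certs/ca_server.key
certtool -s --load-privkey ~/mnt/ldap_data/certs/ca_server.key \
  --template ~/mnt/ldap_data/certs/ca_server.conf \
  --outfile ~/mnt/ldap_data/certs/ca_server.pem

# Server private key and certificate; the certificate is signed with the
# CA key (--load-ca-privkey), not with the server key.
certtool -p --sec-param high --outfile ~/mnt/ldap_data/certs/ldap_server.key
certtool -c --load-privkey ~/mnt/ldap_data/certs/ldap_server.key \
  --load-ca-certificate ~/mnt/ldap_data/certs/ca_server.pem \
  --load-ca-privkey ~/mnt/ldap_data/certs/ca_server.key \
  --template ~/mnt/ldap_data/certs/ldap_server.conf \
  --outfile ~/mnt/ldap_data/certs/ldap_server.pem

# Install the files under /etc/ssl — the cn=config attributes reference
# /etc/ssl/certs and /etc/ssl/private, so this copy step cannot be skipped.
# The CA private key is deliberately NOT copied: slapd does not need it, and
# it should stay restricted (ideally offline) because it can sign further certs.
sudo cp ~/mnt/ldap_data/certs/ca_server.pem /etc/ssl/certs/
sudo cp ~/mnt/ldap_data/certs/ldap_server.pem /etc/ssl/certs/
sudo cp ~/mnt/ldap_data/certs/ldap_server.key /etc/ssl/private/

# slapd runs as the 'openldap' user; give it read access to the server key
# through the ssl-cert group only (0640) — never make the key world-readable.
sudo usermod -aG ssl-cert openldap
sudo chown :ssl-cert /etc/ssl/private/ldap_server.key
sudo chmod 640 /etc/ssl/private/ldap_server.key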
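# 2. Point slapd at the certificate files.
# addcerts.ldif — sets the TLS attributes on cn=config. 'replace' works
# whether or not the attribute already exists, so the step can be re-run.
# slapd validates the three files when the change is applied: if the key is
# not readable by the openldap user (see the chown/chmod above) the whole
# modify is rejected with "Other (e.g., implementation specific) error (80)".
mkdir -p ~/mnt/ldap_data/ldif
cat > ~/mnt/ldap_data/ldif/addcerts.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key
EOF

# Apply over the local socket with SASL EXTERNAL (root's uid is mapped to the
# cn=config rootdn). The full path is used so the command does not depend on
# the current working directory.
sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f ~/mnt/ldap_data/ldif/addcerts.ldif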
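# 3. Require TLS for every operation on the user database.
# forcetls.ldif — olcSecurity tls=1 makes slapd refuse operations on this
# database that are not protected by TLS (clients get "Confidentiality
# required (13)").
# The database DN depends on the backend: {1}hdb on older releases, {1}mdb on
# current ones. Check before applying and adjust the dn line if needed:
#   sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL "(olcDatabase=*)" dn
cat > ~/mnt/ldap_data/ldif/forcetls.ldif <<'EOF'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
EOF
sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f ~/mnt/ldap_data/ldif/forcetls.ldif

# Reload slapd so the new TLS settings take effect.
sudo service slapd force-reload

# Verify. The client must trust the private CA — add
#   TLS_CACERT /etc/ssl/certs/ca_server.pem
# to /etc/ldap/ldap.conf — and must connect using the name in the certificate
# (ldap.proxsis.com; add it to /etc/hosts if it does not resolve), otherwise
# verification fails. Adjust the base DN to your suffix.
# A plaintext query should now be refused; with -ZZ (StartTLS, mandatory) the
# same query must succeed — a plain 'ldap://' query without -ZZ would never
# show whether TLS is actually in use.
ldapsearch -H ldap://ldap.proxsis.com -x -b "dc=ldap,dc=proxsis,dc=com" -LLL dn \
  && echo "WARNING: plaintext query still accepted, olcSecurity not in effect" >&2
ldapsearch -H ldap://ldap.proxsis.com -ZZ -x -b "dc=ldap,dc=proxsis,dc=com" -LLL dn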

Rujukan: