10. SSL/TLS and SSL/TLS wrappers for LDAP

10.1. A Brief description of SSL

The Secure Socket Layer (SSL) is an application layer protocol that provides a secure transmission channel between parties. It stands between TCP/IP and application level protocols, such as HTTP, LDAP, SMTP etc... It is based on public key cryptography systems (various ciphers can be used) and on X.509 certificates.

SSL was initially a Netscape protocol, then it has gone trough a standardization process and now is called TLS (Transmission Layer Security). It is commonly referred as SSL/TLS.

The SSL/TLS protocol provides:

10.2. SSL/TLS availability for OpenLDAP

Since OpenLDAP 2.0.x, that is an LDAP V3 toolkit, SSL/TLS is provided by the server. OpenLDAP 2.0.x needs to be compiled using the OpenSSL library to add SSL/TLS. It also has Start-TLS support.

Note: Start-TLS allows to enable TLS if the client requests it. This way it is possible to use only an LDAP port for both secure and insecure connections.

OpenLDAP 1.2.x, instead, is an LDAP V2 protocol implementation and does not provide SSL/TLS.

Valuable information on SSL/TLS on OpenLDAP 2.0.x can be found on the OpenLDAP web site, here we will focus how to use an SSL tunnel to secure LDAP parties that are not SSL/TLS aware

10.3. How to use stunnel to provide SSL/TLS to an LDAP V2 server

If you use OpenLDAP 1.2.x you need a general purpose SSL wrapper to add SSL capabilities to the server. Stunnel (www.stunnel.org) has been found to be stable and suitable for this application.

Installing it is quite simple, but first you have to install OpenSSL (www.OpenSSL.org) to have the required library and tools.

OpenSSL, is an open source implementation of the SSL protocol that provides the SSL library and a set of cryptography tools.

To install OpenSSL you have to type the following commands:

$ ./config
$ make
$ make test
# make install

usually, everything will be installed in /usr/local/ssl.

If OpenSSL is correctly installed the only command needed to compile and install stunnel are:

$ ./configure
$ make
# make install

Stunnel uses a server certificate for SSL, this can be a self signed certificate, or, better, a certificate signed by your own Certification Authority (the SSL client has to trust the CA too).

A commonly used place used to store such certificate is:

/usr/local/ssl/certs/stunnel.pem

If having a Certification Authority is not a concern, a self signed certificate can be produced using the tools provided by the OpenSSL suite.

In the stunnel directory (to use the configuration file stunnel.cnf) type the following commands:

$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf \
            -out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 >> stunnel.pem

This will produce a self signed certificate, valid for a year, in the file stunnel.pem.

Once stunnel is installed, you can start up first the LDAP server on port 389 (the default LDAP port):

#/usr/local/libexec/slapd

Then stunnel on port 636 (the port used by LDAPS client):

# /usr/local/sbin/stunnel  -r ldap  -d 636 \
 -p /usr/local/ssl/certs/stunnel.pem

For debugging you can start stunnel in foreground with the following syntax:

# /usr/local/sbin/stunnel  -r ldap  -d 636 \
 -D 7 -f -p /usr/local/ssl/certs/stunnel.pem

10.4. How to use stunnel to provide SSL to LDAP clients

Many LDAP client are not SSL aware, anyway, it is possible using stunnel in client mode, to provide SSL to these clients.

This is quite simple. You can start stunnel on the client host, using the LDAPS port, and forward requests to this port to the actual LDAP server:

# stunnel -c -d 636 -r  ldapserver.yourorg.com:636

Now LDAP clients must be configured using localhost:636 as the LDAPS server to use.

10.5. How to use stunnel to provide SSL for slurpd replication

At the moment slurpd (slapd replication daemon) hasn't SSL capabilities, anyway you can use stunnel in client mode to have this job done.

Using stunnel in client mode on the master, you can forward a local port to a remote port:

# stunnel -c -d 9636 -r  ldapreplica.yourorg.com:636

and have on the master LDAP server in slapd.conf

replica host=localhost:9636