<HTML ><HEAD ><TITLE >SSL/TLS and SSL/TLS wrappers for LDAP</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.63 "><LINK REL="HOME" TITLE="LDAP Implementation HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="Publishing digital certificates with LDAP" HREF="certificates.html"><LINK REL="NEXT" TITLE="Ldap schema's" HREF="schemas.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >LDAP Implementation HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="certificates.html" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="schemas.html" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="SSL" >10. SSL/TLS and SSL/TLS wrappers for LDAP</A ></H1 ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN856" >10.1. A Brief description of SSL</A ></H2 ><P >The Secure Socket Layer (SSL) is a protocol that provides a secure transmission channel between two parties. It sits between TCP/IP and application level protocols such as HTTP, LDAP, SMTP etc., so an application protocol runs over it unchanged. It is based on public key cryptography (various ciphers can be used) and on X.509 certificates.</P ><P >SSL was initially a Netscape protocol; it then went through a standardization process and is now called TLS (Transport Layer Security). 
It is commonly referred to as SSL/TLS.</P ><P >The SSL/TLS protocol provides: </P ><P ></P ><UL ><LI ><P >Data encryption: the client/server session is encrypted</P ></LI ><LI ><P >Server authentication: the client can verify the server identity. This is what defeats "man in the middle" attacks, and only if the client actually checks the server certificate against a CA it trusts</P ></LI ><LI ><P >Message integrity: data modified during transmission is detected and the connection fails</P ></LI ><LI ><P >Client authentication (optional): the server can verify the client identity</P ></LI ></UL ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN870" >10.2. SSL/TLS availability for OpenLDAP</A ></H2 ><P > Since OpenLDAP 2.0.x, which is an LDAP V3 toolkit, SSL/TLS is provided by the server itself. OpenLDAP 2.0.x needs to be compiled against the OpenSSL library to add SSL/TLS. It also has Start-TLS support.</P ><DIV CLASS="NOTE" ><BLOCKQUOTE CLASS="NOTE" ><P ><B >Note: </B >Start-TLS lets a client upgrade a plain connection on the standard LDAP port to TLS when it asks for it. This way it is possible to use only one LDAP port for both secure and insecure connections; since that port still accepts plaintext, clients that must be protected have to be configured to require TLS rather than merely try it.</P ></BLOCKQUOTE ></DIV ><P >OpenLDAP 1.2.x, instead, is an LDAP V2 protocol implementation and does not provide SSL/TLS.</P ><P >Valuable information on SSL/TLS in OpenLDAP 2.0.x can be found on the OpenLDAP web site; here we will focus on how to use an SSL tunnel to secure LDAP parties that are not SSL/TLS aware.</P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN877" >10.3. How to use stunnel to provide SSL/TLS to an LDAP V2 server</A ></H2 ><P >If you use OpenLDAP 1.2.x you need a general purpose SSL wrapper to add SSL capabilities to the server. Stunnel (<A HREF="http://www.stunnel.org" TARGET="_top" >www.stunnel.org</A >) has been found to be stable and suitable for this application. </P ><P >Installing it is quite simple, but first you have to install OpenSSL (<A HREF="http://www.OpenSSL.org" TARGET="_top" >www.OpenSSL.org</A >) to have the required library and tools. 
</P ><P >OpenSSL is an open source implementation of the SSL/TLS protocols that provides the SSL library and a set of cryptography tools.</P ><P >To install OpenSSL you have to type the following commands:</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" >$ ./config
$ make
$ make test
# make install</PRE ></TD ></TR ></TABLE ></P ><P >Usually, everything will be installed in <TT CLASS="FILENAME" >/usr/local/ssl</TT >.</P ><P >If OpenSSL is correctly installed, the only commands needed to compile and install stunnel are:</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" >$ ./configure
$ make
# make install</PRE ></TD ></TR ></TABLE ></P ><P >Stunnel uses a server certificate for SSL; this can be a self signed certificate or, better, a certificate signed by your own Certification Authority (the SSL client has to trust the CA too).</P ><P >A commonly used place to store such a certificate is:</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" >/usr/local/ssl/certs/stunnel.pem</PRE ></TD ></TR ></TABLE ></P ><P >If having a Certification Authority is not a concern, a self signed certificate can be produced using the tools provided by the OpenSSL suite.</P ><P >In the stunnel directory (to use the configuration file <TT CLASS="FILENAME" >stunnel.cnf</TT >) type the following commands:</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" >$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf \
    -out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 >> stunnel.pem</PRE ></TD ></TR ></TABLE ></P ><P >This will produce a self signed certificate, valid for a year, in the file <TT CLASS="FILENAME" >stunnel.pem</TT >. When <TT CLASS="FILENAME" >openssl req</TT > asks for the Common Name, enter the host name clients will connect to, otherwise they cannot verify the certificate. Note that the same file now holds the private key, and <TT CLASS="FILENAME" >-nodes</TT > leaves that key unencrypted: keep <TT CLASS="FILENAME" >stunnel.pem</TT > readable by root only (mode 600) and hand clients a copy of the certificate block alone, never the whole file. Remember also that the certificate expires after the 365 days given. The 512-bit Diffie-Hellman parameters shown here are far too small by today's standards and are trivially breakable; on a current OpenSSL generate them with <TT CLASS="FILENAME" >openssl dhparam 2048</TT > instead.</P ><P >Once stunnel is installed, you can start up first the LDAP server on port 389 (the default LDAP port):</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD 
><PRE CLASS="PROGRAMLISTING" ># /usr/local/libexec/slapd</PRE ></TD ></TR ></TABLE ></P ><P >Then stunnel on port 636 (the port used by LDAPS clients): </P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" ># /usr/local/sbin/stunnel -r ldap -d 636 \
    -p /usr/local/ssl/certs/stunnel.pem</PRE ></TD ></TR ></TABLE ></P ><P >Here <TT CLASS="FILENAME" >-d 636</TT > is the port stunnel listens on, <TT CLASS="FILENAME" >-r ldap</TT > is the local service the decrypted traffic is forwarded to (port 389, looked up in <TT CLASS="FILENAME" >/etc/services</TT >), and <TT CLASS="FILENAME" >-p</TT > names the certificate and key file. Since slapd itself still listens in clear on port 389, block that port from the network with a firewall, or the wrapper protects nothing. This is the stunnel 3.x command line syntax; stunnel 4 and later read the equivalent <TT CLASS="FILENAME" >accept</TT >, <TT CLASS="FILENAME" >connect</TT > and <TT CLASS="FILENAME" >cert</TT > options from a configuration file instead.</P ><P >For debugging you can start <TT CLASS="FILENAME" >stunnel</TT > in the foreground with the following syntax:</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" ># /usr/local/sbin/stunnel -r ldap -d 636 \
    -D 7 -f -p /usr/local/ssl/certs/stunnel.pem</PRE ></TD ></TR ></TABLE ></P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN913" >10.4. How to use stunnel to provide SSL to LDAP clients</A ></H2 ><P >Many LDAP clients are not SSL aware; anyway, it is possible, using stunnel in client mode, to provide SSL to these clients.</P ><P >This is quite simple. You start stunnel on the client host, listening on the LDAPS port, and forward requests to this port to the actual LDAP server:</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" ># stunnel -c -d 636 -r ldapserver.yourorg.com:636</PRE ></TD ></TR ></TABLE ></P ><P >Now LDAP clients must be configured to use <TT CLASS="FILENAME" >localhost:636</TT > as their (plain) LDAP server: they talk clear LDAP to the local stunnel, which encrypts it on its way to <TT CLASS="FILENAME" >ldapserver.yourorg.com</TT >.</P ><P >Be aware that in client mode stunnel, by default, accepts whatever certificate the remote end presents. Unless you enable peer certificate verification (the <TT CLASS="FILENAME" >-v</TT > verify level together with <TT CLASS="FILENAME" >-A</TT >/<TT CLASS="FILENAME" >-a</TT > for the trusted certificates in stunnel 3.x, the <TT CLASS="FILENAME" >verify</TT > and <TT CLASS="FILENAME" >CAfile</TT > options in the stunnel 4 configuration file), anyone who can redirect the connection gets the traffic in clear, bind password included, and the tunnel only protects against passive eavesdropping.</P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN921" >10.5. 
How to use stunnel to provide SSL for slurpd replication</A ></H2 ><P >At the moment slurpd (the slapd replication daemon) has no SSL capabilities; anyway, you can use stunnel in client mode to get this job done.</P ><P >Using stunnel in client mode on the master, you can forward a local port to a remote port:</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" ># stunnel -c -d 9636 -r ldapreplica.yourorg.com:636</PRE ></TD ></TR ></TABLE ></P ><P >and have on the master LDAP server in <TT CLASS="FILENAME" >slapd.conf</TT ></P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="PROGRAMLISTING" >replica host=localhost:9636</PRE ></TD ></TR ></TABLE ></P ><P >The replica runs slapd behind a server mode stunnel on port 636 exactly as described for the master. Since this is again stunnel in client mode, enable peer certificate verification on the master: the replication bind credentials from <TT CLASS="FILENAME" >slapd.conf</TT > and every update travel through this tunnel, so a replica that cannot be told from an impostor is a replica that can be impersonated.</P ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="certificates.html" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="schemas.html" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Publishing digital certificates with LDAP</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Ldap schema's</TD ></TR ></TABLE ></DIV ></BODY ></HTML >
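An added example, written for this page and not taken from the HOWTO, OpenLDAP or stunnel: a small checker for the setups of sections 10.3 and 10.4. It opens a TLS connection to the LDAPS port, verifies the server certificate chain and host name (the check a bare client-mode stunnel does not perform), sends one LDAP bind encoded by hand and decodes the result code, so you can tell a tunnel that merely accepts connections from one that really delivers them to slapd. The host names, the `extract_certificate` helper and the byte strings in the comments are assumptions constructed for the example; it needs no network access to exercise the encoder and decoder.

```python
"""Check an LDAPS endpoint (for instance slapd behind stunnel on port 636) with
certificate verification and a minimal LDAP simple bind.
Added example for this HOWTO; not part of OpenLDAP or stunnel."""
import socket
import ssl


# ---- minimal BER encoding, just enough for the LDAP bind exchange ----

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """tag + length + content."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return ber_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(message_id, bind_dn="", password="", version=3):
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }.
    Empty DN and password is an anonymous bind. OpenLDAP 1.2.x (the LDAPv2
    server this HOWTO wraps) expects version=2; OpenLDAP 2.x accepts 3.
    Anonymous bind, id 1, v3 encodes as 300c020101600702010304008000."""
    bind = ber_tlv(0x60,                                    # [APPLICATION 0] BindRequest
                   ber_int(version)
                   + ber_tlv(0x04, bind_dn.encode())        # name: OCTET STRING (LDAPDN)
                   + ber_tlv(0x80, password.encode()))      # authentication: [0] simple
    return ber_tlv(0x30, ber_int(message_id) + bind)        # LDAPMessage SEQUENCE


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = ber_read(msg)
    tag_op, op, _ = ber_read(msg, pos)
    if tag != 0x02 or tag_op != 0x61:                       # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp 0x%02x" % tag_op)
    tag, code, pos = ber_read(op)
    if tag != 0x0A:                                         # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = ber_read(op, pos)                 # matchedDN, unused here
    _, diag, _ = ber_read(op, pos)                          # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode(errors="replace"))


def extract_certificate(pem_text):
    """Return only the CERTIFICATE block(s) of a stunnel.pem, which also holds
    the private key and DH parameters: clients should trust the certificate,
    never receive the whole file."""
    out, keep = [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            keep = True
        if keep:
            out.append(line)
        if line.startswith("-----END CERTIFICATE-----"):
            keep = False
    return "\n".join(out) + ("\n" if out else "")


def check_ldaps(host, port=636, cafile=None, bind_dn="", password="",
                version=3, timeout=5.0):
    """Connect with chain AND host name verification, send one bind and return
    (resultCode, diagnosticMessage). cafile is the PEM of your CA, or of the
    self-signed server certificate alone; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)         # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, bind_dn, password, version))
            data = tls.recv(4096)                           # a BindResponse is a few dozen bytes
    message_id, code, diag = parse_bind_response(data)
    if message_id != 1:
        raise ValueError("messageID mismatch: %d" % message_id)
    return code, diag


if __name__ == "__main__":
    import sys
    # usage: ldaps_check.py ldapserver.yourorg.com [cert-or-ca.pem]   (names are assumptions)
    host = sys.argv[1]
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    result, diagnostic = check_ldaps(host, cafile=cafile)
    print("bind resultCode=%d (0 = success) %s" % (result, diagnostic))
```

A resultCode of 0 means the TLS handshake passed verification and slapd behind the tunnel answered the bind; a TLS error before any response means the certificate was not accepted (wrong CA, expired, or a Common Name that does not match the host you connected to), which is exactly the condition an unverified client-mode stunnel would silently ignore. To trust a self-signed stunnel certificate, pass the output of `extract_certificate` over the server's stunnel.pem as the cafile, so the private key never leaves the server.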