OpenLDAP + TLS in Solaris 11

This blog post serves as a followup to Configuring a Basic LDAP Server + Client in Solaris 11. It covers creating self-signed certificates and enabling TLS for secure communication.

1) Enable ldaps:

Edit /lib/svc/method/ldap-olsapd

Remove the following line:
typeset -r SLAPD="/usr/lib/slapd -u ${LDAPUSR} -g ${LDAPGRP} -f ${CONF_FILE}"

Add the following two lines in its place:
typeset -r TYPE="ldap:/// ldaps:///"
typeset -r SLAPD=`/usr/lib/slapd -u ${LDAPUSR} -g ${LDAPGRP} -f ${CONF_FILE} -h "${TYPE}"`

2) Create certificates

# mkdir /etc/openldap/certs
# cd /etc/openldap/certs
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout server.key -out server.crt
# chmod 400 server.*
# chown openldap:openldap server.*

3) Update slapd.conf

Add the following lines to the end of /etc/openldap/slapd.conf

TLSCACertificateFile /etc/certs/ca-certificates.crt
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key

4) Restart LDAP server

# svcadm disable ldap/server
# svcadm enable ldap/server

That's it! Connect to your LDAP server on port 636.

posted by paulie

16:23 PST - August 8, 2015