This blog post serves as a followup to Configuring a Basic LDAP Server + Client in Solaris 11. It covers creating self-signed certificates and enabling TLS for secure communication.

1) Enable ldaps:
Edit /lib/svc/method/ldap-olslapd

Remove the following line:
typeset -r SLAPD="/usr/lib/slapd -u ${LDAPUSR} -g ${LDAPGRP} -f ${CONF_FILE}"

Add the following two lines in its place. Keep the value in double quotes like the original line: SLAPD holds the command string that the method script later runs under SMF, and wrapping it in backticks would instead execute slapd immediately as a command substitution and leave SLAPD empty.
typeset -r TYPE="ldap:/// ldaps:///"
typeset -r SLAPD="/usr/lib/slapd -u ${LDAPUSR} -g ${LDAPGRP} -f ${CONF_FILE} -h \"${TYPE}\""

2) Create certificates
# mkdir /etc/openldap/certs
# cd /etc/openldap/certs
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout server.key -out server.crt
# chmod 400 server.*
# chown openldap:openldap server.*

3) Update slapd.conf
Add the following lines to the end of /etc/openldap/slapd.conf

TLSCACertificateFile /etc/certs/ca-certificates.crt
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key

4) Restart LDAP server
# svcadm disable ldap/server
# svcadm enable ldap/server

That's it! Connect to your LDAP server on port 636.
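Before restarting the server it is worth checking that the certificate and key from step 2 actually belong together, that the key is not world-readable, and that a client will be able to trust the certificate. Note that a self-signed certificate is not in /etc/certs/ca-certificates.crt, so a client that validates the server certificate needs server.crt itself as its trust anchor. The script below is an added example, not part of the original post or of OpenLDAP; it generates a throwaway certificate the same way step 2 does (into a temporary directory with a constructed CN, so it can be run anywhere) and then runs those checks with openssl. The function names and the empty "foreign bundle" file are constructed for this example.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the self-signed slapd certificate.
# Assumes openssl is in PATH. Paths, CN and function names are constructed.

# Generate a throwaway self-signed cert/key pair exactly as step 2 does.
# Usage: gen_test_cert /path/to/dir
gen_test_cert() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=ldap.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    chmod 400 "$dir/server.key" "$dir/server.crt"
}

# Returns 0 if the public key inside server.crt matches server.key.
# slapd will not bring up TLS if TLSCertificateFile and
# TLSCertificateKeyFile disagree, so compare the two SPKI blocks.
cert_matches_key() {
    dir="$1"
    c=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$dir/server.key" -pubout | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 if the certificate verifies when it is its own trust anchor,
# which is what a client that checks the server certificate needs here.
verifies_as_own_ca() {
    dir="$1"
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Returns 0 if a CA bundle that does not contain server.crt rejects it.
# The (constructed) empty bundle stands in for /etc/certs/ca-certificates.crt,
# which does not know about a freshly made self-signed certificate either.
fails_against_foreign_bundle() {
    dir="$1"
    : > "$dir/foreign-bundle.crt"
    ! openssl verify -CAfile "$dir/foreign-bundle.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Returns 0 if server.key is readable by its owner only (mode 400).
# ls -l is used because stat's flags differ between Solaris, Linux and BSD.
key_mode_is_400() {
    dir="$1"
    mode=$(ls -l "$dir/server.key" | cut -c1-10)
    [ "$mode" = "-r--------" ]
}

# Returns 0 if the certificate stays valid for at least $2 more days.
# -checkend takes seconds, hence the conversion.
cert_valid_for_days() {
    dir="$1"
    openssl x509 -in "$dir/server.crt" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Run every check against a directory (a temp dir when none is given).
run_checks() {
    dir="${1:-$(mktemp -d)}"
    gen_test_cert "$dir"
    cert_matches_key "$dir"             && echo "ok: certificate matches key"
    verifies_as_own_ca "$dir"           && echo "ok: verifies with server.crt as CAfile"
    fails_against_foreign_bundle "$dir" && echo "ok: a bundle without server.crt rejects it"
    key_mode_is_400 "$dir"              && echo "ok: server.key is mode 400"
    cert_valid_for_days "$dir" 30       && echo "ok: valid for at least 30 more days"
}

run_checks "$@"
```

Point the same functions at /etc/openldap/certs (skipping gen_test_cert) to check the real files from step 2; the pubkey comparison is also a quick way to spot a certificate that was regenerated without its key, or the other way round.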

posted by paulie
12:23 PST - August 8, 2015