
Integrating LDAP and Kerberos: Part Two (LDAP)

Juliet Kemp explains how to install and configure LDAP, and get it working with Kerberos, to provide a powerful solution for secure authentication.

In the first installment we covered setting up Kerberos. Now it’s time to set up LDAP and ensure that it works happily ever after with Kerberos.

OpenSSL

OpenSSL enables you to run a secure LDAP server (over ldaps:/// on port 636). The relevant Debian packages are libssl-dev, openssl, ca-certificates, and libssl0.9.8.

To generate a self-signed certificate:

  1. First generate a certificate authority:
     cd /etc/ssl
     /usr/lib/ssl/misc/CA.sh -newca

     The CN asked for here must be the FQDN of the LDAP server. Do not use the “challenge password” attribute, but do set the PEM passphrase (and remember it!).

  2. Create the certificate:
     openssl req -new -x509 -nodes -out newreq.pem -keyout newreq.pem -days 365

     The -nodes switch is important: it writes the private key unencrypted (no passphrase), which is what the LDAP server needs in order to load it without prompting. Again, when asked for the CN, it needs to be the FQDN (fully qualified domain name) of your server, e.g. ldapserver.example.com.

  3. Sign the certificate:
     /usr/lib/ssl/misc/CA.sh -signcert

     Again, do not use a challenge password. The new certificate will be in newcert.pem. (Note: this script looks for the file newreq.pem and signs that; if you have used another file in the certificate creation you will need to rename or copy it.)

If you want Verisign or another Certificate Authority to sign your certificate, the process is easier — you only need step 2, and should leave out the -x509 switch. Check the instructions from your CA as to what you should do with…