LDAP SSL Certificates

Our LDAP instances (clipboard, view) use a Mozilla NSS (Moz-NSS) database located at /etc/openldap/certs to hold their SSL certificates. Below are some maintenance commands using certutil and modutil.

On the LDAP (SLAPD) server

Re-create *.db files

sudo mkdir /etc/openldap/certs
sudo modutil -create -dbdir /etc/openldap/certs

List certificates on the database

sudo certutil -d /etc/openldap/certs/ -L

Setup a CA Certificate

sudo certutil -d /etc/openldap/certs -A -n "StartSSL CA" -t TCu,Cu,Tuw -a -i /etc/openldap/cacerts/sub.class2.server.ca.pem

where sub.class2.server.ca.pem can be found at http://www.startssl.com/certs/sub.class2.server.ca.pem.

Remove password from the DB

sudo modutil -dbdir /etc/openldap/certs -changepw 'NSS Certificate DB'

Create the .p12 file and import it into the DB

sudo openssl pkcs12 -inkey gnome.key -in gnome.crt -export -out gnome.p12 -nodes -name 'LDAP-Certificate'

sudo pk12util -i gnome.p12 -d /etc/openldap/certs

where gnome.key and gnome.crt are the private key and the certificate you previously created at StartSSL.com.

On the clients (nslcd reads /etc/openldap/ldap.conf while sssd reads /etc/sssd/sssd.conf)

On /etc/openldap/ldap.conf

BASE    dc=gnome,dc=org
URI     ldaps://ldap-back

TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT  demand

On /etc/sssd/sssd.conf

ldap_tls_cacert = /etc/openldap/cacerts/ca.pem
ldap_tls_reqcert = demand
ldap_uri = ldaps://ldap-back

How to test the whole setup

ldapsearch -x -b 'dc=gnome,dc=org' -D "cn=Replicator1,dc=gnome,dc=org" '(objectclass=*)' -H ldaps://ldap.gnome.org -W -v

Replace ldap with view (s/ldap/view/) to test it against view.gnome.org.
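As an added example (not part of this SOP), the following POSIX shell script checks the outcome of the steps above without touching a live server: that the CA nickname in a certutil -L listing carries the C (trusted CA) flag in the SSL column as set by the -t option above, and that the ldap.conf and sssd.conf settings demand a verified certificate over ldaps://. The listing and config text are constructed samples that mirror the page, not captured output.

```sh
# Sanity checks for the NSS CA trust flags and client TLS settings in this
# SOP. Added example; the listing and configs below are constructed samples.

# certutil -L lines end with "<SSL>,<S/MIME>,<JAR/XPI>" trust flags.
# Succeed only if the nickname exists and its SSL column has C (trusted CA).
nss_ca_trusted() {  # $1 = certutil -L output, $2 = nickname
    printf '%s\n' "$1" | awk -v nick="$2" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $0; sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", name)
            if (name == nick) { found = 1; split($NF, t, ","); ok = (t[1] ~ /C/) }
        }
        END { exit (found && ok) ? 0 : 1 }'
}

# Read one value from ldap.conf ("KEY value") or sssd.conf ("key = value").
conf_value() {  # $1 = config text, $2 = key (case-insensitive)
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        { line = $0; sub(/^[[:space:]]+/, "", line); k = line
          sub(/[[:space:]=].*/, "", k)
          if (tolower(k) == tolower(key)) {
              sub(/^[^[:space:]=]+[[:space:]]*=?[[:space:]]*/, "", line)
              print line; exit } }'
}

# A client only verifies the server when it demands a valid certificate and
# uses ldaps://; TLS_REQCERT allow/never would accept any certificate.
client_tls_ok() {  # $1 = config text, $2 = reqcert key, $3 = uri key
    req=$(conf_value "$1" "$2"); uri=$(conf_value "$1" "$3")
    case "$req" in demand|hard) ;; *) return 1 ;; esac
    case "$uri" in ldaps://*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples: a certutil -L style listing, the page's two client
# configs, and a deliberately weak ldap.conf that must be rejected.
LISTING='Certificate Nickname          Trust Attributes
                              SSL,S/MIME,JAR/XPI
StartSSL CA                   CT,C,C
LDAP-Certificate              u,u,u'
LDAP_CONF='URI     ldaps://ldap-back
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT  demand'
SSSD_CONF='[domain/default]
ldap_tls_reqcert = demand
ldap_uri = ldaps://ldap-back'
WEAK_CONF='URI ldap://ldap-back
TLS_REQCERT allow'

# Run the checks against the samples; the weak config must fail.
nss_ca_trusted "$LISTING" "StartSSL CA" && client_tls_ok "$LDAP_CONF" TLS_REQCERT URI \
  && client_tls_ok "$SSSD_CONF" ldap_tls_reqcert ldap_uri \
  && ! client_tls_ok "$WEAK_CONF" TLS_REQCERT URI && echo "setup checks passed"
```

To check a real host, feed it `"$(sudo certutil -d /etc/openldap/certs -L)"` and `"$(cat /etc/openldap/ldap.conf)"` instead of the samples.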

Infrastructure/Archive/SOP/LDAPCertificates (last edited 2020-11-04 13:58:21 by AndreaVeri)