Step 5 Hardening Your Setup

Full blown authentication system

  1. Installation and basic configuration of OpenLDAP and MITv5 Kerberos
  2. Linking OpenLDAP with MITv5 Kerberos
  3. Linking FreeRADIUS
  4. Replication
  5. Hardening your setup
  6. Configure your clients
  7. Varia

In this part I describe which security measures you can take and how to apply them. I will mainly cover the following:

  • Encryption
  • ACLs



Add TLS to the OpenLDAP service

Install the necessary packages:

sudo apt-get install gnutls-bin ssl-cert

Generate the private key for your CA:

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

Create a template file to define the CA:

sudo vim /etc/ssl/
# certtool template for the CA certificate
cn = Example
# mark the certificate as a CA that may sign other certificates;
# without these two keywords certtool produces an ordinary end-entity certificate
ca
cert_signing_key

Create the self-signed CA certificate:

sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ --outfile /etc/ssl/certs/cacert.pem

Generate the private key for the LDAP server:

sudo certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/provider_slapd_key.pem
sudo vim /etc/ssl/
organization = Example
# the FQDN clients will use to reach the server; tls_reqcert=demand compares it against this name
cn =
# usable as a TLS server certificate, for key exchange and signing
tls_www_server
encryption_key
signing_key
expiration_days = 1095

Create the LDAP server’s certificate:

sudo certtool --generate-certificate --load-privkey /etc/ssl/private/provider_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ --outfile /etc/ssl/certs/provider_slapd_cert.pem

Create an LDIF file that points cn=config at the three files. The record is a single modify with three add operations; the lines containing only "-" separate the operations and ldapmodify rejects the record without them:

sudo vim /etc/ssl/certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/provider_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/provider_slapd_key.pem

Load it with the cn=config admin credentials. If ldapmodify fails with "Other (e.g., implementation specific) error (80)", slapd cannot read the key yet: do the permission step below first, restart slapd and retry.

ldapmodify -x -D cn=admin,cn=config -W -f /etc/ssl/certinfo.ldif

Tighten ownership and permissions so that slapd, which runs as the openldap user, can read the server key through the ssl-cert group while nobody else can. The CA key stays readable by root only; you need it only when signing further certificates:

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/provider_slapd_key.pem
sudo chmod g+r /etc/ssl/private/provider_slapd_key.pem
sudo chmod o-r /etc/ssl/private/provider_slapd_key.pem

Restart the LDAP service:

sudo service slapd restart

slapd still listens on ldap:// (port 389) because this setup uses STARTTLS rather than LDAPS: the client connects in plaintext and then upgrades that same connection to TLS with the StartTLS extended operation (RFC 4511, section 4.14). LDAPS (ldaps:// on port 636, TLS from the first byte, like HTTPS) was never standardised and is the method STARTTLS was meant to replace; it is not configured here. Keep in mind that STARTTLS on its own is opportunistic: a client that never asks for it still talks plaintext on 389. Either require TLS on the server side (slapd's olcSecurity attribute on the database, e.g. tls=1) or make sure every client insists on it (ldapsearch -ZZ, TLS_REQCERT demand in ldap.conf, and starttls=critical for the replication below).
For the consumer (the replicated server), generate its private key and certificate on the provider in the same way, signing with the CA key and CA certificate you just created. Then copy three files to the consumer: the CA certificate, the consumer's private key and the consumer's certificate, and apply the same ownership and permission changes to the key there.


Add TLS to OpenLDAP replication

Now make the consumer use STARTTLS when it contacts the provider. starttls=critical makes replication fail rather than fall back to plaintext, tls_reqcert=demand makes it verify the provider's certificate, and tls_cacert names the CA certificate you copied over (assumed here to be at the same path as on the provider), so the check does not depend on the consumer's global TLS settings. The olcSyncRepl value is one long attribute: in LDIF, a continuation line starts with a space that is stripped on parsing, so a second space keeps the words apart.

vim consumer_sync_tls.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap:// bindmethod=simple
  binddn="cn=admin,dc=example,dc=com" credentials= searchbase="dc=example,dc=com"
  logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
  starttls=critical tls_reqcert=demand tls_cacert=/etc/ssl/certs/cacert.pem

Load it into the consumer's configuration and restart slapd:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif
sudo service slapd restart
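The STARTTLS upgrade described in the previous section and the syncrepl settings just applied (starttls=critical tls_reqcert=demand) come down to the same exchange: one plaintext LDAP request on port 389, then a TLS handshake on the same TCP connection whose certificate must chain to our CA and name the host. The following Python script is an added example, not code from the original page or from OpenLDAP; it performs that exchange by hand with only the standard library, so you can verify a provider from the consumer (or from any client) before relying on the configuration. The host name ldap.example.com, the CA path and the function names are assumptions made for the illustration.

```python
"""Added example (not from the original page or from OpenLDAP): perform the
LDAP StartTLS extended operation by hand on port 389 and upgrade the same TCP
connection to TLS, verifying the server certificate against our own CA the
way tls_reqcert=demand does. Standard library only."""
import socket
import ssl
from typing import Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    This is the only plaintext LDAP PDU the client sends before TLS starts.
    """
    if not 1 <= msg_id <= 127:
        raise ValueError("keep messageID in 1..127 so it fits one INTEGER octet")
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) of an LDAP ExtendedResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:  # 0x78 = APPLICATION 24, ExtendedResponse
        raise ValueError("protocolOp 0x%02x is not an ExtendedResponse" % tag)
    _, rc, pos = read_tlv(op)            # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def starttls_probe(host: str, port: int = 389,
                   cafile: str = "/etc/ssl/certs/cacert.pem", timeout: float = 5.0) -> dict:
    """Upgrade a plaintext LDAP connection to TLS and report what was negotiated.

    Raises if the server refuses StartTLS, if its certificate does not chain to
    `cafile`, or if the certificate does not match `host`: the same three
    conditions a consumer with starttls=critical tls_reqcert=demand enforces.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # trust only our CA, not the system store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request(1))
        mid, rc, diag = parse_extended_response(raw.recv(4096))  # response is a few dozen bytes
        if mid != 1 or rc != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={rc} {diag!r}")
        # Same TCP connection, now wrapped in TLS: this is the "upgrade" StartTLS performs.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = {k: v for rdn in tls.getpeercert()["subject"] for k, v in rdn}
            return {"version": tls.version(), "cipher": tls.cipher()[0], "subject": subject}


if __name__ == "__main__":
    import sys
    # ldap.example.com is a placeholder; pass your provider's FQDN as the first argument
    print(starttls_probe(sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"))
```

Run it from the consumer against the provider's FQDN. A certificate that does not chain to /etc/ssl/certs/cacert.pem, or whose subject does not match the host, raises ssl.SSLCertVerificationError here, which is the same failure tls_reqcert=demand would produce inside slapd; it is much easier to read on the command line than in the replication log. A server with TLS not configured at all answers the ExtendedRequest with a non-zero resultCode, which the probe reports before any handshake is attempted.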


With the ACL from the earlier step, unauthenticated users on your network can run ldapsearch against the directory, because read access is granted to everyone. I did not want that, so I changed it so that only authenticated users can read. The trick is "by anonymous auth": slapd applies the first "by" clause that matches the requester, so an anonymous client gets only auth (enough to bind) and never reaches "by * read", which therefore covers authenticated binds only. Type the record into the interactive ldapmodify and finish it with an empty line (or Ctrl-D):

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by anonymous auth by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * read

modifying entry "olcDatabase={1}hdb,cn=config"
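Because slapd stops at the first matching "by" clause, ACLs like the one above are easy to misread. The following Python script is an added example, not code from the original page or from OpenLDAP: a small model of slapd's access evaluation (first matching "to", then first matching "by", with privilege levels ordered none < disclose < auth < compare < search < read < write < manage) run over the three directives just installed. It models only the "to" and "by" forms used on this page; sets, regexes, groups and ssf qualifiers are out of scope, and the entries uid=alice and uid=bob are made up for the illustration.

```python
"""Added example (not from the original page or from OpenLDAP): a small model of how
slapd evaluates olcAccess directives, run over the three rules installed above.
Directives are tried in order; the first <what> matching the target is used, and
inside it the first <who> matching the requester decides (see slapd.access(5))."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# slapd privilege levels, weakest to strongest; a granted level implies all lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Request:
    target_dn: str           # entry being accessed
    attr: Optional[str]      # attribute being accessed, None for the entry itself
    bound_dn: Optional[str]  # DN the client bound as, None for anonymous
    access: str              # privilege the operation needs, e.g. "read"


def parse_access(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'to <what> by <who> <level> by ...' -> (<what>, [(<who>, <level>), ...])."""
    rule = rule.strip()
    if rule.startswith("olcAccess:"):
        rule = rule.split(":", 1)[1].strip()
    rule = re.sub(r"^\{\d+\}", "", rule)  # drop slapd's {n} ordering prefix if present
    parts = re.split(r"\s+by\s+", rule)
    if not parts[0].startswith("to "):
        raise ValueError(f"rule must start with 'to': {rule!r}")
    bys = []
    for clause in parts[1:]:
        who, level = clause.strip().rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        bys.append((who, level))
    return parts[0][3:].strip(), bys


def what_matches(what: str, req: Request) -> bool:
    # Modelled <what> forms: *, attrs=a,b,c, dn="..." / dn.base="..." / dn.exact="..."
    if what == "*":
        return True
    if what.startswith("attrs="):
        names = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return req.attr is not None and req.attr.lower() in names
    m = re.fullmatch(r'dn(?:\.(?:base|exact))?="(.*)"', what)
    if m:
        return req.target_dn.lower() == m.group(1).lower()
    raise ValueError(f"<what> form not modelled here: {what!r}")


def who_matches(who: str, req: Request) -> bool:
    # Modelled <who> forms: *, anonymous, users, self, dn="..." / dn.exact="..."
    if who == "*":
        return True
    if who == "anonymous":
        return req.bound_dn is None
    if who == "users":
        return req.bound_dn is not None
    if who == "self":
        return req.bound_dn is not None and req.bound_dn.lower() == req.target_dn.lower()
    m = re.fullmatch(r'dn(?:\.exact)?="(.*)"', who)
    if m:
        return req.bound_dn is not None and req.bound_dn.lower() == m.group(1).lower()
    raise ValueError(f"<who> form not modelled here: {who!r}")


def evaluate(rules: List[str], req: Request) -> Tuple[bool, str]:
    """Return (granted, deciding clause): first matching <what>, then first matching <who>."""
    for rule in rules:
        what, bys = parse_access(rule)
        if not what_matches(what, req):
            continue
        for who, level in bys:
            if who_matches(who, req):
                granted = LEVELS.index(level) >= LEVELS.index(req.access)
                return granted, f"to {what} by {who} {level}"
        return False, f"to {what}: no <who> matched, implicit 'by * none'"
    return False, "no <what> matched (this model denies; always end with an explicit 'to *' rule)"


# The three directives from the ldapmodify above, in the order slapd keeps them.
PAGE_ACLS = [
    'to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none',
    'to dn.base="" by anonymous auth by * read',
    'to * by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * read',
]
ADMIN = "cn=admin,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"  # made-up entry for the illustration
BOB = "uid=bob,ou=people,dc=example,dc=com"      # made-up entry for the illustration

if __name__ == "__main__":
    for label, req in [
        ("anonymous reads alice's cn", Request(ALICE, "cn", None, "read")),
        ("anonymous binds as alice", Request(ALICE, "userPassword", None, "auth")),
        ("alice changes her own password", Request(ALICE, "userPassword", ALICE, "write")),
        ("bob reads alice's password hash", Request(ALICE, "userPassword", BOB, "read")),
        ("bob edits alice's cn", Request(ALICE, "cn", BOB, "write")),
    ]:
        granted, why = evaluate(PAGE_ACLS, req)
        print(f"{('ALLOW' if granted else 'DENY'):5} {label:33} <- {why}")
```

The run shows the intended effect of "by anonymous auth": anonymous clients can still bind (auth on userPassword) but cannot read anything, any authenticated user can read everything except the password attributes, users can change their own password, and only the admin can write other attributes. When you extend the ACL, add the new case to the list first and check the deciding clause the model prints; a rule that never becomes the deciding clause for any request is usually in the wrong position.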

A search now requires an authenticated bind, for example as the config admin:

ldapsearch -xLLL -ZZ -b dc=example,dc=com -D "cn=admin,cn=config" -W

-ZZ requires STARTTLS: the tool aborts instead of sending the bind password in plaintext if the TLS upgrade fails (a single -Z only attempts it). The same search without -D, that is anonymously, no longer returns the entries.
This was step 5. To proceed, go to step 6.