Step 5 Hardening Your Setup

Full blown authentication system

  1. Installation and basic configuration of OpenLDAP and MITv5 Kerberos
  2. Linking OpenLDAP with MITv5 Kerberos
  3. Linking FreeRADIUS
  4. Replication
  5. Hardening your setup
  6. Configure your clients
  7. Varia

In this part I will describe what security measures you could take and how to take them. I will mainly describe the following:

  • Encryption
  • ACLs

STARTTLS


Add TLS to the OpenLDAP service

Install the necessary packages:

sudo apt-get install gnutls-bin ssl-cert

Generate the private key for your CA:

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

Create a template file to define the CA:

sudo vim /etc/ssl/ca.info
cn = Example
ca
cert_signing_key

Create the self-signed CA certificate:

sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem

Generate the private key for the LDAP server:

sudo certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/provider_slapd_key.pem

Create a template file for the server certificate:

sudo vim /etc/ssl/provider.info
organization = Example
cn = provider.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 1095

Create the LDAP server’s certificate:

sudo certtool --generate-certificate --load-privkey /etc/ssl/private/provider_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/provider.info --outfile /etc/ssl/certs/provider_slapd_cert.pem

Create the LDIF file that adds the certificate and key paths to cn=config:

sudo vim /etc/ssl/certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/provider_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/provider_slapd_key.pem

Load it into cn=config:

ldapmodify -x -D cn=admin,cn=config -W -f /etc/ssl/certinfo.ldif

Tighten up ownership and permissions:

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/provider_slapd_key.pem
sudo chmod g+r /etc/ssl/private/provider_slapd_key.pem
sudo chmod o-r /etc/ssl/private/provider_slapd_key.pem

Restart the LDAP service:

sudo service slapd restart

slapd still listens on ldap:// (port 389): with STARTTLS the session is established in the clear and then upgraded to TLS, rather than being served on a dedicated TLS port. This method is preferred over the deprecated LDAP-over-SSL approach on a separate port (the HTTP/HTTPS model). Keep in mind that a client which never requests STARTTLS still talks in the clear, which is why the replication and ldapsearch options below force it.
For the consumer, generate its private key and certificate on the provider as well, signing them with the CA key and CA certificate you just created. Then copy the CA certificate, together with the private key and certificate intended for the consumer, to the consumer (give the key the same ownership and permissions as above).

source:  https://help.ubuntu.com/11.10/serverguide/C/openldap-server.html#openldap-tls
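A check for the state the steps above should leave behind, added here as an example and not part of the original guide (nor of OpenLDAP or GnuTLS): it verifies that the slapd key is group-owned by ssl-cert and unreadable by others, and, when certtool is available, that the server certificate was issued by the CA whose cacert.pem clients will be told to trust. The function names check_key_perms and verify_server_cert, the script name tls_audit.sh, the use of stat -c, and a certtool recent enough to accept --verify together with --load-ca-certificate (GnuTLS 3.x) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the TLS material that
# slapd loads after the steps above. Assumes GNU/busybox "stat -c" and, for
# the certificate check, certtool from gnutls-bin (GnuTLS 3.x syntax). File
# paths are the ones used in this guide and are passed in as arguments.

# check_key_perms KEYFILE [GROUP]
# Returns 0 when KEYFILE is owned by GROUP (default ssl-cert) and is neither
# world-accessible nor group-writable, i.e. the state the adduser/chgrp/chmod
# steps above leave the slapd key in. Prints one line per violation.
check_key_perms() {
    key=$1
    want_group=${2:-ssl-cert}
    [ -f "$key" ] || { echo "$key: missing"; return 1; }
    mode=$(stat -c '%a' "$key")
    group=$(stat -c '%G' "$key")
    rc=0
    # Last octal digit is "other": anything but 0 leaks the key to every local user.
    case $mode in
        *0) ;;
        *) echo "$key: accessible by others (mode $mode)"; rc=1 ;;
    esac
    # Second-to-last digit is "group": 2,3,6,7 include write; slapd only needs read.
    case $mode in
        *[2367]?) echo "$key: group-writable (mode $mode)"; rc=1 ;;
    esac
    [ "$group" = "$want_group" ] || { echo "$key: group is $group, expected $want_group"; rc=1; }
    return $rc
}

# verify_server_cert CACERT SERVERCERT
# Checks that the server certificate chains to the CA that clients and the
# consumer will trust (certtool --verify). Returns 2 when certtool is not
# installed, so the caller can tell "not checked" from "failed".
verify_server_cert() {
    command -v certtool >/dev/null 2>&1 || { echo "certtool not installed"; return 2; }
    certtool --verify --load-ca-certificate "$1" --infile "$2"
}

# Usage: sh tls_audit.sh KEYFILE [GROUP [CACERT SERVERCERT]]
if [ $# -ge 1 ]; then
    check_key_perms "$1" "${2:-ssl-cert}"
    if [ $# -ge 4 ]; then
        verify_server_cert "$3" "$4"
    fi
fi
```

Run it after the chmod steps as sh tls_audit.sh /etc/ssl/private/provider_slapd_key.pem ssl-cert /etc/ssl/certs/cacert.pem /etc/ssl/certs/provider_slapd_cert.pem; a non-zero exit means something is still wrong. The ownership check is the important one: slapd reads the key only through the ssl-cert group, so a world-readable key would hand the server's identity to every local account.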

Add TLS to OpenLDAP replication

Create an LDIF that replaces the consumer's olcSyncRepl with one that requires StartTLS and verifies the provider's certificate. Continuation lines must begin with a space (the second space keeps the options separated). tls_reqcert=demand only works if the consumer can find the CA certificate you copied over, either via TLS_CACERT in /etc/ldap/ldap.conf or the tls_cacert= option of olcSyncRepl:

vim consumer_sync_tls.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://provider.example.com bindmethod=simple
  binddn="cn=admin,dc=example,dc=com" credentials= searchbase="dc=example,dc=com"
  logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
  starttls=critical tls_reqcert=demand

Apply it to cn=config and restart slapd:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif
sudo /etc/init.d/slapd restart

OpenLDAP ACLs

With the previous ACL, unauthenticated users on your network can run ldapsearch queries, because anonymous read access is allowed. Since I didn't want this, I changed it so that anonymous clients may only bind (auth) and only authenticated users can read:

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by anonymous auth by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * read

modifying entry "olcDatabase={1}hdb,cn=config"

An LDAP search can now be performed with the following line:

ldapsearch -xLLL -b dc=example,dc=com -D "cn=admin,cn=config" -W

Add -Z to request StartTLS, or -ZZ to make the search fail if StartTLS cannot be negotiated, so the query is never sent in the clear.
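The two settings this step hardens are easy to get subtly wrong: starttls=yes instead of critical silently allows plaintext replication, and olcAccess rules are evaluated first-match, so whether anonymous clients can read depends on clause order, not just on the presence of "by * read". The following lint, added here as an example and not part of the original guide or of OpenLDAP, covers both the replication LDIF and the ACL section above: it unfolds an LDIF such as consumer_sync_tls.ldif or the output of slapcat -n 0, reports whether each olcSyncRepl forces StartTLS and certificate checking, and computes the access an unbound client gets from each olcAccess rule. The names unfold_ldif, syncrepl_is_hardened, acl_anonymous_access, lint_config and ldif_lint.sh are assumptions of this example, and it only handles "by" subjects that contain no spaces.

```shell
#!/bin/sh
# Added example, not part of the original guide: lint a cn=config LDIF for the
# two settings hardened in this step. Assumes POSIX sh with sed and awk; the
# input is LDIF as written above or as dumped by "slapcat -n 0".

# unfold_ldif [FILE]: join LDIF continuation lines (a leading space) back onto
# the line they continue, so every attribute value is a single line.
unfold_ldif() {
    sed -e ':a' -e '$!N' -e 's/\n //' -e 'ta' -e 'P' -e 'D' "$@"
}

# syncrepl_is_hardened VALUE: 0 when the olcSyncRepl value forces TLS and
# verifies the provider's certificate, 1 otherwise (reasons on stdout).
syncrepl_is_hardened() {
    v=$1
    rc=0
    case $v in
        *starttls=critical*|*provider=ldaps://*) ;;
        *) echo "  transport not forced to TLS (starttls=critical missing)"; rc=1 ;;
    esac
    case $v in
        *tls_reqcert=demand*) ;;
        *) echo "  provider certificate not verified (tls_reqcert=demand missing)"; rc=1 ;;
    esac
    return $rc
}

# acl_anonymous_access VALUE: print the access level an unbound client gets
# from one olcAccess value. slapd uses the first "by" clause whose subject
# matches; for an anonymous client only "anonymous" and "*" can match
# ("users", "self" and dn=... never do). No matching clause means "none".
# Limitation (assumed for this example): "by" subjects must contain no spaces.
acl_anonymous_access() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "by" && ($(i+1) == "anonymous" || $(i+1) == "*")) {
                print $(i+2); exit
            }
        print "none"
    }'
}

# lint_config FILE: 0 when every olcSyncRepl is hardened and no olcAccess rule
# grants an anonymous client compare/search/read/write/manage, else 1.
lint_config() {
    tmp=$(mktemp) || return 2
    unfold_ldif "$1" > "$tmp"
    rc=0
    while IFS= read -r line; do
        case $line in
            olcSyncRepl:*)
                val=${line#olcSyncRepl: }
                printf 'syncrepl %s:\n' "${val%% *}"
                syncrepl_is_hardened "$val" && echo "  ok" || rc=1 ;;
            olcAccess:*)
                val=${line#olcAccess: }
                acc=$(acl_anonymous_access "$val")
                printf 'acl: anonymous gets "%s" for "%s"\n' "$acc" "${val%% by *}"
                case $acc in compare|search|read|write|manage) rc=1 ;; esac ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Usage: sh ldif_lint.sh FILE
if [ $# -ge 1 ]; then
    lint_config "$1"
fi
```

Run sh ldif_lint.sh consumer_sync_tls.ldif on the consumer, or dump the live configuration with slapcat -n 0 to a file first. For the ACL shown above it reports that anonymous gets "auth" on every rule, which is exactly the intent: unbound clients can still bind, but cannot search or read.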
This was step 5. To proceed, go to step 6.