Alwina's open source efforts


Specialized in FreeBSD and CentOS

Archive for the ‘Network Services’ Category

Preventing SSH attacks with DenyHosts

Tuesday, December 21st, 2010

Introduction

SSH servers running on the common port 22 are subject to many worm attacks, usually brute force. You can find these attacks in your /var/log/auth.log (or a similar log file such as secure.log, depending on your operating system). An example of how these attacks show up in your log file:

Dec 20 13:02:47 freebsdx_vm14 sshd[70497]: Invalid user admin from 75.147.8.209
Dec 20 13:02:50 freebsdx_vm14 sshd[70537]: Invalid user stud from 75.147.8.209
Dec 20 13:02:51 freebsdx_vm14 sshd[70563]: Invalid user trash from 75.147.8.209
Dec 20 13:02:52 freebsdx_vm14 sshd[70585]: Invalid user aaron from 75.147.8.209
Dec 20 13:02:53 freebsdx_vm14 sshd[70601]: Invalid user gt05 from 75.147.8.209
Dec 20 13:02:55 freebsdx_vm14 sshd[70621]: Invalid user william from 75.147.8.209
Dec 20 13:02:56 freebsdx_vm14 sshd[70643]: Invalid user stephanie from 75.147.8.209

You can use DenyHosts to help prevent these annoying attacks.

In this posting I explain how to install and configure this software on FreeBSD.

Procedure

1. install denyhosts from the ports

# cd /usr/ports/security/denyhosts
# make install clean
# vi /etc/rc.conf

2. edit /etc/rc.conf

Add the following lines:

denyhosts_enable="YES"
syslogd_flags="-s -c"

3. edit rules in /etc/hosts.allow

# vi /etc/hosts.allow

Comment out the line

ALL : ALL : allow

at the beginning of the file by adding a # in front of it, so it reads

#ALL : ALL : allow

Add these lines, or uncomment the right ones, so that the file contains:

sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow

4. create empty /etc/hosts.deniedssh file

# touch /etc/hosts.deniedssh

5. edit /usr/local/etc/denyhosts.conf

# vi /usr/local/etc/denyhosts.conf

Uncomment the line

#BLOCK_SERVICE=sshd

so it reads

BLOCK_SERVICE=sshd

6. restart syslogd

# /etc/rc.d/syslogd restart

7. start denyhosts

# /usr/local/etc/rc.d/denyhosts start

Now everything should work properly.
You can review and change the configuration of this program by editing denyhosts.conf.
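As an added example that is not part of the original post, the following POSIX shell script shows the core of what DenyHosts does with log lines like the ones above: it counts "Invalid user" attempts per source address and prints the addresses that reach a threshold, one per line, a form that hosts_access(5) accepts for a file referenced from hosts.allow such as /etc/hosts.deniedssh in step 3. The sample log lines are constructed (the first address is the one from the log excerpt above, the others are documentation addresses) and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal DenyHosts-style
# counter over sshd "Invalid user" lines. Function names are my own.

# Constructed sample: the burst from the log excerpt above, one stray
# attempt from a documentation address, and one unrelated sshd line.
SAMPLE_LOG='Dec 20 13:02:47 freebsdx_vm14 sshd[70497]: Invalid user admin from 75.147.8.209
Dec 20 13:02:50 freebsdx_vm14 sshd[70537]: Invalid user stud from 75.147.8.209
Dec 20 13:02:51 freebsdx_vm14 sshd[70563]: Invalid user trash from 75.147.8.209
Dec 20 13:02:52 freebsdx_vm14 sshd[70585]: Invalid user aaron from 75.147.8.209
Dec 20 13:02:55 freebsdx_vm14 sshd[70621]: Invalid user william from 75.147.8.209
Dec 20 13:03:10 freebsdx_vm14 sshd[70702]: Invalid user guest from 192.0.2.10
Dec 20 13:03:15 freebsdx_vm14 sshd[70710]: Accepted publickey for alwina from 192.0.2.20 port 40123 ssh2'

# Read log lines on stdin; print "<count> <address>" for every source
# address that produced at least one "Invalid user" line.
count_invalid_users() {
    grep 'sshd\[[0-9]*\]: Invalid user ' \
        | sed 's/.* from \([0-9.][0-9.]*\).*/\1/' \
        | sort | uniq -c \
        | awk '{ print $1, $2 }'
}

# Read log lines on stdin; print the addresses whose count is at least
# the threshold given as $1, one address per line.
deny_candidates() {
    count_invalid_users | awk -v t="$1" '$1 >= t { print $2 }'
}

# Return 0 if address $2 is already listed (as a whole line) in deny file $1.
already_denied() {
    grep -qx "$2" "$1"
}

# Demo on the constructed sample; a real run would read /var/log/auth.log
# and append new addresses to /etc/hosts.deniedssh after checking
# already_denied, which is exactly the bookkeeping DenyHosts automates.
printf '%s\n' "$SAMPLE_LOG" | deny_candidates 3
```

With a threshold of 3 only 75.147.8.209 is printed; the single attempt from 192.0.2.10 and the successful login line are ignored, which is the point of thresholding: a user mistyping a name once should not end up in the deny file.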

Installing NTOP on CentOS 5.x

Friday, October 22nd, 2010

NTOP is a network traffic analyzer that provides lots of information on networked hosts and protocols. It is accessible from a built-in web interface. In this posting I share how I installed this tool.

NTOP makes use of the RRDTool package, which stores and displays time-series data. In this case the package is used to graph all kinds of network traffic data. The procedure is that we first install RRDTool and then the NTOP package.

I. Installing RRDTool

1. Prepare installation of RRDTool

Log in as root and type the following commands:

yum install cairo-devel libxml2-devel pango-devel pango libpng-devel
yum install freetype freetype-devel libart_lgpl-devel

Please pay attention to the underscore (_) and the hyphen (-) in libart_lgpl-devel!

2. Download latest rrdtool

cd /opt
wget http://oss.oetiker.ch/rrdtool/pug/rrdtool-1.4.4.tar.gz

3. Untar the tar ball

tar -zxvf rrdtool-1.4.4.tar.gz

4. Configure

cd /opt/rrdtool-1.4.4
./configure --prefix=/usr/local/rrdtool

5. Compile and install

make
make install

Congratulations, first part completed…

II. Install NTOP

1. Prepare installation of NTOP

yum install libpcap libpcap-devel gdbm gdbm-devel
yum install GeoIP libevent libevent-devel

2. Download the ntop tarball

cd /opt
wget http://downloads.sourceforge.net/project/ntop/ntop/ntop-3.3.10/ntop-3.3.10.tar.gz

I do not recommend downloading newer versions for CentOS 5.x. These versions need Python26, and installing it could interfere with the proper functioning of your CentOS system.

3. Configuration of ntop

cd ntop-3.3.10
./autogen.sh --prefix=/usr/local/ntop

4. Compile and install

make
make install

5. Create ntop user

useradd -M -s /sbin/nologin -r ntop

6. Setup directory permissions

chown ntop:root /usr/local/var/ntop
chown ntop:ntop /usr/local/share/ntop

7. Set ntop admin password

ntop -A

8. Start ntop

ntop -d -L -u ntop -P /usr/local/var/ntop --skip-version-check --use-syslog=daemon

9. Viewing ntop stats

You can view the ntop stats with

http://localhost:3000

See how good it looks:

Creating certificates

Monday, May 31st, 2010

Introduction
In this article I will explain how to create self signed certificates for OpenVPN and other applications. Finally I make some remarks about obtaining "official" certificates. The steps in this article are performed on a FreeBSD 7.x system. For Linux based systems it should work quite similarly.

Creating free self signed certificates for OpenVPN

OpenVPN comes with a set of scripts to set up certificates and keys easily. I assume you have a fresh install of OpenVPN.
It is not difficult; you just have to type a bunch of commands. Follow the steps below to create the necessary certificates, keys and other files.

1. Make sure /bin/bash is available

The scripts of OpenVPN use /bin/bash.

# ls -ls /bin/bash

If the file is not found, execute the following commands:

# cd /bin
# ln -s sh bash

This creates a symbolic link /bin/bash that points to /bin/sh. This trick allows the OpenVPN scripts to run without compiling and installing the bash shell (which is very time consuming).

2. Edit basic settings for certificates

# cd /usr/local/share/openvpn/easy-rsa/2.0
# vi vars

Edit the basic parameters for the certificates: in the vars file, set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters.

3. Initialize the PKI and build the certificate authority

We start the shell, read the vars file, clean all and build the certificate authority with the following commands:

# sh
# . ./vars
# ./clean-all
# ./build-ca

The final command (build-ca) builds the certificate authority (CA) certificate and key by invoking openssl commands.
Do not exit the shell /bin/sh; we proceed within this shell.

Most requested parameters can be left at their defaults. The only parameter which must be explicitly entered is the Common Name. In this example I use the name "openvpn1.alwina.org".

4. Generate certificate and key pair for the server

# ./build-key-server openvpn1.alwina.org

As in the previous step, most parameters can be left at their defaults. When the Common Name is queried, enter the same name you entered as Common Name in the previous step; for this example it is "openvpn1.alwina.org". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

5. Generate certificate and key pairs for your clients

# ./build-key client1

Make sure to use a unique common name for each client, for instance "client1", "client2" or "client3".

If you use the server option "client-cert-not-required" of OpenVPN there is no need for client certificates. In this case you can omit this step.

6. generate Diffie-Hellman parameters

Diffie-Hellman parameters must be generated for the OpenVPN server:

# ./build-dh

7. Save the generated certificates, keys and additional files and create a backup

# mkdir -p /usr/local/etc/openvpn/privnet
# mv /usr/local/share/openvpn/easy-rsa/2.0/keys/* /usr/local/etc/openvpn/privnet
# tar cfzp /root/openvpn-privnet.tar.gz /usr/local/etc/openvpn/privnet
# chmod 700 /root/openvpn-privnet.tar.gz
# chmod 700 /usr/local/etc/openvpn/privnet

8. Overview

Files needed for your OpenVPN server (openvpn1.alwina.org):

  • dh1024.pem
  • ca.crt
  • ca.key
  • openvpn1.alwina.org.crt
  • openvpn1.alwina.org.key

Files needed for your OpenVPN client (client1.alwina.org):

  • ca.crt
  • client1.crt
  • client1.key

The client certificate and key files are not needed if client certificates are disabled on the OpenVPN server.

Creating free self signed certificates for non-OpenVPN applications

If you need to generate self signed certificates, you can follow these steps:

1. Create certificate and key for Certificate Authority

You need to create, once, a certificate and a key for yourself as a Certificate Authority. If you do not have such a certificate / key pair available, you can create it with the following commands:

# mkdir -p /usr/local/etc/privnet
# cd /usr/local/etc/privnet
# openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt

Choose common name ca.<your domain>.

The number 3650 represents the number of days the certificate will be valid. In this case the certificate will be valid for 10 years.

2. Copy the certificate of the Certificate Authority  to a public place

You probably want to copy the certificate to a public place to make it accessible. This part is public. The key file must be kept private!

# mkdir -p /usr/share/certificates
# cp /usr/local/etc/privnet/ca.crt /usr/share/certificates
# cd /usr/share
# chmod -R 755 certificates

3. Create certificate and key pairs for your servers

Once you have created a certificate and key pair for yourself as a Certificate Authority, you can generate certificates for your servers. Repeat the following steps for all your servers that need certificates, for instance ldap.alwina.org, vpn.alwina.org and www.alwina.org.

If you own a website that needs access via SSL, you would probably prefer to use an official certificate to prevent warning messages like this:

Please read on: the paragraph "Creating official certificates" shows the steps to obtain an official certificate that allows secure access without warning messages.

First go back to the privnet directory:

# cd /usr/local/etc/privnet

Now repeat the following for all servers you need a certificate / key pair for. Replace the word "server" with the common name you will use, for instance ldap.alwina.org.

3a. Create the key for your server and a certificate signing request (server.csr).

# openssl req -days 3650 -nodes -new -keyout server.key -out server.csr

3b. Finally create the signed certificate out of the certificate request.

# openssl x509 -req -days 3650 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial

You can repeat step 3a and 3b several times, to generate certificate / key pairs for all your servers.

4. Set file permissions

# cd /usr/local/etc
# chmod -R 700 privnet

This completes the steps needed to create self signed certificates.

Creating official certificates

There are several providers of official certificates. My preferred supplier is StartCOM. They offer free certificates, and they are accepted by most browsers as a certificate authority, so annoying warning messages from browsers will usually be prevented. If you are interested, please visit their website and follow the instructions. Note that official certificate suppliers usually work with chain certificates. These certificates are an intermediate between the Certificate Authority and the provided server certificate / key pair. For instance, for my website www.alwina.org I needed the following files from StartCOM:

  1. ca.pem: certificate authority certificate of StartCOM (public)
  2. sub.class1.server.ca.pem: chain certificate (public)
  3. SSL.crt: the certificate of my server (public)
  4. SSL.key: the key of my server (private)

VPN server with LDAP support

Friday, May 28th, 2010

1. Start with a standard FreeBSD installation.
2. Update the ports

# portsnap fetch
# portsnap extract

3. Install ldap client software

Install the LDAP client software with PAM and NSS support on the OpenVPN server.

# cd /usr/ports/net/openldap24-client
# make install clean -DBATCH
# cd /usr/ports/security/pam_ldap
# make install clean -DBATCH
# ln -s /usr/local/lib/pam_ldap.so /usr/lib
# cd /usr/ports/net/nss_ldap
# make install clean -DBATCH

4. One configuration file for ldap

Combine the three LDAP configuration files into one with symbolic links.
One configuration file for LDAP is easier and less error-prone.

# cd /usr/local/etc
# ln -s /usr/local/etc/openldap/ldap.conf .
# ln -s /usr/local/etc/openldap/ldap.conf nss_ldap.conf

4. Edit configuration file for ldap

# vi /usr/local/etc/ldap.conf

Change the file like this:

The uppercase items correspond to OpenLDAP settings. You should adapt the parameters BASE, URI and TLS_CACERT to your situation. TLS_CACERT refers to the Certificate Authority certificate of your LDAP server.

The lowercase items correspond to nss_ldap and pam_ldap settings. You should adapt the parameters suffix, binddn, bindpw, nss_base_passwd and nss_base_shadow to your situation.

5. Edit configuration files for pam and nss

Change the configuration files to enable LDAP.

# cd /etc/pam.d
# vi system

Change the file like this:

# vi /etc/nsswitch.conf

Change the file like this:

6. Build openvpn from the ports

# cd /usr/ports/security/openvpn
# make install clean -DBATCH

7. Create certificate and key for openVPN

See the section "Creating openVPN certificates" in the article "Creating certificates".

8. Configuration of openvpn

# mkdir -p /usr/local/etc/openvpn
# vi /usr/local/etc/openvpn/openvpn.conf

The content of the file:

The files ca.crt, server.crt, server.key and dh1024.pem are the files you need for certificate based encryption within OpenVPN.
In the posting Creating certificates you can read how to generate these files.

# cd /usr/local/etc/openvpn
# mkdir ccs
# cd ccs
# vi testuser

Create the following file:

# vi /etc/rc.conf

Add the lines regarding openvpn, so the file should look like this:

9. Install openvpn on a client
Build and configure openvpn on the client (similar to steps 6 and 7 described above).

10. Configure and test from the client

# vi /usr/local/etc/openvpn/openvpn.conf

Replace 87.253.140.80 with the remote IP of your openvpn server.
11194 is the port number you chose.

11. Enable ipfilter and ipnat on the openvpn server

First of all we need to enable ipfilter and ipnat.

# vi /etc/rc.conf

The file should look like this:

12. Configure ipfilter and ipnat
The configuration in this example supports the definition of rules on a per-user basis.
In the following example we have a user with the following IPs: local IP 10.8.1.1, remote IP 10.8.1.2.
We permit only access to port 50050 of the IP 172.16.0.1 on the remote network (seen from the client).
Furthermore we map port 3389 of 10.8.1.2 to port 50050 of 172.16.0.1.

# vi /etc/ipf.rules

The file should look like this:

# vi /etc/ipnat.rules

The file should look like this:

13. Start ipfilter and ipnat

# /etc/rc.d/ipfilter start
# /etc/rc.d/ipnat start

14. Test from the client

Is the openvpn server reachable?

Can I reach the network?

In the example I try to access the server with rdesktop on the default port number 3389.

# rdesktop 10.8.1.2

The result:

It works!!

Secure fileserver with LDAP

Saturday, May 15th, 2010

Introduction
This article describes how to set up a secure file server on a server running FreeBSD. This version is based on FreeBSD 7.3. It is likely to work on newer versions without too much difficulty.

This walkthrough sets up a very secure file server that chroots your users to their home directories, which prevents users from browsing all over your server. The file server provides the well supported and secure sftp service; other services are not provided. We will show how to use an LDAP directory service for authentication.

Before you begin

1. Standard installation of FreeBSD
This article assumes you have a working install of FreeBSD 7.3 for i386 with the ports collection installed, and that you are logged in as root. You can use sysinstall, portsnap or similar to install the ports collection. A standard installation of FreeBSD is described in this article.

2. This article is based on LDAP authentication. If you do not have an LDAP server up and running, you can use this article to set up a standard openLDAP server.

3. Update /usr/ports

# portsnap fetch
# portsnap extract

Procedure

1. Install ssh2 from the ports

For improved security we take advantage of new functionality offered by this software.

# cd /usr/ports/security/ssh2
# make install clean -DBATCH

2. Adapt current sshd server (optional)

The file server we install will use the standard port 22. If this port is already in use by an sshd instance for remote login, we need to adapt its settings.

# vi /etc/ssh/sshd_config

Change the line:

#Port 22

so the line reads

Port 5022

The "old" sshd server will then listen on port 5022 for remote logins and will not interfere with the secure file server.

3. Restart sshd

# /etc/rc.d/sshd restart

4. Configure sshd2

# cd /usr/local/etc/ssh2
# cp sshd2_config.example sshd2_config
# vi sshd2_config

Remove the # from the line

#AllowedAuthentications hostbased, publickey,keyboard-interactive

so the line reads

AllowedAuthentications hostbased, publickey,keyboard-interactive

Add the lines:

AuthKbdInt.Optional        pam
ChRootGroups                .*

5. Edit /etc/rc.conf

Enable the sshd2 server.

# vi /etc/rc.conf

Add the line:

sshd2_enable="YES"

6. Start the sshd2-server

# /usr/local/etc/rc.d/sshd2 start

Now your sftp server should be up and running.
You should be able to connect to this machine with

# sftp <user>@<ipnumber of your fileserver>

You will not yet be able to log in, but it should prompt for a user name and a password.

7. Install openldap24-client, pam_ldap and nss_ldap

Now we proceed with getting the LDAP authentication in place. The software will be installed from the ports.

# cd /usr/ports/net/openldap24-client
# make install clean -DBATCH
# cd /usr/ports/security/pam_ldap
# make install clean -DBATCH
# ln -s /usr/local/lib/pam_ldap.so /usr/lib
# cd /usr/ports/net/nss_ldap
# make install clean -DBATCH

8. Create one ldap.conf file

The software requires several versions of LDAP configuration files. To make life easier we simulate, with symbolic links, just one big configuration file. This is a lot easier to maintain and debug.

# cd /usr/local/etc
# ln -s /usr/local/etc/openldap/ldap.conf .
# ln -s /usr/local/etc/openldap/ldap.conf nss_ldap.conf

9. Edit the configuration file

# vi /usr/local/etc/ldap.conf

Change the file to create a file as shown:

Make sure you install the CA certificate of the LDAP server in the directory /usr/share/openldap (or another directory of your choice).

The setting is based on the LDAP-schema as described in my article OpenLDAP server on FreeBSD. If you use another configuration you should adjust the configuration accordingly.

10. Install pam_mkhomedir

We want automatic home directory creation at first access for our users, so we need to install the corresponding software from the ports.

# cd /usr/ports/security/pam_mkhomedir
# make install clean -DBATCH
# ln -s /usr/local/lib/pam_mkhomedir.so /usr/lib

The latter step is needed because we do not want to specify the complete path in the PAM configuration files.

11. Configure PAM using LDAP for sshd2

# cp -pr /etc/pam.d/sshd /etc/pam.d/sshd2
# vi /etc/pam.d/sshd2

Adapt the file so it looks like this (or similar):

12. Configure NSS using LDAP

# vi /etc/nsswitch.conf

Change the line with group: compat and the line with passwd: compat.
After the change the file should look like this (or similar):

13. Test the fileserver

Try the following command on a client:

sftp <user>@<ipnumber of your fileserver>

It should prompt for the applicable password. Now you should be able to log in and transfer files. Users are restricted to their home directories, can only use the sftp protocol to transfer files securely, and are not allowed to log in remotely.

Congratulations!! Your secure fileserver with LDAP authentication is up and running.

openLDAP server on FreeBSD

Friday, May 7th, 2010

Introduction
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol. This software can make it a lot easier to work on the system (with a single centralized password), to get in touch with customers (centralized customer address book), and to provide a reliable infrastructure for the future.

In this article I will describe the steps to prepare an OpenLDAP server on FreeBSD in an actual production environment for alwina.org. The configuration is based on a directory with 3 types of branches:

  • People (OrganizationalUnit)
  • Groups (OrganizationalUnit)
  • Roles (OrganizationalUnit)

In the example I provide in this article these branches are subdivided as follows:

  • Groups: contains posixGroup "customers". The objectclass "posixGroup" is mappable to Unix groups.
  • People: contains posixAccount “testuser”. The objectclass “posixAccount” is mappable to Unix-users.
  • Roles: contains organizationalRole “ldapmanager” and “ldapreader”.

In this posting I will not go into detail about mapping these items to Unix groups and users, or about authentication schemes. In forthcoming postings I hope to address these subjects.

Well, let's get started and get the LDAP server up and running!

Procedure

1. Standard FreeBSD installation
The first step is a standard FreeBSD installation as described in Standard FreeBSD Installation. A disk space of 5GB should suffice.

2. Update /usr/ports
Make sure you have the most recent snapshots with the following commands:

# portsnap fetch
# portsnap extract

3. Install openLDAP
This may take some time!

# cd /usr/ports/net/openldap24-server
# make install clean -DBATCH

4. Create a secret password for SLAP
slapd is the daemon that provides the LDAP service. Its password needs to be set, and for this purpose we need to create the secret string. We can use several encryption schemes:

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 180-1), {SSHA} with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), {SMD5} with a seed.
{CRYPT} uses crypt(3).
{CLEARTEXT} indicates that the new password should be added to userPassword as clear text.

We choose {MD5} because of its broad support.

# slappasswd -h {MD5}

The result of this command:

Please copy the part {MD5}…..
We need to provide this string in the following step.

# cd /usr/local/etc/openldap
# vi slapd.conf
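As an added example that is not part of the original article, the following POSIX shell functions reproduce what slappasswd produces for the {MD5} scheme chosen above and for the seeded {SSHA} scheme, so you can see exactly what ends up in userPassword and how a directory server checks a bind password against it. Only openssl is needed; the function names, the sample password and the salt are my own.

```shell
#!/bin/sh
# Added example, not from the original article: build and check LDAP
# userPassword values for the {MD5} and {SSHA} schemes with openssl.
# Function names, the sample password and the salt are constructed.

# {MD5}: base64 of the raw 16-byte MD5 digest of the password.
ldap_md5() {
    printf '{MD5}%s' "$(printf '%s' "$1" | openssl dgst -md5 -binary | openssl base64 -A)"
}

# {SSHA}: base64 of SHA-1(password || salt) followed by the salt itself.
# $1 = password, $2 = salt. Keep the salt free of newlines and NUL bytes
# so it survives command substitution; slappasswd uses random binary salt.
ldap_ssha() {
    printf '{SSHA}%s' "$( { printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary; printf '%s' "$2"; } | openssl base64 -A)"
}

# Check password $1 against a stored {SSHA} value $2: recover the salt
# (everything after the 20-byte digest), rehash, compare. Returns 0 on match.
ldap_ssha_check() {
    salt=$(printf '%s' "$2" | sed 's/^{SSHA}//' | openssl base64 -d -A | tail -c +21)
    [ "$(ldap_ssha "$1" "$salt")" = "$2" ]
}

# Demo: the well-known {MD5} value for "secret", and an {SSHA} round trip.
ldap_md5 secret; echo
stored=$(ldap_ssha secret 'c0ns7ruc7ed')
echo "$stored"
ldap_ssha_check secret "$stored" && echo "ssha: password accepted"
ldap_ssha_check wrong  "$stored" || echo "ssha: password rejected"
```

The {MD5} value for a given password is always the same, which is why two users with the same password get identical userPassword attributes; the {SSHA} value changes with the salt, so the same password stored twice looks different, and the salt is recovered from the stored value itself at check time.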

5. Edit slapd.conf

Make the following changes:

  • Add the schemas cosine.schema, inetorgperson.schema and nis.schema
  • Uncomment and add some lines about read / write access (look for the word access)
  • Add the line with "allow bind_v2"
  • Add the line with password-hash {md5}
  • Change the line with the suffix to "dc=alwina,dc=org"
  • Change the rootdn line to "cn=Manager,dc=alwina,dc=org"
  • Replace the word "secret" with the MD5 string from the previous step "{MD5}....."

The file should look like this now:

6. Configuration of the database

This is really easy, just copy the configuration file.

# mv DB_CONFIG.example /var/db/openldap-data/DB_CONFIG

7. Edit ldap.conf

The file ldap.conf is used for accessing LDAP services. This file needs to be configured.

# vi ldap.conf

Make the following changes:

  • Uncomment the lines with BASE, URI, SIZELIMIT, TIMELIMIT, and DEREF
  • Change the lines with BASE and URI

The result should look like this:

8. Start the openLDAP server

# vi /etc/rc.conf

Add the following line:

slapd_enable="YES"

You can start the server with the following command:

# /usr/local/etc/rc.d/slapd start

You can check if slapd runs with the following command:

# sockstat -4

The output should contain at least one line with the word slapd, showing the IPs and ports it is listening on. For instance:

9. Create initial tree

First we need to create a file that contains the initial entries.

# vi alwina.ldif

This file should look exactly as shown. Please mind empty lines and spaces!

dn: dc=alwina,dc=org
objectClass: dcObject
objectClass: organization
o: Alwina
dc: alwina

dn: ou=People,dc=alwina,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=alwina,dc=org
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Roles,dc=alwina,dc=org
ou: Roles
objectClass: top
objectClass: organizationalUnit

dn: cn=customers,ou=Groups,dc=alwina,dc=org
objectClass: posixGroup
objectClass: top
cn: customers
gidNumber: 5001

dn: uid=testuser,ou=People,dc=alwina,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Test User
sn: TestUser
givenName: Test
displayName: Testuser
uidNumber: 5001
gidNumber: 5001
gecos: Testuser
homeDirectory: /home/testuser
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
mail: testuser@alwina.com
postalCode: 2132DL
l: Hoofddorp
o: Voorbeeld
mobile: 0616xxx
homePhone: 3123xxxxx
title: System Tester
postalAddress:
initials: TU
loginShell: /bin/sh
shadowExpire: -1

dn: cn=ldapmanager,ou=Roles,dc=alwina,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapmanager
description: LDAP manager user for unrestricted read/write
userPassword:

dn: cn=ldapreader,ou=Roles,dc=alwina,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapreader
description: LDAP reader for unrestrited reads
userPassword:

Once this file is created we can create the initial tree with the following command:

# ldapadd -x -D "cn=Manager,dc=alwina,dc=org" -W -f alwina.ldif

The command should display the added entries.

10. Install and use the ldapvi tool to edit the LDAP directory (optional step)

For manually editing the LDAP directory the handy tool ldapvi is available. You can install it from the ports with the following steps:

# cd /usr/ports/sysutils/ldapvi
# make install clean -DBATCH
# rehash

Once installed you can easily add to or correct the LDAP directory.

# ldapvi --ldap-conf -D "cn=Manager,dc=alwina,dc=org"

11. Create LDAP-password for Manager

With this step we set the passwords for the special roles "ldapmanager", with complete management control over the LDAP directory, and "ldapreader", with read access to the LDAP directory.
Note that "ldapmanager" has similar access rights as the manager of the openLDAP server ("cn=Manager,dc=alwina,dc=org"). The latter is not explicitly defined in the directory.

# ldappasswd -x -D "cn=ldapreader,ou=Roles,dc=alwina,dc=org" -W -S
# ldappasswd -x -D "cn=ldapmanager,ou=Roles,dc=alwina,dc=org" -W -S

12. Restart the openLDAP service

# /usr/local/etc/rc.d/slapd restart

13. Check the service

Perform the following command to check the directory service:

# ldapsearch -D "cn=ldapreader,ou=Roles,dc=alwina,dc=org" -W

The result should look like this:

Your openLDAP service is up and running.

Now it is time to secure your openLDAP server with an encryption scheme. OpenLDAP supports two similar kinds of encryption, SSL and TLS.

TLS stands for "Transport Layer Security". Services that employ TLS tend to listen on the same port as their non-TLS counterparts; an LDAP server can handle unsecured and TLS-secured connections on the same port.
SSL stands for "Secure Socket Layer", and services that implement SSL do not listen on the same port as their non-SSL counterparts.

In the following steps we will adjust our LDAP server to use TLS, as SSL is considered deprecated.

14. Obtain a set of SSL keys/certificates

There are many ways to obtain SSL/TLS certificates. You could obtain a set from a provider or generate a self signed certificate / key pair yourself with the preinstalled openssl tool from OpenSSL. Please note that there is no need for commercial certificates like Thawte's in our case. In the example I just re-used a free certificate I obtained from StartCOM. If you do not have a set of SSL keys/certificates available, do the following steps to generate a self signed certificate:

  • Build the certificate authority (CA)
  • Generate certificate + key for your LDAP-server

The SSL keys/certificate files I will use:

  • ca.pem = Certificate Authority
  • sub.class1.server.ca.pem = Chain Certificate
  • SSL.crt = Server Certificate
  • SSL.key = Server Key [ Keep secret ]

15. Place the SSL keys/certificates on your system

Perform the following steps on your server:

# cd /usr/local/etc/openldap
# mkdir private

Copy the Server Certificate and Server Key files to the newly created directory (SSL.crt and SSL.key).

If you need to generate a self signed certificate, you could do the following additional steps:

# cd /usr/local/etc/openldap/private

Create the certificate and the key for the Certificate Authority with the following command.

# openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt

Choose common name ca.<your domain>.

Create the  key for your server and a certificate signing request (server.csr).

# openssl req -days 3650 -nodes -new -keyout server.key -out server.csr

Choose common name ldap.<your domain>.

Finally create the signed certificate out of the certificate request.

# openssl x509 -req -days 3650 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial

This completes the extra steps needed to create self signed certificates.

16. Continue with the following steps:

# cd /usr/local/etc/openldap
# chown -R ldap:ldap private
# chmod -R 700 private

Move the Certificate Authority and the Chain Certificate files to a public place:

# mkdir -p /usr/share/openldap
# mv /usr/local/etc/openldap/private/ca.pem /usr/share/openldap
# mv /usr/local/etc/openldap/private/sub.class1.server.ca.pem /usr/share/openldap
# cd /usr/share/openldap
# chmod 755 *

17. Edit slapd.conf

# vi /usr/local/etc/openldap/slapd.conf

Add the following:

security ssf=256
TLSCertificateFile /usr/local/etc/openldap/private/SSL.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/SSL.key
TLSCACertificateFile /usr/share/openldap/sub.class1.server.ca.pem /usr/share/openldap/ca.pem

The order of the files in TLSCACertificateFile is important.
In case you generated a self signed certificate, there is no chain certificate. You can just omit it.

18. Restart your openLDAP service

# /usr/local/etc/rc.d/slapd restart

Check if it is up and running:

# sockstat -4 | grep slapd

You should see a line with the listening port.
If there is an error, you could check /var/log/debug.log for further information.

19. Check if confidentiality is required by the server now

Check if security is required:

# ldapsearch -x -D "cn=Manager,dc=alwina,dc=org" -W

Now you should get an error “Confidentiality required”.

20. Edit ldap.conf

# vi /usr/local/etc/openldap/ldap.conf

Add the following line:

TLS_CACERT    /usr/share/openldap/ca.pem

21. Check if it works now

# ldapsearch -x -D "cn=Manager,dc=alwina,dc=org" -W -Z

The -Z option enables TLS.

Now you should see a response like this:

You can ignore the security warning.

After entering the password the result should be like this:

Your fully secured openLDAP server is up and running. Congratulations!

In forthcoming postings I will explain how to use and take advantage of your openLDAP server.