Wednesday, April 22, 2009

Openldap 2.4 and TLS

The HOWTOs I used were:

The most annoying thing about OpenLDAP is that pretty much every bit of advice and howto on the Internet is for the old version that uses slapd.conf. In the new version (2.4) the configuration lives in the directory itself, in the cn=config database, and is changed with LDIF. So where is the advice about how to add the TLS config directives? Nowhere! Not only that, but ldapadd and ldapmodify are really difficult to use, with poor error messages if you screw up your LDIF syntax.

You need to write a file tls_config.ldif:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/servercrt.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/serverkey.pem

Then run:

ldapmodify -f tls_config.ldif -D cn=admin,cn=config -x -W

Most advice on the internet tells you to look in slapd.conf for rootpw, which is useless here. Interestingly, after I disabled regular ldap in favour of ldaps below, I couldn't use ldapmodify anymore, even when I specified ldaps:// with the -H parameter. I had to re-enable regular ldap, run the command, then turn it off again.

Add the following line to /etc/default/slapd (if you only want SSL then list just ldaps:///):

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Restart slapd.

For testing, on the client you need to write the following line at the end of /etc/ldap/ldap.conf. It tells the client not to verify the server certificate at all, so it is only for testing; once the CA certificate is on the client, point TLS_CACERT at it instead and leave TLS_REQCERT at its default of demand:

TLS_REQCERT never
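A pre-flight script for the procedure above, added here as an example (it is not from the original post): it checks that the server certificate chains to the CA and matches the private key, that the key is not world-readable, and then writes the LDIF with the same attributes. The three paths default to the ones used in the post and can be overridden through the CA, CRT and KEY environment variables; openssl is assumed to be installed.

```shell
#!/bin/sh
# Pre-flight checks before loading the TLS attributes into cn=config.
# Added example, not from the original post. Default paths are the post's.
CA=${CA:-/etc/ldap/ssl/demoCA/cacert.pem}
CRT=${CRT:-/etc/ldap/ssl/servercrt.pem}
KEY=${KEY:-/etc/ldap/ssl/serverkey.pem}

# Print the LDIF: one modify of cn=config with three attribute changes,
# separated by "-" lines, exactly as ldapmodify expects.
build_tls_ldif() {
  printf '%s\n' 'dn: cn=config' 'changetype: modify' \
    'add: olcTLSCACertificateFile' "olcTLSCACertificateFile: $1" '-' \
    'add: olcTLSCertificateFile' "olcTLSCertificateFile: $2" '-' \
    'add: olcTLSCertificateKeyFile' "olcTLSCertificateKeyFile: $3"
}

# Returns 0 when the server cert chains to the CA and the private key's
# public half equals the cert's; slapd will not serve ldaps otherwise.
check_tls_files() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
    || { echo "$2 does not chain to $1" >&2; return 1; }
  [ -n "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] \
    && [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] \
    || { echo "$3 does not match $2" >&2; return 1; }
}

# Returns 0 when the key file exists and is not readable by "others".
# It must still be readable by the user slapd runs as (openldap on Debian,
# assumption), e.g. root:openldap with mode 640; only the world bit is checked.
key_is_private() {
  [ -f "$1" ] && [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

main() {
  check_tls_files "$CA" "$CRT" "$KEY" || exit 1
  key_is_private "$KEY" || { echo "$KEY is world-readable" >&2; exit 1; }
  build_tls_ldif "$CA" "$CRT" "$KEY" > tls_config.ldif
  echo "wrote tls_config.ldif; after ldapmodify and a slapd restart, verify with:"
  echo "  openssl s_client -connect localhost:636 -CAfile $CA </dev/null"
}
case "${1:-}" in --run) main ;; esac
```

Run it with `sh tls_preflight.sh --run`; without the flag the functions are only defined, so the file can be sourced.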

1 comment:

Aymeric said...

MY GOD YOU'RE MY SAVIOUR !!!

Thanks a lot :)