@ictus4u
Forked from aashishrbhandari/OpenLDAP with SSL
Created August 18, 2022 04:17
# Go to ldap Folder and create a SSL Folder
cd /etc/ldap/
mkdir ssl
cd ssl/
# Create CA (-out and -keyout name the same file, so the CA private key and the CA certificate land together in one bundle PEM; that bundle is later handed to slapd as olcTLSCACertificateFile, so the CA key lives on the LDAP host)
openssl req \
-subj "/C=IN/ST=Maharashtra/L=Mumbai City/O=Information Security Systems/OU=IT Services/CN=OpenLDAP Test Server" \
-x509 \
-newkey rsa:4096 -nodes \
-sha256 \
-out openldap_selfsignedca_bundle.pem \
-keyout openldap_selfsignedca_bundle.pem \
-days 365
# Generate CSR for Server
openssl req \
-subj "/C=IN/ST=Maharashtra/L=Mumbai City/O=Information Security Systems/OU=IT Services/CN=openldap_server.com" \
-newkey rsa:4096 -nodes \
-sha256 \
-out openldap_server.csr \
-keyout openldap_server.key
# Sign Server CSR with CA
openssl x509 \
-req \
-days 360 \
-in openldap_server.csr \
-extensions v3_server_ext \
-extfile <(printf "[v3_server_ext]\n \
basicConstraints=CA:FALSE\n \
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n \
subjectAltName = DNS:openldap_server.com, DNS:*.openldap_server.com\n \
") \
-CA openldap_selfsignedca_bundle.pem \
-CAkey openldap_selfsignedca_bundle.pem \
-CAcreateserial \
-out openldap_server.crt \
-sha256
# Check
ls -lrth /etc/ldap/ssl/
# Make sure to Set the Access Control
cd /etc/ldap/ssl/
chown -v openldap:openldap *
chmod -v 400 *
# Create the LDIF that points cn=config at the CA bundle, server certificate and key
cat > importca_to_ldap.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/openldap_selfsignedca_bundle.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/openldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/openldap_server.key
EOF
# Import it into the running cn=config (as root, over the ldapi socket)
ldapmodify -Y EXTERNAL -H ldapi:/// -f importca_to_ldap.ldif
# Restart OpenLDAP Service
/etc/init.d/slapd restart
# Test it (slapd must be listening on ldaps:///, e.g. via SLAPD_SERVICES in /etc/default/slapd on Debian; -CAfile makes the "Verify return code" meaningful)
openssl s_client -connect 127.0.0.1:636 -CAfile /etc/ldap/ssl/openldap_selfsignedca_bundle.pem -showcerts
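A check worth running after the steps above, written here as an added example rather than code from the gist: it reads the three olcTLS* paths out of an LDIF like the one above and inspects each referenced file for which PEM object types it holds and whether it is readable by group or others. With the gist's layout it reports that the file used as olcTLSCACertificateFile also contains a private key (the CA key ends up in the bundle because -out and -keyout name the same file). The PEM bodies in the demo are constructed placeholders, not real keys or certificates, and the directory is a temporary one created by the script; ownership by the openldap user is not checked, only the mode.

```python
"""Audit the TLS material an OpenLDAP cn=config LDIF points at (added example)."""
import os
import re
import stat
import tempfile

TLS_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile")
# Matches the BEGIN line of a PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...)
PEM_LABEL = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)


def parse_tls_paths(ldif_text):
    """Return {attribute: path} for the TLS attributes assigned in a cn=config LDIF."""
    paths = {}
    for line in ldif_text.splitlines():
        # skip the change-record framing lines and the "-" separators
        if ":" not in line or line.startswith(("dn:", "changetype:", "replace:", "add:")):
            continue
        attr, _, value = line.partition(":")
        if attr.strip() in TLS_ATTRS:
            paths[attr.strip()] = value.strip()
    return paths


def pem_labels(path):
    """List the PEM block labels found in a file, in order."""
    with open(path) as fh:
        return PEM_LABEL.findall(fh.read())


def audit(ldif_text):
    """Return a list of findings (empty list means nothing to report)."""
    findings = []
    paths = parse_tls_paths(ldif_text)
    for attr in TLS_ATTRS:
        if attr not in paths:
            findings.append(f"{attr}: not set in LDIF")
            continue
        path = paths[attr]
        if not os.path.isfile(path):
            findings.append(f"{attr}: {path} does not exist")
            continue
        labels = pem_labels(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # the gist does chmod 400; anything readable by group/others is flagged
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{attr}: {path} is group/world accessible (mode {mode:04o})")
        has_key = any("PRIVATE KEY" in label for label in labels)
        if attr == "olcTLSCertificateKeyFile":
            if not has_key:
                findings.append(f"{attr}: {path} contains no private key")
        else:
            if "CERTIFICATE" not in labels:
                findings.append(f"{attr}: {path} contains no certificate")
            if has_key:
                findings.append(f"{attr}: {path} also contains a private key; keep keys out of certificate files")
    return findings


def demo():
    """Recreate the gist's /etc/ldap/ssl layout in a temp dir with placeholder PEM bodies and audit it."""
    root = tempfile.mkdtemp()
    # constructed placeholders: only the BEGIN/END labels matter to this check
    cert = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
    files = {
        "openldap_selfsignedca_bundle.pem": key + cert,  # key first, then cert, as -keyout/-out to one file gives
        "openldap_server.crt": cert,
        "openldap_server.key": key,
    }
    for name, body in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o400)  # mirrors "chmod -v 400 *"
    ldif = (
        "dn: cn=config\nchangetype: modify\n"
        f"replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: {root}/openldap_selfsignedca_bundle.pem\n-\n"
        f"replace: olcTLSCertificateFile\nolcTLSCertificateFile: {root}/openldap_server.crt\n-\n"
        f"replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: {root}/openldap_server.key\n"
    )
    return audit(ldif)


if __name__ == "__main__":
    for finding in demo() or ["no findings"]:
        print(finding)
```

Run it as is to see the one finding the gist's layout produces; point `audit()` at the real importca_to_ldap.ldif text (as root, or as the openldap user) to check a live server's files.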