Some questions about LDAPS

I have been working with LDAP for 7 years, but times change and the company using the software now wants it to be LDAPS.

I’m currently running on Centos 6 (will be 7 this year).

The company provided me with a certificate in PFX format and a password. How do I install a PFX on CentOS 6, and how do I get LDAPS working? Do I need OpenLDAP (and how do I configure that)?

I only need to check if a user + pass is in the AD, I don’t need anything more from the AD.
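The following is an added example, not part of the question or of any answer to it. It shows the client-side steps that a password check against AD over LDAPS needs: pull the certificate(s) out of the PFX with OpenSSL (never the private key, which a client has no use for), point the OpenLDAP client library at that PEM file, and require certificate verification. No slapd is involved, because a bind check is client work only. The PFX and the host name `dc01.corp.local` are constructed stand-ins so the script runs offline; on CentOS the client config file is `/etc/openldap/ldap.conf`.

```shell
#!/bin/sh
# Added example: turn a company-supplied PFX into the trust anchor the OpenLDAP
# client needs, then write a client ldap.conf for a simple bind check.
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the company's PFX so this runs offline.
# (In real use you already have the .pfx and its password.)
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/demo.key" -out "$WORK/demo.crt" -subj "/CN=demo-ad-ca" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/demo.crt" -inkey "$WORK/demo.key" \
    -out "$WORK/company.pfx" -passout "pass:$1"
}

# Extract only the certificates from the PFX (-nokeys). The private key that
# may be inside belongs on the server, never on the box doing the bind.
pfx_to_pem() {
  # $1 = pfx path, $2 = pfx password, $3 = output PEM path
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3"
  # Note: OpenSSL 3 reading an older RC2/3DES PFX from Windows may need -legacy.
}

# Client configuration. TLS_REQCERT demand makes the bind fail unless the
# server certificate chains to TLS_CACERT, which is the whole point of LDAPS.
write_ldap_conf() {
  # $1 = path to ldap.conf, $2 = PEM path, $3 = AD host (placeholder value)
  cat > "$1" <<EOF
URI ldaps://$3
BASE dc=corp,dc=local
TLS_CACERT $2
TLS_REQCERT demand
EOF
}

# Manual check once the file is in /etc/openldap/ldap.conf (needs the real AD):
#   ldapwhoami -H ldaps://dc01.corp.local -D 'user@corp.local' -W
# A correct password prints the bound identity; a wrong one returns
# "Invalid credentials"; a certificate that does not chain fails before the bind.
```

`ldapwhoami` is enough for the stated need: if the bind succeeds, the user and password are valid in AD, and nothing else has to be read from the directory.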

OpenLDAP with LDAPS and N-Way Multi-master replication

We have the following setup:

  • Two OpenLDAP servers – openldap1, openldap2
  • They are to be set up as N-Way multi-master
  • Certificates are all set up correctly with alternate names etc and trust each other

I want slapd to bind to all interfaces on the server, so was hoping to run the service as

/usr/sbin/slapd -u ldap -h ldaps://  

However, this gives

5cabf191 <<< dnNormalize: <cn=subschema>
5cabf191 read_config: no serverID / URL match found. Check slapd -h arguments.
5cabf191 slapd destroy: freeing system resources.
5cabf191 syncinfo_free: rid=002
5cabf191 syncinfo_free: rid=002
5cabf191 slapd stopped.
5cabf191 connections_destroy: nothing to destroy.

I think I understand this to be because of our replication setup, which has the following ServerIDs:

dn: cn=config
objectClass: olcGlobal
cn: config
..snipped..
olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem
olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcServerID: 1 ldaps://openldap1
olcServerID: 2 ldaps://openldap2
entryCSN: 20190409004218.061111Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190409004218Z
contextCSN: 20190409004339.981340Z#000000#000#000000

I think my error is because the slapd -h argument cannot be matched to a serverID in the list?

If this is the case, how do I work around it?

If I manually run the following, it works, but this doesn’t help me bind to all interfaces.

/usr/sbin/slapd -u ldap -h ldaps://openldap1 

I have an IP that floats between both servers to give high availability if one were to go down, so need slapd to listen on all interfaces.
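The following is an added example, not part of the question. It models the rule behind the error message above: with more than one olcServerID, slapd only picks its own ID when one of the olcServerID URLs matches one of the listener URLs given with -h, and a bare `ldaps://` has no host, so nothing can match it. The script takes the two olcServerID lines from the cn=config entry above and reports which ID a given -h string would select. The matching rule (scheme, host compared case-insensitively, port with 389/636 defaults) is my simplified model of slapd's check, not slapd's own code, and IPv6 bracket literals are not handled.

```shell
#!/bin/sh
# Added example: pre-flight check of slapd -h arguments against olcServerID URLs.
# SERVER_IDS is copied from the olcServerID lines in the question.
SERVER_IDS="1 ldaps://openldap1
2 ldaps://openldap2"

# Normalise an LDAP URL to "scheme host port" so different spellings of the
# same listener compare equal (default ports: 389 for ldap, 636 for ldaps).
# A URL with no host, such as "ldaps://", normalises to an empty host.
url_key() {
  _url=$1
  _scheme=${_url%%://*}
  _rest=${_url#*://}
  _rest=${_rest%%/*}               # drop any trailing "/" or path
  _host=${_rest%%:*}
  _port=
  case $_rest in *:*) _port=${_rest##*:} ;; esac
  if [ -z "$_port" ]; then
    case $_scheme in ldaps) _port=636 ;; ldap) _port=389 ;; *) _port=0 ;; esac
  fi
  printf '%s %s %s\n' "$_scheme" "$(printf %s "$_host" | tr 'A-Z' 'a-z')" "$_port"
}

# Print the first serverID whose URL matches one of the space-separated
# listener URLs in $1 (the slapd -h argument). Exit 1 when none matches,
# which is the situation that produces "no serverID / URL match found".
serverid_for() {
  for _l in $1; do
    _lkey=$(url_key "$_l")
    _hit=$(printf '%s\n' "$SERVER_IDS" | while read -r _id _u; do
      if [ -n "$_u" ] && [ "$(url_key "$_u")" = "$_lkey" ]; then
        printf '%s' "$_id"
        break
      fi
    done)
    if [ -n "$_hit" ]; then
      printf '%s\n' "$_hit"
      return 0
    fi
  done
  return 1
}

# Usage from a shell:
#   serverid_for 'ldaps://openldap1'   -> prints 1
#   serverid_for 'ldaps://'            -> prints nothing, exit 1 (the failing case)
```

Running `serverid_for` with the exact -h string before restarting slapd turns the startup failure into a one-line check, and the empty-host key it prints for `ldaps://` is the visible reason the wildcard listener cannot select a serverID.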

Best way to enable LDAPS / Self Signed Cert

Looking for the most secure way to enable LDAPS support in Active Directory / on DMZ servers. I did some legwork, but I would like to run this by you guys.

I don’t have a CA available, and the domain is .local, so I can’t purchase a signed cert (at this point migration to a TLD is not an option).

I found a tutorial showing that I can create a self-signed certificate with makecert; are there any issues doing that?

Run – makecert -a sha1 -eku -sky exchange -sr localmachine -ss MY -pe -r -n "CN=DCNAME2" -len -m 12 LDAP.cer

From MMC – Certificates, go to the Personal Store and export the created certificate with its KEY.

Then import the PFX file that was created in previous step under Local Computer – Trusted Root Certificates.

Does this make sense? What are the security implications, and is there a better way of doing it?
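The following is an added example, not part of the question. It is an OpenSSL equivalent of the makecert step that produces the shape of certificate a domain controller needs for LDAPS (SHA-256 signature, the DC's FQDN in the Subject Alternative Name, and the Server Authentication EKU), bundles it as a PFX for the Personal (MY) store, and includes an audit function that flags a certificate missing any of those properties. The host name `dcname2.domain.local` is a placeholder; the audit checks are my own, not from any tutorial.

```shell
#!/bin/sh
# Added example: self-signed LDAPS certificate for a DC, plus an audit of it.
WORK="${WORK:-$(mktemp -d)}"
DC_FQDN="${DC_FQDN:-dcname2.domain.local}"   # placeholder FQDN of the DC

# Generate a key and self-signed certificate with the extensions LDAPS clients
# look for. -addext needs OpenSSL 1.1.1 or later.
make_dc_cert() {
  _out=$1   # base path; writes $_out.key and $_out.crt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$_out.key" -out "$_out.crt" \
    -subj "/CN=$DC_FQDN" \
    -addext "subjectAltName=DNS:$DC_FQDN" \
    -addext "extendedKeyUsage=serverAuth" \
    -addext "keyUsage=digitalSignature,keyEncipherment" 2>/dev/null
}

# Bundle key + certificate as a PFX for import into the DC's Personal store.
# Only the .crt (no key) should ever go into a Trusted Root store.
make_pfx() {
  # $1 = base path from make_dc_cert, $2 = PFX password
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -out "$1.pfx" -passout "pass:$2"
}

# Audit: exit 0 only if the certificate is SHA-256 (or stronger) signed, carries
# a SAN for the expected FQDN, and has the Server Authentication EKU.
audit_ldaps_cert() {
  # $1 = certificate (PEM), $2 = expected FQDN
  _txt=$(openssl x509 -in "$1" -noout -text)
  _rc=0
  printf '%s\n' "$_txt" | grep -Eq 'Signature Algorithm: sha(256|384|512)' \
    || { echo "FAIL: signature is not SHA-256 or stronger"; _rc=1; }
  printf '%s\n' "$_txt" | grep -qF "DNS:$2" \
    || { echo "FAIL: no subjectAltName entry for $2"; _rc=1; }
  printf '%s\n' "$_txt" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: no Server Authentication EKU"; _rc=1; }
  [ "$_rc" -eq 0 ] && echo "OK: $1 is usable for LDAPS on $2"
  return $_rc
}

# Stand-alone use:
#   make_dc_cert "$WORK/dc" && make_pfx "$WORK/dc" 'choose-a-password'
#   audit_ldaps_cert "$WORK/dc.crt" "$DC_FQDN"
```

The audit is the part worth keeping: run it against any certificate before installing it on the DC, since a certificate signed with SHA-1 or lacking the FQDN in the SAN will be rejected by current clients even though the LDAPS listener comes up. On the Windows side, `New-SelfSignedCertificate -DnsName <fqdn> -CertStoreLocation Cert:\LocalMachine\My` produces the same shape of certificate and is Microsoft's replacement for the deprecated makecert; either way the PFX with the private key stays in the DC's Personal store, and only the public certificate is distributed to the trust stores of the clients.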