Install and configure OpenLDAP on Debian 8 (Jessie)

  • Debian 8 installation

  • $> apt-get install slapd ldap-utils

----

  • TODO

  • Make sure you have the following files:
    • cert.crt - Your certificate (without any other intermediate certs)
    • cert.key - Your private key
    • chain.pem - The intermediate certs
  • I assume the files are located at /opt/ssl
  • Add the openldap user to the ssl-cert group:
  • $> usermod -aG ssl-cert openldap
  • From /opt/ssl, chown your files and set permissions:
  • $> chown root:ssl-cert cert.crt cert.key chain.pem
    $> chmod 640 cert.crt cert.key chain.pem
  • Create the tls.ldif file:
  • dn: cn=config
    changetype: modify
    add: olcTLSCipherSuite
    olcTLSCipherSuite: NORMAL
    -
    add: olcTLSCRLCheck
    olcTLSCRLCheck: none
    -
    add: olcTLSVerifyClient
    olcTLSVerifyClient: never
    -
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /opt/ssl/chain.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /opt/ssl/cert.crt
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /opt/ssl/cert.key
    -
    add: olcTLSProtocolMin
    olcTLSProtocolMin: 3.3
  • And apply it:
  • $> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
  • To enforce TLS, create the following ldif file and apply it:
  • dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcSecurity
    olcSecurity: tls=1
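
A pre-flight check for the tls.ldif above, to run before ldapmodify. This is an added example, not part of the original page; the function names check_tls_ldif and ldif_value are hypothetical. It assumes GNU stat and that the LDIF lines start in column 0, as they do in the real file.

```shell
# Added example: lint tls.ldif before ldapmodify. Function names are hypothetical.
# Usage: check_tls_ldif tls.ldif && ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif

# ldif_value FILE ATTR: print the value of the first "ATTR: value" line.
ldif_value() {
    awk -v a="$2" -F': ' '$1 == a { print $2; exit }' "$1"
}

# Prints one line per finding; exit status is the number of findings (0 = clean).
check_tls_ldif() {
    ldif=$1
    problems=0

    # Every file slapd is told to load must be set and must exist.
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        f=$(ldif_value "$ldif" "$attr")
        if [ -z "$f" ]; then
            echo "MISSING $attr is not set"; problems=$((problems + 1))
        elif [ ! -f "$f" ]; then
            echo "NOFILE $attr: $f"; problems=$((problems + 1))
        fi
    done

    # The private key must give no access to "other" (mode 640 passes).
    key=$(ldif_value "$ldif" olcTLSCertificateKeyFile)
    if [ -f "$key" ]; then
        mode=$(stat -c '%a' "$key")   # GNU stat, as shipped on Debian
        case "$mode" in
            *0) ;;
            *) echo "PERMS $key is mode $mode"; problems=$((problems + 1)) ;;
        esac
    fi

    # olcTLSProtocolMin is major.minor of the record version: 3.3 = TLS 1.2.
    min=$(ldif_value "$ldif" olcTLSProtocolMin)
    if [ -z "$min" ]; then
        echo "PROTO olcTLSProtocolMin is not set"; problems=$((problems + 1))
    elif ! awk -v v="$min" 'BEGIN { split(v, p, "."); exit !(p[1] > 3 || (p[1] == 3 && p[2] >= 3)) }'; then
        echo "PROTO olcTLSProtocolMin $min permits versions below TLS 1.2"; problems=$((problems + 1))
    fi

    return "$problems"
}
```

The check only confirms that the files exist; to confirm that slapd itself can read them, repeat the file tests as the openldap user.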
  • Last modified: 2018-06-03 14:10