Configuring Encrypted LDAP Communication

The secure tunnel (stunnel) utility can be used to intercept regular LDAP communications and encrypt them over an SSL tunnel using the TCP port of your choice. Fortunately, stunnel is installed by default on Fedora Linux, making it even easier to use.

Tip

Add the SSL encryption only after basic LDAP has been proven to work without encryption. This makes troubleshooting much easier.


Here's how to encrypt LDAP with Fedora Linux.

Configuring the stunnel LDAP Client

First, you configure the LDAP client to use stunnel:

1.
Edit the ldap.conf file. You have to trick the LDAP client into thinking that the LDAP server is actually running locally as a daemon, so you need to set the HOST entry to localhost. You then configure the stunnel utility to intercept this traffic and relay it to the real LDAP server:

HOST localhost
BASE dc=example,dc=com

2.
Create a stunnel user with the useradd command:

[root@smallfry tmp]# useradd stunnel

3.
Edit the stunnel.conf configuration file in the /etc/stunnel directory, configuring it as shown:

#
# File: /etc/stunnel/stunnel.conf (LDAP Client)
#

# Run stunnel as user "stunnel", chrooted to /home/stunnel. The pid path
# is relative to the chroot, so the pid file is /home/stunnel/stunnel.pid
chroot = /home/stunnel
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel

# Configure logging (debug = 7 is the most verbose level)
debug = 7
output = /var/log/messages

# Client mode: stunnel makes the outbound SSL connection. No verify
# directive is set, so the server's certificate is not checked.
client = yes

# Service-level configuration: accept plain LDAP locally on 389 and
# forward it over the SSL tunnel to the LDAP server on 636
[ldap]
accept  = 389
connect = 192.168.1.100:636

At the very end of the file, notice that traffic accepted on the local LDAP TCP port 389 is forwarded over the secure tunnel to the LDAP server (192.168.1.100) on TCP port 636.

4.
Start stunnel with the stunnel command:

[root@smallfry tmp]# stunnel

5.
Check the log files, especially the last 100 lines of the error log file /var/log/messages, to make sure there are no errors. If there are errors, double-check your stunnel configuration file for mistakes.

[root@smallfry tmp]# tail -100 /var/log/messages

6.
Make sure stunnel runs on the next reboot. The script /etc/rc.local is run at the end of every boot sequence. Use the locate command to find out where the stunnel program is and then place your stunnel command in /etc/rc.local as shown:

# Run stunnel for LDAP (Fedora file location)
/usr/sbin/stunnel

Configuring the stunnel LDAP Server

After you configure the client, you're ready to set up stunnel on the LDAP server:

1.
Create a stunnel user using the useradd command:

[root@bigboy tmp]# useradd stunnel

2.
Edit the stunnel.conf configuration file located in the /etc/stunnel directory. Configure it as shown:

#
# File: /etc/stunnel/stunnel.conf (LDAP Server)
#

# Run stunnel as user "stunnel", chrooted to /home/stunnel. The pid path
# is relative to the chroot, so the pid file is /home/stunnel/stunnel.pid
chroot = /home/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel

# Configure logging (debug = 7 is the most verbose level)
debug = 7
output = /var/log/messages

# Server mode: accept SSL connections and present this certificate and
# key (both are in the single stunnel.pem file created below)
client = no
cert = /usr/share/ssl/certs/stunnel.pem
key =  /usr/share/ssl/certs/stunnel.pem

# Service-level configuration: accept SSL on 636 and hand the decrypted
# traffic to the local LDAP server on 389
[ldap]
accept  = 636
connect = 389

There are a few differences between the client and server stunnel.conf files. The very bottom of the file shows that all traffic received on the secure LDAP port 636 is redirected to the application listening on LDAP port 389. The file is configured for server mode (client = no), and an SSL certificate has been defined for the encryption process. You'll create the certificate next.

3.
Go to the /usr/share/ssl/certs directory and create the certificate using the make command. Use all the defaults when prompted, but make sure you use the server's IP address when prompted for your server's Common Name or hostname.

[root@bigboy tmp]# cd /usr/share/ssl/certs
[root@bigboy certs]# make stunnel.pem
...
Common Name (eg, your name or your server's hostname) []:192.168.1.100
...
[root@bigboy certs]#

Note

The certificate created only has a 365 day lifetime. Remember to repeat this process next year.


4.
Modify certificate file permissions. The certificate needs to be read by root and the stunnel user. Use the chmod and chgrp commands to do this:

[root@bigboy certs]# chmod 640 stunnel.pem
[root@bigboy certs]# chgrp stunnel stunnel.pem

[root@bigboy certs]# ll /usr/share/ssl/certs
-rw-r----- 1 root stunnel    1991 Jul 31 21:50 stunnel.pem
[root@bigboy certs]#

5.
Start stunnel with the stunnel command:

[root@bigboy tmp]# stunnel

6.
Check the last 100 lines of the error log file /var/log/messages to make sure there are no errors. If you find errors, double-check your stunnel configuration file for mistakes.

[root@bigboy tmp]# tail -100 /var/log/messages

The key things to look for are the loading of the certificate, the binding of LDAP to the 636 secure LDAP port, and the creation of the temporary stunnel.pid file:

2004.08.02 08:50:18 LOG7[12102:3210052320]: Certificate: /usr/share/ssl/certs/stunnel.pem
2004.08.02 08:50:18 LOG7[12102:3210052320]: Key file: /usr/share/ssl/certs/stunnel.pem
2004.08.02 08:50:18 LOG7[12102:3210052320]: ldap bound to 0.0.0.0:636
2004.08.02 08:50:18 LOG7[12103:3210052320]: Created pid file /stunnel.pid

7.
Make sure stunnel runs on the next reboot. The script /etc/rc.local is run at the end of every boot sequence. Use the locate command to find out where the stunnel program is and then place your stunnel command in /etc/rc.local:

#
# File : /etc/rc.local
#
# Run stunnel for LDAP (Fedora file location)
/usr/sbin/stunnel

The final preparation step is to create a home directory for each user, just as in the unencrypted LDAP example earlier. After this is complete, you'll need to do some basic testing, which is covered in the troubleshooting section.
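As an added example that is not part of the original text, the following Python script parses the two stunnel.conf files shown in this chapter (embedded as constructed, abbreviated copies) and reports the settings a reviewer would flag, in particular that the client file sets no verify directive, so stunnel accepts any server certificate. The function names parse_stunnel_conf and audit are this script's own; the directive names are stunnel's.

```python
# Constructed, abbreviated copies of the client and server stunnel.conf above
CLIENT_CONF = """chroot = /home/stunnel
setuid = stunnel
setgid = stunnel
debug = 7
client = yes
[ldap]
accept  = 389
connect = 192.168.1.100:636
"""
SERVER_CONF = """chroot = /home/stunnel/
setuid = stunnel
setgid = stunnel
debug = 7
client = no
cert = /usr/share/ssl/certs/stunnel.pem
key =  /usr/share/ssl/certs/stunnel.pem
[ldap]
accept  = 636
connect = 389
"""

def parse_stunnel_conf(text):
    """Return (global options, {service: options}) with lower-cased keys."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blanks
        if line.startswith("[") and line.endswith("]"):  # start of a service section
            current = services.setdefault(line[1:-1].strip(), {})
        elif line:
            key, _, val = line.partition("=")
            (global_opts if current is None else current)[key.strip().lower()] = val.strip()
    return global_opts, services

def audit(text):
    """Return reviewer findings for one stunnel.conf (empty list if nothing to flag)."""
    g, _ = parse_stunnel_conf(text)
    findings = [f"missing {o}: stunnel keeps root privileges"
                for o in ("chroot", "setuid", "setgid") if o not in g]
    if g.get("client", "no").lower() == "yes":
        # stunnel verifies no peer certificate unless a verify directive is set,
        # so this client encrypts to whatever answers on the port it connects to
        if not any(k in g for k in ("verify", "verifychain", "verifypeer")):
            findings.append("client mode without verify: server certificate is not checked")
    elif "cert" not in g:
        findings.append("server mode without cert: nothing to present to clients")
    if g.get("debug", "5").rsplit(".", 1)[-1] in ("7", "debug"):
        findings.append("debug = 7: debug-level logging, lower it once the tunnel works")
    return findings
```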