Friday, August 25, 2017

Setting up OpenBSD's LDAP Server (ldapd) with StartTLS and SASL

OpenBSD has its own LDAP server, ldapd. Here's how to configure it for use with StartTLS and SASL authentication

I don't cover common LDAP operations, like adding users, as that's covered well elsewhere

Server (ldapserver /

1. Create a self-signed TLS certificate

# cd /etc/ldap/certs
# openssl genrsa -out ldapserver.key 2048
# openssl req -x509 -new -key ldapserver.key -out ldapserver.crt -days 365
# `# enter ldapserver as the canonical name`

Configure ldapd:

# touch /etc/ldapd.conf
# chmod o-r /etc/ldapd.conf 
# cat /etc/ldapd.conf

schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"

listen on lo0 tls certificate ldapserver  
listen on em0 tls certificate ldapserver
listen on "/var/run/ldapi" 

Check your configuration:

# /usr/sbin/ldapd -n
configuration ok

Enable and start ldapd:

# rcctl enable ldapd
# rcctl start ldapd

Copy the cert to /tmp so we can scp it as not root from the client:

cp /etc/ldap/certs/ldapserver.crt /tmp

Need to debug ldapd?

# /usr/sbin/ldapd -d -vv
# ldapctl log verbose


Trust the server's certificate:

# echo '    ldapserver' >> /etc/hosts
# scp notRoot@ldapserver:/tmp/ldapserver.crt >> /etc/ssl/trusted.crt

Install openldap-client (this installs cyrus-sasl as well):

# pkg_add openldap-client

Configure it:

# cat /etc/openldap/ldap.conf
TLS_CACERT    /etc/ssl/trusted.crt

Start saslauthd

# rcctl enable saslauthd
# rcctl start saslauthd

Connect to ldapd (-ZZ means force TLS, use -H to specify URI):

# ldapsearch -H ldap://ldapserver -ZZ
SASL/PLAIN authentication started
Please enter your password:

Need to debug saslauthd?

# /usr/local/sbin/saslauthd -a getpwent  -d

Need to debug OpenLDAP client?

# ldapsearch -d1 -v -ZZ
# ldapadd -d1 -v -ZZ


rjc said...

It looks like append ('>>') snuck into the scp command.

Kamil Monticolo said...

It should be:
scp notRoot@ldapserver:/tmp/ldapserver.crt /tmp/trusted.crt

and then
cat /tmp/trusted.crt >> /etc/ssl/trusted.crt