If you want SSL/TLS support in OpenLDAP (slapd), you need to point slapd at the certificate and key and let it listen on the appropriate port.

Make sure the cert and key are in place, then prepare the following LDIF file (saved as enable_ssl.ldif, the name used in the command below):

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem

dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key

Load it into the running server over the local socket with:

ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif -v

If this step fails with

ldap_modify: Other (e.g., implementation specific) error (80)

check the following things:

  • Can the openldap user read both files, and can the directory they sit in be accessed?
  • Do the cert and key really match? REALLY!

Both outputs must be the same:

# openssl rsa -noout -modulus -in /etc/ldap/key.key | openssl md5
(stdin)= 45b4165df200817a20857fb453acd33e
# openssl x509 -noout -modulus -in /etc/ldap/cert.pem | openssl md5
(stdin)= 45b4165df200817a20857fb453acd33e

  • Are the key and cert files really a key and a cert?

# head -n2 /etc/ldap/cert.pem
-----BEGIN CERTIFICATE-----
MIIFmDCCBICgAwIBAgIQBFMR6HMGTGjQIjSj4sQX+TANBgkqhkiG9w0BAQsFADBu
# head -n2 /etc/ldap/key.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvrDddMwXoy10diqDpqd45jaC8HiGKz7KC5X3W0ZLvCshylu0
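
As an added example (not part of the original post), here are the three checks above bundled into one POSIX shell preflight script. It assumes the post's paths /etc/ldap/cert.pem and /etc/ldap/key.key and a service user named openldap (the Debian/Ubuntu default; both are just defaults and can be overridden on the command line). It generalizes the modulus trick slightly: instead of comparing RSA moduli it compares the public key extracted from the certificate with the one derived from the private key, which also works for EC keys.

```shell
#!/bin/sh
# Preflight checks for the slapd TLS setup described above.
# Added example, not from the original post. Assumed defaults:
# cert /etc/ldap/cert.pem, key /etc/ldap/key.key, service user "openldap".
# Usage: sh slapd-tls-check.sh [CERT] [KEY] [USER]

# Check 1: does the file start with the expected PEM header?
# pem_has_header FILE LABEL -> 0 if FILE begins with "-----BEGIN <LABEL>-----"
pem_has_header() {
    head -n1 "$1" 2>/dev/null | grep -q "^-----BEGIN $2-----$"
}

# Private keys come in several PEM flavours; accept the common ones.
key_has_header() {
    pem_has_header "$1" "RSA PRIVATE KEY" \
        || pem_has_header "$1" "PRIVATE KEY" \
        || pem_has_header "$1" "EC PRIVATE KEY"
}

# Check 2: do cert and key belong together? Compare the SubjectPublicKeyInfo
# taken from the certificate with the one derived from the private key.
# Returns 1 if either file cannot be parsed or the keys differ.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Check 3: can the service user actually read the file (this also covers
# directory traversal)? Switching user needs root; otherwise report "skipped".
readable_by_user() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "skipped: run as root to verify that user $2 can read $1"
        return 0
    fi
    su -s /bin/sh "$2" -c "test -r '$1'"
}

# run_checks CERT KEY USER -> 0 if everything passed, 1 otherwise
run_checks() {
    cert="${1:-/etc/ldap/cert.pem}"
    key="${2:-/etc/ldap/key.key}"
    user="${3:-openldap}"
    failed=0
    pem_has_header "$cert" CERTIFICATE \
        || { echo "FAIL: $cert does not look like a PEM certificate"; failed=1; }
    key_has_header "$key" \
        || { echo "FAIL: $key does not look like a PEM private key"; failed=1; }
    cert_key_match "$cert" "$key" \
        || { echo "FAIL: certificate and key do not belong together"; failed=1; }
    for f in "$cert" "$key"; do
        readable_by_user "$f" "$user" \
            || { echo "FAIL: $f is not readable by user $user"; failed=1; }
    done
    [ "$failed" -eq 0 ] && echo "OK: all checks passed"
    return "$failed"
}

# Only run the checks when invoked as a script with arguments, so the
# functions can also be sourced from another shell script.
if [ "$#" -ge 1 ]; then
    run_checks "$@"
fi
```

Run it as root before the ldapmodify step; a non-zero exit status means one of the three causes of error 80 listed above is present. The public-key comparison is stricter than eyeballing two md5 sums and does not depend on the key type.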

A successful import looks like this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif -v

ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCertificateFile:
/etc/ldap/cert.pem
modifying entry "cn=config"
modify complete

add olcTLSCertificateKeyFile:
/etc/ldap/key.key
modifying entry "cn=config"
modify complete
