If you want to have SSL-support in openldap/slapd, you need to specify the certificate & key and let slapd listen on appropriate port.
Make sure you have cert & key in place and prepare following ldif file:
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key
ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif -v
If you fail at this step with
ldap_modify: Other (e.g., implementation specific) error (80)
check the following things:
- Can the openldap-user read both files and can the directory itself be accessed?
- does the cert and key really match? REALLY!.
Both output must be the same:
# openssl rsa -noout -modulus -in /etc/ldap/key.key | openssl md5
(stdin)= 45b4165df200817a20857fb453acd33e
# openssl x509 -noout -modulus -in /etc/ldap/cert.pem | openssl md5
(stdin)= 45b4165df200817a20857fb453acd33e
- is the key and cert-file really a key and cert?
# head -n2 /etc/ldap/cert.pem
—–BEGIN CERTIFICATE—–
MIIFmDCCBICgAwIBAgIQBFMR6HMGTGjQIjSj4sQX+TANBgkqhkiG9w0BAQsFADBu
# head -n2 /etc/ldap/key.key
—–BEGIN RSA PRIVATE KEY—–
MIIEowIBAAKCAQEAvrDddMwXoy10diqDpqd45jaC8HiGKz7KC5X3W0ZLvCshylu0
a successful import looks like the following:
ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif -v
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCertificateFile:
/etc/ldap/cert.pem
modifying entry „cn=config“
modify completeadd olcTLSCertificateKeyFile:
/etc/ldap/key.key
modifying entry „cn=config“
modify complete