LDAP Authentication with TLS

I've been using LDAP for central authentication, but I hadn't added encryption until recently. On a switched wired network a host normally sees only its own traffic, so passively "sniffing" other machines' packets is harder than it was with hubs (an attacker who can ARP-spoof or who controls the switch can still manage it). On wireless, anyone in range can capture frames. Either way, LDAP authentication sends bind passwords over the wire, so encrypting all of that traffic is a good idea.

OpenLDAP supports two ways to encrypt the connection, and once the session is established they give the same protection. The older method is "ldaps": the directory URL takes the form "ldaps://" and the client connects to a separate port (636 by default) that speaks TLS from the first byte, the same way HTTPS does. The more modern method is called "TLS", or more precisely "STARTTLS": the client connects to the normal "ldap://" port (389), then sends a StartTLS extended operation to upgrade the existing connection to TLS before it binds.

The catch with STARTTLS is that the same port also accepts plaintext, so a client that never sends StartTLS (or is tricked into skipping it) talks to the directory in the clear. You can close that hole on the server: OpenLDAP's access controls can require a minimum security strength factor for some or all of the tree, so that, for instance, anything that reads or writes a password attribute is only possible over TLS.

On Ubuntu desktops it's pretty easy to switch to using TLS. Due to bugs in the standard LDAP NSS/PAM client you will need to switch to something called "nslcd". nslcd, from the nss-pam-ldapd project, is a newer LDAP client that runs as a separate daemon: the NSS and PAM modules talk to it over a local socket, and it alone holds the LDAP connections and the bind credentials.

Here are the main packages you'll want to ensure are installed on the client:

apt-get install libnss-ldapd nss-updatedb libnss-db ldap-auth-client libpam-ldapd

nslcd reads its configuration from /etc/nslcd.conf, which is where you describe your directory to it. For a self-signed server certificate, the minimal settings that make the encrypted connection work are:

ssl start_tls
tls_reqcert never

Be aware of what "tls_reqcert never" does: the connection is encrypted, but the client never verifies the server's certificate, so it cannot tell your directory from an impostor, and anyone on the path can present their own certificate and collect every bind password. Even a self-signed certificate can be verified: copy the server's certificate (or the certificate of your own CA, if you run one) to the client, point "tls_cacertfile" at it, and use "tls_reqcert demand". If your certificate is signed by a CA the client already trusts, "tls_reqcert demand" on its own is enough. Either way, replace "never" as soon as you have the certificate in place.

In addition, I lock down authentication with LDAP to just the organizational units that contain my users and groups, so that entries elsewhere in the tree can't accidentally authenticate someone:

base ou=people,dc=mydomain,dc=com
base ou=groups,dc=mydomain,dc=com
scope one

Notice you can specify "base" more than once: nslcd searches each of them and ignores the rest of your LDAP tree (it also accepts per-map bases, such as "base passwd ou=people,dc=mydomain,dc=com"). The "scope" setting says how far below each base to look. "base" matches only the base entry itself, which here would be the OU and not the people in it, so no user would ever be found; "one" covers the entries directly under the base, which is what a flat ou=people needs; "sub" descends the whole subtree, which you'll want if your users are spread across sub-OUs.
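The client settings above are easy to get subtly wrong, so here is a small checker for them. It is an added example written for this post, not code from nss-pam-ldapd or from the original article: it understands only the directives used here (uri, ssl, tls_reqcert, tls_cacertfile, tls_cacertdir, base, scope), the sample configs are constructed for the example, and the hostname ldap.mydomain.com and the path /etc/ssl/certs/ldap-ca.pem are placeholders.

```python
"""Lint an nslcd.conf for the TLS and search settings discussed in the post.

Added example, not part of nss-pam-ldapd or of the original article. Only the
directives the post uses are examined; everything else is ignored.
"""
import shlex

# libldap semantics: with never/allow an unverifiable server certificate is
# accepted, with try/demand/hard it is rejected. Absent, libldap defaults to demand.
WEAK_REQCERT = {"never", "allow"}


def parse_nslcd(text):
    """Return (keyword, args) pairs in file order. Lines starting with '#' are
    comments. Repeated keywords (several 'base' lines) are all kept, since nslcd
    honours each of them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def lint_nslcd(text):
    """Return a list of findings; an empty list means the settings look sound."""
    findings = []
    values = {}
    for kw, args in parse_nslcd(text):
        values.setdefault(kw, []).append(args)

    uris = [a[0] for a in values.get("uri", []) if a]
    ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    ssl_mode = values.get("ssl", [["off"]])[-1][0].lower()   # nslcd default: off
    encrypted = ldaps or ssl_mode in ("on", "start_tls")
    if not encrypted:
        findings.append("plaintext: no ldaps:// uri and ssl is neither 'on' nor 'start_tls'")

    reqcert = values.get("tls_reqcert", [["demand"]])[-1][0].lower()
    has_anchor = "tls_cacertfile" in values or "tls_cacertdir" in values
    if encrypted and reqcert in WEAK_REQCERT:
        findings.append("tls_reqcert %s: the server certificate is not verified, so an "
                        "on-path attacker can impersonate the directory" % reqcert)
    elif encrypted and not has_anchor:
        findings.append("no tls_cacertfile/tls_cacertdir: a self-signed or private-CA "
                        "certificate will be rejected unless it is in the system trust store")

    # 'scope base' matches only the base entry itself (the OU), never the users under it.
    for args in values.get("scope", []):
        if args and args[-1].lower() == "base" and "base" in values:
            findings.append("scope base: only the base entry itself matches; use 'one' for "
                            "entries directly under it or 'sub' for the whole subtree")
    return findings


# Constructed sample 1: the post's quick self-signed setup, with the scope problem.
POST_CONFIG = """\
uri ldap://ldap.mydomain.com/
ssl start_tls
tls_reqcert never
base ou=people,dc=mydomain,dc=com
base ou=groups,dc=mydomain,dc=com
scope base
"""

# Constructed sample 2: same directory, certificate pinned, scope fixed.
HARDENED_CONFIG = """\
uri ldap://ldap.mydomain.com/
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
base ou=people,dc=mydomain,dc=com
base ou=groups,dc=mydomain,dc=com
scope one
"""

# Constructed sample 3: no encryption at all.
PLAINTEXT_CONFIG = """\
uri ldap://ldap.mydomain.com/
base dc=mydomain,dc=com
"""

if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("plaintext", PLAINTEXT_CONFIG)):
        print(name, lint_nslcd(cfg) or "ok")
```

Run it against a real /etc/nslcd.conf by passing the file's contents to lint_nslcd(); the checks are deliberately conservative, so a clean result only means these particular pitfalls are absent.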

On the server side, you can require TLS for every operation that touches a password with an access directive like the following in slapd.conf:

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by tls_ssf=128 ssf=128 dn="cn=replicate,dc=mydomain,dc=com" write
        by tls_ssf=128 ssf=128 dn="uid=administrator,ou=people,dc=mydomain,dc=com" write
        by tls_ssf=128 ssf=128 group/groupOfNames/member="cn=LDAP Admins,ou=groups,dc=mydomain,dc=com" write
        by tls_ssf=128 ssf=128 anonymous auth
        by tls_ssf=128 ssf=128 self write
        by * none

The "tls_ssf=128 ssf=128" part tells the server to apply that clause only on a sufficiently secure connection (note the keyword is tls_ssf, not tls_ssl; slapd refuses to load a directive with an unknown keyword). "ssf=128" requires an overall security strength factor of at least 128, where slapd takes the highest of the transport, TLS and SASL factors and a 128-bit TLS cipher yields tls_ssf=128; "tls_ssf=128" insists that the strength come from TLS specifically. A "by" clause whose condition isn't met simply doesn't match, so a plaintext connection falls through every clause to "by * none" and can't even authenticate against userPassword. If you'd rather enforce this directory-wide than per attribute, "security simple_bind=128" in slapd.conf refuses any simple bind that arrives without that strength, and "security ssf=128" refuses all operations that do.
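Because a single "by" clause without a strength condition quietly reopens plaintext access, it is worth auditing such directives mechanically. The checker below is an added example written for this post, not code from OpenLDAP or from the original article. It handles the subset of slapd.access(5) syntax used above (one directive, possibly continued on indented lines, with ssf/tls_ssf/transport_ssf/sasl_ssf conditions in its "by" clauses); the sample directive is the post's ACL, and the weakened and misspelt variants are constructed for the example.

```python
"""Audit an OpenLDAP 'access to ... by ...' directive for clauses that grant
password access without requiring an encrypted connection.

Added example, not code from OpenLDAP or from the original article.
"""
import re
import shlex

STRENGTH_KEYS = {"ssf", "transport_ssf", "tls_ssf", "sasl_ssf"}
CONTROLS = {"stop", "continue", "break"}   # optional trailing control on a 'by' clause


def parse_access(directive):
    """Split one access directive into (what, clauses), where each clause is
    (who_tokens, required_strength, access). Continuation lines (leading
    whitespace) are joined the way slapd.conf reads them; shlex handles the
    quoted DNs, so dn="cn=x,dc=y" becomes the single token dn=cn=x,dc=y."""
    joined = re.sub(r"\n[ \t]+", " ", directive.strip())
    tokens = shlex.split(joined)
    if tokens[:2] != ["access", "to"] or "by" not in tokens:
        raise ValueError("not an 'access to ... by ...' directive")
    first_by = tokens.index("by")
    what = " ".join(tokens[2:first_by])
    clauses, i = [], first_by
    while i < len(tokens):                     # tokens[i] is a 'by'
        j = i + 1
        while j < len(tokens) and tokens[j] != "by":
            j += 1
        body = tokens[i + 1:j]
        if body and body[-1] in CONTROLS:
            body = body[:-1]
        access = body[-1]
        who, strength = [], 0
        for tok in body[:-1]:
            key, _, val = tok.partition("=")
            if key in STRENGTH_KEYS:
                # slapd's overall ssf is the highest of the individual factors
                strength = max(strength, int(val))
            else:
                who.append(tok)
        clauses.append((who, strength, access))
        i = j
    return what, clauses


def audit_access(directive, min_ssf=128):
    """Return findings: clauses that grant more than 'none' while requiring less
    than min_ssf, and tokens that look like a misspelt strength keyword."""
    what, clauses = parse_access(directive)
    findings = []
    for who, strength, access in clauses:
        for tok in who:
            key = tok.partition("=")[0]
            if key not in STRENGTH_KEYS and re.fullmatch(r"\w*ss[fl]", key):
                findings.append("unknown keyword %r: slapd rejects the directive" % key)
        if access != "none" and strength < min_ssf:
            findings.append("'%s %s' on %s requires ssf %d, below %d"
                            % (" ".join(who) or "*", access, what, strength, min_ssf))
    return findings


# The post's directive, with the corrected tls_ssf keyword.
POST_ACL = """\
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by tls_ssf=128 ssf=128 dn="cn=replicate,dc=mydomain,dc=com" write
        by tls_ssf=128 ssf=128 dn="uid=administrator,ou=people,dc=mydomain,dc=com" write
        by tls_ssf=128 ssf=128 group/groupOfNames/member="cn=LDAP Admins,ou=groups,dc=mydomain,dc=com" write
        by tls_ssf=128 ssf=128 anonymous auth
        by tls_ssf=128 ssf=128 self write
        by * none
"""

# Constructed variants: two clauses with the strength condition dropped, and the
# tls_ssl typo on one clause.
WEAK_ACL = (POST_ACL
            .replace("by tls_ssf=128 ssf=128 anonymous auth", "by anonymous auth")
            .replace("by tls_ssf=128 ssf=128 self write", "by self write"))
TYPO_ACL = POST_ACL.replace("tls_ssf=128 ssf=128 anonymous", "tls_ssl=128 ssf=128 anonymous")

if __name__ == "__main__":
    for name, acl in (("post", POST_ACL), ("weak", WEAK_ACL), ("typo", TYPO_ACL)):
        print(name, audit_access(acl) or "ok")
```

The audit treats "auth" like any other grant, because an anonymous simple bind that is allowed to check userPassword in the clear is exactly the plaintext-password case the ACL is meant to prevent.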

Posted by Tony on Mar 04, 2011 | Servers, Network Security