Open Directory: Enabling SSL for Open Directory with Replicas
Secure Sockets Layer (SSL) can be enabled to provide encrypted communications between an Open Directory Master, Replica, and the computers that access the LDAP directory domain. SSL uses a digital certificate to provide a certified identity for the servers. You can use a self-signed certificate or a certificate obtained from a certificate authority.
With your Open Directory Master and Replica computers in place:
Ensure both Open Directory Master and Replica computers support SSL connections.
Enable SSL encryption on the Open Directory Master using a self signed certificate with the common name set to the hostname of the Master.
Enable SSL on all Replica computers: Create a self signed certificate on the Replica computers using Server Admin with the same common name as the hostname of that computer.
In Terminal, execute this command:
Mac OS X Server 10.5:
sudo slapconfig -setldapconfig -ssl on -sslkey [path to SSL key] -sslcert [path to SSL cert] -ssldomain [name of the certificate]
Mac OS X Server 10.6:
sudo slapconfig -setldapconfig -ssl on -sslkey [path to SSL key] -sslcert [path to SSL cert]
(By default, Server Admin stores the certificates under /etc/certificates. Also be sure to include file names in the path)
Install certificates from the Open Directory Master and Replicas
In order for client computers to be able to use SSL, the certificate from each server in the directory cluster needs to be copied to the client computers. To install the certificates from the Open Directory Master and Replica computers:
1. On each client computer, create the /etc/openldap/certs directory.
2. On a client computer open Terminal and execute this command to get the certificate from the server:
openssl s_client -connect [hostname of the server]:636
3. Copy the lines between "---BEGIN CERTIFICATE---" and "---END CERTIFICATE---" into a file named "hostname".
4. Place the new hostname file here:/etc/openldap/certs/
5. You can test the certificate using this command:
openssl s_client -connect [hostname of the server]:636 -CAfile /etc/openldap/certs/hostname
This should display output similar to before, with the following change to the last line: verify return code:0(ok) instead of the 18 or 19 you received previously
6. If you have just one certificate (for example, a single LDAP server with SSL enabled) add the following to the /etc/openldap/ldap.conf file
TLS_CACERT /etc/openldap/certs/[hostname of the server]
If you have multiple LDAP servers with SSL enabled
You will need to specify the servers individually, or put them all in the same directory and point ldap.conf towards them using the following steps:
1. For each server in the LDAP cluster you will need to obtain the certificates as before using the openssl s_client command:
openssl s_client -connect [hostname of the server]:636
2. Once you have obtained the certificates, use c_hash (an OpenSSL utility) to get the certificates into a hashed format. For each certificate, c_hash will give you a name that will be used to rename the certificate file in /etc/openldap/certs:
/System/Library/OpenSSL/misc/c_hash /etc/openldap/certs/hostname
The output should resemble the following: 03be8eb2.0 => /etc/openldap/certs/hostname
3. Once you have received the hash name, manually rename the existing cert file.
Example:
mv /etc/openldap/certs/hostname /etc/openldap/certs/03be8eb2.0
4. Once you have run all certificates through c_hash, edit the /etc/openldap/ldap.conf file with:
TLS_CACERTDIR /etc/openldap/certs/
5. Remove any earlier TLS_CACERTDIR entries that may be in the ldap.conf file.
6. Verify with the ldapsearch command:
ldapsearch -v -x -H ldaps://[hostname of the server] -b [searchbase]
7. You may need to restart Directory Services if you have already attempted to set up the LDAP server:
sudo killall DirectoryService
