11.7. Configuring LDAP Clients to Use SSL

11.7. Configuring LDAP Clients to Use SSL

For all the users of the Directory Server to use TLS/SSL or certificate-based authentication when they connect using LDAP client applications, they must perform the following tasks:

These operations are sufficient if to ensure that LDAP clients recognize the server's certificate. However, to require the LDAP clients to use their own certificate to authenticate to the directory, make sure that all the directory users obtain and install a personal certificate.

NOTE

Some client applications do not verify that the server has a trusted certificate.

  1. On the client system, obtain a client certificate from the CA.

  2. Install the client certificate on the client system.

    Regardless of how the certificate is sent (either in email or on a web page), there should be a link to click to install the certificate.

    Record the certificate information that is sent from the CA, especially the subject DN of the certificate because the server must be configured to map it to an entry in the directory. The client certificate resembles the following:

    -----BEGIN CERTIFICATE----- 
    MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBh 
    MCVVMxIzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0w 
    GwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdC 
    BUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3 
    WhcNOTgwMzI2MDIzMzU3WjBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTm 
    V0c2NhcGUgRGlyZWN0b3 
    ------END CERTIFICATE-----
    
  3. Convert the client certificate into binary format using the certutil utility.

    certutil -L -d certdbPath -n userCertName -r > userCert.bin
    

    certdbPath is the directory which contains the certificate database; for example, a user certificate for Mozilla Thunderbird is stored in $HOME/.thunderbird. userCertName is the name of the certificate, and userCert.bin is the name of the output file for binary format.

  4. On the server, map the subject DN of the certificate to the appropriate directory entry by editing the certmap.conf file.

    NOTE

    Do not map a certificate-based authentication certificate to a distinguished name under cn=monitor. Mapping a certificate to a DN under cn=monitor causes the bind operation to fail. Map the certificate to a target located elsewhere in the directory information tree. Make sure that the verifyCert parameter is set to on in the certmap.conf file. If this parameter is not set to on, Directory Server simply searches for an entry in the directory that matches the information in the certmap.conf file. If the search is successful, it grants access without actually checking the value of the userCertification and userCertificate;binary attributes.

  5. In the Directory Server, modify the directory entry for the user who owns the client certificate to add the userCertificate attribute.

    1. Select the Directory tab, and navigate to the user entry.

    2. Double-click the user entry, and use the Property Editor to add the userCertificate attribute, with the binary subtype.

      When adding this attribute, instead of an editable field, the server provides a Set Value button.

    3. Click Set Value.

      A file selector opens. Use it to select the binary file created in Section 11.7, “Configuring LDAP Clients to Use SSL”.

    For information on using the Directory Server Console to edit entries, refer to Section 2.1.3, “Modifying Directory Entries”.

Now TLS/SSL and client authentication can be used with the LDAP clients. For information on how to use TLS/SSL with ldapmodify, ldapdelete, and ldapsearch, see the Directory Server Configuration, Command, and File Reference.


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.