Install Cygwin and OpenLDAP package
Install Cygwin on the server. For download details, see http://www.cygwin.com
Install OpenLDAP package from http://www.openldap.org/software/download
Set up the slapd.conf file and verify that the LDAP server is running
Modify the slapd.conf file and add details similar to the following:
database bdb
suffix "dc=openldap,dc=com"
rootdn "cn=Manager,dc=openldap,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap/openldap-data
# Indices to maintain
index objectClass eq
Ensure that the LDAP server is up and running by executing the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
Create an LDIF file and add it to the directory
Create an .ldif file using any text editor and add the following lines:
dn: dc=openldap,dc=com
objectclass: dcObject
objectclass: organization
o: protocom
dc: openldap

dn: cn=Manager,dc=openldap,dc=com
objectclass: organizationalRole
cn: Manager
Save this file to the home/admin folder.
Add this .ldif file to the OpenLDAP directory by executing the following command from the /Cygwin/bin folder:
./ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f <name of the ldif file created in Step 5>
When prompted, specify the password declared in the slapd.conf file in Step 1.
Create O, OU and Users
Create an LDIF file titled o.ldif and add the following details:
##################################################
dn: o=protocom,dc=openldap,dc=com
o: protocom
objectClass: organization
##################################################
Save this file to the home directory.
Add this file to the directory by executing the following command:
./ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f o.ldif
When prompted, specify the password from the slapd.conf file.
Create an LDIF file titled ou.ldif and add the following details:
dn: ou=users,o=protocom,dc=openldap,dc=com
ou: users
objectClass: organizationalUnit
Save this file to the home directory.
Add this file to the directory by executing the following command:
./ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f ou.ldif
When prompted, specify the password from the slapd.conf file.
Create an LDIF file titled user.ldif and add the following details:
dn: cn=tu3,ou=users,o=protocom,dc=openldap,dc=com
cn: tu3
sn: tu3
objectClass: person
userPassword: abc
Save this file to the home directory.
Add this file to the directory by executing the following command:
./ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f user.ldif
When prompted, specify the password from the slapd.conf file.
Now we want to see if everything is up and running, so start your LDAP browser and connect to your LDAP server.
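The user.ldif above stores userPassword as cleartext (abc), and the slapd.conf comment warns against a cleartext rootpw. The following added example (not part of the original guide) generates the same user entry and rootpw line with an OpenLDAP-style {SSHA} hash instead, and includes a verifier so the hash format can be checked offline; the DNs are taken from the guide, the salt handling is assumed to match slappasswd's 4-byte random salt.

```python
import base64
import hashlib
import os
from typing import Optional

# Directory layout from the guide (assumed unchanged).
BASE_DN = "dc=openldap,dc=com"
USERS_OU = "ou=users,o=protocom," + BASE_DN


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value: base64(sha1(password + salt) + salt).

    This is the scheme slappasswd produces by default; a random 4-byte
    salt is used when none is supplied.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against an {SSHA} userPassword value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def user_ldif(cn: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build the guide's user.ldif entry with a hashed userPassword."""
    return "\n".join([
        "dn: cn=%s,%s" % (cn, USERS_OU),
        "cn: " + cn,
        "sn: " + cn,
        "objectClass: person",
        "userPassword: " + ssha_hash(password, salt),
        "",
    ])


def rootpw_line(password: str, salt: Optional[bytes] = None) -> str:
    """Build a slapd.conf rootpw line that does not expose the cleartext."""
    return "rootpw " + ssha_hash(password, salt)


if __name__ == "__main__":
    print(rootpw_line("secret"))       # paste into slapd.conf instead of 'rootpw secret'
    print(user_ldif("tu3", "abc"))     # write out as user.ldif
```

Values starting with "{SSHA}" are plain ASCII, so they can go into LDIF with a single colon; no base64 (`::`) line is needed.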
Setting up SSL and Creating Certificates
Create a server certificate by using the following command:
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
This creates a self-signed certificate and its private key in a single file named server.pem.
Create a CA by using the following command:
/usr/share/ssl/misc/CA.sh -newca
Create a certificate signing request (CSR) by using the following command:
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Have the CA sign the CSR by specifying the following command:
/usr/share/ssl/misc/CA.sh -sign
Edit the slapd.conf file and add the following lines:
#include /etc/openldap/schema/core.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
IMPORTANT: Verify the path to the schema files before adding these lines to the slapd.conf file.
Specify the CA-signed certificate and server certificate entries by adding the following lines to the slapd.conf file:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
TLSVerifyClient never
Add the following lines to the ldap.conf file:
HOST openldap.com
PORT 636
TLS_CACERT /ssl/certs/cacert.pem
TLS_REQCERT demand
Testing the setup
Test the setup by using the following command:
/usr/sbin/slapd -d1 -h "ldap:/// ldaps:///"
Connect to the LDAP browser using SSL and create a DER file
Specify the username and context, and accept the certificate.
Create a DER file for client authentication by using the following command:
openssl.exe x509 -in cacert.pem -outform DER -out cacert.der