Introduction: Encrypt Communication of LDAP Authentication Between Raspberry Pi Devices Using Transport Layer Security (TLS)

About: Systems Administrator and Software Programmer.


The LDAP authentication can be made secure by encrypting the communication between LDAP server and client. Encrypting the communication may sound unnecessary if your two devices are in a private network such as a home network. However, your son, daughter, sister, brother or parents might be an evil genius and scheming to steal your password. So it may be worth your time to encrypt the communication of the LDAP authentication.


Complete the following instructables first:

  • "Make Raspberry Pi into a LDAP Server to Store User Account Data and Password"
  • "Make Raspberry Pi do LDAP Authentication"


We need at least two Raspberry Pi devices running Raspbian OS. For simplicity, I will call the two Raspberry Pi Rpi1 and Rpi2:

Rpi1 will have:

  • LDAP server with user account database and automounter maps
  • NFSv4 server sharing home directories

Rpi2 will have:

  • Automounter mounting users' home directories from Rpi1's NFSv4 server, but now looking up the autofs maps in Rpi1's LDAP server
  • LDAP authentication against Rpi1's LDAP server


This instructable will show how to:

  • Install CA certificate
  • Create and install certificate for LDAP server
  • Configure client to do TLS authentication
  • Test


The following is the OS and kernel information of the two Raspberry Pi devices:

Distributor ID: Debian

Description: Debian GNU/Linux 7.8 (wheezy)

Release: 7.8

Codename: wheezy

Linux 3.18.9+ #767 PREEMPT Sat Mar 7 21:41:13 GMT 2015 armv6l GNU/Linux


LDAP authentication with nss-pam-ldapd

Debian - Configuring LDAP Authentication

Debian - Setting up an LDAP server with OpenLDAP

Ubuntu - OpenLDAP Server

Step 1: Make Raspberry Pi Into a LDAP Server to Store User Account Data and Password

Step 2: Make Raspberry Pi Do Unsecured LDAP Authentication

Complete the steps in the "Make Raspberry Pi do LDAP Authentication" instructable.

Ensure that this step is successful before moving on: if the LDAP client fails to authenticate over an unencrypted connection, it will also fail over an encrypted one.

Step 3: Install Transport Layer Security (TLS)

Open terminal in Rpi1

Install the gnutls-bin and ssl-cert packages:

sudo apt-get install gnutls-bin ssl-cert

Step 4: Install a Certificate Authority (CA)

A Certificate Authority is needed to sign the subsequent X.509 certificates.

Open terminal in Rpi1

Create a private key for the Certificate Authority:

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

Create the template file /etc/ssl/ to define the CA:

sudo vi /etc/ssl/

cn = Example Company

Create the self-signed CA certificate:

sudo certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ \
--outfile /etc/ssl/certs/cacert.pem

Step 5: Install a Certificate for the LDAP Server

Open terminal in Rpi1

Make a private key for the LDAP server:

# --bits sets the RSA key size; 1024 is what this guide uses, but 2048 or larger is the current minimum recommendation
sudo certtool --generate-privkey \
--bits 1024 \
--outfile /etc/ssl/private/ldap01_slapd_key.pem

Create the /etc/ssl/ info file containing:

sudo vi /etc/ssl/

organization = Example Company
cn =
expiration_days = 3650

Create the LDAP server's certificate:

sudo certtool --generate-certificate \
--load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ \
--outfile /etc/ssl/certs/ldap01_slapd_cert.pem

Step 6: Add the Certificates Into Config Database of LDAP Server

Open terminal in Rpi1

Create the file certinfo.ldif with the following contents:

vi ~/certinfo.ldif

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Add the certificates to the LDAP server so that slapd recognizes them via the slapd-config database (the file was created in your home directory in the previous step):

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/certinfo.ldif

Check that the certificates are actually in the LDAP config database:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcTLSCACertificateFile=*

Output of the above command:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/
olcToolThreads: 1
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Configure ownership and permissions:

sudo adduser openldap ssl-cert

sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem

Check that the openldap user belongs to the group ssl-cert:

id openldap
uid=107(openldap) gid=110(openldap) groups=116(ssl-cert),110(openldap)

Open a new window in terminal emulator

Monitor the syslog file to see whether the server starts properly:

tail -f /var/log/syslog

Restart OpenLDAP and quickly monitor syslog in the other window:

sudo service slapd restart

Step 7: Install CA Certificate on Client(s)

Recall that the CA certificate was created on Rpi1.

Open terminal emulator on Rpi1

Copy the CA certificate from Rpi1 to Rpi2 (192.x.x.x is your Rpi2 IP address):

sudo scp /etc/ssl/certs/cacert.pem pi@192.x.x.x:/home/pi

Open terminal emulator on Rpi2 or ssh into Rpi2

Copy the CA certificate to a more appropriate directory:

sudo cp /home/pi/cacert.pem /etc/ssl/certs/

Step 8: Turn on TLS in Nss-pam-ldapd

Open terminal emulator on Rpi2 or ssh into Rpi2

Configure the connection daemon like the following:

sudo cp /etc/nslcd.conf /etc/nslcd.conf.pristine
sudo vi /etc/nslcd.conf

uid nslcd
gid nslcd
uri ldap://
base dc=example,dc=com
ldap_version 3
# Choose TLS to encrypt the connection
ssl start_tls
tls_reqcert demand
# Set the path to the CA certificate that was obtained from Rpi1
tls_cacertfile /etc/ssl/certs/cacert.pem
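To make the three TLS settings above concrete, here is an added example (not part of the original instructable) that performs the same sequence nslcd does: plaintext LDAP on port 389, the StartTLS extended operation, then a TLS handshake that must chain to the copied cacert.pem and match the server's hostname, which is what tls_reqcert demand enforces. The host name and CA path passed to ldap_starttls_connect are assumptions supplied by the caller; any response bytes used for checking are constructed.

```python
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def start_tls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + ber_len(len(START_TLS_OID)) + START_TLS_OID  # [0] requestName
    ext = b"\x77" + ber_len(len(name)) + name                      # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                     # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                     # SEQUENCE


def _after_header(buf, pos):
    """Offset just past the tag and length octets that start at buf[pos]."""
    return pos + 2 if buf[pos + 1] < 0x80 else pos + 2 + (buf[pos + 1] & 0x7F)


def parse_result_code(msg):
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 means StartTLS was accepted."""
    pos = _after_header(msg, 0)
    if msg[0] != 0x30 or msg[pos] != 0x02:
        raise ValueError("not an LDAPMessage")
    pos = _after_header(msg, pos) + msg[pos + 1]   # step over the messageID value
    if msg[pos] != 0x78:
        raise ValueError("not an ExtendedResponse")
    pos = _after_header(msg, pos)                  # first element: resultCode ENUMERATED
    if msg[pos] != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(msg[pos + 2:pos + 2 + msg[pos + 1]], "big")


def ldap_starttls_connect(host, port, cafile):
    """Plaintext LDAP, StartTLS, then a handshake that must chain to cafile and match host:
    the behaviour of 'ssl start_tls' + 'tls_reqcert demand' + 'tls_cacertfile' in nslcd."""
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(start_tls_request())
    if parse_result_code(sock.recv(4096)) != 0:    # assumes the short reply arrives whole
        sock.close()
        raise RuntimeError("server declined StartTLS; check the olcTLS* attributes")
    ctx = ssl.create_default_context(cafile=cafile)  # trust only our own CA certificate
    ctx.check_hostname = True                          # server cert must match host (demand)
    return ctx.wrap_socket(sock, server_hostname=host)  # raises ssl.SSLError on mismatch
```

Calling ldap_starttls_connect("rpi1.example.com", 389, "/etc/ssl/certs/cacert.pem") (placeholder hostname) returns a verified TLS socket, or raises if the server refuses StartTLS or presents a certificate that does not chain to cacert.pem.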

Step 9: Configure Ip Address Lookup of LDAP Server

Open terminal emulator on Rpi2 or ssh into Rpi2

Configure IP address lookup of

sudo cp /etc/hosts /etc/hosts.pristine
sudo vi /etc/hosts

192.x.x.x    # 192.x.x.x is the IP address of Rpi1

Save the file

Step 10: Test

Reboot Rpi2

Enter the user name and password into the login screen. Use our test user, john:

user: john
password: johnldap

If the desktop is loaded, then the LDAP authentication using TLS is successful.