Introduction: Encrypt Communication of LDAP Authentication Between Raspberry Pi Devices Using Transport Layer Security (TLS)

About: Systems Administrator and Software Programmer.

Introduction

The LDAP authentication can be made secure by encrypting the communication between LDAP server and client. Encrypting the communication may sound unnecessary if your two devices are in a private network such as a home network. However, your son, daughter, sister, brother or parents might be an evil genius and scheming to steal your password. So it may be worth your time to encrypt the communication of the LDAP authentication.

Prerequisite

Complete the following instructables:

"Make Raspberry Pi into a LDAP Server to Store User Account Data and Password" instructable

"Make Raspberry Pi do LDAP Authentication" instructable

Solution

We need at least 2 Raspberry Pi running Raspbian OS. For simplicity, I will call the 2 Raspberry Pi Rpi1 and Rpi2:

Rpi1 will have:

  • LDAP server with user account database and automounter maps
  • NFSv4 server sharing home directories

Rpi2 will have:

  • Automounter mounting users' home directories from Rpi1's NFSv4 server, but now looking up the autofs maps in Rpi1's LDAP server
  • LDAP authentication using Rpi1's LDAP server

Scope

This instructable will show how to:

  • Install CA certificate
  • Create and install certificate for LDAP server
  • Configure client to do TLS authentication
  • Test

Environment

The following are data of the 2 Raspberry Pi:

Distributor ID: Debian

Description: Debian GNU/Linux 7.8 (wheezy)

Release: 7.8

Codename: wheezy

Linux rpipro.example.com 3.18.9+ #767 PREEMPT Sat Mar 7 21:41:13 GMT 2015 armv6l GNU/Linux

References

LDAP authentication with nss-pam-ldapd http://arthurdejong.org/nss-pam-ldapd/setup

Debian - Configuring LDAP Authentication https://wiki.debian.org/LDAP/NSS

Debian - Setting up an LDAP server with OpenLDAP https://wiki.debian.org/LDAP/OpenLDAPSetup

Ubuntu - OpenLDAP Server https://help.ubuntu.com/12.04/serverguide/openlda...

Step 1: Make Raspberry Pi Into a LDAP Server to Store User Account Data and Password

Step 2: Make Raspberry Pi Do Unsecured LDAP Authentication

Complete the steps in the "Make Raspberry Pi do LDAP Authentication" instructable.

Ensure that this step is successful before moving to the next step. If the LDAP client fails to authenticate over an unencrypted connection, it will also fail to authenticate over an encrypted one.

Step 3: Install Transport Layer Security (TLS)

Open terminal in Rpi1

Install the gnutls-bin and ssl-cert packages:

sudo apt-get install gnutls-bin ssl-cert

Step 4: Install a Certificate Authority (CA)

Certificate Authority is needed to sign subsequent X.509 certificates.

Open terminal in Rpi1

Create a private key for the Certificate Authority:

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

Create the template file /etc/ssl/ca.info to define the CA:

sudo vi /etc/ssl/ca.info

cn = Example Company
ca
cert_signing_key

Create the self-signed CA certificate:

sudo certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info \
--outfile /etc/ssl/certs/cacert.pem

Step 5: Install a Certificate for the LDAP Server

Open terminal in Rpi1

Make a private key for the LDAP server:

sudo certtool --generate-privkey \
--bits 1024 \
--outfile /etc/ssl/private/ldap01_slapd_key.pem

Create the /etc/ssl/ldap01.info info file containing:

sudo vi /etc/ssl/ldap01.info

organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650

Create the LDAP server's certificate:

sudo certtool --generate-certificate \
--load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ldap01.info \
--outfile /etc/ssl/certs/ldap01_slapd_cert.pem

Step 6: Add the Certificates Into Config Database of LDAP Server

Open terminal in Rpi1

Create the file certinfo.ldif with the following contents:

vi ~/certinfo.ldif

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Add the certificates to the LDAP server so that slapd recognizes them via the slapd-config database:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/certinfo.ldif

Check that the certificates are actually in the LDAP config database:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcTLSCACertificateFile=*

Output of above command:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Configure ownership and permissions:

sudo adduser openldap ssl-cert

sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem

Check that the openldap user belongs to group ssl-cert:

id openldap

Output:

uid=107(openldap) gid=110(openldap) groups=116(ssl-cert),110(openldap)

Open a new window in terminal emulator

Monitor the syslog file to see whether the server starts properly:

tail -f /var/log/syslog

Restart OpenLDAP and quickly monitor syslog in the other window:

sudo service slapd restart

Step 7: Install CA Certificate on Client(s)

Recall that CA certificate was created in Rpi1.

Open terminal emulator on Rpi1

Copy the CA certificate from Rpi1 to Rpi2 (192.x.x.x is your Rpi2 IP address):

sudo scp /etc/ssl/certs/cacert.pem pi@192.x.x.x:/home/pi

Open terminal emulator on Rpi2 or ssh into Rpi2

Copy the CA certificate to a more appropriate directory:

sudo cp /home/pi/cacert.pem /etc/ssl/certs/

Step 8: Turn on TLS in Nss-pam-ldapd

Open terminal emulator on Rpi2 or ssh into Rpi2

Configure the connection daemon as follows:

sudo cp /etc/nslcd.conf /etc/nslcd.conf.pristine
sudo vi /etc/nslcd.conf

uid nslcd
gid nslcd
uri ldap://ldap01.example.com
base dc=example,dc=com
ldap_version 3
#Choose TLS to encrypt connection
ssl start_tls
tls_reqcert demand
# Set the path to the CA certificate that was obtained from Rpi1
tls_cacertfile /etc/ssl/certs/cacert.pem

Step 9: Configure IP Address Lookup of LDAP Server

Open terminal emulator on Rpi2 or ssh into Rpi2

Configure the IP address lookup of ldap01.example.com. The client must reach Rpi1 by this hostname because it is the cn in the server certificate, and tls_reqcert demand checks that the two match. The /etc/hosts format is the IP address followed by the hostname:

sudo cp /etc/hosts /etc/hosts.pristine
sudo vi /etc/hosts

192.x.x.x ldap01.example.com #192.x.x.x is the ip address of Rpi1

Save the file
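As an added check (example code, not part of the instructable), the script below parses an nslcd.conf as written in Step 8 and reports the settings that would defeat the TLS setup, including a uri that names Rpi1 by IP address instead of the certificate's cn, which is what Step 9's hosts entry avoids. The two configuration texts inside it are constructed for the example; the certificate cn ldap01.example.com is taken from Step 5.

```python
# Constructed sample: the client configuration exactly as written in Step 8.
GOOD_CONF = """\
uid nslcd
gid nslcd
uri ldap://ldap01.example.com
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/cacert.pem
"""

# Constructed sample: server addressed by IP, verification relaxed, CA path left on a comment line.
WEAK_CONF = """\
uri ldap://192.0.2.10
base dc=example,dc=com
ssl start_tls
tls_reqcert allow
# Set the path to the CA certificate tls_cacertfile /etc/ssl/certs/cacert.pem
"""


def parse_nslcd(text: str) -> dict:
    """nslcd.conf holds one 'keyword value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def tls_findings(text: str, cert_cn: str = "ldap01.example.com") -> list:
    """List the settings that would leave the LDAP session unencrypted or unverified."""
    conf = parse_nslcd(text)
    problems = []
    if conf.get("ssl", ["off"])[0] != "start_tls":
        problems.append("ssl is not start_tls: passwords would cross the network in clear")
    for uri in conf.get("uri", []):
        # With tls_reqcert demand libldap also checks that the uri host matches the
        # certificate's cn, so an IP address or alias here fails the handshake.
        host = uri.split("://", 1)[-1].split("/")[0].split(":")[0]
        if host != cert_cn:
            problems.append(f"uri host {host!r} does not match certificate cn {cert_cn!r}")
    if conf.get("tls_reqcert", [""])[0] != "demand":
        problems.append("tls_reqcert is not demand: the server certificate is not verified")
    if "tls_cacertfile" not in conf:
        problems.append("tls_cacertfile missing: demand has no CA to verify against")
    return problems
```

Run it against the real file with `tls_findings(open("/etc/nslcd.conf").read())`; an empty list means the three TLS directives and the hostname are consistent with the certificate created on Rpi1.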

Step 10: Test

Reboot Rpi2

Enter the name and password at the login screen. Use our test user, john:

user: john
password: johnldap

If the desktop is loaded, then the LDAP authentication using TLS is successful.