OpenLDAP with LetsEncrypt certificates on Linux Mint 21.1 (Ubuntu)

I spent so many hours over the last couple of weeks reading articles all over Stack, blogs, and forums, and finally I found a combination of changes that made it work for me. Hoping this will help others.

If any of you find a mistake anywhere, please, do comment so it can be improved.
If it helped you, upvote it over on serverfault.

Based off of this blog post and so many others.

Requirements:

  • Working OpenLDAP/slapd without ssl.
  • Working LetsEncrypt (certs in /etc/letsencrypt structure).

Set the correct access permissions for the LetsEncrypt directories and files in two steps.

setfacl

$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/live
$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/archive

apparmor

Create /etc/apparmor.d/local/usr.sbin.slapd with the following content.

/etc/letsencrypt/live/your.domain.here r,
/etc/letsencrypt/archive/your.domain.here r,
/etc/letsencrypt/archive/your.domain.here/** r,

Restart apparmor.

sudo service apparmor restart

These TLS settings may be necessary to add, or you may already have set them.

# /root/add_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

If you want/need them, add them with:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/add_ssl.ldif

Add the LetsEncrypt certificates to your OpenLDAP configuration by adding the following to add_letsencrypt_ssl.ldif.

# /etc/ldap/add_letsencrypt_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/your.domain.here/privkey.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/your.domain.here/fullchain.pem

and run this to import it:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/add_letsencrypt_ssl.ldif

If you haven't already enabled ldaps in /etc/default/slapd, do that now.

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

Restart OpenLDAP.

sudo service slapd restart

Reload certificates when they are renewed

Put this in the /etc/ldap directory so we can re-use it when the LetsEncrypt certificate is renewed.

# /etc/ldap/add_letsencrypt_ssl.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/your.domain.here/privkey.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/your.domain.here/fullchain.pem

Then put this in /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd.
The name of the script can be whatever you want.

#!/bin/sh
# certbot exports RENEWED_LINEAGE as the live directory path
# (/etc/letsencrypt/live/your.domain.here), not the bare domain name.
if [ "$RENEWED_LINEAGE" = /etc/letsencrypt/live/your.domain.here ]
then
        ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/add_letsencrypt_ssl.ldif
fi

Make it executable.

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd

slapd should now auto-reload the certs after they have been renewed, without actually needing to restart the daemon itself, so there is no noticeable downtime.

I don't really need any help with this, as it is now working, but feel free to comment and let me know if I could do something better/smarter.

2 Likes
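Here is an added example of the deploy hook, written for this thread and not the script from the post above: it compares against the live directory path that certbot exports in RENEWED_LINEAGE, pre-checks that every file named in the LDIF exists before cn=config is touched, and logs the outcome to syslog. The lineage and LDIF paths are placeholders you would adjust.

```shell
#!/bin/sh
# Added example deploy hook (not the original post's script). Assumed
# placeholders: the lineage slapd uses is /etc/letsencrypt/live/your.domain.here
# and the reload LDIF is /etc/ldap/add_letsencrypt_ssl.ldif.
LDAP_LINEAGE="${LDAP_LINEAGE:-/etc/letsencrypt/live/your.domain.here}"
RELOAD_LDIF="${RELOAD_LDIF:-/etc/ldap/add_letsencrypt_ssl.ldif}"

# certbot exports RENEWED_LINEAGE as the full live directory, not the bare
# domain name, so compare paths (a trailing slash is tolerated).
lineage_matches() {
    case "${1%/}" in
        "${2%/}") return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the olcTLS*File values the LDIF will hand to slapd, one per line.
# (Assumes unfolded LDIF lines and paths without spaces, as in /etc/letsencrypt.)
ldif_tls_paths() {
    sed -n 's/^olcTLS[A-Za-z]*File: *//p' "$1"
}

# Refuse to modify cn=config if any referenced file is missing or unreadable
# by the caller; note that root bypasses DAC, so the setfacl/apparmor steps
# in the post are still what lets the openldap user read the files.
check_tls_paths() {
    for p in $(ldif_tls_paths "$1"); do
        [ -r "$p" ] || { echo "not readable: $p" >&2; return 1; }
    done
    return 0
}

reload_slapd_tls() {
    check_tls_paths "$RELOAD_LDIF" || return 1
    if ldapmodify -Y EXTERNAL -H ldapi:/// -f "$RELOAD_LDIF" >/dev/null; then
        logger -t reload_le_certs_in_slapd "reloaded slapd TLS files from $LDAP_LINEAGE"
    else
        logger -t reload_le_certs_in_slapd "ldapmodify failed; slapd keeps old certificate"
        return 1
    fi
}

# Act only when certbot calls us for the lineage slapd uses; renewals of
# other lineages on the same host are ignored.
if [ -n "${RENEWED_LINEAGE:-}" ] && lineage_matches "$RENEWED_LINEAGE" "$LDAP_LINEAGE"; then
    reload_slapd_tls
fi
```

Install it under /etc/letsencrypt/renewal-hooks/deploy/ and make it executable as in the post; it exits silently when invoked for a different lineage.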

I would rename /etc/ldap/add_letsencrypt_ssl.ldif to /etc/ldap/reload_letsencrypt_ssl.ldif or something similar, just to make it easier for anyone else who is maintaining that server to understand what is going on.

3 Likes