Setup LDAP for SSL communication
Table of Contents
- Introduction
- Prepare Docker container
- Configuration and Testing without SSL
- Configuring SSL
- Testing SSL communication
Introduction
I don’t know about you, but SSL communication has always been a thorn in my side. As developers we usually don’t care much about security while we are developing new features, and if you work in a corporation, most of the time it’s only a matter of changing a flag to enable SSL communication in the Production environment.
However, there are times when SSL communication stops behaving as it should. For those times, this guide shows you how to quickly set up your own local LDAP server with SSL enabled.
Prepare Docker container
In my example, I’ll be using Apache DS in a Docker container.
Dockerfile:
FROM ubuntu:20.04

ARG APACHE_DS_PACKAGE=apacheds-2.0.0.AM26-amd64.deb
ARG APACHE_DS_URL=https://dlcdn.apache.org//directory/apacheds/dist/2.0.0.AM26/$APACHE_DS_PACKAGE

RUN export DEBIAN_FRONTEND=noninteractive \
    && apt-get update -y \
    && apt-get install -y --no-install-recommends \
        bash \
        bc \
        coreutils \
        curl \
        debianutils \
        findutils \
        gawk \
        grep \
        libc-bin \
        mount \
        passwd \
        procps \
        sed \
        tar \
        util-linux \
        default-jre \
    && mkdir -p /tmp/apache \
    && cd /tmp/apache \
    && curl -LO $APACHE_DS_URL \
    && chmod +x $APACHE_DS_PACKAGE \
    && dpkg -i $APACHE_DS_PACKAGE

CMD ["/bin/bash"]
Build it and run it:
docker build --tag=your-docker-username/your-docker-repository:apache-ds .
docker run -dt --name apache-ds your-docker-username/your-docker-repository:apache-ds
If you haven’t done so already, I recommend creating a Docker network and connecting your container to it.
docker network create my-network
docker network connect my-network apache-ds
In addition, let’s check the IP address of our running container.
docker network inspect my-network
...
        "Containers": {
            "870adf8c10af4c9927c9eb6df5586ebd64e4e294f3a6aa1ce9a82d41ddb5b700": {
                "Name": "apache-ds",
                "EndpointID": "043a4147537d45f315caf79a16f998037d881dca8da8dd3defc22535117fd7d0",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        }
In my case, it’s 172.18.0.2.
Unfortunately, simply running the container does not start the Apache DS service, so we need to do it ourselves.
Enter the apache-ds container.
docker exec -ti apache-ds bash
Check the name of your Apache DS service, and run it.
service --status-all
Output:
root@870adf8c10af:/# service --status-all
[ - ] apacheds-2.0.0.AM26-default
[ ? ] hwclock.sh
[ - ] procps
[ - ] x11-common
In my case, its name is apacheds-2.0.0.AM26-default. Next to it you can see [ - ], which means that the service is stopped. Let’s start it.
service apacheds-2.0.0.AM26-default start
Once the service is started, the sign next to the service name will change to [ + ].
Output:
root@870adf8c10af:/# service apacheds-2.0.0.AM26-default start
Starting ApacheDS - default...
root@870adf8c10af:/# service --status-all
[ + ] apacheds-2.0.0.AM26-default
[ ? ] hwclock.sh
[ - ] procps
[ - ] x11-common
If you ever need to see the logs of the Apache DS server, execute this command.
tail -f /var/lib/apacheds-2.0.0.AM26/default/log/wrapper.log
Configuration and Testing without SSL
Let’s test it with Apache Directory Studio. You can download it from the official page here. Once downloaded, run it. You will be welcomed with empty dialog windows, so let’s first create our NO SSL connection.
On the next window enter uid=admin,ou=system for Bind DN, and secret for Bind password. These are the default values for Apache DS; you can read more on how to change them here.
After a successful connection, you should see the example.com domain in your Apache Directory Studio.
Configuring SSL
Before connecting via SSL, let’s prepare our LDAP keystore. For detailed information on the SSL commands, you can read my post on LinkedIn here.
openssl genrsa -des3 -out CAPrivate.key 2048
openssl req -x509 -new -nodes -key CAPrivate.key -sha256 -days 3650 -out CAPrivate.pem -subj "/CN=my-ca"
openssl genrsa -out LdapPrivate.key 2048
openssl req -new -key LdapPrivate.key -out LdapRequest.csr -subj "/CN=my-apache-ds"
openssl x509 -req -in LdapRequest.csr -CA CAPrivate.pem -CAkey CAPrivate.key -CAcreateserial -out LdapCertificate.crt -days 3650 -sha256
openssl pkcs12 -export -out LdapCertificate.pfx -inkey LdapPrivate.key -in LdapCertificate.crt
keytool -importkeystore -srckeystore LdapCertificate.pfx -destkeystore keystore.jks -srcstoretype pkcs12
If everything went fine, you should have the following files in your folder.
Let’s copy the keystore we created with our certificates into the container.
docker cp keystore.jks apache-ds:/var/lib/apacheds-2.0.0.AM26/default/conf
This path, /var/lib/apacheds-2.0.0.AM26/default/conf, may change depending on the version of Apache DS you are running.
In Apache Directory Studio, let’s open the configuration window. Right-click on the apache-ds-no-ssl connection we created to open the context menu.
Once the configuration window is open, expand the SSL/Start TLS Keystore section. !!! IMPORTANT !!! Please do not use the Browse button, as it only has access to your local machine. Instead, you need to type the path where the keystore is located inside your container (/var/lib/apacheds-2.0.0.AM26/default/conf/keystore.jks). In addition, don’t forget to enter the password you used while creating the keystore. Finally, don’t forget to hit Ctrl + S to save the configuration.
Now that the keystore is configured, it’s necessary to restart Apache DS service inside the container.
service apacheds-2.0.0.AM26-default restart
Output:
root@870adf8c10af:/# service apacheds-2.0.0.AM26-default restart
Stopping ApacheDS - default...
Stopped ApacheDS - default.
Starting ApacheDS - default...
root@870adf8c10af:/# service --status-all
[ + ] apacheds-2.0.0.AM26-default
[ ? ] hwclock.sh
[ - ] procps
[ - ] x11-common
Testing SSL communication
Once again, let’s go back to Apache Directory Studio and create a new connection.
Before clicking the Next button, click Certificate Validation, and on the following window click Add…
Here we have two options: either the LDAP server certificate alone, or the CA certificate we created. Unless there is a reason not to, it’s good practice to go with the CA certificate.
Verify that the CN of the certificate matches the one we created (CN=my-ca), and click Apply and Close.
Once the certificate is in place, change Encryption method to Use SSL encryption, click Check Network Parameter to verify the connection, and then Next.
The Check Network Parameter window should show the TLS protocol and cipher suite.
On the next window, let’s use the same credentials as we did without SSL…
Congratulations, you have an LDAP over SSL server set up on your local machine, running in a Docker container.