Enable TLS on OpenLDAP

From Slacam_Wiki
Revision as of 15:50, 11 August 2012 by Machado (Talk | contribs)


How to enable TLS on OpenLDAP

After OpenLDAP has been installed without encryption, make the following changes (the paths below are the RHEL/CentOS layout: /etc/openldap/slapd.d for cn=config, /etc/sysconfig/ldap for the service options, /etc/pki/tls for certificates):

1 - Edit the file (relative to /etc/openldap; stop slapd first, because hand-editing the slapd.d files while slapd is running will be overwritten, and the supported way to change cn=config is ldapmodify over ldapi:///):

vim slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif

2 - Put the following at the end of the file. Note that the two olcTLS* attributes are global options of the cn=config entry (olcGlobal), not of the database, so they go into slapd.d/cn\=config.ldif; only the olcAccess lines belong in olcDatabase\=\{2\}bdb.ldif, and the userPassword rule must stay before the "to *" rule, since slapd uses the first matching rule. The continuation lines must start with a space (LDIF line folding):

########################CONFIG TLS SLAPD ##############################
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
olcAccess: to attrs=userPassword
      by self write
      by anonymous auth
      by dn.base="cn=admin,dc=des-brazil,dc=org" write
      by * none
olcAccess: to *
      by self write
      by dn.base="cn=admin,dc=des-brazil,dc=org" write
      by * read

3 - Edit /etc/sysconfig/ldap, uncomment SLAPD_LDAPS and change 'no' to 'yes'. This makes slapd also listen on ldaps:// (port 636); StartTLS on the plain ldap:// port works as soon as the certificate is configured, with or without this setting. Restart slapd after the certificate files from step 4 exist, since TLS initialization fails at startup if they are missing.

4 - Create the certificate and key with the command below (-nodes writes the private key without a passphrase, which slapd needs because it cannot prompt for one; afterwards restrict the key, e.g. chown root:ldap and chmod 0640, since slapd runs as the ldap user and the default umask leaves it world-readable). The Common Name must be the hostname clients will connect to. Because the certificate is self-signed, clients must trust it explicitly (TLS_CACERT in ldap.conf pointing at slapdcert.pem), otherwise ldapsearch -ZZ fails verification:

[root@as01 openldap]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 3650

Screen output:

Generating a 2048 bit RSA private key
...........+++
.............................................................................................................+++
writing new private key to '/etc/pki/tls/certs/slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:Rio de Janeiro
Locality Name (eg, city) [Default City]:Rio de Janeiro
Organization Name (eg, company) [Default Company Ltd]:LIneA
Organizational Unit Name (eg, section) []:POPRJ
Common Name (eg, your name or your server's hostname) []:ldap.linea.gov.br
Email Address []:machado@slacam.com.br
[root@as01 openldap]# 

Note: notice that I created the certificate for 10 years ;)
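The four steps above as one repeatable, non-interactive script. This is an added example, not code from the original wiki page: it keeps the page's file paths and the cn=admin,dc=des-brazil,dc=org DN, but assumes a RHEL/CentOS 6 layout (/etc/sysconfig/ldap, /etc/pki/tls), that slapd is reachable over ldapi:/// with the usual root-to-cn=config SASL/EXTERNAL mapping, and that the hostname is passed in via the SLAPD_HOST environment variable. Unlike the page, it applies the TLS attributes to cn=config (where they belong) with ldapmodify instead of hand-editing slapd.d, locks down the private key, and verifies both StartTLS and LDAPS afterwards.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed layout: RHEL/CentOS 6.
CERT_DIR=${CERT_DIR:-/etc/pki/tls/certs}
CERT_FILE=${CERT_FILE:-$CERT_DIR/slapdcert.pem}
KEY_FILE=${KEY_FILE:-$CERT_DIR/slapdkey.pem}
ADMIN_DN='cn=admin,dc=des-brazil,dc=org'   # from the page

# Step 4, non-interactively: self-signed cert whose CN is the host clients use.
# -nodes: no passphrase on the key, because slapd cannot prompt for one.
gen_cert() {
    host=$1; days=${2:-3650}
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -subj "/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=LIneA/OU=POPRJ/CN=$host" \
        -keyout "$KEY_FILE" -out "$CERT_FILE" -days "$days" 2>/dev/null
}

# slapd runs as the ldap user; root:ldap 0640 is the least access that still works.
lock_key() {
    chown root:ldap "$1" 2>/dev/null || true   # no-op when not root / no ldap group
    chmod 0640 "$1"
}

# Succeeds only when the "other" permission bits of the key are all clear.
key_is_private() {
    case "$(stat -c %a "$1")" in *0) return 0 ;; *) return 1 ;; esac
}

# Step 2a: the TLS attributes are olcGlobal options and live on cn=config.
# Both are set in ONE modify, because slapd validates cert and key together.
tls_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CERT_FILE
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $KEY_FILE
EOF
}

# Step 2b: the ACLs from the page, on the database entry, ordered explicitly.
acl_ldif() {
    cat <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="$ADMIN_DN" write by * none
olcAccess: {1}to * by self write by dn.base="$ADMIN_DN" write by * read
EOF
}

# Step 3: turn on the ldaps:// listener, whether the line is commented or set to no.
enable_ldaps() {
    sed -i 's/^#\{0,1\}SLAPD_LDAPS=.*/SLAPD_LDAPS=yes/' "${1:-/etc/sysconfig/ldap}"
}

# Check: StartTLS on 389 (-ZZ fails if TLS is not established) and LDAPS on 636,
# both verifying against the self-signed cert itself (TLS_CACERT equivalent).
verify_tls() {
    host=$1
    LDAPTLS_CACERT=$CERT_FILE ldapsearch -ZZ -x -H "ldap://$host" -b '' -s base '+' >/dev/null \
        && openssl s_client -connect "$host:636" -CAfile "$CERT_FILE" </dev/null 2>/dev/null \
           | grep -q 'Verify return code: 0'
}

# Only acts when SLAPD_HOST is set, so sourcing the file has no side effects.
if [ -n "${SLAPD_HOST:-}" ]; then
    gen_cert "$SLAPD_HOST" 3650 && lock_key "$KEY_FILE"
    tls_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    enable_ldaps /etc/sysconfig/ldap
    service slapd restart
    verify_tls "$SLAPD_HOST" && echo "TLS OK on $SLAPD_HOST"
fi
```

Run it as root with SLAPD_HOST=ldap.linea.gov.br (the CN used on the page). If the ldapmodify of cn=config is refused, the ldapi:/// root mapping (olcAccess "by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage" on olcDatabase={0}config) is missing on that install, and the cn=config.ldif edit from step 2 has to be done with slapd stopped instead.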