Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 1. Securing Red Hat Directory Server

Improve the security of your LDAP service with Red Hat Directory Server. For example, you can encrypt the connection between a client and the Directory Server and store encrypted attributes in the Directory Server database. You can also encrypt the replication changelog, configure authentication, and perform other security tasks.

1.1. Enabling TLS-encrypted connections to Directory Server
Link kopieren

By default, Red Hat Directory Server provides the LDAP service without encryption. To improve the security, you can configure TLS in Directory Server to enable your clients or other hosts in a replication environment to use encrypted connections. They can then use the STARTTLS command on port 389 or the LDAPS protocol on port 636 for secure connections.

You can use TLS with simple authentication using a bind Distinguished Name (DN) and password, or using certificate-based authentication.

Directory Server’s cryptographic services are provided by Mozilla network security services (NSS), a library of TLS and base cryptographic functions. NSS includes a software-based cryptographic token which is Federal Information Processing Standard (FIPS) 140-2 certified.

1.1.1. Different options for encrypted connections to Directory Server
Link kopieren

To connect to Directory Server with an encrypted connection, you can use the following protocols and framework:

LDAPS
When you use the LDAPS protocol, the connection starts using encryption and either succeeds or fails. However, no unencrypted data is ever sent over the network. For this reason, prefer LDAPS instead of using STARTTLS over unencrypted LDAP.
STARTTLS over LDAP

Clients establish an unencrypted connection over the LDAP protocol and then send the STARTTLS command. If the command succeeds, all further communication is encrypted.

Warning

If the STARTTLS command fails and the client does not cancel the connection, all further data, including authentication information, is sent unencrypted over the network.

SASL
The Simple Authentication and Security Layer (SASL) framework enables you to authenticate a user using external authentication methods, such as Kerberos.

1.1.2. How Directory Server unlocks the NSS database
Link kopieren

Directory Server stores certificate signing requests (CSR), private keys, and certificates in a network security services (NSS) database. When you install a new instance, the installer automatically creates the NSS database and protects it with a random password. The installer stores this password in the following files:

  • /etc/dirsrv/slapd-<instance_name>/pwdfile.txt: The dsconf tls command uses this file to access the NSS database.

  • /etc/dirsrv/slapd-<instance_name>/pin.txt: This file contains the token and password to automatically unlock the NSS database when Directory Server starts.

    • If you want Directory Server to prompt for the NSS database password each time you start the instance, remove this file.
    • If you want the instance to start automatically without prompting for the password, keep this file and update it when you change the NSS database password.

If the /etc/dirsrv/slapd-<instance_name>/pin.txt file does not exist, you start Directory Server with encryption enabled and set a password on the NSS database, the the behavior is as follows:

  • If the systemctl or dsctl utilities start the ns-slapd Directory Server process, the systemd service prompts for the password and automatically passes the input to the systemd-tty-ask-password-agent utility: 

    # dsctl <instance_name> start
Enter PIN for Internal (Software) Token: (press TAB for no echo)
    Copy to Clipboard Toggle word wrap

  • In rare cases, when the ns-slapd Directory Server process is not started by the systemctl or dsctl utilities, and the process is detached from the terminal, ns-slapd sends a message to all terminals using the wall command: 

    Broadcast message from root@server (Fri 2021-01-01 06:00:00 CET):

Password entry required for 'Enter PIN for Internal (Software) Token:' (PID 1234).
Please enter password with the systemd-tty-ask-password-agent tool!
    Copy to Clipboard Toggle word wrap

    To enter the password: 

    # systemd-tty-ask-password-agent
Enter PIN for Internal (Software) Token:
    Copy to Clipboard Toggle word wrap

To use TLS encryption or certificate-based authentication, you must manage the certificates in a network security services (NSS) database. When you created the instance, the dscreate utility automatically created this database in the /etc/dirsrv/slapd-<instance_name>/ directory and protected it with a strong password.

Procedure

  1. Create a private key and a certificate signing request (CSR). Skip this step if you want to create them using an external utility.

    • If your host is reachable only by one name, enter: 

      # dsctl <instance_name> tls generate-server-cert-csr -s "CN=server.example.com,O=example_organization"
      Copy to Clipboard Toggle word wrap

    • If your host is reachable by multiple names: 

      # dsctl <instance_name> tls generate-server-cert-csr -s "CN=server.example.com,O=example_organization" server.example.com server.example.net
      Copy to Clipboard Toggle word wrap

      If you specify the host names as the last parameter, the command adds the Subject Alternative Name (SAN) extension with the DNS:server.example.com, DNS:server.example.net entries to the CSR.

    The string specified in the -s subject parameter must be a valid subject name according to RFC 1485. The CN field in the subject is required, and you must set it to one of the fully-qualified domain names (FQDN) of the server. The command stores the CSR in the /etc/dirsrv/slapd-<instance_name>/Server-Cert.csr file.

  2. Submit the CSR to the certificate authority (CA) to get a certificate issued. For further details, see your CA’s documentation.

  3. Import the server certificate issued by the CA to the NSS database:

    • If you created the private key using the dsctl tls generate-server-cert-csr command, enter: 

      # dsconf <instance_name> security certificate add --file /root/instance_name.crt --name "server-cert" --primary-cert
      Copy to Clipboard Toggle word wrap

      Remember the name of the certificate you set in the --name _certificate_nickname parameter. You require it in a later step.

    • If you created the private key using an external utility, import the server certificate and the private key: 

      # dsctl <instance_name> tls import-server-key-cert /root/server.crt /root/server.key
      Copy to Clipboard Toggle word wrap

      Note that the command requires you to specify the path to the server certificate first and then the path to the private key. This method always sets the nickname of the certificate to Server-Cert.

  4. Import the CA certificate to the NSS database: 

    # dsconf <instance_name> security ca-certificate add --file /root/ca.crt --name "Example CA"
    Copy to Clipboard Toggle word wrap

  5. Set the trust flags of the CA certificate: 

    # dsconf <instance_name> security ca-certificate set-trust-flags "Example CA" --flags "CT,,"
    Copy to Clipboard Toggle word wrap

    This configures Directory Server to trust the CA for TLS encryption and certificate-based authentication.

  6. Enable TLS and set the LDAPS port: 

    # dsconf <instance_name> config replace nsslapd-securePort=636 nsslapd-security=on
    Copy to Clipboard Toggle word wrap

  7. Open the LDAPS port in the firewalld service: 

    # firewall-cmd --permanent --add-port=636/tcp
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  8. Enable the RSA cipher family, set the NSS database security device, and the server certificate name: 

    # dsconf <instance_name> security rsa set --tls-allow-rsa-certificates on --nss-token "internal (software)" --nss-cert-name Server-Cert
    Copy to Clipboard Toggle word wrap

    By default, the name of the security device in the NSS database is internal (software).

  9. Optional: Disable the plain text LDAP port: 

    # dsconf <instance_name> security disable_plain_port
    Copy to Clipboard Toggle word wrap

  10. Restart the instance 

    # dsctl <instance_name> restart
    Copy to Clipboard Toggle word wrap

Verification

  • Establish a connection to Directory Server using the LDAPS protocol. For example, run a query: 

    # ldapsearch -H ldaps://server.example.com:636 -D "cn=Directory Manager" -W -b "dc=example,dc=com" -x -s base
    Copy to Clipboard Toggle word wrap

    If the command fails, with an ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1) error, re-run the command with debug level 1: 

    # ldapsearch -H ldaps://server.example.com:636 -D "cn=Directory Manager" -W -b "dc=example,dc=com" -x -s base -d 1
    Copy to Clipboard Toggle word wrap

Next steps

You can configure TLS encryption using the web console.

Prerequisites

  • You are logged in to the instance in the web console.

Procedure

  1. Navigate to Server Security Certificate Management Certificate Signing Request, and click Create Certificate Signing Request.

  2. Set a name for certificate signing request (CSR), common name (CN), and organization (O):

    security add csr
    View larger image
    security add csr

    If your host is reachable by multiple names, set the alternative names in the Subject Alternative Names filed.

  3. Click Create Certificate Signing Request.

  4. View the CSR text and copy it:

    1. Click Node options icon for the CSR you want to view and select View CSR.
    2. Copy the CSR content.
  5. Submit the CSR file to the certificate authority (CA) to get a certificate issued. For further details, see your CA’s documentation.
  6. When you get the certificate from your CA, navigate to Server Security Certificate Management TLS Certificates, and click Add Server Certificate.

  7. Set a unique nickname for the server certificate, upload the issued certificate, and click Add Certificate.

    Remember the certificate nickname, because a later step requires it.

  8. Navigate to Server Security Certificate Management Trusted Certificate Authorities, and click Add CA Certificate.
  9. Set a unique nickname for the CA certificate, upload the CA certificate file, and click Add Certificate.

  10. Optional: If you did not enable TLS encryption during the Directory Server instance installation, enable it:

    1. Navigate to Server Security Settings, and enable the security switch.
    2. On the pop-up window, click Enable Security.
    3. Click Save Configuration on the Security Setting page.

  11. Configure the Server Certificate Name on the Security Configuration page:

    1. Navigate to Server Security Security Configuration.
    2. Select the server certificate nickname in the Server Certificate Name drop-down list, and click Save Configuration.
    3. Optional: If you do not see the certificate nickname in the drop-down list, refresh the Security Settings page and perform the previous step again.
  12. Optional: If you want to use an LDAPS port other than 636, navigate to the Server Server Settings, set the LDAPS port, and click Save.

  13. Open the LDAPS port in the firewalld service: 

    # firewall-cmd --permanent --add-port=636/tcp
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  14. Optional: Navigate to Server Security Security Configuration, check Require Secure Connections checkbox, and click Save Configuration.

    Directory Server disables the plain text LDAP port.

  15. Click Actions in the top right corner, and select Restart Instance.

Next steps

By default, if encryption is enabled and the certificate has expired, Directory Server logs a warning and the service starts. To change this behavior, set the nsslapd-validate-cert parameter. You can set it to the following values:

  • warn: Directory Server starts and logs a warning about the expired certificate into the /var/log/dirsrv/slapd-<instance_name>/error log file. This is the default setting.
  • on: Directory Server validates the certificate. If the certificate has expired, the instance fails to start.
  • off: Directory Server does not validate the certificate expiration date. The instance starts and no warning will be logged.

Prerequisites

  • You configured TLS encryption.

Procedure

  • Use the following command to change the nsslapd-validate-cert parameter: 

    # dsconf <instance_name> config replace nsslapd-validate-cert=<value>
    Copy to Clipboard Toggle word wrap

1.1.6. Changing the password of the NSS database
Link kopieren

You can change the password of the network security services (NSS) database. For example, change it when the password becomes known to unauthorized persons.

Prerequisites

  • You know the current NSS database password.

    If you use a password file to automatically unlock the database when Directory Server starts, the password is stored non-encrypted in plain text in the /etc/dirsrv/slapd-<instance_name>/pin.txt file.

Procedure

  1. Use the following command to change the NSS database password: 

    # certutil -d /etc/dirsrv/slapd-<instance_name>/ -W

Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Password changed successfully.
    Copy to Clipboard Toggle word wrap

  2. If you use a password file to start Directory Server automatically without prompting for the NSS database password, replace the old password with the new one in the /etc/dirsrv/slapd-<instance_name>/pin.txt:

    • If you use the NSS software cryptography module, which is the default: 

      Internal (Software) Token:password
      Copy to Clipboard Toggle word wrap

    • If you use a Hardware Security Module (HSM): 

      name_of_the_token:password
      Copy to Clipboard Toggle word wrap

Verification

  • Perform an operation on the NSS database that requires entering the password. For example, list the private keys of your instance: 

    # certutil -d /etc/dirsrv/slapd-<instance_name>/ -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      72cb03f87381abfbb6b9e78234e2e4502ad1bfc0   NSS Certificate DB:Server-Cert
    Copy to Clipboard Toggle word wrap

    If the command displays the expected output after you entered the new password, changing the password was successful.

When you create a new instance, the installer automatically creates the /etc/dirsrv/slapd-instance_name/pin.txt file to enable Directory Server to start without prompting for the network security services (NSS) password. However, if you remove this file, you can recreate it.

Warning

The password is stored in plain text. Do not use a password file if the server is running in an unsecured environment.

Prerequisites

  • You know the NSS database password.

Procedure

  1. Create the /etc/dirsrv/slapd-<instance_name>/pin.txt file with the following content:

    • If you use the NSS software cryptography module, which is the default: 

      Internal (Software) Token:password
      Copy to Clipboard Toggle word wrap

    • If you use a Hardware Security Module (HSM): 

      name_of_the_token:password
      Copy to Clipboard Toggle word wrap

  2. Set the file permissions: 

    # chown dirsrv:root /etc/dirsrv/slapd-<instance_name>/pin.txt
# chmod 400 /etc/dirsrv/slapd-<instance_name>/pin.txt
    Copy to Clipboard Toggle word wrap

Verification

  • Restart the instance: 

    # dsctl <instance_name> restart
    Copy to Clipboard Toggle word wrap

    If the system does not prompt for the NSS database password, Directory Server uses the password file.

When you enable TLS encryption in Directory Server, you configure the instance to use a certificate issued by a CA. If a client now establishes a connection to the server using the LDAPS protocol or the STARTTLS command over LDAP, Directory Server uses this certificate to encrypt the connection. Client utilities use the CA certificate to verify if the server’s certificate is valid. By default, these utilities cancel the connection if they do not trust the certificate of the server.

Example 1.1. Possible connection errors if client utilities do not use the CA certificate

  • dsconf 

    # dsconf -D "cn=Directory Manager" ldaps://server.example.com:636 config get
Error: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}
    Copy to Clipboard Toggle word wrap

  • ldapsearch 

    # ldapsearch -H ldaps://server.example.com:636 -D "cn=Directory Manager" -W -b "dc=example,dc=com" -x
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    Copy to Clipboard Toggle word wrap

To enable client utilities on Red Hat Enterprise Linux to verify the certificate Directory Server uses, add the CA certificate to the trust store of the operating system.

Prerequisites

  • You know the password of the network security services (NSS) database.

    If you still use the password that was generated during the installation of the Directory Server instance, you find this password in plain text in the /etc/dirsrv/slapd-<instance_name>/pwdfile.txt file.

Procedure

  1. If you do not have a local copy of the CA certificate used by Directory Server:

    1. List the certificates in the server’s network security services (NSS) database: 

      # certutil -d /etc/dirsrv/slapd-<instance_name>/ -L

Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI

Example CA                                 C,,
Server-Cert                                u,u,u
      Copy to Clipboard Toggle word wrap

    2. Use the nickname of the CA certificate in the NSS database to export the CA certificate: 

      # certutil -d /etc/dirsrv/slapd-<instance_name>/ -L -n "Example CA" -a > /tmp/ds-ca.crt
      Copy to Clipboard Toggle word wrap

  2. Copy the CA certificate to the /etc/pki/ca-trust/source/anchors/ directory: 

    # cp /tmp/ds-ca.crt /etc/pki/ca-trust/source/anchors/
    Copy to Clipboard Toggle word wrap

  3. Rebuild the CA trust database: 

    # update-ca-trust
    Copy to Clipboard Toggle word wrap

Verification

  • Establish a connection to Directory Server using the LDAPS protocol. For example, run a query: 

    # ldapsearch -H ldaps://server.example.com:636 -D "cn=Directory Manager" -W -b "dc=example,dc=com" -x -s base
    Copy to Clipboard Toggle word wrap

1.2. Configuring the supported TLS protocol versions
Link kopieren

In Red Hat Enterprise Linux 9, all system-wide crypto policy profiles define TLS 1.2 as the minimum. Therefore, this TLS version is also the minimum in Directory Server. However, if you only have clients which support a newer TLS version, you can set a higher protocol version as minimum to increase the security.

You can set both the minimum and maximum TLS protocol using the command line.

Warning

Do not set a maximum TLS protocol. If you do so, your clients might have to use a weaker TLS protocol than their default standard. If you do not set a maximum TLS version, Directory Server always uses the strongest version that is supported.

Prerequisites

  • You enabled TLS encryption in Directory Server.

Procedure

  1. Optional: Display the TLS protocols that are currently enabled in Directory Server: 

    # dsconf <instance_name> security get | egrep -i "sslVersionMin|sslVersionMax"
sslversionmin: TLS1.2
sslversionmax: TLS1.3
    Copy to Clipboard Toggle word wrap

  2. Set the minimum TLS protocol. For example, to set it to TLS 1.3, enter: 

    # dsconf <instance_name> security set --tls-protocol-min="TLS1.3"
    Copy to Clipboard Toggle word wrap

    Note that you cannot set the parameter to a value lower than TLS 1.2, which is the minimum of all RHEL system-wide crypto policy profiles.

  3. Not recommended: Set the highest supported TLS protocol: 

    # dsconf <instance_name> security set --tls-protocol-max="TLS1.3"
    Copy to Clipboard Toggle word wrap

    If you set --tls-protocol-max to a value lower than in --tls-protocol-min, then Directory Server sets the maximum protocol to the same value as the minimum.

    To always use the strongest supported encryption protocol as the maximum supported TLS version, do not set --tls-protocol-max.

  4. Restart the instance: 

    # dsctl <instance_name> restart
    Copy to Clipboard Toggle word wrap

Verification

  1. Display the supported TLS protocols: 

    # dsconf <instance_name> security get | egrep -i "sslVersionMin|sslVersionMax"
sslversionmin: TLS1.3
sslversionmax: TLS1.3
    Copy to Clipboard Toggle word wrap

  2. Use the openssl utility to establish a secure client connection using a specific TLS protocol: 

    # echo | openssl s_client -connect server.example.com:636 -tls1_3
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
...
    Copy to Clipboard Toggle word wrap

You can set both the minimum and maximum TLS protocol using the web console

Warning

Do not set a maximum TLS protocol. If you do so, your clients might have to use a weaker TLS protocol than their default standard. If you do not set a maximum TLS version, Directory Server always uses the strongest version that is supported.

Prerequisites

  • You enabled TLS encryption in Directory Server.
  • You are logged in to the Directory Server instance in the web console.

Procedure

  1. Navigate to Server Security.
  2. Set the minimum TLS protocol in the Minimum TLS Version field.
  3. Not recommended: Set the highest supported TLS protocol in the Maximum TLS Version field.
  4. Click Save Settings.
  5. Click Actions in the top right corner, and select Restart Instance.

Verification

  • Use the openssl utility to establish a secure client connection using a specific TLS protocol: 

    # echo | openssl s_client -connect server.example.com:636 -tls1_3
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
...
    Copy to Clipboard Toggle word wrap

1.3. Requiring LDAPS or STARTTLS for encrypted connections
Link kopieren

To prevent sending unencrypted passwords over the network, you can configure Directory Server to require users to use LDAPS or STARTTLS encryption when connecting to the server.

By default, Directory Server allows authentication using a bind DN and a password over unencrypted connections, which is a security risk. Suppose you cannot use an alternative secure mechanism, such as certificate-based authentication or SASL. In that case, you can configure Directory Server to require an encrypted connection when authenticating to the server using TLS or STARTTLS.

Note

Requiring a secure connection for bind operations only applies to authenticated binds. Bind operations without a password, such as anonymous and unauthenticated binds, can proceed over standard connections.

Prerequisites

  • You configured existing server-to-server connections, such as replication agreements, to use secure binds.

Procedure

  1. Set the nsslapd-require-secure-binds configuration parameter to on: 

    # dsconf <instance_name> config replace nsslapd-require-secure-binds=on
    Copy to Clipboard Toggle word wrap

  2. Optional: If you want to use LDAPS, disable the plain text LDAP port: 

    # dsconf <instance_name> security disable_plain_port

Disabling plaintext ldap port - you must have ldaps configured:
Type 'Yes I am sure' to continue: Yes I am sure
    Copy to Clipboard Toggle word wrap

  3. Restart the instance: 

    # dsctl <instance_name> restart
    Copy to Clipboard Toggle word wrap
Important

When you enable this feature, it is required for all connections. For example, this includes replication agreements, synchronization, and database chaining.

By default, Directory Server allows authentication using a bind DN and a password over unencrypted connections, which is a security risk. Suppose you cannot use an alternative secure mechanism, such as certificate-based authentication or SASL. In that case, you can configure Directory Server to require an encrypted connection when authenticating to the server using TLS or STARTTLS.

Note

Requiring a secure connection for bind operations only applies to authenticated binds. Bind operations without a password, such as anonymous and unauthenticated binds, can proceed over standard connections.

Prerequisites

  • You configured existing server-to-server connections, such as replication agreements, to use secure binds.
  • You are logged in to the instance in the web console.

Procedure

  1. Navigate to Server Security Security Configuration, select the Require Secure Connections option, and click Save Configuration.
  2. Optional: If you want to use LDAPS, navigate to Server Server Settings General Settings, and set LDAP Port to 0 to disable the plain text LDAP port. Click Save.
  3. Click Actions in the top right corner, and select Restart Instance.
Important

When you enable this feature, it is required for all connections. For example, this includes replication agreements, synchronization, and database chaining.

1.4. Updating the list of ciphers Directory Server supports
Link kopieren

To establish an encrypted connection, both Directory Server and the client need at least one common cipher. For example, if a legacy application requires a cipher that is not enabled by default in Directory Server, you can enable it.

1.4.1. Difference between default ciphers and available ciphers
Link kopieren

Instead of listing individual ciphers in the configuration, you can use one of the following keywords in the nsSSL3Ciphers parameter:

  • default: Refers to the default ciphers enabled in the network security services (NSS). To display the list, enter: 

    # /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
    Copy to Clipboard Toggle word wrap

    The default keyword is the default value of the nsSSL3Ciphers parameter.

  • all: Refers to all supported ciphers in Directory Server. To display the list, enter: 

    # dsconf <instance_name> security ciphers list --supported
    Copy to Clipboard Toggle word wrap

    Use the all keyword when you want to enable only specific ciphers. For example, setting nsSSL3Ciphers to -all,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 configures Directory Server to disable all ciphers and enable only TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

1.4.2. Weak ciphers
Link kopieren

By default, Directory Server rejects weak ciphers and you must configure Directory Server to support them.

Ciphers are considered weak, if:

  • They are exportable.

    Exportable ciphers are labeled EXPORT in the cipher name. For example, in TLS_RSA_EXPORT_WITH_RC4_40_MD5.

  • They are symmetrical and weaker than the 3DES algorithm.

    Symmetrical ciphers use the same cryptographic keys for both encryption and decryption.

  • The key length is shorter than 128 bits.

To update the list of supported ciphers in Directory Server, update the nsSSL3Ciphers parameter.

Prerequisites

  • You enabled TLS encryption in Directory Server.

Procedure

  1. Display the list of enabled ciphers: 

    # dsconf <instance_name> security ciphers list --enabled
    Copy to Clipboard Toggle word wrap

  2. If you need to enable weak ciphers, enter: 

    # dsconf <instance_name> security set --allow-insecure-ciphers on
    Copy to Clipboard Toggle word wrap

  3. Update the nsSSL3Ciphers parameter. For example, to enable only the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers, enter: 

    # dsconf <instance_name> security ciphers set -- "-all,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    Copy to Clipboard Toggle word wrap

    Use -- to avoid that the shell interprets the - character in -all as an option to the command. Do not use a \ character to escape -all because it can create an error and this results in a different cipher selection.

  4. Restart the instance: 

    # dsctl <instance_name> restart
    Copy to Clipboard Toggle word wrap

Verification

  • Display the list of enabled ciphers: 

    # dsconf <instance_name> security ciphers list
default
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Copy to Clipboard Toggle word wrap

1.4.4. Setting ciphers Directory Server supports using the web console
Link kopieren

You can configure the cipher settings in the Cipher Preferences menu of the Directory Server web console.

Prerequisites

  • You enabled TLS encryption in Directory Server.
  • You are logged in to the instance in the web console.

Procedure

  1. If you need to enable weak ciphers:

    1. Navigate to Server Security Security Configuration.
    2. Select Allow Weak Ciphers.
    3. Click Save Settings.
  2. Navigate to Server Security Cipher Preferences.

  3. Update the cipher settings. For example, to enable only the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers:

    1. Select No Ciphers in the Cipher Suite field.
    2. Enter TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 in the Allow Specific Ciphers field.
  4. Click Save Settings.
  5. Click Actions Restart Instance.

Verification

  • Navigate to Server Security Cipher Preferences. The Enabled Ciphers list displays the ciphers that are enabled.

1.5. Changing the CA trust flags
Link kopieren

The certificate authority (CA) trust flags define for which scenarios Directory Server trusts a CA certificate. For example, you set the flags to trust the certificate for TLS connections to the server and for certificate-based authentication.

1.5.1. Changing the CA trust flags using the command line
Link kopieren

You can set the following trust flags on a certificate authority (CA) certificate:

  • C: Trusted CA
  • T: Trusted CA client authentication
  • c: Valid CA
  • P: Trusted peer
  • p: Valid peer
  • u: Private key

You specify the trust flags comma-separated in three categories: TLS, email, object signing

For example, to trust the CA for TLS encryption and certificate-based authentication, set the trust flags to CT,,.

Prerequisites

  • You imported a CA certificate to the network security services (NSS) database.

Procedure

  1. Use the following command to change the trust flags of a CA certificate: 

    # dsconf <instance_name> security ca-certificate set-trust-flags "Example CA" --flags "trust_flags"
    Copy to Clipboard Toggle word wrap

Verification

  • Display all certificates in the NSS database: 

    # certutil -d /etc/dirsrv/slapd-<instance_name>/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
    Copy to Clipboard Toggle word wrap

1.5.2. Changing the CA trust flags using the web console
Link kopieren

You can use the web console to change the CA trust flags.

Prerequisites

  • You imported a CA certificate to the network security services (NSS) database.

Procedure

  1. Navigate to Server Security Certificate Management Trusted Certificate Authorities.
  2. Click the Options menu (⋮) next to the CA certificate, and select Edit Trust Flags.

  3. Select the trust flags.

    security ca cert set trust flags
    View larger image
    security ca cert set trust flags
  4. Click Save Flags

Verification

  1. Navigate to Server Security Certificate Management Trusted Certificate Authorities.
  2. Click > next to the CA certificate to display the trust flags.

1.6. Renewing a TLS certificate
Link kopieren

TLS certificates have an expiration date and time. To continuously provide secure connections, renew the server certificate in Directory Server before it expires.

1.6.1. Renewing a TLS certificate using the command line
Link kopieren

TLS certificates have an expiration date and time. To continuously provide secure connections, renew the server certificate in Directory Server before it expires.

Follow this procedure before the TLS server certificate expires to renew it.

Prerequisites

  • Attribute encryption is not configured.
  • The TLS certificate will expire in the near future.

Procedure

  1. Create a private key and a certificate signing request (CSR). Skip this step if you want to create them using an external utility.

    • If your host is reachable only by one name, enter: 

      # dsctl <instance_name> tls generate-server-cert-csr -s "CN=server.example.com,O=example_organization"
      Copy to Clipboard Toggle word wrap

    • If your host is reachable by multiple names: 

      # dsctl <instance_name> tls generate-server-cert-csr -s "CN=server.example.com,O=example_organization" server.example.com server.example.net
      Copy to Clipboard Toggle word wrap

      If you specify the host names as the last parameter, the command adds the Subject Alternative Name (SAN) extension with the DNS:server.example.com, DNS:server.example.net entries to the CSR.

    The string specified in the -s subject parameter must be a valid subject name according to RFC 1485. The CN field in the subject is required, and you must set it to one of the fully-qualified domain names (FQDN) of the server. The command stores the CSR in the /etc/dirsrv/slapd-<instance_name>/Server-Cert.csr file.

  2. Submit the CSR to the certificate authority (CA) to get a certificate issued. For further details, see your CA’s documentation.
  3. Store both the CA certificate and the server certificate in the /root/ directory.

  4. Import the server certificate issued by the CA to the NSS database, using one of the following options:

    • If you created the private key using the dsctl tls generate-server-cert-csr command, enter: 

      # dsconf -D "cn=Directory Manager" ldap://server.example.com security certificate add --file /root/instance_name.crt --name "server-cert" --primary-cert
      Copy to Clipboard Toggle word wrap

      Remember the name of the certificate you set in the --name _certificate_nickname parameter. You require it in a later step.

    • If you created the private key using an external utility, import the server certificate and the private key: 

      # dsctl <instance_name> tls import-server-key-cert /root/server.crt /root/server.key
      Copy to Clipboard Toggle word wrap

      Note that the command requires you to specify the path to the server certificate first and then the path to the private key. This method always sets the nickname of the certificate to Server-Cert.

  5. Import the CA certificate to the NSS database: 

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ca-certificate add --file /root/ca.crt --name "Example CA"
    Copy to Clipboard Toggle word wrap

  6. Set the trust flags of the CA certificate: 

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ca-certificate set-trust-flags "Example CA" --flags "CT,,"
    Copy to Clipboard Toggle word wrap

    This configures Directory Server to trust the CA for TLS encryption and certificate-based authentication.

  7. Stop the instance: 

    # dsctl <instance_name> stop
    Copy to Clipboard Toggle word wrap

  8. Edit the /etc/dirsrv/slapd-<instance_name>/dse.ldif file, and remove the following entries including their attributes:

    • cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
    • cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
    Important

    Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-<instance_name>/dse.ldif file, Directory Server will fail to start.

  9. Start the instance: 

    # dsctl <instance_name> start
    Copy to Clipboard Toggle word wrap

1.7. Configuring certificate-based authentication
Link kopieren

Directory Server supports certificate-based authentication of LDAP clients and server-to-server connections, such as in replication topologies.

Depending on the configuration, clients can or must authenticate using a certificate. After verifying the certificate, based on the attributes in the subject field of the certificate, the server searches for the user in the directory. If the search return exactly one user entry, Directory Server uses this user for all further operations. Optionally, you can configure that the certificate used for authentication must match the Distinguished Encoding Rules (DER)-formatted certificate stored in the userCertificate attribute of the user entry.

Benefits of using certificate-based authentication:

  • Improved efficiency: Authenticating with the certificate database password and then using that certificate for all subsequent bind or authentication operations is more efficient than repeatedly providing a bind distinguished name (DN) and password.
  • Improved security: The use of certificate-based authentication is more secure than non-certificate bind operations because certificate-based authentication uses public-key cryptography. Attackers cannot intercept bind credentials across the network. If the certificate or device is lost, it is useless without the PIN, so it is immune to third-party interference such as phishing attacks.

1.7.1. Setting up certificate-based authentication
Link kopieren

Prerequisites

  • You enabled TLS encryption in Directory Server.
  • You set the CT flags for the certificate authority (CA) certificate in the network security services (NSS) database.

Procedure

  1. Create a /etc/dirsrv/slapd-<instance_name>/certmap.conf file to map information from the certificate to Directory Server users: 

    certmap default         default
default:DNComps         dc
default:FilterComps     mail,cn
default:VerifyCert      on

certmap example         cn=Example CA
example:DNComps
    Copy to Clipboard Toggle word wrap

    With this configuration, for certificates issued by cn=Example CA, Directory Server does not generate a base DN from the subject of the certificate because the DNComps parameter is set empty for this issuer. Additionally, the settings for the FilterComps and VerifyCert are inherited from the default entry.

    Certificates that have a different issuer DN than cn=Example CA will use the settings from the default entry and generate the base DN based on the cn attributes in the subject of the certificate. This enables Directory Server to start the search under a specific DN, without searching the whole directory.

    For all certificates, Directory Server generates the search filter using the mail and the cn attribute from the certificate’s subject. However, if the mail attribute does not exist in the subject, Directory Server will automatically use the value of the certificate’s e attribute in the subject.

  2. Enable certificate-based authentication. For example, to configure certificate-based authentication as optional, enter: 

    # dsconf <instance_name> security set --tls-client-auth="allowed"
    Copy to Clipboard Toggle word wrap

    Use the --tls-client-auth=required option to configure certificate-based authentication as mandatory.

  3. Optional: If you configured certificate-based authentication as required, enable the nsslapd-require-secure-binds parameter: 

    # dsconf <instance_name> config replace nsslapd-require-secure-binds=on
    Copy to Clipboard Toggle word wrap

    This setting ensures that users cannot bypass the certificate-based authentication by using an unencrypted connection.

  4. Optional: If Directory Server should use the identity from the certificate instead of the credentials in the bind request, configure Directory Server to use the EXTERNAL simple authentication and security layer (SASL) mechanism: 

    # dsconf <instance_name> config replace nsslapd-force-sasl-external=on
    Copy to Clipboard Toggle word wrap

    With this setting, Directory Server ignores any other bind method than the identity in the certificate.

  5. Restart the instance: 

    # dsctl <instance_name> restart
    Copy to Clipboard Toggle word wrap

Next steps:

  • If you have configured Directory Server so that the authenticating certificate must match the one stored in the userCertificate attribute of the user, add the certificates to the user entries.

    For details, see Section 1.7.2, “Adding a certificate to a user”

1.7.2. Adding a certificate to a user
Link kopieren

When you set up certificate-based authentication, you can configure the server so that the certificate used to authenticate must match the one stored in the userCertificate binary attribute of the user. If you enabled this feature, you must add the certificate of the affected users to their directory entry.

Prerequisites

  • You enabled certificate-based authentication in Directory Server.
  • You have a client certificate issued by a certificate authority (CA) that is trusted by the server.
  • The client certificate is in distinguished encoding rules (DER)-formatted.
  • The client certificate meets the requirements set in /etc/dirsrv/slapd-<instance_name>/certmap.conf on the server.

Procedure

  1. If the certificate is not in DER format, convert it. For example, to convert a certificate from privacy enhanced mail (PEM) to DER, enter: 

    # openssl x509 -in /home/user_name/certificate.pem -out /home/user_name/certificate.der -outform DER
    Copy to Clipboard Toggle word wrap

  2. Add the certificate to the user’s userCertificate attribute: 

    # ldapmodify -D "cn=Directory Manager" -W -H ldaps://server.example.com -x

dn: uid=user_name,ou=People,dc=example,dc=com
changetype: modify
add: userCertificate
userCertificate:< file:///home/user_name/example.der
    Copy to Clipboard Toggle word wrap

Verification

  1. Authenticate as the user using certificate-based authentication:

    1. Set the following environment variables to the corresponding paths to the CA certificate, the user key, and the user certificate: 

      LDAPTLS_CACERT=/home/user_name/CA.crt
LDAPTLS_KEY=/home/user_name/user.key
LDAPTLS_CERT=/home/user_name/user.der
      Copy to Clipboard Toggle word wrap

      Alternatively, set the TLS_CACERT, TLS_KEY, and TLS_CERT parameters in the ~/.ldaprc file of the current user.

    2. Connect to the server: 

      # ldapwhoami -H ldaps://server.example.com -Y EXTERNAL
dn: uid=example,ou=people,dc=example,dc=com
      Copy to Clipboard Toggle word wrap

For more details, see Configuring multi-supplier replication with certificate-based authentication in the Configuring and managing replication documentation.

1.9. Encrypting the replication changelog
Link kopieren

For details, how to encrypt the replication changelog, see Encrypting the replication changelog in the Configuring amd managing replication documentation.

1.12. Enabling the FIPS mode
Link kopieren

Directory Server fully supports the Federal Information Processing Standard (FIPS) 140-2. When you run Directory Server run in FIPS mode, security-related settings change. For example, SSL is automatically disabled and only TLS 1.2 and 1.3 encryption is used.

To use Directory Server in Federal Information Processing Standard (FIPS) mode, enable the mode in RHEL and Directory Server.

Prerequisites

  • You enabled the FIPS mode in RHEL.

Procedure

  1. Enable the FIPS mode for the network security services (NSS) database: 

    # modutil -dbdir /etc/dirsrv/slapd-<instance_name>/ -fips true
    Copy to Clipboard Toggle word wrap

  2. Restart the instance: 

    # dsctl <instance_name> restart
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that FIPS mode is enabled for the NSS database: 

    # modutil -dbdir /etc/dirsrv/slapd-<instance_name>/ -chkfips true
FIPS mode enabled.
    Copy to Clipboard Toggle word wrap

    The command returns FIPS mode enabled, if the module is in FIPS mode.

1.13. Setting access control on the Directory Manager account
Link kopieren

Having an unconstrained administrative user makes sense from a maintenance perspective. The Directory Manager requires a high level of access in order to perform maintenance tasks and to respond to incidents.

However, because of the power of the Directory Manager user, a certain level of access control can be advisable to prevent damages from attacks being performed as the administrative user.

1.13.1. About access controls on the Directory Manager account
Link kopieren

Directory Server applies regular access control instructions only to the directory tree. The privileges of the Directory Manager account are hard-coded, and you cannot use this account in bind rules. To limit access to the Directory Manager account, use the RootDN Access Control plug-in.

This plug-in’s features are different from standard access control instructions (ACI). For example, certain information, such as the target (the Directory Manager entry) and the allowed permissions (all of them) is implied. The purpose of the RootDN Access Control plug-in is to provide a level of security by limiting who can log in as Directory Manager based on their location or time, not to restrict what this user can do.

For this reason, the settings of the plug-in only support:

  • Time-based access controls, to allow or deny access on certain days and specific time ranges
  • IP address rules, to allow or deny access from defined IP addresses, subnets, and domains
  • Host access rules, to allow or deny access from specific hosts, domains, and subdomains

There is only one access control rule you can set for the Directory Manager. It is in the plug-in entry, and it applies to the entire directory.

Same as in regular ACIs, deny rules have a higher priority than allow rules.

Important

Ensure that the Directory Manager account has an appropriate level of access. This administrative user might need to perform maintenance operations in off-hours or to respond to failures. In this case, setting a too restrictive time or day rule can prevent the Directory Manager user from adequately manage the directory.

By default, the RootDN Access Control plug-in is disabled. To limit permissions of the Directory Manager account, enable and configure the plug-in.

Procedure

  1. Enable the RootDN Access Control plug-in: 

    # dsconf <instance_name> plugin root-dn enable
    Copy to Clipboard Toggle word wrap

  2. Set the bind rules. For example, to allow the Directory Manager account to only log in between 6am and 9pm from the host with IP address 192.0.2.1, enter: 

    # dsconf <instance_name> plugin root-dn set --open-time=0600 --close-time=2100 --allow-ip="192.0.2.1"
    Copy to Clipboard Toggle word wrap

    For the full list of parameters you can set and their descriptions, enter: 

    # dsconf <instance_name> plugin root-dn set --help
    Copy to Clipboard Toggle word wrap

  3. Restart the instance: 

    # *dsctl <instance_name> restart`
    Copy to Clipboard Toggle word wrap

Verification

  • Perform a query as cn=Directory Manager from a host that is not allowed or outside of the allowed time range: 

    [user@192.0.2.2]$ ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com -x -b "dc=example,dc=com"
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
	additional info: RootDN access control violation
    Copy to Clipboard Toggle word wrap

    If Directory Server denies access, the plug-in works as expected.

By default, the RootDN Access Control plug-in is disabled. To limit permissions of the Directory Manager account, enable and configure the plug-in.

Prerequisites

  • You are logged in to the instance in the web console.

Procedure

  1. Navigate to Plugins RootDN Access Control.
  2. Enable the plug-in.

  3. Fill the fields according to your requirements.

    security rootdn access control
    View larger image
    security rootdn access control
  4. Click Save.
  5. Click Actions in the top right corner, and select Restart Instance.

Verification

  • Perform a query as cn=Directory Manager from a host that is not allowed or outside of the allowed time range: 

    [user@192.0.2.2]$ ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com -x -b "dc=example,dc=com"
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
        additional info: RootDN access control violation
    Copy to Clipboard Toggle word wrap

    If Directory Server denies access, the plug-in works as expected.

1.14. Managing attribute encryption
Link kopieren

Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat