You have, of course, set up TLS via ?letsencrypt for the server itself, so there is already a TLS certificate for the host's FQDN, which we will use for the slapd service.

Only root has access to the certificates, so we keep copies in /etc/ldap/ssl that are refreshed every time certbot renews them.

Requirements

Directory setup

?shnippet:

sudo -i

# Create /etc/ldap/ssl
install -d -m 2750 -o root -g openldap /etc/ldap/ssl

# Create Makefile for certificate maintenance
cd /etc/ldap/ssl  || cat >&2
sed -n 's/^  */\t/;wMakefile' <<EOF
# $SUDO_USER $(date -uIs)
#
# Create ldap TLS certificate files
# Fix file permissions
# Update them from hosts letsencrypt certificate files

all: cert.pem fullchain.pem privkey.pem

%.pem: /etc/letsencrypt/live/\$(shell hostname -f)/%.pem
    touch \$@
    chown root:openldap \$@
    chmod 640 \$@
    cat \$^ > \$@
EOF

# Create update script for certbot
cat > update-certs <<EOF
#!/bin/sh
# $SUDO_USER $(date -uIs)

EOF
cat >> update-certs <<'EOF'
# certbot passes the renewed lineage in RENEWED_LINEAGE; when it is set,
# act only if it is this host's own certificate (a manual run has it empty).
if [ x"$RENEWED_LINEAGE" != x ] && \
   [ x"$RENEWED_LINEAGE" != x/etc/letsencrypt/live/"$(hostname -f)" ]; then
    echo ldap update-certs: not me: $(hostname -f) ne $RENEWED_LINEAGE >&2
    exit
fi

set -e
cd /etc/ldap/ssl

make -qr && { echo slapd certs are up to date >&2; exit; }
make -r

service slapd restart
EOF

make
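The gating logic of update-certs, as an added example that is not part of the page's own script: the lineage check and the "are the copies stale?" decision that make -q performs for the Makefile above, factored into functions so they can be exercised in a temporary directory without certbot, slapd or root. The function names hook_applies, certs_stale and demo_fixture are hypothetical, and the fixture data is constructed.

```shell
#!/bin/sh
# Added example, not from the page: the update-certs decisions as testable
# shell functions. Function names are hypothetical.

# hook_applies LINEAGE FQDN
# Returns 0 when the hook should act: certbot passed no lineage (manual run)
# or the renewed lineage is this host's own certificate directory.
hook_applies() {
    lineage=$1
    fqdn=$2
    if [ x"$lineage" != x ] && [ x"$lineage" != x/etc/letsencrypt/live/"$fqdn" ]; then
        return 1
    fi
    return 0
}

# certs_stale SRCDIR DSTDIR
# Returns 0 when any of the three copies in DSTDIR is missing or older than
# its counterpart in SRCDIR, which is exactly what `make -q` reports for the
# Makefile rule above (non-zero status means "something needs rebuilding").
certs_stale() {
    src=$1
    dst=$2
    for f in cert.pem fullchain.pem privkey.pem; do
        [ -e "$dst/$f" ] || return 0
        if [ "$src/$f" -nt "$dst/$f" ]; then
            return 0
        fi
    done
    return 1
}

# demo_fixture
# Builds a constructed fake "live" directory and a fake ssl directory under
# a temporary directory and prints its path. The copies get an old mtime so
# the renewed files are newer.
demo_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/live" "$tmp/ssl"
    for f in cert.pem fullchain.pem privkey.pem; do
        printf 'OLD\n' > "$tmp/ssl/$f"
        touch -t 202001010000 "$tmp/ssl/$f"
        printf 'NEW\n' > "$tmp/live/$f"
    done
    echo "$tmp"
}

# Usage when run directly: show both decisions on the constructed fixture.
if [ "${0##*/}" = "hook-demo.sh" ]; then
    d=$(demo_fixture)
    hook_applies "/etc/letsencrypt/live/$(hostname -f)" "$(hostname -f)" && echo "lineage: mine"
    certs_stale "$d/live" "$d/ssl" && echo "copies: stale"
    rm -rf "$d"
fi
```

The real hook restarts slapd only after make has actually rebuilt something; the stale check is what keeps a weekly cron run from bouncing the directory service when nothing changed.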

Renew Hook in certbot cron job

See: certbot

sudo true

cd /etc/cron.weekly || cat >&2
sudo sed -i '/# last line/i\    --renew-hook /etc/ldap/ssl/update-certs \\' certbot

Configure slapd to use the certificates

Open the cn=config LDAP tree as LDIF file in your default editor with:

ldapvi -Y EXTERNAL -b cn=config

Append the following lines to the cn=config entry.

olcTLSCACertificateFile: /etc/ldap/ssl/fullchain.pem
olcTLSCertificateFile: /etc/ldap/ssl/cert.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem
olcTLSVerifyClient: allow

Disable insecure access

As root, edit /etc/default/slapd so that SLAPD_SERVICES reads:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
# SLAPD_SERVICES="ldap:/// ldapi:///"
# SLAPD_SERVICES="ldaps:/// ldapi:///"

Then run service slapd restart.
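A small audit of the two hardening points on this page, added here as an example rather than taken from the page: which listeners in a SLAPD_SERVICES line still accept plaintext LDAP on a non-loopback address, and whether a copied certificate file has the 640 (or stricter) mode the Makefile sets. The function names plaintext_listeners, active_services_line and pem_mode_ok are hypothetical, and the sample lines are constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not from the page: audit helpers for SLAPD_SERVICES and the
# copied certificate files. Function names are hypothetical.

# active_services_line FILE
# Prints the uncommented SLAPD_SERVICES= line from a /etc/default/slapd file.
active_services_line() {
    grep '^SLAPD_SERVICES=' "$1"
}

# plaintext_listeners "SLAPD_SERVICES=..."
# Prints every ldap:// URL in the line that is not bound to loopback.
# Empty output means only ldaps://, ldapi:// and loopback ldap:// remain.
plaintext_listeners() {
    printf '%s\n' "$1" | sed -e 's/^SLAPD_SERVICES=//' -e 's/"//g' | tr ' ' '\n' |
    while read -r url; do
        case $url in
            ldap://127.0.0.1*|ldap://localhost*|ldap://\[::1\]*) ;;   # loopback: fine
            ldap://*) printf '%s\n' "$url" ;;                          # plaintext, exposed
        esac
    done
}

# pem_mode_ok FILE
# Returns 0 when the file is rw-r----- (640) or rw------- (600): readable by
# owner and group only, as the Makefile rule sets with chmod 640.
pem_mode_ok() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case $perm in
        -rw-r-----|-rw-------) return 0 ;;
    esac
    return 1
}

# Usage when run directly: audit the live system.
if [ "${0##*/}" = "slapd-audit.sh" ]; then
    line=$(active_services_line /etc/default/slapd)
    exposed=$(plaintext_listeners "$line")
    [ -z "$exposed" ] && echo "listeners: ok" || echo "plaintext listeners: $exposed"
    for f in /etc/ldap/ssl/cert.pem /etc/ldap/ssl/fullchain.pem /etc/ldap/ssl/privkey.pem; do
        pem_mode_ok "$f" && echo "$f: mode ok" || echo "$f: mode too open"
    done
fi
```

The listener check treats ldap:/// (all interfaces) as exposed because STARTTLS is optional on that port unless olcSecurity demands it; binding plaintext LDAP to 127.0.0.1 only, as the configuration above does, keeps it available for local tools while clients on the network must use ldaps://.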