You have, of course, set up TLS via ?letsencrypt for or the server itself, so we already have a TLS certificate for the hostnames FQDN, which we will use for the slapd service.

Only root has access to the certificates, so we make copies into /etc/ldap/ssl, which are updated, every time certbot renews them.


Directory setup


sudo -i

# Create /etc/ldap/ssl
install -d -m 2750 -o root -g openldap /etc/ldap/ssl

# Create Makefile for certificate maintenance
cd /etc/ldap/ssl  || cat >&2
sed -n 's/^  */\t/;wMakefile' <<EOF
# $SUDO_USER $(date -uIs)
# Create ldap TLS certificate files
# Fix file permissions
# Update them from hosts letsencrypt certificate files

all: cert.pem fullchain.pem privkey.pem 

%.pem: /etc/letsencrypt/live/\$(shell hostname -f)/%.pem
    touch \$@
    chown root:openldap \$@
    chmod 640 \$@
    cat \$^ > \$@

# Create update script for certbot
cat > update-certs <<EOF
# $SUDO_USER $(date -uIs)

cat >> update-certs <<'EOF'
if [ x"$RENEWED_LINEAGE" != x ] && \
   [ x"$RENEWED_LINEAGE" != x/etc/letsencrypt/live/"$(hostname -f)" ]; then
    echo ldap update-certs: not me: $(hostname -f) ne $RENEWED_LINEAGE >&2

set -e
cd /etc/ldap/ssl

make -qr && { echo slapd certs are up to date >&2; exit; }
make -r

service slapd restart


Renew Hook in certbot cron job

See: certbot

sudo true

cd /etc/cron.weekly || cat >&2
sudo sed -i '/# last line/i\    --renew-hook /etc/ldap/ssl/update-certs \\' certbot

Configure slapd to use the certificates

Open the cn=config LDAP tree as LDIF file in your default editor with:

ldapvi -Y EXTERNAL -b cn=config

Append the following lines to the cn=config entry.

olcTLSCACertificateFile: /etc/ldap/ssl/fullchain.pem
olcTLSCertificateFile: /etc/ldap/ssl/cert.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem
olcTLSVerifyClient: allow

Disable insecure access

As root edit /etc/default/slapd, so that SLAPD_SERVICES read:

SLAPD_SERVICES="ldap:// ldaps:/// ldapi:///"
# SLAPD_SERVICES="ldap:/// ldapi:///"
# SLAPD_SERVICES="ldaps:/// ldapi:///"

Then service slapd restart