Implement Openldap TLS on YunoHost

To implement LDAP authentication for Mastodon, it needs TLS.
Actually, YunoHost's OpenLDAP doesn't support TLS.
After hours, I found the way to enable it.

Based on https://www.nicolas-housset.fr/mise-en-place-dun-serveur-openldap-securise-avec-tls/ and https://wiki.debian.org/LDAP/OpenLDAPSetup#Configuring_TLS.2FSSL

Information:
1. YunoHost uses the Let's Encrypt CA.
2. YunoHost already has a certificate and a private key signed by the Let's Encrypt CA; they can be found in /etc/ssl/private/yunohost_crt.pem and /etc/ssl/private/yunohost_key.pem.
3. /etc/ssl/private/yunohost_crt.pem contains the whole certificate chain + the YunoHost server certificate.

To implement TLS on OpenLDAP:

  1. Add in /etc/ldap/slapd.conf:
olcTLSCertificateKeyFile: /etc/ssl/private/yunohost_key.pem
olcTLSCertificateFile: /etc/ssl/private/yunohost_crt.pem
  2. As we made a manual modification on /etc/ldap/slapd.conf, we need to update the value of CRC32 in the file using the result of: crc32 <(cat /etc/ldap/slapd.d/cn=config.ldif | tail -n +3)
  3. Add the user openldap to the group ssl-cert: usermod -a -G ssl-cert openldap
  4. Restart the slapd service: service slapd restart

Ready to be used.

You can test whether the certificate is OK by running: openssl s_client -connect localhost:636 -showcerts

LDAP authentication tested with the mastodon_ynh ldap branch using LDAP_PORT=389 LDAP_METHOD=start_tls and using LDAP_PORT=636 LDAP_METHOD=simple_tls.

Link to the issue https://github.com/YunoHost/issues/issues/1379
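The attribute edit and CRC32 repair from the post above, as an added Python helper that is not part of the post or of YunoHost. It assumes cn=config.ldif holds only the cn=config entry (children live in the cn=config/ directory), that slapd's CRC covers everything after the two header lines (what `tail -n +3` prints), and the key/certificate paths are the ones given in the post.

```python
import re
import sys
import zlib

# The two header lines slapd writes at the top of cn=config.ldif; the CRC
# covers everything after them (exactly what `tail -n +3` prints).
CRC_LINE = re.compile(r"^# CRC32 ([0-9a-fA-F]{8})$", re.MULTILINE)

# Paths from the post (assumption: a standard YunoHost install).
KEY_FILE = "/etc/ssl/private/yunohost_key.pem"
CERT_FILE = "/etc/ssl/private/yunohost_crt.pem"


def crc32_of_body(text: str) -> str:
    """Lowercase 8-digit hex CRC32 of everything after the two header lines."""
    body = "\n".join(text.split("\n")[2:])
    return "%08x" % (zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF)


def crc32_matches(text: str) -> bool:
    """True when the '# CRC32' header agrees with the body (what slapd checks)."""
    match = CRC_LINE.search(text)
    return match is not None and match.group(1).lower() == crc32_of_body(text)


def rewrite_crc32(text: str) -> str:
    """Return the file with its '# CRC32' header recomputed over the current body."""
    if CRC_LINE.search(text) is None:
        raise ValueError("no '# CRC32' header line: not a slapd cn=config.ldif")
    return CRC_LINE.sub("# CRC32 " + crc32_of_body(text), text, count=1)


def add_tls_attributes(text: str, key: str = KEY_FILE, cert: str = CERT_FILE) -> str:
    """Append the TLS attributes to the cn=config entry unless already present."""
    if "olcTLSCertificateFile:" in text:
        return text  # already configured, leave the entry alone
    lines = text.rstrip("\n").split("\n")
    lines.append("olcTLSCertificateKeyFile: " + key)
    lines.append("olcTLSCertificateFile: " + cert)
    return "\n".join(lines) + "\n"


def main(path: str = "/etc/ldap/slapd.d/cn=config.ldif") -> None:
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated = rewrite_crc32(add_tls_attributes(original))
    if updated != original:
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)


if __name__ == "__main__":
    main(*sys.argv[1:])
```

Run it as root with slapd stopped, then restart slapd; a mismatched header is the usual reason slapd refuses to start after a hand edit.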


Uh sorry but this looks very much like something which should go on the issue tracker instead :sob: (this forum post is just gonna get lost in 2 weeks if someone doesn't do something right away with it :confused: )

lol well, I asked and @Bram says in matrix that the forum could be a good discussion point ^^

I will do a copy paste in the issue tracker

LGTM :fire: