LDAPs

debian@croqueta:~$ sudo nano /usr/lib/ssl/openssl.cnf

[ CA_default ]

#dir            = ./demoCA              # Where everything is kept
dir             = /etc/ssl/openldap

debian@croqueta:~$ sudo apt install acl

debian@croqueta:/etc/ssl/openldap/certs$ sudo setfacl -m u:openldap:r-x /etc/ssl/openldap/certs
debian@croqueta:/etc/ssl/openldap/certs$ sudo setfacl -m u:openldap:r-x /etc/ssl/openldap/certs/ernesto.gonzalonazareno.org.key
debian@croqueta:/etc/ssl/openldap/certs$ sudo setfacl -m u:openldap:r-x /etc/ssl/openldap/certs
debian@croqueta:/etc/ssl/openldap/certs$ sudo setfacl -m u:openldap:r-x /etc/ssl/openldap/certs/gonzalonazareno.crt
debian@croqueta:/etc/ssl/openldap/certs$ sudo setfacl -m u:openldap:r-x /etc/ssl/openldap/certs/ernesto.gonzalonazareno.org.crt

debian@croqueta:~$ nano ldaps.ldif

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/gonzalonazareno.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ernesto.gonzalonazareno.org.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/certs/ernesto.gonzalonazareno.org.key

debian@croqueta:~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldaps.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config" 

debian@croqueta:~$ sudo slapcat -b "cn=config" | grep -E "olcTLS" 

olcTLSCACertificateFile: /etc/ssl/openldap/certs/gonzalonazareno.crt
olcTLSCertificateFile: /etc/ssl/openldap/certs/ernesto.gonzalonazareno.org.c
olcTLSCertificateKeyFile: /etc/ssl/openldap/certs/ernesto.gonzalonazareno.or

debian@croqueta:~$ sudo slaptest -u

config file testing succeeded

debian@croqueta:~$ sudo nano /etc/ldap/ldap.conf

# TLS certificates (needed for GnuTLS)
#TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
TLS_CACERT      /etc/ssl/openldap/certs/gonzalonazareno.crt

debian@croqueta:~$ sudo systemctl restart slapd