Task 013: OpenLDAP StartTLS (olc ver.)

Another cn=config nightmare, yay! You might be wondering, with all this hate, why I'm still using the OLC format. The answer is simple: it's still more correct than the classic slapd.conf.

A simple trick to make cn=config bearable

But before getting into the details, there's a little hack that makes cn=config slightly easier to handle:

slaptest -f slapd.conf -F config.d

This command reads the given config file, slapd.conf, translates it into OLC format and writes the result into the destination directory config.d (create the directory first; slaptest won't do it for you). By reading the generated LDIF files you can figure out which olc* keys exist and how they are set. This is a huge plus, because these attribute names are thinly documented (slapd-config(5) lists them, but with little context), and all you get from googling is fragmented tutorials that might not work for your case.

Abusing snake: snakeoil.key

Debian offers a package called ssl-cert. On installation it generates a self-signed certificate and key, "snakeoil". It's not legit and isn't meant to be: it's there for automated deployments and for local services that want encryption but no verification.

apt install ssl-cert

The key is owned by root:ssl-cert and is group-readable (/etc/ssl/private itself is traversable only by root and the group), so a service gets access simply by joining the ssl-cert group. The security implication is that every service in that group shares one private key and can impersonate the others. Since no client is going to verify a self-signed snakeoil certificate anyway, that costs little here, but don't repeat the pattern with a real certificate. On Debian slapd runs as the openldap user, and the new group membership only applies once slapd is restarted.

usermod -a -G ssl-cert openldap

Show me the LDIF

Once the key is readable, it's time for slapd. Add both attributes in a single modify operation (that's what the "-" separator does): slapd re-initialises its TLS context on every change, and a certificate without its key is rejected.

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key

... applied as root over the local socket, which Debian maps to cn=config's rootdn via SASL EXTERNAL:

ldapmodify -H ldapi:// -Y EXTERNAL -f ssl-certs.ldif

And that's it. With a certificate and key configured, slapd accepts StartTLS on the plain ldap:// listener without any further settings. Check it with "ldapwhoami -H ldap://localhost -ZZ -x": -ZZ makes the client fail hard if TLS can't be negotiated, and -x does an anonymous simple bind so only the TLS layer is exercised. Because the certificate is self-signed, the client needs TLS_REQCERT never (or the snakeoil pem as TLS_CACERT) in ldap.conf, otherwise it refuses the handshake and you'll wrongly blame the server.
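The pieces above (the slaptest conversion trick, the ssl-cert group membership and key permissions, and the StartTLS check) as one small shell helper. This is an added example, not code from the original post or from the OpenLDAP or Debian projects; it assumes Debian's paths and names (the openldap user, the ssl-cert group, /etc/ssl/private/ssl-cert-snakeoil.key) and GNU stat. The function names are mine.

```shell
#!/bin/sh
# Added example: helper checks for the Debian slapd StartTLS setup described
# in the post. Assumes Debian's openldap user, ssl-cert group and snakeoil key
# paths, and GNU stat (-c %a). Function names are this example's own.
set -eu

# Convert a classic slapd.conf into OLC form with slaptest and print only the
# TLS attributes it produced. slaptest refuses to create the -F directory,
# hence the mktemp -d. Run as root so the schema includes are readable.
# Usage: olc_tls_keys /etc/ldap/slapd.conf
olc_tls_keys() {
    conf=$1
    out=$(mktemp -d)
    slaptest -f "$conf" -F "$out" >/dev/null
    grep -h '^olcTLS' "$out/cn=config.ldif" || true
    rm -rf "$out"
}

# Is user $1 a member of group $2? Equivalent to checking the effect of
# "usermod -a -G ssl-cert openldap" (after a restart of slapd).
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        if [ "$g" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# The key must be group-readable (so the ssl-cert group works) but never
# world-readable. Reads the octal mode and tests the r bits of group/other.
# 0640 passes, 0600 fails (slapd can't read it), 0644 fails (everyone can).
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || echo 0)
    grp=$(( (0$mode >> 3) & 4 ))   # group read bit
    oth=$(( 0$mode & 4 ))          # other read bit
    if [ "$grp" -ne 0 ] && [ "$oth" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Negotiate StartTLS and fail if TLS can't be established (-ZZ). -x is an
# anonymous simple bind, so only the TLS layer is tested. LDAPTLS_REQCERT is
# ldap.conf's TLS_REQCERT as an environment override; "never" is needed for
# the self-signed snakeoil certificate. For a raw handshake view, OpenSSL
# 1.1.1+ also offers: openssl s_client -connect localhost:389 -starttls ldap
verify_starttls() {
    uri=${1:-ldap://localhost}
    LDAPTLS_REQCERT=never ldapwhoami -H "$uri" -ZZ -x
}

# Invoked as "./check.sh check" on the LDAP host it runs the real checks;
# sourcing the file, or running it with no argument, only defines the functions.
if [ "${1:-}" = "check" ]; then
    key=/etc/ssl/private/ssl-cert-snakeoil.key
    user_in_group openldap ssl-cert || echo "openldap is not in ssl-cert (usermod -a -G ssl-cert openldap, then restart slapd)"
    key_mode_ok "$key" || echo "$key is not group-readable or is world-readable"
    verify_starttls
fi
```

If verify_starttls fails with "Can't contact LDAP server" right after the handshake, the usual cause is the key check above: slapd logs "TLS init def ctx failed" and drops the StartTLS extended operation when it cannot read the key file.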