Configuring LDAP over SSL

You can secure your Lightweight Directory Access Protocol (LDAP) connection by using SSL (Secure Sockets Layer).

If LDAP over SSL (LDAPS) is not automatically configured in your cluster, complete these steps to manually configure the LDAPS connection.

You must prepare your product cluster for connecting with your LDAPS directory.

Before you begin, you must import the public or private SSL certificate that you used for setting up your LDAPS directory.

Retrieving the SSL certificate

If you have the SSL certificate of your LDAP server, proceed with Encoding the SSL certificate.

If you do not have the SSL certificate of your LDAP server, use one of the following approaches to retrieve the SSL certificate:

Option 1: Using the ldapsearch command

Note: You need the ldapsearch program to run these commands. You can install it by running apt install ldap-utils on Ubuntu and yum install openldap-clients on Red Hat Enterprise Linux (RHEL).

  1. Ensure that no SSL certificates are in the /etc/openldap/cacerts directory.

  2. Run the following ldapsearch command to retrieve the certificate name:

    ldapsearch -H <LDAP server URL> -d 1  -b <searchbase> -D "" -s base "(<filter>)"
    

    Where,

    • LDAP server URL is your LDAP directory domain name, and port. Format: ldaps://<LDAP server domain name or IP address>:<port>.
    • -d is the debugging level.
    • -b is the search base.
    • -D is the bind DN. This parameter is optional.
    • -s is the scope of search.
    • filter is the LDAP filter. Default filter: (objectClass=*).

    Sample command:

    ldapsearch -H ldaps://corp.example.com:636 -d 1  -b o=example.com -D "" -s base "(objectclass=*)"
    

    Sample output:

    ldap_url_parse_ext(ldaps://corp.example.com:636)
    ldap_create
    ldap_url_parse_ext(ldaps://corp.example.com:636/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP corp.example.com:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 9.17.186.253:636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
    TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
    TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
    TLS: certificate [CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
    TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
    TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    

    The certificate subject is in the line of the output that reads TLS: certificate [CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user.. The CN value identifies the certificate to export.

  3. Locate the certificate in your web browser, export it to a file in a PEM format, and save the PEM file with a .crt extension.

    Note: If you have multiple certificates, export each certificate to a file in a PEM format and save the PEM file with a .crt extension.

  4. Copy the .crt file to the master node of your cluster.

Option 2: Using the openssl tool

  1. Run the following command:

    openssl s_client -connect <ldap-server-host>:636 -showcerts < /dev/null > ldap_server_certs.pem
    
  2. Edit the ldap_server_certs.pem file:

    1. Remove the unwanted lines.
    2. Retain the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    Note: Ensure that the final ldap_server_certs.pem file is in valid PEM format and contains no empty lines between the certificates.

Preparing for a single LDAPS connection

If you are configuring a single LDAPS connection, complete the steps in the Encoding the SSL certificate section.

Encoding the SSL certificate

Complete the following steps to encode the certificate in base64:

  1. Log on to the master node of your cluster.
  2. Convert the certificate into PEM format.
    openssl x509 -in <cert>.cer -outform PEM -out <convertedCert>.pem
    
    If your LDAP server uses chain certificates (root CA and intermediate certificates), convert each certificate into PEM format. Then, combine them into one file. Use the following command to combine the converted certificates.
    cat <convertedFirstCert.pem> <convertedSecondCert.pem> ... <converted_n_Cert.pem> > <convertedCombinedCert>.pem
    
  3. Encode your certificate in base64.
    cat <LDAPS SSL certificate name>.pem | base64 -w 0
    
    The output resembles the following code:
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdDRENDQS9DZ
    0F3SUJBZ0lRS3k1dTZ0bDFObXdVaW03Ym8zeU1CekFOQmdrcWhraUc5
    ...
    lDOHg0OU9oZ1E9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KDQo=
    

Next, proceed with Preparing your cluster.

Preparing for multiple LDAPS connections

If you are configuring multiple LDAPS connections, first check whether a certificate already exists in the "data" > "certificate" section of the platform-auth-ldaps-ca-cert secret. If a certificate exists, complete the steps in the Retrieve the current certificate and Encode the SSL certificate sections that follow.

If no certificate exists, then complete the steps in Encoding the SSL certificate.

Retrieve the current certificate

You can retrieve the certificate by using the OpenShift Container Platform console or command line interface (CLI).

Option 1: Using the console

  1. Log on to the OpenShift Container Platform console as a cluster administrator.
  2. From the navigation menu, click Workloads > Secrets.
  3. Locate platform-auth-ldaps-ca-cert and click ... > Edit Secret. A window for editing displays.
  4. Copy the base64 encoded certificate value from the "data" > "certificate" section.
    "data": {
     "certificate": "LS0tLS1...ASDFASDo="
    },
    
  5. Convert the existing encoded certificate and save to a file.
    echo "<copied_cert_value>" | base64 --decode > existing_cert.pem
    

Option 2: Using the CLI

  1. Access the CLI of your master node. Install the Kubernetes CLI (kubectl). You need this tool to complete the following tasks.

  2. Get the base64 certificate.

    kubectl -n ibm-common-services get secret platform-auth-ldaps-ca-cert -o "jsonpath={.data['certificate']}" | base64 --decode > existing_cert.pem
    

Next, proceed with Encode the SSL certificate.

Encode the SSL certificate

Complete the following steps to encode the certificate in base64:

  1. Log on to the master node of your cluster.
  2. Convert the new certificate into PEM format.
    openssl x509 -in <cert>.cer -outform PEM -out <convertedCert>.pem
    
    If your LDAP server uses chain certificates (root CA and intermediate certificates), convert each certificate into PEM format. Then, combine them into one file. Use the following command to combine the converted certificates.
    cat <convertedFirstCert.pem> <convertedSecondCert.pem> ... <converted_n_Cert.pem> > <convertedCombinedCert>.pem
    
  3. Append the new certificate (or the combined certificate, if you use chain certificates) to the existing certificate.
    cat existing_cert.pem <new_cert.pem or convertedCombinedCert.pem> > final_combined_cert.pem
    
  4. Encode your certificate in base64.
    cat <LDAPS SSL certificate name>.pem | base64 -w 0
    
    The output resembles the following code:
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdDRENDQS9DZ
    0F3SUJBZ0lRS3k1dTZ0bDFObXdVaW03Ym8zeU1CekFOQmdrcWhraUc5
    ...
    lDOHg0OU9oZ1E9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KDQo=
    

Next, complete the steps in the Preparing your cluster section.

Preparing your cluster

You can prepare your cluster by using the OpenShift Container Platform console or CLI.

Option 1: Using the console

  1. Log on to the OpenShift Container Platform console as a cluster administrator.

  2. From the navigation menu, click Workloads > Secrets.

  3. Locate platform-auth-ldaps-ca-cert and click ... > Edit Secret. A window for editing displays.

  4. Paste the base64 certificate in the following section:

    "data": {
     "certificate": ""
    },
    

    The updated section resembles the following text:

    "data": {
     "certificate": "LS0tLS1<very_long_base64_string>ASDFASDo="
    },
    
  5. Click Save.

  6. From the navigation menu, click Workloads > Deployments.

  7. Locate auth-idp.

  8. Click ... > Edit Deployment. A window for editing displays.

  9. Click Save without making any change. This step is to reload the auth-idp pods with the latest ConfigMap values.

  10. Wait for a minute or two and then check whether the certificate is mounted on the pod.

    1. Get the auth-idp pods.

      kubectl -n ibm-common-services get pods | grep auth-idp
      
    2. Check whether the certificate is mounted on the pod.

      kubectl -n ibm-common-services exec -it auth-idp-<pod-id> -c platform-auth-service -- cat /opt/ibm/ldaps/ldaps-ca.crt
      

Option 2: Using the CLI

  1. Access the CLI of your master node. You need kubectl, the Kubernetes command line tool to complete the following tasks. For more information about installing kubectl, see Installing the Kubernetes CLI (kubectl).

  2. Copy the LDAPS CA certificate secret to a file:

    kubectl get secret platform-auth-ldaps-ca-cert -o yaml -n ibm-common-services > platform-auth-ldaps-ca-cert-secret.yaml
    
  3. Paste the base64 certificate into the "data" > "certificate" field of the platform-auth-ldaps-ca-cert-secret.yaml file.

  4. Get the security service Deployment YAML file:

    kubectl -n ibm-common-services get deploy auth-idp -o yaml > auth-idp.yaml
    
  5. Apply the changes:

    1. Run the following command to apply the platform-auth-ldaps-ca-cert-secret.yaml file:
      kubectl apply -f platform-auth-ldaps-ca-cert-secret.yaml
      
    2. Run the following command to apply the auth-idp.yaml file:
      kubectl apply -f auth-idp.yaml
      
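The following script is an added example, not part of this page or of the product, that ties the preceding procedures together: it cleans openssl s_client output into a PEM bundle, verifies and counts the certificates, builds the one-line base64 secret value, and updates the secret with kubectl patch followed by kubectl rollout restart (standard kubectl subcommands used here instead of hand-editing the exported YAML and re-saving the Deployment). It assumes GNU coreutils, awk and openssl on the master node; all file names are hypothetical.

```shell
# Added example, not part of the original page: clean "openssl s_client
# -showcerts" output into a valid PEM bundle, verify and count the certificates,
# and build the one-line base64 value for the platform-auth-ldaps-ca-cert
# secret. Assumes GNU coreutils (base64 -w 0), awk, openssl; file names are hypothetical.

# Keep only BEGIN/END CERTIFICATE blocks, dropping s_client chatter and the
# blank lines the page warns about.
extract_pem_blocks() {
  awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
       keep && NF { print }
       /-----END CERTIFICATE-----/ { keep = 0 }' "$1"
}

# Number of certificates in a PEM file (one END marker per certificate).
count_certs() {
  grep -c -- '-----END CERTIFICATE-----' "$1"
}

# Parse every block with openssl; fails on the first block that is not a
# certificate, otherwise prints each subject so the chain can be checked.
verify_pem_bundle() {
  local n i
  n=$(count_certs "$1")
  for i in $(seq 1 "$n"); do
    awk -v want="$i" '/-----BEGIN CERTIFICATE-----/ { c++ } c == want { print }' "$1" \
      | openssl x509 -noout -subject || return 1
  done
}

# Secret value: existing (decoded) PEM plus the new PEM, as one base64 line.
encode_for_secret() {
  cat "$@" | base64 -w 0
}

# Round-trip check before pasting: decode the value and count certificates.
encoded_cert_count() {
  printf '%s' "$1" | base64 --decode | grep -c -- '-----END CERTIFICATE-----'
}

# JSON merge patch for data.certificate; kubectl patch plus rollout restart
# replaces hand-editing the exported YAML and re-saving the Deployment.
secret_patch_json() {
  printf '{"data":{"certificate":"%s"}}' "$1"
}

apply_secret_and_restart() {
  kubectl -n ibm-common-services patch secret platform-auth-ldaps-ca-cert \
    --type merge -p "$(secret_patch_json "$1")"
  kubectl -n ibm-common-services rollout restart deployment auth-idp
}
```

Typical use: extract_pem_blocks ldap_server_certs.pem > new_cert.pem, verify_pem_bundle new_cert.pem, then apply_secret_and_restart "$(encode_for_secret existing_cert.pem new_cert.pem)" and confirm with the mounted-file check from step 10 above.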

Next, complete the steps in the Connecting to your LDAP directory section.