Most modern Linux distributions will support OpenLDAP and TLS "out of the box". They'll all require generation of appropriate SSL certificates, and some will require additional configuration.
You'll want to create certificates. See SSLNotes to learn how.
When creating certificates, set the Common Name (CN) to the name you'll be connecting to the server by, and put the same name in the subjectAltName extension: newer clients check subjectAltName first and only fall back to the CN when the certificate has no SAN at all. It'll fail otherwise. For example, if you'll be using ldap+tls to ldap.wlug.org.nz, set the Common Name (and SAN) to ldap.wlug.org.nz, and only ever connect to that name. If you use another name that resolves to the same IP (a CNAME, a bare hostname, or the raw address), the client rejects the certificate: it compares the name it dialled against the certificate, not the IP it reached.
It is important to have the permissions and ownership set right on your slapd.pem certificate and key. If you don't, slapd will fail to start and exit without a useful error. The exact user and group depend on your distribution (Debian runs slapd as openldap, Red Hat as ldap), but the rule is the same everywhere: the private key is owned by root, readable by the group slapd runs as, and not readable by anyone else.
Update slapd.conf to point at your CA certificate, server certificate and private key:

TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCertificateFile /etc/ldap/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/certs/slapd-key.pem
TLSRandFile /etc/ldap/certs/randfile
TLSCipherSuite HIGH:MEDIUM:+SSLv2

Two caveats on that fragment. "+SSLv2" in an OpenSSL cipher string only moves the SSLv2 suites to the end of the preference list; it does not disable them, so a client that asks for one still gets it. Use "!SSLv2" if you want them gone (modern OpenSSL no longer builds SSLv2 at all). TLSRandFile is only consulted when /dev/urandom is unavailable and can be left out on Linux.
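Below, as an added example rather than configuration taken from the page, the page's TLS settings are shown next to a tightened version. The file paths are the page's own; TLSProtocolMin and TLSVerifyClient are directives from slapd.conf(5) of OpenLDAP 2.4 and later, and the values chosen for them are suggestions to adapt. Note that slapd.conf only treats a "#" at the start of a line as a comment, so the remarks sit on their own lines.

```text
# --- as on the page -------------------------------------------------------
# "+SSLv2" re-orders the list, it does not remove the SSLv2 suites
TLSCipherSuite HIGH:MEDIUM:+SSLv2

# --- tightened ------------------------------------------------------------
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCertificateFile /etc/ldap/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/certs/slapd-key.pem
# no anonymous (aNULL) or null-encryption (eNULL) suites, no MD5 MACs, no RC4
TLSCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4
# protocol floor: 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2
TLSProtocolMin 3.3
# "never" is the default; use "try" or "demand" once you issue client certificates
TLSVerifyClient never
# TLSRandFile omitted: only used when /dev/urandom is missing
```

After editing, run slaptest -u against the file (or simply restart slapd and watch the log) to catch a typo before it takes the directory down.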
Debian Woody ships with a version of slapd that doesn't have TLS support enabled. Check out the References section below for links to backports available for Debian Woody, or else rebuild the debian slapd package with TLS support yourself. Change the line in debian/rules from --without-tls to --with-tls.
You'll also need to change the init script. In /etc/init.d/slapd, change the line

start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd

to read

start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///"

The "--" ends start-stop-daemon's own options; everything after it is handed to slapd, and "-h" lists the URLs slapd listens on. This starts slapd on ldaps (port 636) and ldap (port 389). You can also add ldapi:/// to serve LDAP over a Unix domain socket, which is convenient for local administration without touching TCP at all.
The package that comes with Sarge has TLS support enabled. Instead of hacking up the init script, edit /etc/default/slapd and set the SLAPD_SERVICES variable to suit your site, eg:

SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:///"

This makes slapd listen for plain ldap on the loopback interface only and for ldaps on every interface, so cleartext LDAP is never offered on the network. Remote clients must then use ldaps://; one pointed at ldap://host/ is simply refused. If you'd rather run StartTLS on port 389, list ldap:/// instead and make sure clients can't skip the upgrade: pass -ZZ to the command-line tools, and consider a "security ssf=..." directive in slapd.conf so the server itself refuses operations that arrive without encryption.
RedHat 7.x supports TLS out of the box. All you have to do is recreate your slapd certificate and uncomment the TLS config lines in /etc/openldap/slapd.conf:

cd /usr/share/ssl/certs
make slapd.pem
... answer some questions ...

This Makefile target writes the private key and the certificate together into slapd.pem, which is why the Red Hat slapd.conf points both TLSCertificateFile and TLSCertificateKeyFile at that one file. Because it contains the key, treat it with the permissions of a key, not of a public certificate.
Remember our advice about the Common Name here.
Use the following commands to set the permissions correctly for RH 7.x (owned by root, readable by the ldap group that slapd runs as, and nothing for anyone else, since the file holds the private key):

chmod u=rw,g=r,o= slapd.pem
chown root:ldap slapd.pem
See LDAPAuthentication for a detailed example of this.
After I configured LDAP client auth, I also enabled nscd(8) to load at boot (in runlevels 2, 3, 4 and 5). nscd is the daemon which handles passwd and group lookups for running programs and caches the results for the next query. This is important if you're using network name services such as LDAP or NIS. Without it your LDAP server gets hammered and clients are slower to respond. Using it also seemed to solve some segfaults I was having with tools like RPM. Weird, but true.
There are a few things to get tripped up on with LDAP.
OpenLDAP has a special root identity with unrestricted access to the LDAP tree, bypassing any ACLs you have in place. It is controlled through the rootdn and rootpw directives in slapd.conf, so anyone who can read that file and learn rootpw owns the directory: keep slapd.conf owned by root and readable only by the group slapd runs as, and use the rootdn for initial population and emergencies rather than day-to-day administration.

Set rootpw to the output of slappasswd (by default an {SSHA} hash) rather than a cleartext password. slapd does accept a cleartext rootpw, but then the secret sits in slapd.conf in the clear; and whichever form you use, a value that was pasted wrongly just makes binds as the rootdn fail with "Invalid credentials" (err=49) and nothing more helpful in the log. Check the hash you intend to install against the password before restarting slapd.
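To make that check concrete, here is an added example (not code from the page or from OpenLDAP) that builds the same {SSHA} value slappasswd emits and verifies a password against an existing one, which lets you confirm a rootpw before it goes into slapd.conf. The format is "{SSHA}" followed by base64 of SHA-1(password || salt) concatenated with the salt; slappasswd uses four random salt bytes, and this script uses eight random hex characters instead so the salt stays shell-safe (slapd accepts any salt length). It assumes openssl and od are installed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): generate and verify OpenLDAP {SSHA} values.

# ssha_hash PASSWORD [SALT]
#   Prints a {SSHA} value for PASSWORD.  SALT defaults to 8 random hex chars.
ssha_hash() {
    pw=$1
    salt=${2:-$(openssl rand -hex 4)}
    # base64( SHA1(password || salt) || salt )
    b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
           | openssl base64 -A )
    printf '{SSHA}%s\n' "$b64"
}

# ssha_verify HASH PASSWORD
#   Returns 0 if PASSWORD produces HASH, 1 if not, 2 if HASH is not an {SSHA} value.
#   Works for any salt length, including the binary salts slappasswd generates,
#   because the salt bytes are only ever streamed through a pipe, never stored.
ssha_verify() {
    hash=$1; pw=$2
    case $hash in
        '{SSHA}'*) ;;
        *) echo "not an {SSHA} value: $hash" >&2; return 2 ;;
    esac
    b64=$(printf '%s' "$hash" | cut -c7-)
    # stored digest = first 20 decoded bytes, as hex
    stored=$(printf '%s' "$b64" | openssl base64 -d -A | head -c 20 \
             | od -An -v -tx1 | tr -d ' \n')
    # recompute SHA-1 over password || salt, the salt being every byte after the 20th
    computed=$( { printf '%s' "$pw"; printf '%s' "$b64" | openssl base64 -d -A | tail -c +21; } \
                | openssl dgst -sha1 -binary | od -An -v -tx1 | tr -d ' \n')
    [ "$stored" = "$computed" ]
}

# Usage: generate a value for slapd.conf, then prove it verifies before installing it.
#   h=$(ssha_hash 'the-root-password')
#   ssha_verify "$h" 'the-root-password' && printf 'rootpw %s\n' "$h"
```

Comparing two hex strings with test(1) is not constant-time, but that only matters for an online oracle; here the comparison runs locally against your own configuration file, not against an attacker's guesses.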
Here are some useful apps to use with your LDAP system:
Contact management only tools:
Patches for LDAP support: