Rob's web

LDAPS

SELinux

If SELinux is enforcing, make sure the policy lets slapd read the certificate files and bind the LDAPS port. List the ports labelled ldap_port_t first: on a stock targeted policy tcp/389 and tcp/636 are already included, and semanage port -a refuses a port that is already defined, so the two -a lines are only needed for a non-standard port (use -m to relabel an existing one). Files kept under /etc/pki/tls get the cert_t label that slapd may read; if the certificate or key was copied from elsewhere, run restorecon on it. If the boolean is not defined in your policy, setsebool says so and that step can be skipped.

# semanage port -l | grep ldap
# semanage port -a -t ldap_port_t -p tcp 636
# semanage port -a -t ldap_port_t -p tcp 389
# setsebool -P allow_ldap_tls=on

Adding TLS certificates

Point cn=config at the CA bundle, the server certificate and the private key in a single modify operation (slapd validates the certificate against the key when it loads them). The key must be readable by the user slapd runs as (ldap, per the -u flag in the unit file) and by nobody else; a world-readable key lets any local user impersonate the directory. If the olcTLS* attributes are already set, change add: to replace: in the LDIF, otherwise ldapmodify fails with "attribute exists".

# vi certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/example.com_ca-bundle.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/example.com.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/example.com.key

# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile

Then check whether slapd is listening on port 636:

# ss -ntlp | grep :636

If nothing is listening on 636, slapd was started without an ldaps:/// URL. Add it to the -h list on the unit's ExecStart line. Editing /usr/lib/systemd/system/slapd.service directly works but is overwritten by the next package update; a drop-in created with systemctl edit slapd (or, on distributions whose unit reads SLAPD_URLS from /etc/sysconfig/slapd, that file) survives updates.

# vi /usr/lib/systemd/system/slapd.service
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"

After editing the slapd.service file, reload the systemd configuration to apply the changes:

# systemctl daemon-reload
# systemctl restart slapd

Verify that OpenLDAP is now listening on the new ports using:

# ss -tulnp | grep slapd
tcp   LISTEN 0      2048                              0.0.0.0:636        0.0.0.0:*    users:(("slapd",pid=1376,fd=9))
tcp   LISTEN 0      2048                              0.0.0.0:389        0.0.0.0:*    users:(("slapd",pid=1376,fd=7))
tcp   LISTEN 0      2048                                 [::]:636           [::]:*    users:(("slapd",pid=1376,fd=10))
tcp   LISTEN 0      2048                                 [::]:389           [::]:*    users:(("slapd",pid=1376,fd=8))

Firewall

Open only what clients actually use. If every client connects with ldaps://, leave 389 closed; if plain LDAP has to stay reachable for StartTLS, pair it with olcSecurity in cn=config so that port 389 only accepts operations once TLS has been negotiated.

# firewall-cmd --permanent --add-port=389/tcp
# firewall-cmd --permanent --add-port=636/tcp
# firewall-cmd --reload
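An added helper script that wraps the steps above; it is not part of this page and not OpenLDAP's own tooling. It generates the cn=config LDIF with replace: so it can be re-applied, refuses a private key that the slapd user cannot read or that other users can, and, run from a client, verifies the chain against the CA bundle and reads the rootDSE over ldaps:// with certificate checking enforced (ss only shows that something listens on 636, not that the certificate is trusted). Assumed: GNU stat, OpenSSL 1.1 or newer (for -verify_hostname), the OpenLDAP client tools, and slapd running as user ldap; host and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU coreutils stat,
# OpenSSL >= 1.1, OpenLDAP client tools, and slapd running as user "ldap".
set -eu

# Emit the cn=config LDIF for the three TLS attributes as one modify operation.
# "replace:" (rather than "add:") keeps it idempotent: a second "add:" of an
# attribute that is already set fails with "attribute ... exists".
tls_ldif() { # $1 CA bundle, $2 server certificate, $3 private key
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $2
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $3
EOF
}

# Return 0 only if the key is owned by (or group-readable for) the slapd user
# and has no "other" permission bits. slapd cannot start TLS if it cannot read
# the key; a world-readable key lets any local user impersonate the server.
key_perms_ok() { # $1 key file, $2 slapd user
  mode=$(stat -c '%a' "$1") || return 1
  owner=$(stat -c '%U' "$1")
  group=$(stat -c '%G' "$1")
  case "$mode" in
    *[1-7]) return 1 ;; # last octal digit non-zero: "other" has access
  esac
  [ "$owner" = "$2" ] || [ "$group" = "$2" ]
}

# End-to-end check from a client. s_client exits non-zero when the chain does
# not verify against the CA bundle or the name does not match; ldapsearch with
# LDAPTLS_REQCERT=demand is what a correctly configured client enforces anyway.
verify_ldaps() { # $1 server host name (must match the certificate), $2 CA bundle
  openssl s_client -connect "$1:636" -servername "$1" -verify_hostname "$1" \
    -CAfile "$2" -verify_return_error </dev/null >/dev/null
  LDAPTLS_CACERT="$2" LDAPTLS_REQCERT=demand \
    ldapsearch -H "ldaps://$1" -x -s base -b '' supportedLDAPVersion >/dev/null
  echo "ldaps://$1 verified against $2"
}

# Usage: ldif CA CERT KEY | check-key KEY [USER] | verify HOST CA
case "${1:-}" in
  ldif)      tls_ldif "$2" "$3" "$4" ;;
  check-key) if key_perms_ok "$2" "${3:-ldap}"; then echo "key permissions ok"
             else echo "FIX: $2 must be owned by/readable for ${3:-ldap} and mode 640 or stricter" >&2; exit 1; fi ;;
  verify)    verify_ldaps "$2" "$3" ;;
esac
```

Typical use on the server: `sh ldaps-helper.sh check-key /etc/pki/tls/private/example.com.key` before `ldapmodify`, then `sh ldaps-helper.sh ldif /etc/pki/tls/certs/example.com_ca-bundle.pem /etc/pki/tls/certs/example.com.crt /etc/pki/tls/private/example.com.key | ldapmodify -Y EXTERNAL -H ldapi:///`; from a client, `sh ldaps-helper.sh verify ldap.example.com ca-bundle.pem` once the firewall rule is in place.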