Secure Open Directory LDAP


areis (Dabbler, joined May 1, 2014, 33 messages)
I've successfully set up Kerberos principals for authentication

https://forums.freenas.org/index.ph...pen-directory-in-mac-os-x-environments.46493/

with my Mac mini server running MacOS (10.12.5) Server (5.3.1) and Open Directory. Everything seems to work great (thanks tigloo).

How do I secure LDAP with SSL/TLS? I am totally lost on importing/exporting certificates on both my MacOS server and FreeNAS server to make this work.

BTW I am using this setup in a simple home environment with a self signed certificate on my MacOS server. I understand this may be overkill, but I would like to understand the process before I purchase a third party certificate.

Thanks.
 
dlavigne (Guest)
Once you import the certificate using the Certificates section of the FreeNAS UI, it will appear in the drop-down certificates menu in the LDAP section of the UI. Refer to those sections of the Guide and let us know if you encounter any errors.
 

areis (Dabbler, joined May 1, 2014, 33 messages)
Once you import the certificate using the Certificates section of the FreeNAS UI, it will appear in the drop-down certificates menu in the LDAP section of the UI. Refer to those sections of the Guide and let us know if you encounter any errors.

I hate to sound stupid, but this is my problem. How do you (in detail) either:
a) export a certificate from the macOS server in the proper format (text) so that you can copy and paste the data (certificate, private key, passphrase, and serial number) into the appropriate import CA boxes on the FreeNAS server
b) create a CA on the FreeNAS server and export a certificate from the FreeNAS server to import it into the macOS server

I'm not sure which to do, how to do it, or if both of these methods are wrong and something else needs to be done.
 
areis (Dabbler, joined May 1, 2014, 33 messages)
Were you able to figure this out?
Not yet. I confess. I am a newbie (photographer storing images on FreeNAS server, Plex, and BTSync) still learning, but willing to try. :)
 

blacs30 (Dabbler, joined Mar 12, 2017, 22 messages)
In macOS use the Keychain Access tool to export the certificate(s).
Unfortunately my parts are still on the road and I don't have FreeNAS running here yet.
I will check back here once I have my FreeNAS running, should be hopefully end of next week.
 

areis (Dabbler, joined May 1, 2014, 33 messages)
I finally got this to work by purchasing a third party certificate and using System->CAs->Import CA. You don't necessarily need a passcode. I left it blank and it works. Log entries look like:

Jun 25 05:30:00 SERVER ldaptool: [common.pipesubr:66] Popen()ing: klist
Jun 25 05:30:00 SERVER ldaptool: [common.pipesubr:66] Popen()ing: /usr/bin/kinit --renewable --password-file=/tmp/tmpxC9x1J diradmin@SERVER.EXAMPLE.COM

Everything seems to work. I don't think FreeNAS likes self signed certificates from my server CA, or I was importing/exporting it incorrectly.
 

blacs30 (Dabbler, joined Mar 12, 2017, 22 messages)
Slowly my FreeNAS is up and I was able to use the Open Directory server CA.

On the Server where Open Directory is running open the "Keychain Access" tool and export the Open Directory certificate as .p12 file.
- enter a password

Run this command to get the certificate information for FreeNAS:
openssl pkcs12 -info -in Certificate.p12
- enter the password from the previous step

Copy the complete part, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into the certificate field when importing a CA in FreeNAS.
- Enter the password.
- Leave the private key empty.
- Get the serial from the "Keychain Access" tool.

Then you can assign this certificate in the Directory part of FreeNAS and choose TLS as encryption mode.
 
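The following script is an added example, not code from the thread, from Apple or from FreeNAS. It replays blacs30's steps with openssl on a locally generated stand-in for the Open Directory CA, so that the text you are about to paste into System->CAs->Import CA can be checked first: how many certificates the .p12 export contains, what the serial number is, and whether the LDAP server's certificate actually chains to the certificate you extracted. Two deliberate differences from the thread: `-nokeys` replaces `-info`, so the private key never reaches the terminal or clipboard (the FreeNAS form only needs the certificate, which is why blacs30 leaves the private key field empty), and a second, unrelated CA is generated to show what a wrong import looks like. All file names, the CN values and the export password `secret` are constructed stand-ins.

```shell
#!/bin/sh
# Added example: replays the .p12 export -> certificate extraction -> verification
# steps locally. Everything below is generated on the spot; nothing comes from a
# real Keychain or FreeNAS box.
WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-secret}"   # constructed stand-in for the Keychain export password

# Self-signed certificate + key, used as the stand-in Open Directory CA and,
# later, as an unrelated CA. $1 = CN, $2 = file basename, $3 = serial number.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -set_serial "$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Stand-in for the Keychain Access export: certificate and private key bundled
# into a password-protected .p12 file.
export_p12() {
    openssl pkcs12 -export -in "$WORK/od-ca.crt" -inkey "$WORK/od-ca.key" \
        -name "Open Directory CA" -passout "pass:$P12_PASS" -out "$WORK/od-ca.p12"
}

# The thread uses "openssl pkcs12 -info"; -nokeys is used here so the private
# key is never printed. The awk range keeps only the -----BEGIN/END
# CERTIFICATE----- blocks (all of them, if the export holds a chain) and drops
# the "Bag Attributes" lines between them.
extract_certs() {
    openssl pkcs12 -in "$WORK/od-ca.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
        > "$WORK/od-ca-export.pem"
}

# Number of certificates that came out of the export: only the issuing CA
# belongs in "Import CA", so anything other than 1 needs a closer look.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$WORK/od-ca-export.pem"
}

# Serial number in hex, as openssl prints it, to compare with Keychain Access
# before filling in the serial field of the FreeNAS form.
cert_serial() {
    openssl x509 -in "$WORK/od-ca-export.pem" -noout -serial | sed 's/^serial=//'
}

# Stand-in for the LDAP server certificate, issued by the demo CA.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.com" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/od-ca.crt" \
        -CAkey "$WORK/od-ca.key" -CAcreateserial -days 365 \
        -out "$WORK/ldap.crt" >/dev/null 2>&1
}

# The check that matters before importing: does the LDAP server certificate
# chain to the certificate you extracted? $1 = CA file to trust. Exit 0 = OK.
verify_server_cert() {
    openssl verify -CAfile "$1" "$WORK/ldap.crt" >/dev/null 2>&1
}

# Live version of the same check against the real server (not run here).
# FreeNAS's "TLS" mode negotiates STARTTLS on port 389; its "SSL" mode would
# be plain TLS on 636 without -starttls. $1 = host, $2 = CA file to trust.
check_ldap_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" \
        -verify_return_error </dev/null
}

run_demo() {
    make_self_signed "Example Open Directory CA" od-ca 0x1234
    make_self_signed "Unrelated CA" other-ca 0x5678
    export_p12
    extract_certs
    make_server_cert
    echo "certificates in export: $(cert_count), serial: $(cert_serial)"
    verify_server_cert "$WORK/od-ca-export.pem" && echo "server cert chains to the exported CA"
    verify_server_cert "$WORK/other-ca.crt" || echo "unrelated CA rejected, as expected"
}

if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Run it as `sh script.sh demo`; against a real export, point `extract_certs` at the .p12 from Keychain Access and then use `check_ldap_starttls server.example.com od-ca-export.pem` before touching the FreeNAS form. If a current openssl refuses a real Keychain export with an unsupported-algorithm error, the .p12 may use the older PKCS#12 encryption that OpenSSL 3 only reads with `-legacy` added to the `openssl pkcs12` command. A verification failure with the certificate you extracted usually means the export contained the server's own certificate rather than the CA that issued it, which is the kind of mismatch areis describes with the self-signed setup.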

blacs30 (Dabbler, joined Mar 12, 2017, 22 messages)
I finally got this to work by purchasing a third party certificate and using System->CAs->Import CA. You don't necessarily need a passcode. I left it blank and it works. Log entries look like:

Jun 25 05:30:00 SERVER ldaptool: [common.pipesubr:66] Popen()ing: klist
Jun 25 05:30:00 SERVER ldaptool: [common.pipesubr:66] Popen()ing: /usr/bin/kinit --renewable --password-file=/tmp/tmpxC9x1J diradmin@SERVER.EXAMPLE.COM

Everything seems to work. I don't think FreeNAS likes self signed certificates from my server CA, or I was importing/exporting it incorrectly.

Do you use Kerberos with Open Directory via TLS certificate? - For me it seems that in this case no ticket is generated, only when I don't use TLS.
 