The subject says it all. My Open Directory server (High Sierra + Server 5.6.3) provides LDAP but unencrypted. I never got around to fixing it, but it is time.
What do I need to do to make sure the server only accepts LDAPS connections? And can I use letsencrypt certificates for this?
Mac mini, macOS High Sierra (10.13.6), Server 5.6
SSL is a checkbox in Directory Utility. Use Network Utility or the command line to run a port scan after enabling SSL, this to confirm which ports are open. TCP and UDP ports used by Apple software products - Apple Support LDAP shouldn't use SSL on 389, and should use SSL on 636.
Whether LE certificates makes sense here depends on a few details... Such as whether the server is exposed to the 'net. LE certificates have to be renewed every three months, and which can get to be a bit of a periodic hassle for an internal-only server.
Existing discussions of using certificates with macOS with Server.app and Open Directory that might be useful:
As for LDAP via LE SSL cert, try it. The LE certs are free and do offer SSL, and you're either going to be doing this whole renewal process manually, or you're going to need some set-up to test with it all anyway.
As for an internal-only server, I'd be tempted to run a local certificate authority chain, and loading the root public cert into the clients. No need for LE or purchased cert, if the systems are entirely internal and all the clients are either under your control, or have a secure path to load the root public cert.
If you enable SSL, you're going to absolutely want to ensure your DNS configuration is exactly right on the server, or "fun" can ensue. On a NAT'd network, using remote/public DNS is not going to play very well. Your forward—name to address—translation must produce the same host name when the IP address is then run through the reverse—address to name—DNS translation. Among other tests...
$ sudo changeip -checkhostname
Password:
dirserv:success = "success"
$
I've not tried LE certs with LDAP. I'm running private servers with private CA chains. But it should work. Given the mass deprecation of services and the product shift away from a server and into an MDM role, I'm spending less time working with Server.app, though.
And as was mentioned over in your posting of this same question at SO, including just one question to a posting does tend to work better, too:
SSL is a checkbox in Directory Utility. Use Network Utility or the command line to run a port scan after enabling SSL, this to confirm which ports are open. TCP and UDP ports used by Apple software products - Apple Support LDAP shouldn't use SSL on 389, and should use SSL on 636.
Whether LE certificates makes sense here depends on a few details... Such as whether the server is exposed to the 'net. LE certificates have to be renewed every three months, and which can get to be a bit of a periodic hassle for an internal-only server.
Existing discussions of using certificates with macOS with Server.app and Open Directory that might be useful:
As for LDAP via LE SSL cert, try it. The LE certs are free and do offer SSL, and you're either going to be doing this whole renewal process manually, or you're going to need some set-up to test with it all anyway.
As for an internal-only server, I'd be tempted to run a local certificate authority chain, and loading the root public cert into the clients. No need for LE or purchased cert, if the systems are entirely internal and all the clients are either under your control, or have a secure path to load the root public cert.
If you enable SSL, you're going to absolutely want to ensure your DNS configuration is exactly right on the server, or "fun" can ensue. On a NAT'd network, using remote/public DNS is not going to play very well. Your forward—name to address—translation must produce the same host name when the IP address is then run through the reverse—address to name—DNS translation. Among other tests...
$ sudo changeip -checkhostname
Password:
dirserv:success = "success"
$
I've not tried LE certs with LDAP. I'm running private servers with private CA chains. But it should work. Given the mass deprecation of services and the product shift away from a server and into an MDM role, I'm spending less time working with Server.app, though.
And as was mentioned over in your posting of this same question at SO, including just one question to a posting does tend to work better, too:
Hi MrHoffman,
Thank you for replying. I'm actually quite aware of using lets encrypt certs on macOS High Sierra Server. I recently released an extended script that fully automates the deployment process (including cleaning up no longer used certificates after it has been renewed). See https://community.letsencrypt.org/t/released-script-to-automatically-deploy-lets encrypt-certs-on-macos-high-sierra-serve…
But to secure Open Directory, I run into two things.
PS. Much of what can be found on the net is often from very old versions of macOS Server (e.g. Snow Leopard) and it generally is manual work only (which is not really a good plan with certs that have to be renewed every 90 days).
If the server is not exposed, generate and use a private cert, or a private root cert if you want to go all-in.
There's no difference in provided security between a commercial cert, a LE cert, and a private cert or private CA, if you have a trusted path to load the root public cert into the clients. That trusted load path is a big part of what a purchased cert provides.
Why? You won't have to deal with any of this mess again, at least until your cert or CA root cert expires.
And there are ways to replace the root cert without clobbering the clients, if you're inclined:
I found a very simple solution to be able to use Letsencrypt certificates:
Instead of messing around with Apache, I just used the NAT on my router. I client on the outside trying to connect to port 80 of serverhost.mydomain.tld gets translated to my internal serverhost.mydomain.tld:8079 where a separate small web server is running that is there just for letsencrypt. Now, certbot can use the document root of that server. On the inside, going to port 80 of that server just gets you the Server admin.
I only wonder if OD must be restarted when the cert is renewed. For Apache, this isn't necessary as each request gets handled separately.
And having solved the letsencrypt install issue, I have to report that a letsencrypt cert for my OD doesn't seem to work (error -2100 on the client).
Using the Server-generated cert works (I get a working LDAPS).
How do I make sure Open Directory on macOS High Sierra Server only serves using SSL?
