RH423-6 LDAP开启ssl/tls认证

 LDAP启用SSL/TLS

一、利用redhat-idm-console控制台生成ssl证书请求文件

[root@station2 ~]#redhat-idm-console

1、选择Manager Certificates后点击Request，生存证书请求文件

2、选择Request Certificaate manually后在Requestor information输入CA中心要求相关信息

#红色部分为CA中心定义的必须匹配的信息，其他为ldap服务器自身信息

3、在弹出对话框中输入Token Passwd（该密码为证书保护密码）的密码redhat，输入密码后next，选择“save to file”

#save to file文件即位证书请求文件dirsrv.crt（文件名自己定义）

4、将证书请求文件dirsrv.csr发送给CA中心，并由CA中心生成证书

[root@station2 ~]# scp dirsrv.csr 192.168.32.31:/root/.

root@192.168.32.31's password:

dirsrv.csr                            100%  684     0.7KB/s   00:00

[root@server1 ~]# openssl ca -in dirsrv.csr -out dirsrv.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 7 (0x7)

        Validity

            Not Before: Apr 13 04:08:15 2011 GMT

            Not After : Apr 12 04:08:15 2012 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = kvm,Inc.

            organizationalUnitName    = example.com

            commonName                = station2.example.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                F4:7A:1D:90:90:F2:AD:AF:F1:97:44:1B:23:C7:39:D0:B3:82:F5:D9

            X509v3 Authority Key Identifier:

                keyid:82:06:F6:4D:45:71:D8:0C:EC:14:DD:44:2C:CB:78:24:5E:9D:D0:C5

Certificate is to be certified until Apr 12 04:08:15 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

#CA中心生成证书

[root@server1 ~]# scp dirsrv.crt 192.168.32.32:/root/.

root@192.168.32.32's password:

dirsrv.crt                              100% 3765     3.7KB/s   00:00   

[root@server1 ~]# scp /etc/pki/CA/my-ca.crt dirsrv.crt 192.168.32.32:/root/.      

root@192.168.32.32's password:

my-ca.crt                              100% 1533     1.5KB/s   00:00   

#将证书和CA公钥发送给ldap服务器

二、ldap服务器利用redhat-idm-console控制台导入公钥和ca中心公钥，并开启ssl/tls认证

1、导入公钥：选择install，在in this local file对话框中输入ldap服务器公钥

#CA中心公钥导入同上

2、开启ssl/tls认证

3、编辑证书保护密码存放文件，并重启ldap服务器

    [root@station2 ~]# vi /etc/dirsrv/slapd-station2/pin.txt

Internal (Software) Token:redhat

#redhat为证书保护密码

[root@station2 ~]# service dirsrv restart

Shutting down dirsrv:

station2...                                            [确定]

Starting dirsrv:

station2...                                            [确定]

  #如果证书生成过程中有任何错误，均不能启动dirsrv服务。

[root@station2 ~]# netstat -tunpl|grep 636

tcp        0      0 :::636            :::*        LISTEN   10753/ns-slapd 

  #636端口开启表示ldap已经开启ssl/tls认证

三、客户端开启ssl/tls认证

[root@station2 ~]# vi /etc/openldap/ldap.conf

TLS_CACERT /etc/pki/tls/certs/my-ca.crt

[root@station2 ~]# ldapsearch -x "uid=zhangsan123" -ZZ -LLL

dn: uid=zhangsan123,ou=People,dc=station2,dc=example,dc=com

cn: zhangsam 123

sn: zhang

givenName: Emanuel

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

ou: Product Testing

ou: People

l: Santa Clara

uid: zhangsan123

telephoneNumber: +1 408 555 0933

facsimileTelephoneNumber: +1 408 555 9752

roomNumber: 3906

manager: uid=jwalker, ou=People, dc=station2,dc=example,dc=com

userPassword:: e1NTSEF9ZGcvQWpjUmhyOHAyd05tNU5Kbmo5bTFwMkJoN1VqcWltSHI1TXc9PQ=

 =

#如果密码指定ca中心公钥，将无法利用-ZZ查询。客户端在从ldap服务器中获取数据时，会提示下载并导入ldap服务器的公钥。

本文转自netsword 51CTO博客，原文链接:http://blog.51cto.com/netsword/543773