LDAP transmits in plaintext, so for security it is best to configure TLS-encrypted transport. The configuration steps are below (the LDAP SERVER setup itself is omitted; it is covered in the earlier document).

Environment:
LDAP SERVER1 172.16.42.136
LDAP SERVER2 172.16.42.137
CA SERVER & LDAP Client 172.16.42.135

CA Server configuration:
Create the CA server's private key
```
#cd /etc/pki/CA
#(umask 077; openssl genrsa -out private/cakey.pem 2048)
```
Edit the /etc/pki/tls/openssl.cnf configuration file to change the default certificate settings
```
[ req_distinguished_name ]
countryName_default = CN
stateOrProvinceName_default = Shanghai
localityName_default = Shanghai
0.organizationName_default = beyondh
organizationalUnitName_default = OPS
```
Generate the self-signed CA certificate
```
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shanghai]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [beyondh]:
Organizational Unit Name (eg, section) [OPS]:
Common Name (eg, your name or your server's hostname) []:ca.beyondh.org
Email Address []:451345726@qq.com
```
By default there are no serial and index.txt files under /etc/pki/CA; they must be created manually
```
[root@mq02 CA]# touch index.txt
[root@mq02 CA]# echo 01 > serial
[root@mq02 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
```
LDAP SERVER configuration
Generate the private key file
```
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# (umask 077; openssl genrsa 1024 > ldap.key)
Generating RSA private key, 1024 bit long modulus
............................++++++
.......++++++
e is 65537 (0x10001)
[root@localhost CA]# ls
certs  crl  ldap.key  newcerts  private
```
Generate the certificate signing request
```
openssl req -new -key ldap.key -out ldap.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:beyondh
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:ldap.beyondh.org
Email Address []:451345726@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
```
Copy the certificate signing request to the CA Server
```
scp ldap.csr 172.16.42.135:/tmp
```
Log in to the CA Server and sign the LDAP server's request into a certificate
```
openssl ca -in /tmp/ldap.csr -out ldap.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 24 07:18:05 2017 GMT
            Not After : Mar 22 07:18:05 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = beyondh
            organizationalUnitName    = OPS
            commonName                = ldap.beyondh.org
            emailAddress              = 451345726@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                02:CF:80:2A:80:99:1D:FA:8A:AC:B2:52:B8:4F:21:ED:BF:A9:33:8F
            X509v3 Authority Key Identifier:
                keyid:E0:08:32:85:E9:45:AD:5B:BF:EB:42:15:EE:65:3C:80:56:00:24:93

Certificate is to be certified until Mar 22 07:18:05 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Copy the CA server's own certificate and the LDAP SERVER's certificate file to the LDAP SERVER
```
[root@mq02 tmp]# scp /tmp/ldap.crt 172.16.42.137:/root
[root@mq02 CA]# scp /etc/pki/CA/cacert.pem 172.16.42.137:/root
```

Log in to the LDAP SERVER and edit the /etc/openldap/slapd.conf configuration file
```
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
TLSVerifyClient allow
```
Explanation of TLSVerifyClient:
never: the default; the client certificate is not verified.
allow: the client certificate is checked, but a missing or invalid certificate still allows the connection.
try: the client certificate is checked; a missing certificate allows the connection, an invalid certificate terminates it.
demand | hard | true: the client certificate is checked; a missing or invalid certificate terminates the connection immediately.
Edit the /etc/sysconfig/ldap file on the LDAP server
```
SLAPD_LDAP=yes
SLAPD_LDAPS=yes
```
Regenerate the configuration directory and restart the slapd service
```
rm -rf slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap slapd.d
/etc/init.d/slapd restart
```
Client configuration
Install the openldap client
```
yum -y install nss-pam-ldapd setuptool
yum -y install openldap openldap-*
yum -y install openssh-ldap
/etc/init.d/nslcd start
```
Run setup or authconfig-tui to configure the client, or edit the configuration files directly; refer to the link below.
Confirm the client configuration file /etc/openldap/ldap.conf
```
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://172.16.42.137
BASE dc=beyondh,dc=org
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert.pem   # copy the CA server's certificate to this path
```
Restart the client service
```
[root@mq02 CA]# /etc/init.d/nslcd restart
```
Test whether the client can connect to the server
```
[root@mq02 openldap]# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
ldap_start_tls: Operations error (1)
        additional info: TLS already started
anonymous
Result: Success (0)
```
The ldap_start_tls error is expected here: the URI is already ldaps://, so -Z asks for StartTLS on a session that is already encrypted; the anonymous bind itself succeeds over TLS.
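As an added check that is not part of the original post, the script below audits the client ldap.conf, the slapd.conf TLS lines and /etc/sysconfig/ldap exactly as configured above and reports the settings that leave TLS unenforced (TLS_REQCERT allow, an IP literal that cannot match the certificate's commonName ldap.beyondh.org, the plaintext listener, unverified client certificates). The sample configuration strings are constructed from the post; the `security ssf=128` directive it mentions is a standard slapd.conf option, not something the post configured.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the client /etc/openldap/ldap.conf from the post.
LDAP_CONF = """\
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://172.16.42.137
BASE dc=beyondh,dc=org
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert.pem
"""
# Constructed samples: the TLS lines of slapd.conf and /etc/sysconfig/ldap from the post.
SLAPD_CONF = """\
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
TLSVerifyClient allow
"""
SYSCONFIG_LDAP = "SLAPD_LDAP=yes\nSLAPD_LDAPS=yes\n"
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_directives(text):
    """Map DIRECTIVE -> value for 'KEY value' (ldap.conf, slapd.conf) and 'KEY=value' (sysconfig)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and blank lines
        if line:
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            out[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def audit(client_conf, slapd_conf, sysconfig, cert_cn):
    """Return findings; an empty list means client and server both enforce TLS."""
    c, s, y = (parse_directives(t) for t in (client_conf, slapd_conf, sysconfig))
    findings = []
    for uri in c.get("URI", "").split():
        u = urlsplit(uri)
        if u.scheme == "ldap":
            findings.append(f"{uri}: plaintext ldap:// URI; use ldaps:// or require StartTLS")
        elif IPV4.match(u.hostname or "") and u.hostname != cert_cn:
            # The certificate was issued to a hostname (no SAN), so strict checking rejects the IP.
            findings.append(f"{uri}: IP literal will not match certificate name {cert_cn} "
                            "once TLS_REQCERT is demand; use the hostname")
    if c.get("TLS_REQCERT", "demand").lower() != "demand":  # demand is the ldap.conf default
        findings.append(f"TLS_REQCERT {c['TLS_REQCERT']}: a missing or bad server certificate "
                        "is tolerated, so an interposed server is accepted; set demand")
    if y.get("SLAPD_LDAP", "").lower() == "yes":
        findings.append("SLAPD_LDAP=yes: port 389 accepts unencrypted binds unless slapd.conf "
                        "also sets 'security ssf=128'")
    if s.get("TLSVERIFYCLIENT", "never").lower() in ("never", "allow"):
        findings.append(f"TLSVerifyClient {s.get('TLSVERIFYCLIENT', 'never')}: client "
                        "certificates are not checked (matters only for certificate-based auth)")
    return findings
```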
Notes:
After switching to TLS, if only ldaps is enabled and the plain ldap listener is not started, the phpldapadmin web management tool can no longer log in. The reason is unclear.
Also, the two LDAP SERVERs are set up in mirrormode, and how to make their synchronization use TLS encryption is also unclear.