OpenLDAP + FreeRADIUS + Samba + 802.1X for wireless and wired network authentication with dynamic VLAN assignment: the OpenLDAP part (1)

Summary: OpenLDAP + FreeRADIUS + Samba + 802.1X for wireless and wired network authentication with dynamic VLAN assignment, the OpenLDAP part.

Part 1. Environment preparation


1. Server inventory


Name            OS                   Spec         IP address
ldap-master     CentOS 7.6 (core)    2c 2g 50g    192.168.2.147
ldap-slave      CentOS 7.6 (core)    2c 2g 50g    192.168.2.150
redius-master   CentOS 7.6 (core)    2c 2g 50g    192.168.3.140
redius-slave    CentOS 7.6 (core)    2c 2g 50g    192.168.3.141
CA server       CentOS 7.6 (core)    1c 1g 16g    192.168.2.148
Client          Windows 7            2c 2g 50g    192.168.3.150


2. Initial server configuration


Mind the NIC name used in the script (ens192 here); change it to match your machine.


#!/bin/bash
echo "Enter your system information"

### Stop firewalld and NetworkManager, disable SELinux ###
systemctl stop firewalld
systemctl disable firewalld
systemctl stop NetworkManager
systemctl disable NetworkManager
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

### Install a few everyday tools ###
yum -y install vim tree wget net-tools ntpdate

### Sync the clock now, then once an hour from cron ###
ntpdate ntp1.aliyun.com
echo "0 * * * * /usr/sbin/ntpdate ntp1.aliyun.com > /dev/null 2>&1" > /var/spool/cron/root

### Switch the yum repositories to the Aliyun mirror ###
mkdir /etc/yum.repos.d.bak ; mv /etc/yum.repos.d/* /etc/yum.repos.d.bak
wget -O /etc/yum.repos.d/aliyun-centos7-base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/aliyun-centos7-epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache

### NIC: pin the MAC address and rename ens192 to eth0 ###
m1=$(ifconfig ens192 | grep "ether" | tr -s " " % | cut -d% -f3)
cd /etc/sysconfig/network-scripts/
echo "HWADDR=$m1" >> ifcfg-ens192
mv ifcfg-ens192 ifcfg-eth0
sed -i 's/ens192/eth0/g' ifcfg-eth0
cat > /etc/udev/rules.d/70-persistent-net.rules <<EOF
SUBSYSTEM=="net",ACTION=="add",DRIVERS=="?*",ATTR{address}=="$m1",ATTR{type}=="1",KERNEL=="eth*",NAME="eth0"
EOF

### Directories we will need later ###
mkdir /data

### Shell prompt with user, host, time and working directory ###
echo 'export PS1="\[\e[37;40m\][\[\e[31;40m\]\u\[\e[37;40m\]@\h \[\e[36;40m\](\t)\w\[\e[0m\]]\\$ "' >> /root/.bashrc

Two things to be aware of in this script. The cron entry fires once an hour (a spec of "* */1 * * *" would fire every minute), and it is written with ">" so it replaces whatever root's crontab held before. And it turns firewalld and SELinux off outright. That is a lab shortcut: the LDAP servers will hold every user's password hash, so on anything but a throwaway lab keep firewalld running and open only 389/636 (and 22) to the RADIUS servers and the admin network.


3. Take a snapshot, so that a mistake does not cost you the whole system


After the reboot, start deploying the LDAP environment.


Part 2. Building the LDAP environment


1. Make sure the machine is online


[root@lcp (13:49:35)~]# ping www.baidu.com
PING www.a.shifen.com (61.135.169.125) 56(84) bytes of data.
64 bytes from 61.135.169.125 (61.135.169.125): icmp_seq=1 ttl=128 time=3.11 ms
^C
--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.111/3.111/3.111/0.000 ms


2. Install the packages


[root@ldap-master (11:21:26)~]# yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel migrationtools samba* freeradius*

samba and freeradius are pulled in on the LDAP server only for their LDAP schema files, which are copied into OpenLDAP in the next steps; the doc directories those files live in carry the package version, so check what yum actually installed before copying.


3. Where the LDAP configuration lives


[root@ldap-master (11:21:26)~]# cd /etc/openldap/
[root@ldap-master (11:25:33)/etc/openldap]# tree slapd.d
slapd.d
├── cn=config
│   ├── cn=schema
│   │   └── cn={0}core.ldif              # the core schema
│   ├── cn=schema.ldif                   # schema container entry
│   ├── olcDatabase={0}config.ldif       # the cn=config database itself
│   ├── olcDatabase={-1}frontend.ldif    # frontend (global defaults for all databases)
│   ├── olcDatabase={1}monitor.ldif      # monitoring database
│   └── olcDatabase={2}hdb.ldif          # the hdb data database
└── cn=config.ldif                       # global settings

2 directories, 7 files


4. Configure LDAP


1. Back up the configuration directory


[root@ldap-master (11:25:35)/etc/openldap]# mv slapd.d{,.bak}
[root@ldap-master (11:26:16)/etc/openldap]# ls
certs  check_password.conf  ldap.conf  schema  slapd.d.bak
[root@ldap-master (11:26:23)/etc/openldap]# mkdir slapd.d
[root@ldap-master (11:26:30)/etc/openldap]# slappasswd
New password: 123456
Re-enter new password: 123456
{SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6        # save this hash, it goes into slapd.ldif shortly
[root@ldap-master (11:26:43)/etc/openldap]# cp /usr/share/openldap-servers/slapd.ldif ./      # copy the slapd.ldif template into this directory

slappasswd does not echo what you type; 123456 is shown here only to make the example followable. This password belongs to the directory's rootdn, which bypasses every access rule, so pick a real one.


2. Copy the schemas you need into /etc/openldap/schema


Copy both the samba and the freeradius schema. The version directories below are the ones yum installed on this box (freeradius-3.0.13, samba-4.9.1); adjust them to what ls /usr/share/doc shows on yours.


cp /usr/share/doc/freeradius-3.0.13/schemas/ldap/openldap/freeradius.ldif /etc/openldap/schema/
cp /usr/share/doc/freeradius-3.0.13/schemas/ldap/openldap/freeradius.schema /etc/openldap/schema/
cp /usr/share/doc/samba-4.9.1/LDAP/samba.schema /etc/openldap/schema/
cp /usr/share/doc/samba-4.9.1/LDAP/samba.ldif /etc/openldap/schema/


3. Edit the configuration file


[root@ldap-master (11:31:23)/etc/openldap]# cat slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath:    /usr/lib/openldap
#olcModulepath:    /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
# (every .ldif schema under /etc/openldap/schema/ that we need is included here;
#  samba.ldif and freeradius.ldif are the two copied in above)
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/samba.ldif
include: file:///etc/openldap/schema/freeradius.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none
#
# Server status monitoring
# (cn=acadmin is the admin account name, the dc components are the domain)
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=acadmin,dc=test,dc=net,dc=cn" read by * none
#
# Backend database definitions
# (suffix and rootdn use the same cn/dc as the monitor ACL above;
#  olcRootPW is the slappasswd hash generated a moment ago)
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=test,dc=net,dc=cn
olcRootDN: cn=acadmin,dc=test,dc=net,dc=cn
olcRootPW: {SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6
olcDbDirectory:    /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub


A word on cn and dc: cn is a name (here the admin account), dc is a domain component, one per label of the domain name, so test.net.cn becomes dc=test,dc=net,dc=cn. Keep the notes out of the LDIF itself: a "#" only starts a comment at the beginning of a line, so a remark appended after a value is imported as part of that value.

Two things worth doing before this file is imported. It now holds the rootdn's password hash, so keep it readable by root only, as its own header says. And the hdb database has no olcAccess rules while the frontend sample policy is still commented out; as the file's own comment explains, the default is then "access to * by * read", which lets an anonymous bind read every attribute, userPassword included, and, once users carry the samba schema, their sambaNTPassword and sambaLMPassword hashes as well (the NT hash alone is enough to authenticate over MSCHAPv2). Uncomment the sample frontend policy at least, and add a rule on the hdb database that hides those password attributes from everyone except the entry itself (write) and anonymous binds (auth only) before loading any user.

With that, the initial slapd.ldif is done.


4. Set up the database


[root@ldap-master (11:31:54)/etc/openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-master (11:36:40)/etc/openldap]# chown -R ldap:ldap /var/lib/ldap


Nothing more to the database: copy the example DB_CONFIG in and fix the ownership.


5. Generate the configuration from slapd.ldif


If the import fails, check slapd.ldif: no line may end in a space.

After fixing it, empty the slapd.d directory and run the import again.


[root@ldap-master (11:43:16)/etc/openldap]# slapadd -n 0 -F slapd.d -l slapd.ldif
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@ldap-master (11:43:18)/etc/openldap]# chown -R ldap:ldap slapd.d
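Added example, not part of the original article: a small shell checker to run over slapd.ldif before slapadd. It catches the trailing-space problem this step warns about, the inline "# note" problem (the note is imported as part of the value), a rootdn outside the suffix, a cleartext olcRootPW, and a missing olcAccess on the data database. It assumes the entry names used in this article (olcDatabase=hdb,cn=config, suffix dc=test,dc=net,dc=cn, rootdn cn=acadmin); sample_ldif prints a constructed, cut-down copy of the file above so the checks can be tried without a server.

```shell
#!/bin/sh
# Sanity-check a slapd.ldif before `slapadd -n 0` imports it.
# Added example for this article; entry names and the sample data are assumptions.

# Print every value of ATTR inside the entry DN, unfolding LDIF continuation lines.
# usage: ldif_attr FILE DN ATTR
ldif_attr() {
    awk -v want_dn="$2" -v want_attr="$3" '
        function emit(line,    i, attr, val) {
            if (line ~ /^#/) return                       # comment line
            i = index(line, ":"); if (i == 0) return
            attr = substr(line, 1, i - 1)
            val  = substr(line, i + 1); sub(/^ +/, "", val)
            if (attr == "dn") dn = val
            else if (dn == want_dn && attr == want_attr) print val
        }
        /^ /  { buf = buf substr($0, 2); next }                      # folded line: glue to the previous one
        /^$/  { if (buf != "") emit(buf); buf = ""; dn = ""; next }  # blank line ends the entry
              { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }
    ' "$1"
}

# Formatting problems that slapadd either rejects or, worse, imports as data.
ldif_lint() {
    local rc=0
    # trailing whitespace (or a CR) stays part of the value
    if grep -n '[[:space:]]$' "$1"; then
        echo "lint: trailing whitespace on the lines above" >&2; rc=1
    fi
    # "#" only starts a comment at the beginning of a line; "attr: value  # note" stores the note
    if grep -n '^[^#].*[[:space:]]#' "$1"; then
        echo "lint: inline comments on the lines above become part of the value" >&2; rc=1
    fi
    return $rc
}

# Semantic checks on the hdb database entry used in this article.
slapd_ldif_check() {
    local f="$1" db="olcDatabase=hdb,cn=config" rc=0 suffix rootdn rootpw
    ldif_lint "$f" || rc=1
    suffix=$(ldif_attr "$f" "$db" olcSuffix)
    rootdn=$(ldif_attr "$f" "$db" olcRootDN)
    rootpw=$(ldif_attr "$f" "$db" olcRootPW)
    [ -n "$suffix" ] || { echo "check: no olcSuffix on $db" >&2; rc=1; }
    # the rootdn must live under the suffix (exact-case comparison: keep the case consistent)
    case "$rootdn" in
        "$suffix"|*",$suffix") ;;
        *) echo "check: olcRootDN '$rootdn' is not under olcSuffix '$suffix'" >&2; rc=1 ;;
    esac
    # olcRootPW must be a slappasswd hash such as {SSHA}..., never the cleartext password
    case "$rootpw" in
        "{"*"}"*) ;;
        "") echo "check: no olcRootPW, the rootdn cannot bind with a password" >&2; rc=1 ;;
        *)  echo "check: olcRootPW is cleartext, use the slappasswd output" >&2; rc=1 ;;
    esac
    # no olcAccess on the data database means the built-in default "access to * by * read":
    # anonymous binds can read userPassword and, with the samba schema, sambaNTPassword
    if [ -z "$(ldif_attr "$f" "$db" olcAccess)" ]; then
        echo "check: WARNING no olcAccess on $db, every attribute is world-readable" >&2
    fi
    return $rc
}

# Constructed, cut-down copy of the article's slapd.ldif, for trying the checks.
sample_ldif() {
    cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=test,dc=net,dc=cn
olcRootDN: cn=acadmin,dc=test,dc=net,dc=cn
olcRootPW: {SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
EOF
}
```

Run slapd_ldif_check slapd.ldif from /etc/openldap before the slapadd; a non-zero exit means fix the file first. Of the findings, only a broken DN is something slapadd -n 0 would have reported itself: a trailing comment on olcRootPW imports cleanly and simply makes every bind as cn=acadmin fail.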


6. Start the service


If the service fails to start, go back and check the directory ownership set above.


[root@ldap-master (11:45:35)/etc/openldap]# systemctl start slapd
[root@ldap-master (11:45:41)/etc/openldap]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.


Test the service with the LDAP Admin client (bind as cn=acadmin,dc=test,dc=net,dc=cn with the password set above).




7. Enable logging


Create the log directory and hand it to the ldap user.


[root@ldap-master (14:54:54)/etc/openldap]# mkdir /var/log/slapd
[root@ldap-master (14:55:04)/etc/openldap]# touch /var/log/slapd/slapd.log
[root@ldap-master (14:55:15)/etc/openldap]# chown -R ldap:ldap /var/log/slapd


Add the following at line 74 of /etc/rsyslog.conf (slapd logs to the local4 facility by default):


74 local4.*                                                /var/log/slapd/slapd.log


Set up log rotation (the longer logs are kept, the more space they take; with rotation only the recent ones stay). logrotate only accepts comments on lines of their own, so the notes sit above each directive:


[root@ldap-master (15:02:55)/etc/openldap]# vim /etc/logrotate.d/slapd
/var/log/slapd/slapd.log {
    # rotate once a day
    daily
    # keep 5 rotated files, delete anything older
    rotate 5
    # copy the live file and truncate it in place instead of creating a new one,
    # so rsyslog keeps writing to the same open file
    copytruncate
    # suffix rotated files with the date
    dateext
    # do not complain if the log file is missing
    missingok
}


Test the rotation


[root@ldap-master (15:06:59)/etc/openldap]# ll /var/log/slapd/
total 0
-rw-r--r-- 1 ldap ldap 0 Nov 26 14:55 slapd.log
[root@ldap-master (15:07:11)/etc/openldap]# logrotate -f /etc/logrotate.d/slapd
[root@ldap-master (15:07:49)/etc/openldap]# ll /var/log/slapd/
total 0
-rw-r--r-- 1 ldap ldap 0 Nov 26 15:07 slapd.log
-rw-r--r-- 1 ldap ldap 0 Nov 26 15:07 slapd.log-20191126


Edit slapd.ldif again and add the logging setting.

Right below line 10 of the file add the following line (no trailing spaces):


[root@ldap-master (11:45:47)/etc/openldap]# vim slapd.ldif
 11 olcLogLevel: stats


Why not add this live with an LDIF and ldapmodify? Because this is a brand-new directory: we build cn=config from the one slapd.ldif, so that file is the single source of truth, it can be copied to another server and the service brought up there with the same configuration. The flip side: anything changed online in cn=config is lost the next time the file is re-imported.


Then regenerate the configuration and check that the log gets written.

To keep the following steps short, put the regeneration into a small script:


[root@ldap-master (15:12:48)/etc/openldap]# vim config_init.sh
#!/bin/bash
# Rebuild cn=config from /etc/openldap/slapd.ldif: wipe the generated directory,
# import, fix ownership, restart. Stops at the first failure so a broken import
# never leaves slapd restarting on an empty config.
set -e
cd /etc/openldap
rm -rf slapd.d/*
slapadd -n 0 -F slapd.d -l slapd.ldif
chown -R ldap:ldap slapd.d
systemctl restart slapd
[root@ldap-master (15:17:23)/etc/openldap]# chmod +x config_init.sh
[root@ldap-master (15:17:35)/etc/openldap]#


Test logging


[root@ldap-master (15:18:04)/etc/openldap]# sh config_init.sh
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@ldap-master (15:19:02)/etc/openldap]# systemctl restart rsyslog
[root@ldap-master (15:19:27)/etc/openldap]# systemctl restart slapd
[root@ldap-master (15:19:38)/etc/openldap]# cat /var/log/slapd/slapd.log
Nov 26 15:19:38 ldap-master slapd[19478]: daemon: shutdown requested and initiated.
Nov 26 15:19:38 ldap-master slapd[19478]: slapd shutdown: waiting for 0 operations/tasks to finish
Nov 26 15:19:38 ldap-master slapd[19478]: slapd stopped.
Nov 26 15:19:38 ldap-master slapd[19533]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Nov 26 15:19:38 ldap-master slapd[19535]: slapd starting
[root@ldap-master (15:19:39)/etc/openldap]#


5. Install the phpldapadmin management tool


phpldapadmin manages the directory from a browser and has a Chinese UI, which is convenient.


1. Install the packages


yum -y install epel-release
yum -y install phpldapadmin


2. Edit /etc/httpd/conf.d/phpldapadmin.conf so that every network can reach it:


vim /etc/httpd/conf.d/phpldapadmin.conf
<VirtualHost *:80>
ServerName openldap.test.net.cn
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>    # Apache 2.4
    Require all granted
    Require local
  </IfModule>
  <IfModule !mod_authz_core.c>    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
</VirtualHost>

Note that with both "Require all granted" and "Require local" inside one Directory block, Apache 2.4 treats them as alternatives (RequireAny), so "all granted" wins and the admin UI is reachable from every network, over plain HTTP, with the rootdn password typed into it. That is fine on an isolated lab network; anywhere else replace "Require all granted" with a "Require ip" rule for the admin subnet, and only use the UI over HTTPS (set up in Part 3).


3. In /etc/phpldapadmin/config.php uncomment line 397 and comment out line 398, so that login uses the full DN:


[root@ldap-master (15:23:49)/etc/openldap]# vim /etc/phpldapadmin/config.php
397 $servers->setValue('login','attr','dn');
398 // $servers->setValue('login','attr','uid');


Edit the httpd configuration and add ServerName localhost:80 at line 96:


[root@ldap-master (15:26:10)/etc/openldap]# vim /etc/httpd/conf/httpd.conf
 96 ServerName localhost:80


Start httpd and check that phpldapadmin accepts a login


[root@ldap-master (15:29:07)/etc/openldap]# systemctl start httpd
[root@ldap-master (15:29:16)/etc/openldap]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.


4. Add a hosts entry on the client machine


192.168.2.147   openldap.test.net.cn


5. Test the login


Browse to http://IP/ldapadmin/ and log in as cn=acadmin,dc=test,dc=net,dc=cn.




Nothing shows up yet: the directory has not been initialized, there is no base entry for dc=test,dc=net,dc=cn.


6. Silence the phpldapadmin warning


Before initializing the directory, turn off the template warning phpldapadmin shows.


Change line 166 of /etc/phpldapadmin/config.php to:


[root@ldap-master (15:29:21)/etc/openldap]# vim /etc/phpldapadmin/config.php
166 $config->custom->appearance['hide_template_warning'] = true;


Part 3. Hardening LDAP (TLS for slapd and HTTPS for phpldapadmin)


Still before initializing the directory, make LDAP safer by adding TLS. This is an internal network, so the certificates come from our own self-signed CA. Do not put a passphrase on the server's private key: slapd has no way to enter one at start-up and will fail to load the certificate.


1. TLS for slapd


We use our own CA server.


On the CA server:


[root@CA (15:41:08)~]# yum -y install openssl        # 1. the CA only needs the openssl toolkit
[root@CA (15:42:04)~]# cd /etc/pki/CA/
[root@CA (15:42:06)/etc/pki/CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)        # 2. the CA's own private key
Generating RSA private key, 2048 bit long modulus
....................+++
..................+++
e is 65537 (0x10001)
[root@CA (15:42:15)/etc/pki/CA]#
[root@CA (15:42:15)/etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650    # 3. the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                        # country
State or Province Name (full name) []:BeiJing                                # province
Locality Name (eg, city) [Default City]:BeiJing                              # city
Organization Name (eg, company) [Default Company Ltd]:test.net.cn           # domain
Organizational Unit Name (eg, section) []:internet                           # unit
Common Name (eg, your name or your server's hostname) []:ca.test.net.cn     # the CA server's hostname
Email Address []:
[root@CA (15:44:01)/etc/pki/CA]#
[root@CA (15:44:01)/etc/pki/CA]# echo "ca.test.net.cn" >> /etc/hostname     # set the hostname (see the note below)
[root@CA (15:46:11)/etc/pki/CA]# hostname
CA
[root@CA (15:46:17)/etc/pki/CA]# cat /etc/hostname
CA
ca.test.net.cn
[root@CA (15:46:25)/etc/pki/CA]#
[root@CA (15:46:25)/etc/pki/CA]# touch index.txt
[root@CA (15:46:49)/etc/pki/CA]# echo 01 >serial
[root@CA (15:47:19)/etc/pki/CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

Appending to /etc/hostname leaves two lines in it, as the cat output shows, and the running hostname is still CA; hostnamectl set-hostname ca.test.net.cn replaces the file and sets the kernel hostname in one go. index.txt and serial are the database openssl ca keeps of every certificate it issues. private/cakey.pem is the key that signs everything the LDAP clients, and later the 802.1X supplicants, will trust: it stays on this machine, owner-only readable, and is never copied anywhere.


On the LDAP server:


[root@ldap-master (15:34:48)/etc/openldap]# cd /etc/openldap/certs/
[root@ldap-master (15:50:13)/etc/openldap/certs]# (umask 077;openssl genrsa -out openldapkey147.pem 2048)  # the LDAP server's private key, no passphrase
Generating RSA private key, 2048 bit long modulus
..................................+++
.....................................................................................................+++
e is 65537 (0x10001)
[root@ldap-master (15:50:26)/etc/openldap/certs]# openssl req -new -key openldapkey147.pem -out openldap147.csr -days 3650 -subj "/C=CN/ST=BeiJing/L=BeiJing/O=test.net.cn/OU=internet/CN=192.168.2.147"
 # build the signing request from the private key; the CN is this host's IP address
[root@ldap-master (15:50:56)/etc/openldap/certs]# scp openldap147.csr root@192.168.2.148:/root    # send the request to the CA server
The authenticity of host '192.168.2.148 (192.168.2.148)' can't be established.
ECDSA key fingerprint is SHA256:qE6NS65QCbFIKWl80AiHPtYYZE8aH3PctGvUpMSLzaA.
ECDSA key fingerprint is MD5:13:74:3e:e1:49:1c:4c:9d:08:d4:eb:b5:e8:92:e7:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.148' (ECDSA) to the list of known hosts.
root@192.168.2.148's password:
Permission denied, please try again.
root@192.168.2.148's password:
Permission denied, please try again.
root@192.168.2.148's password:
openldap147.csr                                                                                      100% 1021   114.2KB/s   00:00

-days has no effect on a signing request (openssl req -new); the validity is decided by the CA when it signs. Only the request travels to the CA; the private key never leaves the LDAP server.


On the CA server:


[root@CA (15:53:44)/etc/pki/CA]# openssl ca -in /root/openldap147.csr -out /etc/pki/CA/certs/openldapcert147.crt -days 3650    # sign the LDAP server's request and issue its certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 26 07:53:50 2019 GMT
            Not After : Nov 23 07:53:50 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = test.net.cn
            organizationalUnitName    = internet
            commonName                = 192.168.2.147
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1A:9B:B1:28:A7:57:F7:28:CE:69:F6:C5:07:4B:E2:D2:5E:6F:A4:95
            X509v3 Authority Key Identifier:
                keyid:AA:5C:0E:BC:87:05:14:5B:DC:23:9D:74:5B:E1:23:B9:05:E1:71:A9
Certificate is to be certified until Nov 23 07:53:50 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CA (15:53:54)/etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── openldapcert147.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@CA (15:54:31)/etc/pki/CA]# scp cacert.pem certs/openldapcert147.crt root@192.168.2.147:/root    # send the CA certificate and the issued certificate to the LDAP server
The authenticity of host '192.168.2.147 (192.168.2.147)' can't be established.
ECDSA key fingerprint is SHA256:4pvEkT1xlxD1JbHjJQBRyMOEmoiPfh51jKOJpgZn/3U.
ECDSA key fingerprint is MD5:12:f9:57:f8:40:ac:d9:4b:ab:6c:1c:10:f8:ed:2b:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.147' (ECDSA) to the list of known hosts.
root@192.168.2.147's password:
cacert.pem                                                                                           100% 1367     1.3MB/s   00:00
openldapcert147.crt                                                                                  100% 4528     2.6MB/s   00:00

Look at the "X509v3 extensions" block: the certificate carries no Subject Alternative Name, the only name in it is CN=192.168.2.147. Clients match the server name against the SAN and many no longer fall back to the CN (Chrome stopped doing so in version 58), so a CN-only certificate verifies in some clients and is rejected in others. The .crt written by openssl ca also contains the human-readable dump above the PEM block (which is why it is 4528 bytes); slapd reads it fine.


On the LDAP server:


[root@ldap-master (15:53:08)/etc/openldap/certs]# cd
[root@ldap-master (15:56:34)~]# ls
anaconda-ks.cfg  cacert.pem  init.sh  openldapcert147.crt
[root@ldap-master (15:56:34)~]# cp openldapcert147.crt cacert.pem /etc/openldap/certs/    # put both files in the certificate directory and lock down the permissions
[root@ldap-master (15:56:48)~]# chown -R ldap.ldap /etc/openldap/certs
[root@ldap-master (15:56:58)~]# chmod -R 0400 /etc/openldap/certs/openldap*
[root@ldap-master (15:57:05)~]# chmod -R 0400 /etc/openldap/certs/cacert.pem

0400 is right for the private key. The CA certificate is public and is also what the client tools on this host (ldapsearch, ldapwhoami, run as any user) verify the server against, so leave cacert.pem world-readable (0444); otherwise those tools fail the TLS check for everyone but root.
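Added example, not code from the article: a shell helper that issues the server certificate with a subjectAltName carrying both the DNS name and the IP address, then verifies it against the CA and shows the SAN as a client sees it. The article's certificate has CN=192.168.2.147 and no SAN (see the extensions in the openssl ca output above). Putting the SAN in the request is not enough on its own: openssl ca with the stock /etc/pki/tls/openssl.cnf does not copy extensions from the request, so the signer has to be told about them with -extfile and -extensions. The example signs with openssl x509 -req, which takes the same two options, against a throwaway self-signed CA so it runs without the /etc/pki/CA database; with the article's CA the signing line becomes openssl ca -in server.csr -extfile server.cnf -extensions v3_req. Names, paths and the lab CA are assumptions.

```shell
#!/bin/sh
# Issue a TLS server certificate that carries subjectAltName entries and check it
# against the CA. Added example for this article, not its code; the names, paths
# and the throwaway CA are assumptions.
set -e

# Turn a list of names into a SAN value: all digits-and-dots is an IPv4 address,
# anything containing ':' an IPv6 address, everything else a DNS name.
san_list() {
    sep=""
    for n in "$@"; do
        case "$n" in
            *:*)        printf '%sIP:%s'  "$sep" "$n" ;;
            *[!0-9.]*)  printf '%sDNS:%s' "$sep" "$n" ;;
            *)          printf '%sIP:%s'  "$sep" "$n" ;;
        esac
        sep=", "
    done
    printf '\n'
}

# OpenSSL config used twice: by `req` (so the SAN is in the CSR) and by the signer
# (so the SAN is in the certificate). Signers drop CSR extensions unless told
# otherwise: `openssl ca` needs -extfile/-extensions (or copy_extensions = copy),
# `openssl x509 -req` needs -extfile/-extensions.
write_req_config() {
    out="$1"; cn="$2"; shift 2
    cat > "$out" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
C = CN
ST = BeiJing
L = BeiJing
O = test.net.cn
OU = internet
CN = $cn

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $(san_list "$@")
EOF
}

# Throwaway CA standing in for /etc/pki/CA: self-signed and marked CA:TRUE.
make_lab_ca() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca

[dn]
CN = ca.test.net.cn
O = test.net.cn

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
    openssl req -x509 -new -key "$dir/cakey.pem" -config "$dir/ca.cnf" -days 3650 -out "$dir/cacert.pem"
}

# usage: issue_server_cert DIR CN NAME...   (key without passphrase: slapd cannot prompt for one)
issue_server_cert() {
    dir="$1"; cn="$2"; shift 2
    write_req_config "$dir/server.cnf" "$cn" "$@"
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/server.key" -config "$dir/server.cnf" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 825 -extfile "$dir/server.cnf" -extensions v3_req \
        -out "$dir/server.crt" 2>/dev/null
    # chain check: fails if the CA is not marked CA:TRUE or the signature is wrong
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server.crt" >/dev/null
}

# The SAN line of a certificate, as a client will match it.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Live check of an LDAPS listener against the CA (needs a running slapd; not exercised here).
check_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        -verify_return_error </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate
}
```

A run such as issue_server_cert /etc/openldap/certs ldap-master.test.net.cn ldap-master.test.net.cn 192.168.2.147 yields a certificate that verifies whichever name the client uses; check_ldaps 192.168.2.147 /etc/openldap/certs/cacert.pem then confirms what slapd presents on 636 once it is restarted. The RADIUS server certificate for the 802.1X part of this series needs the same SAN treatment.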


Edit slapd.ldif


Point slapd at the certificate files and set the client-verification level. These four lines replace the three NSS-style defaults that came with the template (olcTLSCACertificatePath, the "OpenLDAP Server" certificate name and the password file); the file names are the key and certificate created above for this host:


[root@ldap-master (16:19:19)/etc/openldap]# vim slapd.ldif
 15 olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
 16 olcTLSCertificateFile: /etc/openldap/certs/openldapcert147.crt
 17 olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey147.pem
 18 olcTLSVerifyClient: never

A plain restart does not re-read slapd.ldif, so regenerate cn=config with config_init.sh after this edit. olcTLSVerifyClient never means the server does not ask clients for certificates; clients still verify the server.


In the slapd environment file add the ldaps:/// listener:


[root@ldap-master (14:07:20)/etc/openldap]# vim /etc/sysconfig/slapd
  9 SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"


Replace the contents of /etc/openldap/ldap.conf (the client-side defaults used by ldapsearch and friends on this host) with:


#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE    dc=test,dc=net,dc=cn
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
URI     ldaps://192.168.2.147
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT hard
#TLS_CACERTDIR  /etc/openldap/certs
TLS_CACERT      /etc/openldap/certs/cacert.pem
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

TLS_REQCERT hard is the setting to keep: the server certificate must verify against TLS_CACERT or the connection is refused. If a client-side test fails, fix the certificate or the CA file rather than lowering this to allow or never, which would accept any certificate and hand the rootdn password to whoever is on the wire.


Restart the service and confirm the LDAPS listener


[root@ldap-master (14:08:31)/etc/openldap]# systemctl restart slapd
[root@ldap-master (14:09:58)/etc/openldap]# ss -tunlp | grep 636
tcp    LISTEN     0      128       *:22                    *:*                   users:(("sshd",pid=6366,fd=3))
tcp    LISTEN     0      128       *:636                   *:*                   users:(("slapd",pid=7237,fd=10))
tcp    LISTEN     0      128      :::80                   :::*                   users:(("httpd",pid=6504,fd=4),("httpd",pid=6503,fd=4),("httpd",pid=6501,fd=4),("httpd",pid=6500,fd=4),("httpd",pid=6498,fd=4),("httpd",pid=6367,fd=4))
tcp    LISTEN     0      128      :::22                   :::*                   users:(("sshd",pid=6366,fd=4))
tcp    LISTEN     0      128      :::636                  :::*                   users:(("slapd",pid=7237,fd=11))

The sshd and httpd lines show up only because "636" is a substring of their pids (6366, 6367); slapd is the one listening on *:636 and :::636. Filtering on the port alone (ss -tlnp 'sport = :636') avoids the noise.


Test again with LDAP Admin, this time over LDAPS (port 636, SSL ticked)




Testing LDAPS from LDAP Admin produces a "certificate invalid" warning at this point, because the Windows client does not trust our CA yet. Import the CA root certificate (cacert.pem, on the CA server) into the client's trust store and the warning goes away. Import only the CA certificate, never the server key.


How to import: in Google Chrome open Settings, Advanced, Manage certificates, Trusted Root Certification Authorities, Import, choose "All files", select cacert.pem, finish.


2. HTTPS for phpldapadmin


On ldap-master:


[root@ldap-master (14:14:25)~]# mkdir /etc/httpd/certs
[root@ldap-master (14:14:34)~]# cd /etc/httpd/certs/
[root@ldap-master (14:14:39)/etc/httpd/certs]# (umask 077;openssl genrsa -out openldapadmin.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
....................................................................................................................+++
e is 65537 (0x10001)
[root@ldap-master (14:14:49)/etc/httpd/certs]# openssl req -new -key openldapadmin.key -out openldapadmin.csr -days 3650 -subj "/C=CN/ST=BeiJing/L=BeiJing/O=test.net.cn/OU=Internet/CN=openldap.test.net.cn"
[root@ldap-master (14:15:01)/etc/httpd/certs]# scp openldapadmin.csr root@192.168.6.143:/root
The authenticity of host '192.168.6.143 (192.168.6.143)' can't be established.
ECDSA key fingerprint is SHA256:OCxk4wtcCVaYZR+NKD3xrJSgQwUAwT2WeTQ69JGhmjM.
ECDSA key fingerprint is MD5:88:57:6d:72:36:6f:58:1c:36:84:8a:19:91:54:5b:d0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.6.143' (ECDSA) to the list of known hosts.
root@192.168.6.143's password:
openldapadmin.csr                                     100% 1037     1.2MB/s   00:00
[root@ldap-master (14:15:25)/etc/httpd/certs]#

This request goes to a CA at 192.168.6.143 rather than the 192.168.2.148 of the inventory, and the signing output below shows serial number 1 again with a different Authority Key Identifier than the LDAP certificate got: it is a different CA key. Browsers therefore need the cacert.pem of this CA in their trust store, in addition to (or instead of) the one imported for LDAP Admin. Use one CA for everything if you can.


On the CA:


[root@ca (14:19:25)/etc/pki/CA]# openssl ca -in /root/openldapadmin.csr -out /etc/pki/CA/certs/openldapadmin.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  2 06:19:56 2019 GMT
            Not After : Nov 29 06:19:56 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = test.net.cn
            organizationalUnitName    = Internet
            commonName                = openldap.test.net.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CD:8A:3F:06:B8:FA:DC:E1:FE:A4:0D:81:D3:66:21:95:47:E5:32:AC
            X509v3 Authority Key Identifier:
                keyid:B5:68:D1:D2:61:0B:13:E1:4B:6D:C2:2A:AE:31:39:97:72:F5:80:B9
Certificate is to be certified until Nov 29 06:19:56 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca (14:19:59)/etc/pki/CA]# scp /etc/pki/CA/certs/openldapadmin.crt root@192.168.2.147:/root
The authenticity of host '192.168.2.147 (192.168.2.147)' can't be established.
ECDSA key fingerprint is SHA256:4pvEkT1xlxD1JbHjJQBRyMOEmoiPfh51jKOJpgZn/3U.
ECDSA key fingerprint is MD5:12:f9:57:f8:40:ac:d9:4b:ab:6c:1c:10:f8:ed:2b:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.147' (ECDSA) to the list of known hosts.
root@192.168.2.147's password:
openldapadmin.crt                                     100% 4550     2.9MB/s   00:00
[root@ca (14:20:25)/etc/pki/CA]#


On ldap-master:


[root@ldap-master (14:15:25)/etc/httpd/certs]# cp /root/openldapadmin.crt ./
[root@ldap-master (14:22:08)/etc/httpd/certs]# chown -R apache:apache /etc/httpd/certs
[root@ldap-master (14:22:14)/etc/httpd/certs]# chmod -R 0400 /etc/httpd/certs/*
[root@ldap-master (14:22:21)/etc/httpd/certs]# yum -y install mod_ssl

httpd reads the certificate and key as root at start-up, before dropping to the apache user, so the key does not need to be owned by apache at all; root:root with mode 0400 is tighter, because then a compromised worker process cannot read the private key.


Edit phpldapadmin.conf, turning the port-80 virtual host into a port-443 one


[root@ldap-master (14:23:50)/etc/httpd/certs]# vim /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#
<VirtualHost *:443>
ServerName openldap.test.net.cn
DocumentRoot "/usr/share/phpldapadmin/htdocs"
SSLEngine on
SSLCertificateFile "/etc/httpd/certs/openldapadmin.crt"
SSLCertificateKeyFile "/etc/httpd/certs/openldapadmin.key"

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
    Require local
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
</VirtualHost>

The Alias lines now exist only in the 443 virtual host, so the plain http://IP/ldapadmin/ URL from earlier stops serving the application; use https://openldap.test.net.cn/ldapadmin/, which needs the hosts entry from step 4 on the client.


Restart httpd and check port 443


[root@ldap-master (14:25:20)/etc/httpd/certs]# systemctl restart httpd
[root@ldap-master (14:25:38)/etc/httpd/certs]# ss -tunlp | grep 443
tcp    LISTEN     0      128      :::443                  :::*                   users:(("httpd",pid=7421,fd=6),("httpd",pid=7420,fd=6),("httpd",pid=7419,fd=6),("httpd",pid=7418,fd=6),("httpd",pid=7417,fd=6),("httpd",pid=7416,fd=6))
[root@ldap-master (14:25:47)/etc/httpd/certs]#




In the browser, click "Not secure" in the address bar and then "Certificate" to inspect the certificate the site presents; it shows as trusted once this CA's cacert.pem has been imported as described above.
