I. Environment preparation
1. Server environment
Name | OS version | Spec | IP address
--- | --- | --- | ---
ldap-master | CentOS 7.6 (core) | 2c 2g 50g | 192.168.2.147
ldap-slave | CentOS 7.6 (core) | 2c 2g 50g | 192.168.2.150
redius-master | CentOS 7.6 (core) | 2c 2g 50g | 192.168.3.140
redius-slave | CentOS 7.6 (core) | 2c 2g 50g | 192.168.3.141
CA server | CentOS 7.6 (core) | 1c 1g 16g | 192.168.2.148
Client | Windows 7 | 2c 2g 50g | 192.168.3.150
2. Initial server configuration
(mind the NIC name used in the script; it assumes ens192)

#!/bin/bash
echo "Enter your system information"
### Disable the firewall, NetworkManager and SELinux ###
systemctl stop firewalld
systemctl disable firewalld
systemctl stop NetworkManager
systemctl disable NetworkManager
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
### Install a few commonly used packages ###
yum -y install vim tree wget net-tools ntpdate
### Synchronise the clock ###
ntpdate ntp1.aliyun.com
echo "* */1 * * * /usr/sbin/ntpdate ntp1.aliyun.com > /dev/null 2>&1" > /var/spool/cron/root
## Switch the yum repositories to the Aliyun mirrors
mkdir /etc/yum.repos.d.bak ; mv /etc/yum.repos.d/* /etc/yum.repos.d.bak
wget -O /etc/yum.repos.d/aliyun-centos7-base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/aliyun-centos7-epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache
#### NIC configuration: rename ens192 to eth0 and pin it to its MAC address
m1=`ifconfig ens192 | grep "ether"| tr -s " " %|cut -d% -f3`
cd /etc/sysconfig/network-scripts/
echo "HWADDR=$m1" >> ifcfg-ens192
mv ifcfg-ens192 ifcfg-eth0
sed -i 's/ens192/eth0/g' ifcfg-eth0
cat > /etc/udev/rules.d/70-persistent-net.rules <<EOF
SUBSYSTEM=="net",ACTION=="add",DRIVERS=="?*",ATTR{address}=="$m1",ATTR{type}=="1",KERNEL=="eth*",NAME="eth0"
EOF
## Create the directories we need
mkdir /data
### Shell prompt (PS1)
echo 'export PS1="\[\e[37;40m\][\[\e[31;40m\]\u\[\e[37;40m\]@\h \[\e[36;40m\](\t)\w\[\e[0m\]]\\$ "' >> /root/.bashrc
3. Take a snapshot so that a mistake does not leave the system unrecoverable
After the reboot, start deploying the LDAP environment.
II. Building the LDAP environment
1. Make sure the server has network access
[root@lcp (13:49:35)~]# ping www.baidu.com
PING www.a.shifen.com (61.135.169.125) 56(84) bytes of data.
64 bytes from 61.135.169.125 (61.135.169.125): icmp_seq=1 ttl=128 time=3.11 ms
^C
--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.111/3.111/3.111/0.000 ms
2. Install the required packages
[root@ldap-master (11:21:26)~]# yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel migrationtools samba* freeradius*
3. The LDAP configuration directory
[root@ldap-master (11:21:26)~]# cd /etc/openldap/
[root@ldap-master (11:25:33)/etc/openldap]# tree slapd.d
slapd.d
├── cn=config
│   ├── cn=schema
│   │   └── cn={0}core.ldif            # core schema
│   ├── cn=schema.ldif                 # schema configuration
│   ├── olcDatabase={0}config.ldif     # the configuration database (global settings)
│   ├── olcDatabase={-1}frontend.ldif  # frontend settings
│   ├── olcDatabase={1}monitor.ldif    # monitoring database
│   └── olcDatabase={2}hdb.ldif        # the data backend database
└── cn=config.ldif                     # global configuration
2 directories, 7 files
4. Configure LDAP
1. Back up the configuration directory
[root@ldap-master (11:25:35)/etc/openldap]# mv slapd.d{,.bak}
[root@ldap-master (11:26:16)/etc/openldap]# ls
certs  check_password.conf  ldap.conf  schema  slapd.d.bak
[root@ldap-master (11:26:23)/etc/openldap]# mkdir slapd.d
[root@ldap-master (11:26:30)/etc/openldap]# slappasswd
New password: 123456
Re-enter new password: 123456
{SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6        # copy and keep this hash, it is needed shortly
[root@ldap-master (11:26:43)/etc/openldap]# cp /usr/share/openldap-servers/slapd.ldif ./   # copy the slapd.ldif template into this directory
2. Copy the required schemas into /etc/openldap/schema
Both the samba and the radius schemas are copied here.
cp /usr/share/doc/freeradius-3.0.13/schemas/ldap/openldap/freeradius.ldif /etc/openldap/schema/
cp /usr/share/doc/freeradius-3.0.13/schemas/ldap/openldap/freeradius.schema /etc/openldap/schema/
cp /usr/share/doc/samba-4.9.1/LDAP/samba.schema /etc/openldap/schema/
cp /usr/share/doc/samba-4.9.1/LDAP/samba.ldif /etc/openldap/schema/
3. Edit the configuration file
[root@ldap-master (11:31:23)/etc/openldap]# cat slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid

#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password

#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org

#
# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la


#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# include every .ldif schema under /etc/openldap/schema/ (including the samba and freeradius ones copied above)
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/samba.ldif
include: file:///etc/openldap/schema/freeradius.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#


#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
# in the DN below, cn is the administrator name and the dc components are the domain name
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=acadmin,dc=test,dc=net,dc=cn" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
# the suffix must use the same dc components as above
olcSuffix: dc=test,dc=net,dc=cn
# likewise the root DN must match the cn and dc used above
olcRootDN: cn=acadmin,dc=test,dc=net,dc=cn
# the hash produced by slappasswd earlier
olcRootPW: {SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
A quick word on cn and dc here: cn is the name, dc is a domain component; write one dc per label of the domain name.
With that, the initial slapd.ldif is complete.
4. Set up the database
[root@ldap-master (11:31:54)/etc/openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-master (11:36:40)/etc/openldap]# chown -R ldap:ldap /var/lib/ldap
The database part is simple: copy the example config over and set the ownership.
5. Initialise the configuration from slapd.ldif
If the import fails, check the contents of slapd.ldif; in particular, no line may end with trailing whitespace.
After checking, delete the files inside slapd.d and run the import command again.
[root@ldap-master (11:43:16)/etc/openldap]# slapadd -n 0 -F slapd.d -l slapd.ldif
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@ldap-master (11:43:18)/etc/openldap]# chown -R ldap:ldap slapd.d
6. Start the service
If the service fails to start here, re-check the directory ownership set above.
[root@ldap-master (11:45:35)/etc/openldap]# systemctl start slapd
[root@ldap-master (11:45:41)/etc/openldap]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
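The two failure modes named above (trailing whitespace in slapd.ldif, and a bad import that then has to be redone) are cheap to catch before running slapadd. The following pre-flight script is an added example written for this article, not part of the original post or of OpenLDAP; it checks a slapd.ldif for trailing whitespace, for include: lines that point at schema files which do not exist, and for an olcRootPW that is stored in clear text instead of as a {SSHA} hash. The file paths and sample content in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a
# slapd.ldif before running "slapadd -n 0". Every function returns 0 when
# its check passes and 1 otherwise, so it can be used from scripts.

# 0 when no line in $1 ends with a space or a tab.
ldif_no_trailing_ws() {
    if grep -n '[[:space:]]$' "$1" >/dev/null; then
        echo "trailing whitespace on these lines of $1:" >&2
        grep -n '[[:space:]]$' "$1" >&2
        return 1
    fi
    return 0
}

# 0 when every "include: file:///..." in $1 refers to an existing file.
ldif_includes_exist() {
    missing=0
    for f in $(sed -n 's#^include: file://##p' "$1"); do
        if [ ! -f "$f" ]; then
            echo "missing schema file: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# 0 when olcRootPW is a hashed value such as {SSHA}..., 1 when it is
# absent or written in clear text.
ldif_rootpw_hashed() {
    pw=$(sed -n 's/^olcRootPW: *//p' "$1")
    case "$pw" in
        '{'*'}'*) return 0 ;;
        *) echo "olcRootPW is missing or stored in clear text" >&2; return 1 ;;
    esac
}

# Run all three checks on $1; the return value is the number of failed
# checks, so 0 means the file is safe to import.
ldif_preflight() {
    fails=0
    ldif_no_trailing_ws "$1" || fails=$((fails + 1))
    ldif_includes_exist "$1" || fails=$((fails + 1))
    ldif_rootpw_hashed "$1"  || fails=$((fails + 1))
    return $fails
}

# Usage: sh ldif_preflight.sh /etc/openldap/slapd.ldif
if [ "$#" -gt 0 ]; then
    ldif_preflight "$1" && echo "$1: OK, safe to import"
fi
```

Run it against /etc/openldap/slapd.ldif before each slapadd; a non-zero exit tells you how many checks failed and the messages on stderr say which lines to fix.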
Test the ldap service with the LDAP Admin tool.
7. Enable logging
Create the log directory and hand it to the ldap user.
[root@ldap-master (14:54:54)/etc/openldap]# mkdir /var/log/slapd
[root@ldap-master (14:55:04)/etc/openldap]# touch /var/log/slapd/slapd.log
[root@ldap-master (14:55:15)/etc/openldap]# chown -R ldap:ldap /var/log/slapd
Add the following at line 74 of /etc/rsyslog.conf:
74 local4.*    /var/log/slapd/slapd.log
Set up log rotation (the longer logs are kept, the more space they take; rotation keeps only the most recent ones).
[root@ldap-master (15:02:55)/etc/openldap]# vim /etc/logrotate.d/slapd
/var/log/slapd/slapd.log {
    # rotate once a day
    daily
    # keep 5 rotated files and delete older ones
    rotate 5
    # copy the log, then truncate it in place instead of creating a new file
    copytruncate
    # append the date to the rotated file name
    dateext
    # without this, a missing log file is reported as an error
    missingok
}
Test the rotation
[root@ldap-master (15:06:59)/etc/openldap]# ll /var/log/slapd/
total 0
-rw-r--r-- 1 ldap ldap 0 Nov 26 14:55 slapd.log
[root@ldap-master (15:07:11)/etc/openldap]# logrotate -f /etc/logrotate.d/slapd
[root@ldap-master (15:07:49)/etc/openldap]# ll /var/log/slapd/
total 0
-rw-r--r-- 1 ldap ldap 0 Nov 26 15:07 slapd.log
-rw-r--r-- 1 ldap ldap 0 Nov 26 15:07 slapd.log-20191126
Edit slapd.ldif again and add the attribute that enables logging.
Insert one line directly below line 10 of the file (still inside the cn=config entry), again without any trailing whitespace:
[root@ldap-master (11:45:47)/etc/openldap]# vim slapd.ldif
11 olcLogLevel: stats
Some will ask why we do not hot-add this with an ldif file instead. Because this is a freshly built ldap service, we configure it straight from the initialisation file; if anything goes wrong later the file can be copied to another server and the service brought up there without losing any configuration.
Then regenerate the configuration and check that logs are produced.
To simplify the features added step by step later on, we create a small initialisation script:
[root@ldap-master (15:12:48)/etc/openldap]# vim config_init.sh
#!/bin/bash
rm -rf slapd.d/*
slapadd -n 0 -F slapd.d -l slapd.ldif
chown -R ldap:ldap slapd.d
systemctl restart slapd
[root@ldap-master (15:17:23)/etc/openldap]# chmod +x config_init.sh
[root@ldap-master (15:17:35)/etc/openldap]#
Test the logging
[root@ldap-master (15:18:04)/etc/openldap]# sh config_init.sh
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@ldap-master (15:19:02)/etc/openldap]# systemctl restart rsyslog
[root@ldap-master (15:19:27)/etc/openldap]# systemctl restart slapd
[root@ldap-master (15:19:38)/etc/openldap]# cat /var/log/slapd/slapd.log
Nov 26 15:19:38 ldap-master slapd[19478]: daemon: shutdown requested and initiated.
Nov 26 15:19:38 ldap-master slapd[19478]: slapd shutdown: waiting for 0 operations/tasks to finish
Nov 26 15:19:38 ldap-master slapd[19478]: slapd stopped.
Nov 26 15:19:38 ldap-master slapd[19533]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Nov 26 15:19:38 ldap-master slapd[19535]: slapd starting
[root@ldap-master (15:19:39)/etc/openldap]#
5. Install the phpldapadmin management tool
It lets you manage ldap from a web browser and has a Chinese UI, which is convenient.
1. Install the dependencies
yum -y install epel-release
yum -y install phpldapadmin
2. Edit /etc/httpd/conf.d/phpldapadmin.conf so that every network may access it:
vim /etc/httpd/conf.d/phpldapadmin.conf
<VirtualHost *:80>
    ServerName openldap.test.net.cn
    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
    Alias /ldapadmin /usr/share/phpldapadmin/htdocs
    <Directory /usr/share/phpldapadmin/htdocs>
      <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
        Require local
      </IfModule>
      <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1
      </IfModule>
    </Directory>
</VirtualHost>
3. Edit /etc/phpldapadmin/config.php: uncomment line 397 and comment out line 398, so that login is by dn.
[root@ldap-master (15:23:49)/etc/openldap]# vim /etc/phpldapadmin/config.php
397 $servers->setValue('login','attr','dn');
398 // $servers->setValue('login','attr','uid');
Edit the httpd configuration file and add ServerName localhost:80 at line 96.
[root@ldap-master (15:26:10)/etc/openldap]# vim /etc/httpd/conf/httpd.conf
96 ServerName localhost:80
Start the http service and check whether phpldapadmin lets you log in.
[root@ldap-master (15:29:07)/etc/openldap]# systemctl start httpd
[root@ldap-master (15:29:16)/etc/openldap]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
4. Add a name entry to the hosts file on your workstation
192.168.2.147 openldap.test.net.cn
5. Test the login
Open http://IP/ldapadmin/
Nothing is shown at this point, because the directory has not been initialised yet.
6. Silence the phpldapadmin warning
Before initialising the directory, we turn off the phpldapadmin template warning.
Edit /etc/phpldapadmin/config.php and change line 166 to the following:
[root@ldap-master (15:29:21)/etc/openldap]# vim /etc/phpldapadmin/config.php
166 $config->custom->appearance['hide_template_warning'] = true;
III. Hardening LDAP (SSL and HTTPS)
We still do not initialise the directory; first we make ldap more secure by adding TLS. This is an intranet deployment, so a self-signed CA is used. Do not set a password (passphrase) on the server's key, otherwise ldap will not load the certificate.
1. Configure SSL for ldap
We use our own CA server.
CA server:
[root@CA (15:41:08)~]# yum -y install openssl                 # 1. install the CA tooling
[root@CA (15:42:04)~]# cd /etc/pki/CA/
[root@CA (15:42:06)/etc/pki/CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)   # 2. generate the CA's own private key
Generating RSA private key, 2048 bit long modulus
....................+++
..................+++
e is 65537 (0x10001)
[root@CA (15:42:15)/etc/pki/CA]#
[root@CA (15:42:15)/etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650   # 3. create the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                      # country
State or Province Name (full name) []:BeiJing                             # province
Locality Name (eg, city) [Default City]:BeiJing                           # city
Organization Name (eg, company) [Default Company Ltd]:test.net.cn         # domain
Organizational Unit Name (eg, section) []:internet                        # unit
Common Name (eg, your name or your server's hostname) []:ca.test.net.cn   # the CA server's host name
Email Address []:
[root@CA (15:44:01)/etc/pki/CA]#
[root@CA (15:44:01)/etc/pki/CA]# echo "ca.test.net.cn" >> /etc/hostname   # record the host name
[root@CA (15:46:11)/etc/pki/CA]# hostname
CA
[root@CA (15:46:17)/etc/pki/CA]# cat /etc/hostname
CA
ca.test.net.cn
[root@CA (15:46:25)/etc/pki/CA]#
[root@CA (15:46:25)/etc/pki/CA]# touch index.txt
[root@CA (15:46:49)/etc/pki/CA]# echo 01 >serial
[root@CA (15:47:19)/etc/pki/CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
4 directories, 4 files
LDAP server:
[root@ldap-master (15:34:48)/etc/openldap]# cd /etc/openldap/certs/
[root@ldap-master (15:50:13)/etc/openldap/certs]# (umask 077;openssl genrsa -out openldapkey147.pem 2048)   # generate the LDAP server's private key
Generating RSA private key, 2048 bit long modulus
..................................+++
.....................................................................................................+++
e is 65537 (0x10001)
[root@ldap-master (15:50:26)/etc/openldap/certs]# openssl req -new -key openldapkey147.pem -out openldap147.csr -days 3650 -subj "/C=CN/ST=BeiJing/L=BeiJing/O=test.net.cn/OU=internet/CN=192.168.2.147"   # create the certificate signing request from the key; CN is this host's IP
[root@ldap-master (15:50:56)/etc/openldap/certs]# scp openldap147.csr root@192.168.2.148:/root   # send the request to the CA server with scp
The authenticity of host '192.168.2.148 (192.168.2.148)' can't be established.
ECDSA key fingerprint is SHA256:qE6NS65QCbFIKWl80AiHPtYYZE8aH3PctGvUpMSLzaA.
ECDSA key fingerprint is MD5:13:74:3e:e1:49:1c:4c:9d:08:d4:eb:b5:e8:92:e7:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.148' (ECDSA) to the list of known hosts.
root@192.168.2.148's password:
Permission denied, please try again.
root@192.168.2.148's password:
Permission denied, please try again.
root@192.168.2.148's password:
openldap147.csr                                   100% 1021   114.2KB/s   00:00
CA server:
[root@CA (15:53:44)/etc/pki/CA]# openssl ca -in /root/openldap147.csr -out /etc/pki/CA/certs/openldapcert147.crt -days 3650   # approve the ldap request and issue the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 26 07:53:50 2019 GMT
            Not After : Nov 23 07:53:50 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = test.net.cn
            organizationalUnitName    = internet
            commonName                = 192.168.2.147
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1A:9B:B1:28:A7:57:F7:28:CE:69:F6:C5:07:4B:E2:D2:5E:6F:A4:95
            X509v3 Authority Key Identifier:
                keyid:AA:5C:0E:BC:87:05:14:5B:DC:23:9D:74:5B:E1:23:B9:05:E1:71:A9
Certificate is to be certified until Nov 23 07:53:50 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CA (15:53:54)/etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── openldapcert147.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
[root@CA (15:54:31)/etc/pki/CA]# scp cacert.pem certs/openldapcert147.crt root@192.168.2.147:/root   # send the server certificate and the CA certificate to the ldap server
The authenticity of host '192.168.2.147 (192.168.2.147)' can't be established.
ECDSA key fingerprint is SHA256:4pvEkT1xlxD1JbHjJQBRyMOEmoiPfh51jKOJpgZn/3U.
ECDSA key fingerprint is MD5:12:f9:57:f8:40:ac:d9:4b:ab:6c:1c:10:f8:ed:2b:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.147' (ECDSA) to the list of known hosts.
root@192.168.2.147's password:
cacert.pem                                        100% 1367     1.3MB/s   00:00
openldapcert147.crt                               100% 4528     2.6MB/s   00:00
LDAP server:
[root@ldap-master (15:53:08)/etc/openldap/certs]# cd
[root@ldap-master (15:56:34)~]# ls
anaconda-ks.cfg  cacert.pem  init.sh  openldapcert147.crt
[root@ldap-master (15:56:34)~]# cp openldapcert147.crt cacert.pem /etc/openldap/certs/   # place both files in the certificate directory and restrict its permissions
[root@ldap-master (15:56:48)~]# chown -R ldap.ldap /etc/openldap/certs
[root@ldap-master (15:56:58)~]# chmod -R 0400 /etc/openldap/certs/openldap*
[root@ldap-master (15:57:05)~]# chmod -R 0400 /etc/openldap/certs/cacert.pem
Edit the ldap configuration file slapd.ldif
and point it at the certificate files and set the client verification level:
[root@ldap-master (16:19:19)/etc/openldap]# vim slapd.ldif
15 olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
16 olcTLSCertificateFile: /etc/openldap/certs/openldapcert147.crt
17 olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey147.pem
18 olcTLSVerifyClient: never
In slapd's sysconfig file, add ldaps:/// to the listen URLs:
[root@ldap-master (14:07:20)/etc/openldap]# vim /etc/sysconfig/slapd
9 SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
Change ldap.conf to the following:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=test,dc=net,dc=cn
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
URI    ldaps://192.168.2.147

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT hard
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/cacert.pem

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
Restart the service
[root@ldap-master (14:08:31)/etc/openldap]# systemctl restart slapd
[root@ldap-master (14:09:58)/etc/openldap]# ss -tunlp | grep 636
tcp    LISTEN     0      128       *:22                    *:*                   users:(("sshd",pid=6366,fd=3))
tcp    LISTEN     0      128       *:636                   *:*                   users:(("slapd",pid=7237,fd=10))
tcp    LISTEN     0      128      :::80                   :::*                   users:(("httpd",pid=6504,fd=4),("httpd",pid=6503,fd=4),("httpd",pid=6501,fd=4),("httpd",pid=6500,fd=4),("httpd",pid=6498,fd=4),("httpd",pid=6367,fd=4))
tcp    LISTEN     0      128      :::22                   :::*                   users:(("sshd",pid=6366,fd=4))
tcp    LISTEN     0      128      :::636                  :::*                   users:(("slapd",pid=7237,fd=11))
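The three edits above (olcTLS* attributes in slapd.ldif, ldaps:/// in SLAPD_URLS, TLS_REQCERT hard plus TLS_CACERT and an ldaps:// URI in ldap.conf) are what make TLS mandatory rather than merely available, and any one of them can silently be lost when the config is regenerated with config_init.sh. The script below is an added example written for this article, not part of the original post or of OpenLDAP; it reads the three files by their documented keys and fails if a plain ldap:// URI or a TLS_REQCERT weaker than hard/demand has crept back in. The file paths are parameters, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verifies that the TLS-related
# settings in ldap.conf, /etc/sysconfig/slapd and slapd.ldif are all in
# place. Each function returns 0 when its check passes.

# Print the value of an ldap.conf-style "KEY value" line in file $1 for
# key $2, ignoring commented lines; the last occurrence wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | tail -n 1
}

# 0 if ldap.conf $1 verifies the server certificate (TLS_REQCERT hard or
# demand), names a CA file, and its URI does not fall back to plain ldap://.
ldap_conf_enforces_tls() {
    req=$(conf_value "$1" TLS_REQCERT)
    ca=$(conf_value "$1" TLS_CACERT)
    uri=$(conf_value "$1" URI)
    case "$req" in
        hard|demand) ;;
        *) echo "TLS_REQCERT is '$req', expected hard" >&2; return 1 ;;
    esac
    [ -n "$ca" ] || { echo "TLS_CACERT is not set" >&2; return 1; }
    case "$uri" in
        *"ldap://"*) echo "URI still contains a plain ldap:// address" >&2; return 1 ;;
    esac
    return 0
}

# 0 if SLAPD_URLS in sysconfig file $1 includes ldaps:///.
slapd_urls_have_ldaps() {
    urls=$(sed -n 's/^SLAPD_URLS=//p' "$1" | tr -d '"')
    case " $urls " in
        *" ldaps:///"*) return 0 ;;
        *) echo "ldaps:/// is missing from SLAPD_URLS" >&2; return 1 ;;
    esac
}

# 0 if slapd.ldif $1 carries all three olcTLS*File attributes with absolute
# paths (the template's "OpenLDAP Server" placeholder does not count).
slapd_ldif_has_tls_files() {
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        v=$(sed -n "s/^$attr: *//p" "$1")
        case "$v" in
            /*) ;;
            *) echo "$attr is missing or not an absolute path" >&2; return 1 ;;
        esac
    done
    return 0
}

# Run all checks on (ldap.conf, sysconfig slapd, slapd.ldif); the return
# value is the number of failed checks.
tls_config_preflight() {
    fails=0
    ldap_conf_enforces_tls "$1"   || fails=$((fails + 1))
    slapd_urls_have_ldaps "$2"    || fails=$((fails + 1))
    slapd_ldif_has_tls_files "$3" || fails=$((fails + 1))
    return $fails
}

# Usage: sh tls_config_preflight.sh /etc/openldap/ldap.conf /etc/sysconfig/slapd /etc/openldap/slapd.ldif
if [ "$#" -eq 3 ]; then
    tls_config_preflight "$1" "$2" "$3" && echo "TLS configuration OK"
fi
```

Running it as the last line of config_init.sh turns a silent downgrade (for instance a TLS_REQCERT never left over from debugging) into a visible failure before the service is restarted.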
Test again with the ldapadmin tool
When testing SSL with ldapadmin you will get an "invalid certificate" prompt; importing the CA's root certificate (cacert.pem, on the CA server) on the local machine resolves it.
How to import: in Google Chrome open Settings → Advanced → Manage certificates → Trusted Root Certification Authorities → Import → choose "All files" → select cacert.pem → Import succeeds.
2. Configure HTTPS for http
ldap-master:
[root@ldap-master (14:14:25)~]# mkdir /etc/httpd/certs
[root@ldap-master (14:14:34)~]# cd /etc/httpd/certs/
[root@ldap-master (14:14:39)/etc/httpd/certs]# (umask 077;openssl genrsa -out openldapadmin.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
....................................................................................................................+++
e is 65537 (0x10001)
[root@ldap-master (14:14:49)/etc/httpd/certs]# openssl req -new -key openldapadmin.key -out openldapadmin.csr -days 3650 -subj "/C=CN/ST=BeiJing/L=BeiJing/O=test.net.cn/OU=Internet/CN=openldap.test.net.cn"
[root@ldap-master (14:15:01)/etc/httpd/certs]# scp openldapadmin.csr root@192.168.6.143:/root
The authenticity of host '192.168.6.143 (192.168.6.143)' can't be established.
ECDSA key fingerprint is SHA256:OCxk4wtcCVaYZR+NKD3xrJSgQwUAwT2WeTQ69JGhmjM.
ECDSA key fingerprint is MD5:88:57:6d:72:36:6f:58:1c:36:84:8a:19:91:54:5b:d0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.6.143' (ECDSA) to the list of known hosts.
root@192.168.6.143's password:
openldapadmin.csr                                 100% 1037     1.2MB/s   00:00
[root@ldap-master (14:15:25)/etc/httpd/certs]#
CA:
[root@ca (14:19:25)/etc/pki/CA]# openssl ca -in /root/openldapadmin.csr -out /etc/pki/CA/certs/openldapadmin.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  2 06:19:56 2019 GMT
            Not After : Nov 29 06:19:56 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = test.net.cn
            organizationalUnitName    = Internet
            commonName                = openldap.test.net.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CD:8A:3F:06:B8:FA:DC:E1:FE:A4:0D:81:D3:66:21:95:47:E5:32:AC
            X509v3 Authority Key Identifier:
                keyid:B5:68:D1:D2:61:0B:13:E1:4B:6D:C2:2A:AE:31:39:97:72:F5:80:B9
Certificate is to be certified until Nov 29 06:19:56 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca (14:19:59)/etc/pki/CA]# scp /etc/pki/CA/certs/openldapadmin.crt root@192.168.2.147:/root
The authenticity of host '192.168.2.147 (192.168.2.147)' can't be established.
ECDSA key fingerprint is SHA256:4pvEkT1xlxD1JbHjJQBRyMOEmoiPfh51jKOJpgZn/3U.
ECDSA key fingerprint is MD5:12:f9:57:f8:40:ac:d9:4b:ab:6c:1c:10:f8:ed:2b:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.147' (ECDSA) to the list of known hosts.
root@192.168.2.147's password:
openldapadmin.crt                                 100% 4550     2.9MB/s   00:00
[root@ca (14:20:25)/etc/pki/CA]#
ldap-master:
[root@ldap-master (14:15:25)/etc/httpd/certs]# cp /root/openldapadmin.crt ./
[root@ldap-master (14:22:08)/etc/httpd/certs]# chown -R apache:apache /etc/httpd/certs
[root@ldap-master (14:22:14)/etc/httpd/certs]# chmod -R 0400 /etc/httpd/certs/*
[root@ldap-master (14:22:21)/etc/httpd/certs]# yum -y install mod_ssl
Edit the phpldapadmin.conf configuration file
[root@ldap-master (14:23:50)/etc/httpd/certs]# vim /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#
<VirtualHost *:443>
    ServerName openldap.test.net.cn
    DocumentRoot "/usr/share/phpldapadmin/htdocs"
    SSLEngine on
    SSLCertificateFile "/etc/httpd/certs/openldapadmin.crt"
    SSLCertificateKeyFile "/etc/httpd/certs/openldapadmin.key"
    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
    Alias /ldapadmin /usr/share/phpldapadmin/htdocs

    <Directory /usr/share/phpldapadmin/htdocs>
      <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
        Require local
      </IfModule>
      <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1
      </IfModule>
    </Directory>
</VirtualHost>
Restart the service and check port 443
[root@ldap-master (14:25:20)/etc/httpd/certs]# systemctl restart httpd
[root@ldap-master (14:25:38)/etc/httpd/certs]# ss -tunlp | grep 443
tcp    LISTEN     0      128      :::443                  :::*                   users:(("httpd",pid=7421,fd=6),("httpd",pid=7420,fd=6),("httpd",pid=7419,fd=6),("httpd",pid=7418,fd=6),("httpd",pid=7417,fd=6),("httpd",pid=7416,fd=6))
[root@ldap-master (14:25:47)/etc/httpd/certs]#
In the browser, click "Not secure", then click the certificate