标签:ldap tls
LDAP模式是明文传输,为了安全起见,最好配置TLS加密方式传输。下面是配置过程(省略了LDAP SERVER的配置过程,前面的文档中有)
环境:
LDAP SERVER1 172.16.42.136
LDAP SERVER2 172.16.42.137
CA SERVER & LDAP Client 172.16.42.135
CA Server配置:
CA服务器创建私钥
#cd /etc/pki/CA #(umask 077; openssl genrsa -out private/cakey.pem 2048)
修改/etc/pki/tls/openssl.conf配置文件,修改证书默认的相关设置
[ req_distinguished_name ] countryName_default = CN stateOrProvinceName_default = Shanghai localityName_default = Shanghai 0.organizationName_default = beyondh organizationalUnitName_default = OPS
生成自签署证书
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [CN]: State or Province Name (full name) [Shanghai]: Locality Name (eg, city) [Shanghai]: Organization Name (eg, company) [beyondh]: Organizational Unit Name (eg, section) [OPS]: Common Name (eg, your name or your server‘s hostname) []:ca.beyondh.org Email Address []:451345726@qq.com
默认/etc/pki/CA路径下没有serial 和index.txt文件,需要手动创建
touch index.txt [root@mq02 CA]# echo 01 > serial [root@mq02 CA]# ls cacert.pem certs crl index.txt newcerts private serial
LDAP SERVER配置
生成私钥文件
pwd /etc/pki/CA [root@localhost CA]# (umask 077; openssl genrsa 1024 > ldap.key) Generating RSA private key, 1024 bit long modulus ............................++++++ .......++++++ e is 65537 (0x10001) [root@localhost CA]# ls certs crl ldap.key newcerts private
生成证书请求文件
openssl req -new -key ldap.key -out ldap.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:beyondh Organizational Unit Name (eg, section) []:OPS Common Name (eg, your name or your server‘s hostname) []:ldap.beyondh.org Email Address []:451345726@qq.com Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []:
将证书请求文件拷贝到CA Server
scp ldap.csr 172.16.42.135:/tmp
登录CA Server,将ldap server的证书请求文件签署成证书文件
openssl ca -in /tmp/ldap.csr -out ldap.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Mar 24 07:18:05 2017 GMT Not After : Mar 22 07:18:05 2027 GMT Subject: countryName = CN stateOrProvinceName = Shanghai organizationName = beyondh organizationalUnitName = OPS commonName = ldap.beyondh.org emailAddress = 451345726@qq.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 02:CF:80:2A:80:99:1D:FA:8A:AC:B2:52:B8:4F:21:ED:BF:A9:33:8F X509v3 Authority Key Identifier: keyid:E0:08:32:85:E9:45:AD:5B:BF:EB:42:15:EE:65:3C:80:56:00:24:93 Certificate is to be certified until Mar 22 07:18:05 2027 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
将CA服务器自己的证书和LDAP SERVER的证书文件拷贝到 LDAP SERVER上
[root@mq02 tmp]# scp /tmp/ldap.crt 172.16.42.137:/root [root@mq02 CA]# scp /etc/pki/CA/cacert.pem 172.16.42.137:/root
登录LDAP SERVER,修改/etc/openldap/slapd.conf配置文件 TLSCACertificatePath /etc/openldap/certs TLSCertificateFile /etc/openldap/certs/ldap.crt TLSCertificateKeyFile /etc/openldap/certs/ldap.key TLSVerifyClient allow
说明:
never:默认选项,不验证客户端证书。
allow:检查客户端证书,没有证书或证书错误,都允许连接。
try:检查客户端证书,没有证书(允许连接),证书错误(终止连接)。
demand | hard | true:检查客户端证书,没有证书或证书错误都将立即终止连接。
#修改ldap server 端/etc/sysconfig/ldap文件
SLAPD_LDAP=yes SLAPD_LDAPS=yes
重新生成配置文件,并重启slapd服务
rm -rf slapd.d/* slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d chown -R ldap:ldap slapd.d /etc/init.d/slapd restart
客户端配置
客户端修改配置文件/etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts URI ldaps://172.16.42.137 BASE dc=beyondh,dc=org TLS_REQCERT allow TLS_CACERT /etc/openldap/cacerts/cacert.pem
客户端重启
[root@mq02 CA]# /etc/init.d/nslcd restart
测试客户端是否能够连接服务器端
[root@mq02 openldap]# ldapwhoami -v -x -Z ldap_initialize( <DEFAULT> ) ldap_start_tls: Operations error (1) additional info: TLS already started anonymous Result: Success (0)
注意:
配置为TLS认证方式后,如果没有启动ldap方式,仅仅启用了ldaps认证方式,phpldapadmin web管理工具无法登陆了。原因不清楚。
另外做了mirrormode 的两台LDAP SERVER,如何使用TLS加密方式同步也不清楚。
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
本文出自 “zengestudy” 博客,请务必保留此出处http://zengestudy.blog.51cto.com/1702365/1910142
标签:ldap tls
原文地址:http://zengestudy.blog.51cto.com/1702365/1910142