标签：mes   basic   upd   sha   基本   turn   密码   自己   blank   

OpenLDAP加密传输配置(CA服务器与openldap服务器异机)

阅读视图

1. 环境准备
2. CA证书服务器搭建
3. OpenLDAP服务端与CA集成
4. OpenLDAP客户端配置
5. 客户端测试验证
6. 故障处理

1. 环境准备

1. 服务器规划

1. 本文环境按照02-openldap服务端安装配置搭建出最基本的环境，用户数据来自02-openldap服务端安装配置中的第十步

2. CA证书服务器搭建

1. 安装OpenSSL软件

   [root@ca ~]# rpm -qa | grep openssl
   openssl-1.0.1e-57.el6.x86_64

2. CA中心生成自身私钥，命令如下。

   [root@ca ~]# cd /etc/pki/CA/
   [root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
   Generating RSA private key, 2048 bit long modulus
   .................................................+++
   ......................+++
   e is 65537 (0x10001)

3. CA签发自身公钥，命令如下。

   [root@ca CA]# openssl  req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter ‘.‘, the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:CN
   State or Province Name (full name) []:Shanghai
   Locality Name (eg, city) [Default City]:Shanghai
   Organization Name (eg, company) [Default Company Ltd]:GDY
   Organizational Unit Name (eg, section) []:Tech
   Common Name (eg, your name or your server‘s hostname) []:ca.gdy.com
   Email Address []:ca@gdy.com

   其中，各个字段含义如下。
   • Country Name(2 letter code)：两个字母的国家代号
   • State or Province Name(full name)[]：省份
   • Locality Name(eg, city)[Default City]：市或地区
   • Organization Name(eg, company)[Default Company Ltd]: 公司名称
   • Organizational Unit Name(eg, section)[]：部门名称，例如Tech
   • Common Name(eg, your name or your server‘s hostname)[]：通用名称，例如OL服务器的域名或IP地址。
   • Email Address []：邮件地址

4. 创建数据库文件及证书序列文件，命令如下

   [root@ca CA]# ls -lh
   total 20K
   -rw-r--r--  1 root root 1.4K Jun  1 17:04 cacert.pem
   drwxr-xr-x. 2 root root 4.0K Mar 23  2017 certs
   drwxr-xr-x. 2 root root 4.0K Mar 23  2017 crl
   drwxr-xr-x. 2 root root 4.0K Mar 23  2017 newcerts
   drwx------. 2 root root 4.0K Jun  1 17:01 private
   [root@ca CA]# touch serial index.txt
   [root@ca CA]# echo "01" > serial 

   目录文件用途如下
   • cacert.pem：CA自身证书文件（可根据自己需求进行修改）
   • certs：客户端证书存放目录
   • crl：CA吊销的客户端证书存放目录
   • newcerts：生成新证书存放目录
   • index.txt：存放客户端证书信息
   • serial：客户端证书编号（编号可自定义），用于识别客户端证书。
   • private：存放CA自身私钥的目录

5. 通过OpenSSL命令获取根证书信息，命令如下

   [root@ca CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 14795263444614255073 (0xcd5355b6d68e11e1)
       Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
           Validity
               Not Before: Jun  5 07:06:49 2018 GMT
               Not After : May 12 07:06:49 2118 GMT
           Subject: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
                   Public-Key: (2048 bit)
                   Modulus:
                       00:ba:0a:fa:87:16:4b:75:94:d6:98:a5:75:f5:93:
                       44:60:0c:c4:bc:d6:5e:3e:be:4c:29:41:36:5c:2d:
                       b8:c8:1e:97:10:38:0a:2d:60:0e:d9:38:5f:f5:7b:
                       ab:af:b6:35:d5:48:c0:50:c3:1e:17:5b:a8:c6:f8:
                       75:55:c7:0b:fb:7e:68:fc:a6:77:f9:7a:9a:d0:8f:
                       5a:c6:ca:c7:a7:b5:34:d4:ca:13:d6:3c:b6:aa:86:
                       7e:8f:17:24:f7:ce:b0:5f:11:3b:8a:6a:40:50:cc:
                       5c:b5:cc:b3:e2:17:be:f6:ab:f6:ae:6a:2f:58:88:
                       5f:12:65:58:cb:17:5e:00:51:ec:31:64:a7:d6:02:
                       63:b3:63:cc:00:87:49:67:a2:60:a0:82:ed:a8:08:
                       c5:77:c1:0a:04:42:9d:f2:c5:31:e7:b4:ee:67:f7:
                       28:05:27:a0:b3:06:b0:89:b5:8d:3c:14:79:6c:30:
                       ca:d3:90:8f:e5:72:61:13:c3:4d:bc:5a:80:9f:85:
                       3a:20:4c:9b:0d:bb:c0:bd:d5:98:65:0b:0e:29:e2:
                       45:ed:c2:e8:1c:74:e7:94:9b:07:49:28:06:13:44:
                       98:b5:a9:e3:46:59:99:77:e8:12:a8:91:38:bc:9f:
                       ef:48:b2:8f:58:8d:7c:a3:ba:fb:4f:e3:7b:8c:65:
                       20:6b
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Subject Key Identifier: 
                   FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
               X509v3 Authority Key Identifier: 
                   keyid:FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
   
               X509v3 Basic Constraints: 
                   CA:TRUE
       Signature Algorithm: sha1WithRSAEncryption
           38:9c:52:b7:a2:d8:03:60:ec:78:2a:4b:9b:b8:02:10:44:09:
           39:d3:e9:d0:b2:9a:bc:d5:2d:1d:a1:92:12:d7:06:c7:2c:c7:
           27:95:a5:8d:f1:db:e5:7b:09:d4:0e:a1:70:d9:d9:59:7b:54:
           5a:a0:19:b8:d4:ec:36:23:cf:8f:c1:a3:c3:a6:99:a6:3e:dc:
           1c:cc:8a:53:20:07:a6:f7:5d:c2:9d:7f:e2:ef:07:eb:f3:ca:
           c2:9b:6d:47:f1:34:70:e7:56:44:db:2d:8a:46:26:21:ce:99:
           62:21:b2:05:51:86:8c:ba:25:9e:3b:81:e8:0f:68:73:21:75:
           d7:64:c2:ed:4a:3b:4a:9d:74:da:ca:3a:4f:df:1f:c1:a5:88:
           6e:08:a8:2f:9b:f8:75:00:0d:53:6b:be:24:97:f8:03:6a:69:
           87:56:ec:57:ae:85:a4:9c:71:fa:dd:f8:e6:d9:8c:69:d8:ab:
           66:6e:da:c8:5d:2f:a7:34:b5:17:65:79:3e:02:d9:81:64:6e:
           37:9d:e6:26:59:18:73:83:f6:06:c4:a0:ff:7e:90:e2:a3:5f:
           a7:01:41:c0:e6:bc:c8:ce:b6:19:0a:78:19:f6:16:9d:45:9b:
           e3:46:9c:6f:ca:d5:29:61:4b:38:95:e9:65:b5:62:8d:78:c4:
           83:8b:f8:10

6. 自建CA完成

3. OpenLDAP服务端与CA集成

1. 在openldap服务器上生成密钥

   [root@mldap01 ~]# mkdir -pv /etc/openldap/ssl
   mkdir: created directory `/etc/openldap/ssl‘
   [root@mldap01 ~]# cd /etc/openldap/ssl
   [root@mldap01 ssl]# (umask 077; openssl genrsa -out ldapkey.pem 1024)
   Generating RSA private key, 1024 bit long modulus
   ............................++++++
   ...++++++
   e is 65537 (0x10001)
   [root@mldap01 ssl]# ls -lh
   total 4.0K
   -rw------- 1 root root 887 Jun  5 15:26 ldapkey.pem

2. OpenLDAP服务端向CA申请证书签署请求，命令如下

   [root@mldap01 ssl]# openssl req -new -key ldapkey.pem -out ldap.csr -days 36500
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter ‘.‘, the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:CN
   State or Province Name (full name) []:Shanghai
   Locality Name (eg, city) [Default City]:Shanghai
   Organization Name (eg, company) [Default Company Ltd]:GDY
   Organizational Unit Name (eg, section) []:Tech
   Common Name (eg, your name or your server‘s hostname) []:mldap01.gdy.com
   Email Address []:mldap@gdy.com
   
   Please enter the following ‘extra‘ attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:

3. CA服务器核实并签发证书

   如果CA服务器与openldap服务器不在同一台，需要将上述步骤生成的ldap.csr文件上传到CA服务器签署

   先在openldap服务器上将ldap.csr文件上传到CA服务器签署
   [root@mldap01 ssl]# scp ldap.csr root@ca:/root/   
   The authenticity of host ‘ca (192.168.244.23)‘ can‘t be established.
   RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added ‘ca,192.168.244.23‘ (RSA) to the list of known hosts.
   root@ca‘s password: 
   ldap.csr                                                                                                                      100%  696     0.7KB/s   00:00  
   
   [root@ca ~]# openssl ca -in ldap.csr -out ldapcert.pem -days 36500
   Using configuration from /etc/pki/tls/openssl.cnf
   Check that the request matches the signature
   Signature ok
   Certificate Details:
           Serial Number: 1 (0x1)
           Validity
               Not Before: Jun  5 10:00:26 2018 GMT
               Not After : May 12 10:00:26 2118 GMT
           Subject:
               countryName               = CN
               stateOrProvinceName       = Shanghai
               organizationName          = GDY
               organizationalUnitName    = Tech
               commonName                = mldap01.gdy.com
               emailAddress              = mldap@gdy.com
           X509v3 extensions:
               X509v3 Basic Constraints: 
                   CA:FALSE
               Netscape Comment: 
                   OpenSSL Generated Certificate
               X509v3 Subject Key Identifier: 
                   26:1C:25:DA:AD:A0:E3:72:43:CD:AC:7F:77:9E:37:BD:1B:EF:1A:FE
               X509v3 Authority Key Identifier: 
                   keyid:CB:DE:C2:81:45:FE:B3:10:02:95:DA:49:16:F6:FA:03:13:F6:3E:2E
   
   Certificate is to be certified until May 12 10:00:26 2118 GMT (36500 days)
   Sign the certificate? [y/n]:y
   
   
   1 out of 1 certificate requests certified, commit? [y/n]y
   Write out database with 1 new entries
   Data Base Updated
   
   然后将生成的ldapcert.pem文件和ca公钥文件发送至Openldap服务器/etc/openldap/ssl目录下
   [root@ca ~]# scp ldapcert.pem /etc/pki/CA/cacert.pem root@192.168.244.17:/etc/openldap/ssl/
   The authenticity of host ‘192.168.244.17 (192.168.244.17)‘ can‘t be established.
   RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added ‘192.168.244.17‘ (RSA) to the list of known hosts.
   root@192.168.244.17‘s password: 
   ldapcert.pem                                                                                                                  100% 3828     3.7KB/s   00:00    
   cacert.pem                                                                                                                    100% 1391     1.4KB/s   00:00

4. OpenLDAP TLS/SASL部署

   修改证书权限
   [root@mldap01 ssl]# chown ldap.ldap -R /etc/openldap
   [root@mldap01 ssl]# chmod -R 0400 /etc/openldap/ssl/*
   
   修改OpenLDAP配置文件，添加证书文件
   [root@mldap01 ~]# vim /etc/openldap/slapd.conf
   #TLSCACertificatePath /etc/openldap/certs
   #TLSCertificateFile "\"OpenLDAP Server\""
   #TLSCertificateKeyFile /etc/openldap/certs/password
   TLSCACertificateFile /etc/openldap/ssl/cacert.pem
   TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
   TLSCertificateKeyFile  /etc/openldap/ssl/ldapkey.pem
   TlsVerifyClient never

   TLSVerifyClient

5. 通过CA证书公钥验证OpenLDAP服务端证书的合法性，命令如下

   [root@mldap01 ~]# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem 
   /etc/openldap/ssl/ldapcert.pem: OK

6. 确认当前套接字是否通过CA的验证，命令如下

   [root@mldap01 ssl]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem               
   CONNECTED(00000003)
   SSL_connect:before/connect initialization
   SSL_connect:SSLv2/v3 write client hello A
   SSL_connect:SSLv3 read server hello A
   depth=1 C = CN, ST = Shanghai, L = Shanghai, O = GDY, OU = Tech, CN = ca.gdy.com, emailAddress = ca@gdy.com
   verify return:1
   depth=0 C = CN, ST = Shanghai, O = GDY, OU = Tech, CN = mldap01.gdy.com, emailAddress = mldap@gdy.com
   verify return:1
   SSL_connect:SSLv3 read server certificate A
   SSL_connect:SSLv3 read server key exchange A
   SSL_connect:SSLv3 read server done A
   SSL_connect:SSLv3 write client key exchange A
   SSL_connect:SSLv3 write change cipher spec A
   SSL_connect:SSLv3 write finished A
   SSL_connect:SSLv3 flush data
   SSL_connect:SSLv3 read finished A
   ---
   Certificate chain
   0 s:/C=CN/ST=Shanghai/O=GDY/OU=Tech/CN=mldap01.gdy.com/emailAddress=mldap@gdy.com
   i:/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=ca.gdy.com/emailAddress=ca@gdy.com
   -----BEGIN CERTIFICATE-----
   MIIDajCCAlKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCQ04x

4. OpenLDAP客户端配置

1. 将CA公钥证书发送至客户端

   [root@mldap01 ssl]# scp cacert.pem root@192.168.244.18:/etc/openldap/ssl/
   

2. 配置/etc/openldap/ldap.conf

   [root@test01 ~]# grep -Ev "^$|^#" /etc/openldap/ldap.conf 
   TLS_CACERTDIR /etc/openldap/ssl
   TLS_CACERT /etc/openldap/ssl/cacert.pem
   TLS_REQCERT never 
   BASE dc=gdy,dc=com
   URI ldaps://mldap01.gdy.com

   TLS_REQCERT [never allow try demand | hard] # 设置是否在TLS会话中检查server证书。
   • Never：不检查任何证书。
   • Allow：检查server证书，没有证书或证书错误，都允许连接。
   • Try：检查server证书，没有证书（允许连接），证书错误（终止连接）。
   • demand | hard：检查server证书，没有证书或证书错误都将立即终止连接。

3. 配置/etc/nslcd.conf

   [root@test01 ~]# grep -Ev "^$|^#" /etc/nslcd.conf 
   uid nslcd
   gid ldap
   uri ldaps://mldap01.gdy.com
   base dc=gdy,dc=com
   ssl on
   tls_cacertdir /etc/openldap/ssl
   tls_cacertfile /etc/openldap/ssl/cacert.pem
   tls_reqcert never

4. 配置/etc/pam_ldap.conf

   [root@test01 ~]# grep -Ev "^$|^#" /etc/pam_ldap.conf 
   host 127.0.0.1
   base dc=gdy,dc=com
   uri ldaps://mldap01.gdy.com
   ssl on
   tls_cacertdir /etc/openldap/ssl
   tls_cacertfile /etc/openldap/ssl/cacert.pem
   tls_reqcert never
   bind_policy soft

5. 客户端测试验证

1. 通过客户端匿名测试SSL连接是否正常，命令如下

   [root@test01 ~]# ldapwhoami -v -x -Z
   ldap_initialize( <DEFAULT> )
   ldap_start_tls: Operations error (1)
           additional info: TLS already started
   anonymous
   Result: Success (0)

2. LDAP用户验证密码, 命令如下

   [root@test01 ~]# ldapwhoami -D "uid=user1,ou=people,dc=gdy,dc=com" -W -H ldaps://mldap01.gdy.com -v
   ldap_initialize( ldaps://mldap01.gdy.com:636/??base )
   Enter LDAP Password: 
   dn:uid=user1,ou=people,dc=gdy,dc=com
   Result: Success (0)

3. 在客户端搜索OpenLDAP域信息, 命令如下

   [root@test01 ~]# ldapsearch -x -b ‘dc=gdy,dc=com‘ -H ldaps://mldap01.gdy.com
   # extended LDIF
   #
   # LDAPv3
   # base <dc=gdy,dc=com> with scope subtree
   # filter: (objectclass=*)
   # requesting: ALL
   #
   
   # gdy.com
   dn: dc=gdy,dc=com
   dc: gdy
   objectClass: top
   objectClass: domain
   
   # people, gdy.com
   ... 省略

故障处理

1. openssl s_client连接时报错如下

   [root@mldap01 ~]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem 
   CONNECTED(00000003)
   SSL_connect:before/connect initialization
   SSL_connect:SSLv2/v3 write client hello A
   139640374728520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
   ---
   no peer certificate available
   ---
   No client certificate CA names sent
   ---
   SSL handshake has read 0 bytes and written 247 bytes
   ---
   New, (NONE), Cipher is (NONE)
   Secure Renegotiation IS NOT supported
   Compression: NONE
   Expansion: NONE
   ---

   没有解决：openldap和ca服务器不在同一台时没有这个问题, 下次我ca和ldap服务器使用同一个名字试试

09-OpenLDAP加密传输配置

标签：mes   basic   upd   sha   基本   turn   密码   自己   blank   

原文地址：https://www.cnblogs.com/cishi/p/9160562.html