openssl

Server configuration
Make sure these packages are installed (RHEL5),
rpm -q \
openssl \
openssl-devel \
openldap-servers

Make the self-signed key and certificate (both end up in the one file server.pem; the 1024-bit key of the original RHEL5 recipe is too small today, use at least 2048),
cd /etc/openldap/
openssl req -newkey rsa:2048 -x509 -nodes -out server.pem -keyout server.pem -days 365
Note. answer the Common Name prompt with the hostname the clients will put in their URI (ldapsrv here): the client library checks the certificate name against that hostname and refuses the connection on a mismatch.
check that the ldap user exists, then let only it read the file (it holds the private key),
grep ^ldap /etc/passwd
chown ldap:ldap server.pem
chmod 440 server.pem

Enable SSL/TLS,
cd /etc/openldap/
vi slapd.conf
add,
TLSCipherSuite HIGH:MEDIUM
TLSCACertificateFile /etc/openldap/server.pem
TLSCertificateFile /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.pem
TLSVerifyClient never
Note. the stock RHEL5 value is HIGH:MEDIUM:+SSLv2. In an OpenSSL cipher string a '+' only moves the matching suites to the end of the list, it does not exclude them, so the +SSLv2 buys nothing and is dropped here; HIGH:!aNULL:!eNULL is tighter still if every client can negotiate it.
Note. for TLSVerifyClient, we're using 'never' (the default) instead of 'demand': the server doesn't ask the client for a certificate. Only the server side is authenticated by TLS; clients authenticate with their bind over the encrypted session.
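The server-side steps above, as one script. This is an added example, not code from the original page: it generates the key and certificate non-interactively with the CN set to the hostname clients will use (ldapsrv is an assumption, pass your own), builds the combined server.pem with restrictive permissions, checks that the key and certificate actually belong together, and prints the slapd.conf fragment. It assumes openssl is installed; chown ldap:ldap is left to the operator because it needs root.

```sh
#!/bin/sh
# Added example, not from the original page: build the slapd key/certificate
# file described above, check it, and print the matching slapd.conf lines.
# Assumes openssl is installed. The CN (ldapsrv), directory and lifetime are
# parameters; nothing here is taken from a real server.

# make_selfsigned DIR CN DAYS: writes DIR/server.key, DIR/server.crt and the
# combined DIR/server.pem the TLS* directives point at. Returns non-zero if
# openssl fails.
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # 2048-bit RSA, no passphrase (slapd has to start unattended). The CN must
    # be the hostname clients put in their URI; libldap checks it (TLS_REQCERT demand).
    openssl req -newkey rsa:2048 -x509 -nodes -days "$days" -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # build the combined file under a restrictive umask, then open it to the
    # owner and group only (chown ldap:ldap is left to the operator, it needs root)
    ( umask 077; cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem" ) || return 1
    chmod 440 "$dir/server.pem" && chmod 400 "$dir/server.key" && chmod 444 "$dir/server.crt"
}

# cert_cn FILE: the Common Name of the certificate in FILE (works for the
# combined file too: x509 skips the key block and reads the certificate)
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert FILE: true when the private key and certificate in FILE share
# one RSA modulus, i.e. slapd will not refuse the pair at startup
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# slapd_tls_lines DIR: the slapd.conf fragment for that directory, with the
# +SSLv2 of the stock RHEL5 cipher string dropped
slapd_tls_lines() {
    cat <<EOF
TLSCipherSuite HIGH:MEDIUM
TLSCACertificateFile $1/server.pem
TLSCertificateFile $1/server.pem
TLSCertificateKeyFile $1/server.pem
TLSVerifyClient never
EOF
}

# usage: sh mkslapdcert.sh /etc/openldap ldapsrv [days]
if [ $# -ge 2 ]; then
    make_selfsigned "$1" "$2" "${3:-365}" || exit 1
    echo "CN: $(cert_cn "$1/server.pem")"
    key_matches_cert "$1/server.pem" && echo "key matches certificate"
    slapd_tls_lines "$1"
fi
```

server.crt is written separately on purpose: that is the only file that should ever leave the server for the clients' cacerts directory.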


Client configuration
Make sure these packages are installed (RHEL5),
rpm -q \
openldap-clients \
nss_ldap

The server's /etc/openldap/server.pem holds the private key as well as the certificate, so never copy that file around. On the server, extract the certificate alone,
openssl x509 -in /etc/openldap/server.pem -out /tmp/server.pem
send /tmp/server.pem to /etc/openldap/cacerts/server.pem on the client and make the hash link OpenSSL looks up,
cd /etc/openldap/cacerts/
ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0
Note. the link name must be the hash as computed by the OpenSSL the client library is linked against. The subject hash algorithm changed in OpenSSL 1.0.0 (there the pre-1.0 value is 'openssl x509 -subject_hash_old'), so a directory hashed with one version is not usable by the other; c_rehash on the directory does the same job as the ln above.

Back up and strip the default system authentication configuration files (comments and blank lines removed, so what is left is what actually applies),
cd /etc/
mv nsswitch.conf nsswitch.conf.dist
sed '/^#/d; /^$/d;' nsswitch.conf.dist > nsswitch.conf.dist.clean
cp nsswitch.conf.dist.clean nsswitch.conf
ls -l nsswitch.conf*

cd /etc/
mv ldap.conf ldap.conf.dist
sed '/^#/d; /^$/d;' ldap.conf.dist > ldap.conf.dist.clean
cp ldap.conf.dist.clean ldap.conf
ls -l ldap.conf*

cd /etc/openldap/
mv ldap.conf ldap.conf.dist
sed '/^#/d; /^$/d;' ldap.conf.dist > ldap.conf.dist.clean
cp ldap.conf.dist.clean ldap.conf
ls -l ldap.conf*
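The back-up-and-strip step above, repeated for three files, as one re-runnable function. This is an added example, not code from the original page. The page's `mv file file.dist` would, on a second run, replace the pristine backup with the already-stripped file; this version creates the .dist once and never touches it again, keeps the mode of the live file, and also drops indented comments and whitespace-only lines, which the page's `sed '/^#/d; /^$/d;'` leaves in. The file names in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: back up a configuration file once
# and rewrite it without comment and blank lines, safely re-runnable.

# clean_conf FILE: keep FILE.dist (the original, created on the first run only)
# and FILE.dist.clean, rewrite FILE as the stripped copy, and print the number
# of lines that remain. Returns non-zero if FILE does not exist.
clean_conf() {
    f=$1
    [ -f "$f" ] || { echo "clean_conf: $f: no such file" >&2; return 1; }
    if [ ! -e "$f.dist" ]; then
        cp -p "$f" "$f.dist" || return 1     # first run: preserve the original and its mode
    fi
    # strip comments (also indented ones) and blank lines (also whitespace-only);
    # always work from the .dist so a re-run gives the same result
    sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' "$f.dist" > "$f.dist.clean" || return 1
    cat "$f.dist.clean" > "$f" || return 1   # cat, not mv: owner and mode of FILE stay
    wc -l < "$f" | tr -d ' '
}

# usage: sh cleanconf.sh /etc/nsswitch.conf /etc/ldap.conf /etc/openldap/ldap.conf
for f in "$@"; do
    n=$(clean_conf "$f") && echo "$f: $n lines kept"
done
```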

Configure system authentication (RHEL5),
authconfig-tui
like,
use ldap
use ldap authentication
local authorization is sufficient
(next)
use tls
server: ldap://ldapsrv/
base dn: dc=lusers,dc=example,dc=net

Ready to go,
ldapsearch -x -ZZ
getent passwd
Note. -Z issues StartTLS and carries on even if it fails; -ZZ makes it mandatory, the search aborts if StartTLS does not succeed, so this is the one to use when checking the setup. getent passwd going through nss_ldap checks the NSS side; for it to use TLS, /etc/ldap.conf must carry 'ssl start_tls', which authconfig writes when 'use tls' is ticked.


Client troubleshooting
See if the ldap server is available without ssl/tls and look for your base dn,
ldapsearch -x -H "ldap://ldapsrv/" -b '' -s base '(objectclass=*)' namingContexts
ldapsearch -x -H "ldap://ldapsrv/" -b "dc=lusers,dc=example,dc=net"
Configure your ldap client so you don't have to specify host and base dn again,
cd /etc/openldap/
vi ldap.conf
like,
BASE dc=lusers,dc=example,dc=net
URI ldap://ldapsrv/
check again,
ldapsearch -x -s base '(objectclass=*)' namingContexts
ldapsearch -x

Now configure your ldap client to use ssl/tls,
cd /etc/openldap/
vi ldap.conf
add,
TLS_CACERTDIR /etc/openldap/cacerts
Note. the hash link must be in that directory (see above). libldap's default is TLS_REQCERT demand, so a certificate it cannot verify (missing or wrong hash, CN not matching the URI hostname) makes -ZZ fail.
Note. TLS_CACERT pointing straight at the .pem file also works and needs no hash. nss_ldap reads /etc/ldap.conf rather than this file and has its own directives for the same thing, tls_cacertdir and tls_cacertfile, so whichever form you pick has to be set in both files.
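The cacerts directory steps, both the ln above in the client configuration and the TLS_CACERTDIR note here, as one script. This is an added example, not code from the original page: it copies a certificate into a TLS_CACERTDIR-style directory, refuses a file that also carries a private key, creates the hash link (and the pre-1.0 hash link when the local openssl can compute it), picks the next free suffix on a hash collision, and verifies a certificate against the directory the way libldap will. It assumes openssl, cmp and readlink are available; the directory and file names in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: maintain a TLS_CACERTDIR and
# check that a certificate verifies against it.

# link_hash DIR PEMNAME HASH: create DIR/HASH.N -> PEMNAME with the first free N,
# so two certificates with the same subject hash do not clobber each other.
# Idempotent: an existing link to the same file is left alone.
link_hash() {
    dir=$1; name=$2; hash=$3; n=0
    while [ -e "$dir/$hash.$n" ]; do
        [ "$(readlink "$dir/$hash.$n")" = "$name" ] && return 0
        n=$((n + 1))
    done
    ln -s "$name" "$dir/$hash.$n"
}

# install_ca DIR CERTFILE: copy the certificate into DIR and link its hash(es).
# The file must contain the certificate only; the server's combined server.pem
# (key + certificate) is rejected so the private key never lands on a client.
install_ca() {
    dir=$1; pem=$2
    name=$(basename "$pem")
    dest="$dir/$name"
    if grep -q "PRIVATE KEY" "$pem"; then
        echo "install_ca: $pem contains a private key, copy the certificate only" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    if [ ! -e "$dest" ] || ! cmp -s "$pem" "$dest"; then
        cp "$pem" "$dest" || return 1
    fi
    chmod 444 "$dest"
    # -hash is the subject hash of the openssl running here (algorithm changed in
    # 1.0.0); also link the pre-1.0 hash when this openssl can compute it, so a
    # client library built against either version finds the file
    link_hash "$dir" "$name" "$(openssl x509 -noout -hash -in "$dest")" || return 1
    old=$(openssl x509 -noout -subject_hash_old -in "$dest" 2>/dev/null) &&
        [ -n "$old" ] && link_hash "$dir" "$name" "$old"
    return 0
}

# verify_against_dir DIR CERTFILE: true when CERTFILE chains to something in DIR.
# The output is checked rather than the exit code because old openssl releases
# exit 0 even when verification fails.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# usage: sh cacerts.sh /etc/openldap/cacerts /tmp/server.pem
if [ $# -eq 2 ]; then
    install_ca "$1" "$2" || exit 1
    verify_against_dir "$1" "$2" && echo "$2 verifies against $1"
fi
```

After running it, `ldapsearch -x -ZZ` with TLS_CACERTDIR pointing at that directory is the end-to-end check; `ldapsearch -d 1` shows the TLS handshake details when it does not.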