LDAP 开启 TLS
服务端
自定义CA签名证书
- 创建根密钥
openssl genrsa -out laoshirenCA.key 2048
- 创建自签名根证书
openssl req -x509 -new -nodes -key laoshirenCA.key -sha256 -days 1024 -out laoshirenCA.pem
输出:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:SYS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:# 此处写自己的 LDAP 服务IP 或者域名
Email Address []:xxx@xxx.com
LDAP服务器创建私钥
openssl genrsa -out laoshirenldap.key 2048
- 创建证书签名请求
openssl req -new -key laoshirenldap.key -out laoshirenldap.csr
输出:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:SYS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:# 此处写自己的 LDAP 服务IP 或者域名
Email Address []:xxx@xxx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- 使用自定义根CA签署证书签名请求
openssl x509 -req -in laoshirenldap.csr -CA laoshirenCA.pem -CAkey laoshirenCA.key -CAcreateserial -out laoshirenldap.crt -days 1460 -sha256
- 拷贝使用到的证书到应用目录并更改权限
cp laoshirenldap.{crt,key} laoshirenCA.pem /etc/openldap/certs/
chown -R ldap:ldap /etc/openldap/certs/
配置 LDAP开启 TLS
-
导入证书到配置文件
vim certs.ldif # 按照此顺序(报错时切换顺序尝试) dn: cn=config changetype: modify replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/laoshirenldap.crt dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/certs/laoshirenCA.pem dn: cn=config changetype: modify replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/laoshirenldap.key -
导入配置
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif -
验证服务
#StartTLS 继续使用389端口 netstat -nlp -t |grep :389 tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 12483/slapd tcp6 0 0 :::389 :::* LISTEN 12483/slapd -
更改服务配置文件
# 配置认证方式 vim /etc/openldap/ldap.conf TLS_REQCERT never -
测试
StartTLS执行ldapsearch -x -ZZ后,查看日志,内容有 TLS established tls_ssf=256 ssf=256, 服务端配置正常 Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 ACCEPT from IP=[::1]:52758 (IP=[::]:389) Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 op=0 STARTTLS Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 op=0 RESULT oid= err=0 text= Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 TLS established tls_ssf=256 ssf=256 Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 op=1 BIND dn="" method=128 Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 op=1 RESULT tag=97 err=0 text= Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 op=2 SRCH base="" scope=2 deref=0 filter="(objectClass=*)" Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text= Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 op=3 UNBIND Jan 9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 closed
客户端
- 使用nslcd(Naming services LDAP client daemon)
# StartTLS
authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldap://172.16.10.220 --ldapbasedn='dc=laoshiren,dc=com' --enablemkhomedir --update
- 使用服务器证书
# 下载
wget http://xxxxxx/laoshirenCA.pem -O /etc/openldap/cacerts/laoshirenCA.pem
# 或
scp laoshirenCA.pem 172.16.10.10:/etc/openldap/cacerts/
- 创建CA证书的c哈希
/etc/pki/tls/misc/c_hash /etc/openldap/cacerts/laoshirenCA.pem
61450bc7.0 => /etc/openldap/cacerts/laoshirenCA.pem
- 创建证书哈希链接
ln -s /etc/openldap/cacerts/laoshirenCA.pem
- 配置使用证书与验证方式
vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/laoshirenCA.pem
TLS_REQCERT never
- 配置
mslcd启用start_tls
vim /etc/nslcd.conf
# StartTLS
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/laoshirenCA.pem
tls_reqcert never
systemctl restart nslcd
systemctl enable nslcd
- 指定
LDAP检索顺序
由它规定通过哪些途径以及按照什么顺序以及通过这些途径来查找特定类型的信息,还可以指定某个方法奏效或失效时系统将采取什么动作
vim /etc/nsswitch.conf
变更为
passwd: files ldap
shadow: files ldap
group: files ldap
- 测试
TLS
ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
anonymous
Result: Success (0)
ldapsearch -x -Z -H ldap://172.16.10.220 -b 'ou=Group,dc=laoshiren,dc=com'
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=laoshiren,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Group, laoshiren.com
dn: ou=Group,dc=laoshiren,dc=com
objectClass: organizationalUnit
ou: Group
# linux_group, Group, laoshiren.com
dn: cn=linux_group,ou=Group,dc=laoshiren,dc=com
cn: linux_group
gidNumber: 500
objectClass: posixGroup
objectClass: top
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2
2348
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
