首先要实现openLDAP的编译安装以及配置
注意:上篇中的 3. 主配置文件slapd.conf 中 信息如下所示:
#修改域名及管理员账户名; suffix "dc=mirage,dc=com" rootdn "cn=AuthUsers,dc=mirage,dc=com"
为啥要用TLS?
Openldap默认使用简单验证,对slapd的所有访问都使用明文密码通过未加密通道进行。为了确保信息安全,需要对信息进行加密传输,SSL(Secure Sockets Layer)是一个可靠的解决方案。
它使用 X.509 证书,由可信任第三方(Certificate Authority (CA))进行数字签名的一个标准格式的数据。有效的数字签名意味着已签名的数据没有被篡改。如果签名的数据被更改,将不会通过验证
SSL/TLS 加密原理简介
SSL/TLS 是基于 PKI 机制的加密方式,包括证书认证、密钥交换、非对称加密、对称加密。SSL/TLS 采用 CA 作为服务端和客户端都信赖的具有权威性的组织,证书的颁发和认证都依赖于 CA,并假定 CA 颁发的证书是可靠的、可信赖的,证书里面的内容是真实的、有效的,并可用于客户机和服务器进行安全的可靠的通信加密。
SSL/TLS 证书用来认证服务器和客户机双方的身份,并用于密钥交换时候的非对称加密。密钥交换完毕之后,就可以用这个密钥做通信数据的对称加密了,具体的加密算法是由客户机和服务器互相协商得来。服务器和客户机由于 SSL/TLS 库的不同以及用户的配置不同,双方支持的算法列表不完全相同,当双方做 SSL/TLS 握手的时候,就需要将自己支持的算法列表及优先顺序告知对方,一旦对方按照优先顺序找到了第一个支持的算法,那么协商完成,否则双方协商失败,SSL/TLS 连接断开。
环境说明:
主机名 | 角色 | IP地址 |
ldapsrv02.contoso.com | openldap server | 192.168.49.139 |
ldapclient.contoso.com | openldap client + CA | 192.168.49.136 |
ldapsrv02是新添加的一台CentOS 6.5,这里直接使用之前的openldap的安装脚本进行安装,里面并未有任何数据,是一个空的域(域名也是contoso.com,为之后做双机同步做准备)。
真实配置如下
注意: [root@ldapclient ~] 都是在ip为192.168.1.22的机器上的操作(client) [root@ldapsrv02 ~] 都是在ip为192.168.1.93的机器上的操作(server) root@192.168.49.136:/root 都需要改为192.168.1.22 root@192.168.49.139:/root 都需要改为192.168.1.93 在本次操作中。CA为独立的服务器,则需要将用户的证书颁发请求通过ssh传至CA服务端中,当服务端完成签发后,再通过ssh将用户证书文件传送给客户端即可。 若OpenLDAP服务端 也作为CA,所以不需要通过SSH进行传输数据。在生产环境中部署时不建议二者混合使用,而推荐采用独立的服务器作为CA。 |
准备工作:
在两台CentOS上安装openssl.(这个是必须的)
yum -y install openssl
[root@ldapclient ~]# rpm -qa openssl
openssl-1.0.1e-15.el6.x86_64
[root@ldapsrv02 ~]# rpm -qa openssl
openssl-1.0.1e-15.el6.x86_64
一、建立CA中心
1)配置CA签发信息
以下是在client端的操作,(可以先跳过这里):
这里填写的信息 要记住,要与后边CA服务器生成公钥填写的信息一致
cd /etc/pki/CA/
touch index.txt
echo 01 >serial
cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.bak$(date +%F)
vi /etc/pki/tls/openssl.cnf
[root@ldapclient CA]# diff /etc/pki/tls/openssl.cnf.bak2016-09-18 /etc/pki/tls/openssl.cnf
50c50
< certificate = $dir/cacert.pem # The CA certificate
---
> certificate = $dir/CA.crt # The CA certificate
55c55
< private_key = $dir/private/cakey.pem# The private key
---
> private_key = $dir/private/CA.key # The private key
130c130
< countryName_default = XX
---
> countryName_default = CN
135c135
< #stateOrProvinceName_default = Default Province
---
> stateOrProvinceName_default = Guangdong
138c138
< localityName_default = Default City
---
> localityName_default = Shenzhen
141c141
< 0.organizationName_default = Default Company Ltd
---
> 0.organizationName_default = contoso
148c148
< #organizationalUnitName_default =
---
> organizationalUnitName_default = Tech
2)CA服务器生成自己的私钥
[root@ldapclient CA]# (umask 077;openssl genrsa -out private/CA.key)
Generating RSA private key, 1024 bit long modulus
...............++++++
..........++++++
e is 65537 (0x10001)
3)CA服务器生成公钥(CA证书)
真实配置如下
|
[root@ldapclient CA]# openssl req -new -x509 -key private/CA.key >CA.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [contoso]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.contoso.com
Email Address []:1217406852@qq.com
二、openldap server生成私钥及证书请求文件
1)ldapsrv02生成自己的私钥
[root@ldapsrv02 ~]# openssl genrsa -out ldapsrv02.key
Generating RSA private key, 1024 bit long modulus
...........................++++++
.....++++++
e is 65537 (0x10001)
2)ldapsrv02生成证书请求文件
真实配置如下
注意: 在OpenLDAP服务器向CA申请证书签署请求,时候。除了Common Name、Email Address 以外,以上所有值必须和CA证书所填写的信息保持一致,否则无法得到验证。 |
[root@ldapsrv02 ~]# openssl req -new -key ldapsrv02.key -out ldapsrv02.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:contoso
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ldapsrv02.contoso.com
Email Address []:1217406852@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
三、CA服务器向openldap server签发证书
1)ldapsrv02向CA请求证书
[root@ldapsrv02 ~]# scp ldapsrv02.csr root@192.168.49.136:/root
The authenticity of host '192.168.49.136 (192.168.49.136)' can't be established.
RSA key fingerprint is f9:ce:14:5d:cd:bb:3c:b4:0d:0b:fc:21:3a:92:43:6b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.49.136' (RSA) to the list of known hosts.
root@192.168.49.136's password:
ldapsrv02.csr 100% 777 0.8KB/s 00:00
2)CA服务器颁发证书
[root@ldapclient CA]# openssl ca -in /root/ldapsrv02.csr -out /root/ldapsrv02.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 18 08:22:46 2016 GMT
Not After : Sep 18 08:22:46 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Guangdong
organizationName = contoso
organizationalUnitName = Tech
commonName = ldapsrv02.contoso.com
emailAddress = 1217406852@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
39:FB:0E:BD:7D:03:7E:F3:9E:C3:BE:5B:4D:45:8B:63:B7:8B:7F:26
X509v3 Authority Key Identifier:
keyid:08:FF:94:52:EC:BD:97:12:5B:96:DD:1E:36:08:43:FF:AD:2F:7B:C8
Certificate is to be certified until Sep 18 08:22:46 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
四、openldap server下载并安装证书
1)ldapsrv02下载证书
[root@ldapclient CA]# scp /root/ldapsrv02.crt root@192.168.49.139:/root
The authenticity of host '192.168.49.139 (192.168.49.139)' can't be established.
RSA key fingerprint is 88:23:68:20:34:ef:8b:5c:28:ef:c1:d5:ea:ef:4f:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.49.139' (RSA) to the list of known hosts.
root@192.168.49.139's password:
ldapsrv02.crt 100% 3271 3.2KB/s 00:00
[root@ldapclient CA]# scp CA.crt ldapsrv02:/etc/openldap/certs/
The authenticity of host 'ldapsrv02 (192.168.49.139)' can't be established.
RSA key fingerprint is 88:23:68:20:34:ef:8b:5c:28:ef:c1:d5:ea:ef:4f:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ldapsrv02' (RSA) to the list of known hosts.
root@ldapsrv02's password:
CA.crt 100% 1078 1.1KB/s 00:00
2)ldapsrv02安装证书
mv ldapsrv02.crt /etc/openldap/certs/
mv ldapsrv02.key /etc/openldap/certs/
chown -R ldap:ldap /etc/openldap/certs/
vi /etc/openldap/ldap.conf #编辑ldap.conf文件
[root@ldapsrv02 ~]# tail -3 /etc/openldap/ldap.conf
URI ldap://ldapsrv02.contoso.com
BASE dc=contoso,dc=com
TLS_CACERTDIR /etc/openldap/certs
vi /etc/openldap/slapd.conf
[root@ldapsrv02 ~]# grep TLS /etc/openldap/slapd.conf #编辑slapd.conf文件,主要是TLS配置
# The next three lines allow use of TLS for encrypting connections using a
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile /etc/openldap/certs/ldapsrv02.crt
TLSCertificateKeyFile /etc/openldap/certs/ldapsrv02.key
[root@ldapsrv02 ~]# service slapd stop #关闭slapd服务
Stopping slapd: [ OK ]
[root@ldapsrv02 ~]# slapd -h "ldap://192.168.49.139/ ldaps://192.168.49.139/" #重启slapd服务,这里同时监听加密和不加密端口
[root@ldapsrv02 ~]# lsof -i :389 #查看不加密的slapd端口389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 1757 root 7u IPv4 14100 0t0 TCP *:ldap (LISTEN)
slapd 1757 root 8u IPv6 14101 0t0 TCP *:ldap (LISTEN)
[root@ldapsrv02 ~]# lsof -i :636 #查看加密的slapd端口636
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 1757 root 9u IPv4 14104 0t0 TCP *:ldaps (LISTEN)
slapd 1757 root 10u IPv6 14105 0t0 TCP *:ldaps (LISTEN)
[root@ldapsrv02 ~]# netstat -tunlp|grep slapd #查看slapd监听的端口
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1757/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1757/slapd
tcp 0 0 :::636 :::* LISTEN 1757/slapd
tcp 0 0 :::389 :::* LISTEN 1757/slapd
五、ldapclient客户端测试
1)下载CA公钥
cp /etc/pki/CA/private/CA.key /etc/openldap/certs/
说明:因为我的CA证书中心也同时作为ldap客户端,所以这里只需要拷贝到对应目录即可,如果CA证书中心和ldap客户端不在同一台服务器上,需要使用scp或者rz等其他方式拷贝到ldap客户端上。
2)修改ldap客户端配置
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.bak$(date +%F)
vi /etc/openldap/ldap.conf
[root@ldapclient CA]# /etc/init.d/nslcd restart
Stopping nslcd: [ OK ]
Starting nslcd: [ OK ]
[root@ldapclient CA]# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
上述错误的解决方法是:
编辑/etc/openldap/ldap.conf,添加““TLS_REQCERT allow”,然后重启nslcd服务即可。
vi /etc/openldap/ldap.conf
[root@ldapclient CA]# egrep -v "#|^$" /etc/openldap/ldap.conf
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/certs
BASE dc=contoso,dc=com
URI ldaps://ldapsrv02.contoso.com/
/etc/init.d/nslcd restart
[root@ldapclient CA]# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
ldap_start_tls: Operations error (1)
additional info: TLS already started
anonymous
Result: Success (0)
[root@ldapclient CA]# ldapsearch -x -D "cn=admin,dc=contoso,dc=com" -H ldaps://192.168.49.139 -W -b "dc=contoso,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=contoso,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
#因为ldapsrv02仅仅是安装了openldap,并没有导入数据,所以这里的查询结果是正确的。
综上所述: 配置后的文件大致如下:
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
在测试TLS传输加密时候可以进行抓包查看 服务器端(192.168.1.93)--- 监听: #tcpdump -i eth0 -w /dev/shm/ldap.pcap | grep -v ssh 客户端(192.168.1.22)--- 查询: #ldapsearch -x -LLL -D "cn=AuthUsers,dc=mirage,dc=com" -w asdfgh -H ldaps://192.168.1.93 -b "dc=mirage,dc=com" |
查看.crt / .pem /.csr文件:
[root@localhost CA]# openssl x509 -noout -text -in CA.crt
ldapsrv02.crt ldapsrv02.csr ldapsrv02.key
测试过程 |
服务器端188: 1、首先查看slapd服务器进程 [root@localhost ~]# ps aux | grep slapd 2、若不存在,执行下面的语句 [root@localhost openldap]# /usr/local/libexec/slapd -h "ldap://192.168.1.188 ldaps://192.168.1.188" 3、再次查看 [root@localhost ~]# ps aux | grep slapd 4、若没有正常启动 执行下面语句 [root@localhost openldap]# /usr/local/libexec/slapd -h "ldap://192.168.1.188 ldaps://192.168.1.188" -d 256 (服务器端188:-d 256 是为debug) (若提示5b20eb1e daemon: bind(7) failed errno=98 (Address already in use) :说明slapd进行显示) (若提示库TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:821有问题:则说明是slapd.d下面的文件在改完slapd.conf文件后没有更新) 5、服务器端查询目录树条目(ldapsearch会通过/usr/local/etc/openldap/ldap.conf配置文件读取basea和url值进行查询) [root@localhost ~]# ldapsearch -x -LLL (若提示ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1):说明ldap.conf中修改URI ldap://服务器IP地址或者使用域名形式(能被解析即可) 或者是因为 slapd进程没有启动成功) |
(单查看服务器端是否成功)确认当前的套接字是否能够通过CA认证(说明OpenLDAP服务端使用SSL/TLS加密传输协议) 服务器端: [root@localhost certs]# killall slapd [root@localhost certs]# /usr/local/libexec/slapd -h "ldaps://192.168.1.188" [root@localhost certs]# openssl s_client -connect 192.168.1.188:636 -showcerts -state -CAfile /usr/local/etc/openldap/certs/CA.crt (成功显示 00a0 - 28 86 fa 51 6d 17 4f be-41 0e 7f de c5 27 5e 6a (..Qm.O.A....'^j
Compression: 1 (zlib compression) Start Time: 1528885067 Timeout : 300 (sec) Verify return code: 0 (ok)) |
|
客户端177: 客户端端查询目录树条目 [root@slave1 openldap]# ldapsearch -x -H "ldap://192.168.1.188" -b "dc=mirage,dc=com" (若提示ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1):说明cd /usr/local/etc/openldap/ldap.conf中TLS_REQCERT allow 这句没有添加 或者是因为 服务器端slapd进程没有启动成功,需要去服务器端查看一下) |
客户端查看通过CA证书公钥验证OpenLDAP服务端证书的合法性 客户端执行# openssl verify -CAfile /etc/pki/CA/CA.crt /root/ldapsrv02.crt /root/ldapsrv02.crt: OK 服务器端执行[root@localhost certs]# openssl verify -CAfile /usr/local/etc/openldap/certs/CA.crt /root/openldap_server/ldapsrv02.crt /root/openldap_server/ldapsrv02.crt: OK |
参考的链接:https://www.cnblogs.com/lemon-le/p/6266921.html
https://m.linuxidc.com/Linux/2017-10/147558.htm&http:/m.linuxidc.com/Linux/2017-10/147558.htm
919
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
