此脚本中只是负责实现了TLS加密配置部分,openLDAP的编译安装以及设置是前期已经配置好的!
具体的配置看上上篇文章openLDAP的编译安装以及配置。
注意slapd.conf中的配置,脚本中假定为【suffix "dc=mirage,dc=com"  rootdn "cn=AuthUsers,dc=mirage,dc=com"】(下文追加到ldap.conf的 BASE 值与之对应)
ldapTls.sh
代码在此不做太多的解释,配置文档看Openldap配置TLS加密传输(完整版——手动配置)
代码的下载:链接:https://pan.baidu.com/s/1OeYA8MptDUFqKnY3mppPYA 密码:uqza |
ldapTls.sh |
主配置文件: sh -n ldapTls.sh #只检查脚本语法,不执行 sh -x ldapTls.sh #跟踪调试shell脚本,显示执行的每条命令(注意:-x 会把 SERVER_PASSWD 等变量的值打印出来) |
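#!/bin/bash
#description: LDAP TLS
# Drives the TLS set-up for an already-built OpenLDAP server: builds a local
# CA, obtains a key/CSR for the server, signs it, ships the certificates to
# the server and rewrites ldap.conf/slapd.conf on both sides.  Everything
# below is configuration; the helpers (*.exp, chenOpslConf.sh) live in
# RUN_PATH.  Bash rather than POSIX sh: the script uses `function`-style
# definitions, `==` and `echo -e`.
CLICA_PATH="/etc/pki/CA"                          # CA dir: index.txt, serial, private/CA.key, CA.crt
CLICATLS_PATH="/etc/pki/tls/"
CLICATLS_NAME="/etc/pki/tls/openssl.cnf"          # openssl.cnf read by `openssl ca`
SERVER_PATH="/root/openldap_server"               # scratch dir on the LDAP server
SERVEROLDLDAP_PATH="/etc/openldap"                # stock ldap.conf used as template
SERVERLDAP_PATH="/usr/local/etc/openldap"         # config dir of the source-built OpenLDAP
SERVERCERT_PATH="/usr/local/etc/openldap/certs/"  # CA.crt / server cert+key land here
SERVER_IP="192.168.1.188"  # LDAP server address
SERVER_PORT="22"           # ssh port on the server
SERVER_UNAME="root"        # ssh user on the server
# ssh password for SERVER_UNAME.  It is handed to the expect helpers on argv
# (readable via `ps`), so do not keep it in this file: supply it from the
# environment, e.g.  SERVER_PASSWD='...' sh ldapTls.sh
SERVER_PASSWD="${SERVER_PASSWD:-}"
if [ -z "$SERVER_PASSWD" ]; then
  printf 'warning: SERVER_PASSWD is empty; export it before running this script\n' >&2
fi
RUN_PATH="/root/workspace"                         # helper scripts and tarballs
EXPECTTAR_PATH="/root/workspace/expect5.45.tar.gz"
EXPECT_PATH="/root/workspace/expect5.45"
TCLTAR_PATH="/root/workspace/tcl8.4.11-src.tar.gz"
TCL_PATH="/root/workspace/tcl8.4.11"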
########################################################
#(1)这部分实现 判断client 与 服务器 是否都安装了 openssl 软件包
#(2)注意:默认已经安装 在此只是做判断;如没有安装 并没有安装包
########################################################
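deterPack_openssl() {
  # Report whether the openssl package is installed (rpm query only; the
  # script never installs it).  Prints the package name and returns 0 when
  # present; prints a hint to stderr and returns 1 when absent or when rpm
  # itself is unusable, so the caller can decide to stop.
  local pkg_list
  if pkg_list=$(rpm -q openssl 2>/dev/null) && [ -n "$pkg_list" ]; then
    printf 'The packet_list:%s\n' "$pkg_list"
    printf '\033[32m-----------------------------------------------\033[0m\n'
    return 0
  fi
  printf 'You need to install packages openssl!\n' >&2
  return 1
}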
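# Stop up front if there is no openssl at all: genrsa/req/ca below all need
# it.  Fall back to looking for the binary so non-rpm hosts are not rejected.
deterPack_openssl || command -v openssl >/dev/null 2>&1 || exit 1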
########################################################
#(1)这部分实现expect的安装
#(2)expect 需要 依赖tcl的库
#(3)expect的位置 /usr/expect/bin/expect(各 .exp 脚本的解释器路径); tcl位置 /usr/tcl/bin/tclsh8.4
#(4)注意:脚本每执行一次 就会安装一次
########################################################
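testInstal_pack() {
  # Build and install one of the two expect prerequisites from the tarballs
  # in RUN_PATH.  $1 is "tcl" or "expect"; any other value only prints the
  # banner.  tcl goes to /usr/tcl, expect to /usr/expect (the *.exp scripts
  # use /usr/expect/bin/expect as their interpreter).  Returns non-zero as
  # soon as a step fails so callers do not continue with a half-built
  # toolchain.
  #
  # NOTE(review): the tarballs are unpacked and built as root with no
  # checksum or signature verification — confirm their origin before use.
  local pkg="$1"
  printf '\033[32m-----------------------------------------------\033[0m\n'
  printf 'This is going to install package %s!\n' "$pkg"
  case "$pkg" in
    tcl)
      echo "tcl tcl"
      tar -xzf "$TCLTAR_PATH" -C "$RUN_PATH" || return 1
      cd "$TCL_PATH/unix" || return 1
      ./configure --prefix=/usr/tcl --enable-shared || return 1
      make && make install || return 1
      # expect's configure looks for this header next to the generic sources
      cp "$TCL_PATH/unix/tclUnixPort.h" "$TCL_PATH/generic/" || return 1
      ;;
    expect)
      echo "aa"
      tar -xzf "$EXPECTTAR_PATH" -C "$RUN_PATH" || return 1
      cd "$EXPECT_PATH" || return 1
      ./configure --prefix=/usr/expect --with-tcl=/usr/tcl/lib --with-tclinclude="$TCL_PATH/generic" || return 1
      make && make install || return 1
      # Expose the binary at the path the .exp shebangs use; the link is
      # left as in the original build recipe and fails harmlessly if the
      # target already exists.
      ln -s /usr/tcl/bin/expect /usr/expect/bin/expect
      ;;
  esac
}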
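#testInstal_pack openssl
# Build the expect toolchain only when it is missing; the note in the header
# above records that both builds otherwise rerun on every invocation.
[ -x /usr/tcl/bin/tclsh8.4 ] || testInstal_pack tcl
[ -x /usr/expect/bin/expect ] || testInstal_pack expect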
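########################################################
# (1) Make the helper scripts in RUN_PATH executable.
# Only the *.exp / *.sh helpers need the bit; the tarballs and any key
# material that lands in RUN_PATH (sshLdsr02key.exp copies ldapsrv02.key
# here) should not become executable.
########################################################
for helper in "$RUN_PATH"/*.exp "$RUN_PATH"/*.sh; do
  [ -e "$helper" ] || continue   # an unmatched glob stays literal
  chmod +x -- "$helper"
done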
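########################################################
# (1) Set up the CA: generate the CA private key and a self-signed CA cert.
# (2) `openssl req -x509` is interactive; cakey.exp answers its prompts so
#     the script can run unattended.
########################################################
# CA private key, 0600 via umask.  The size is spelled out because older
# openssl releases default to fewer bits.  Nothing later makes sense without
# this key, so stop if it cannot be created.
mkdir -p "$CLICA_PATH/private"
(umask 077; openssl genrsa -out "$CLICA_PATH/private/CA.key" 2048) || exit 1
# Self-signed CA certificate (365 days, see cakey.exp).
# NOTE(review): a fresh CA key/cert is produced on every run; certificates
# issued by an earlier run no longer validate against the new CA.crt.
"$RUN_PATH/cakey.exp" "$CLICA_PATH/private/CA.key" "$CLICA_PATH/CA.crt" || exit 1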
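########################################################
# (1) Server key + CSR, then have the CA sign it.
# (2) sshLdsr02key.exp logs in with expect, generates the server key and
#     copies it back here; serkey.exp builds the CSR locally;
#     cliLdsr02crt.exp answers the two "y" prompts of `openssl ca`.
# (3) Call form: ./sshLdsr02key.exp ipaddress port username passwd
########################################################
# NOTE(review): the server's *private* key is pulled over scp to this host
# only so the CSR can be built here.  Generating the CSR on the server and
# moving just the CSR would keep the key where it is used.  The ssh password
# also travels on argv, where `ps` can read it.
"$RUN_PATH/sshLdsr02key.exp" "$SERVER_IP" "$SERVER_PORT" "$SERVER_UNAME" "$SERVER_PASSWD"
[ -s "$RUN_PATH/ldapsrv02.key" ] || { printf 'ldapsrv02.key was not fetched from %s\n' "$SERVER_IP" >&2; exit 1; }
# CSR for ldapsrv02 (DN values match those cakey.exp used)
"$RUN_PATH/serkey.exp" "$RUN_PATH/ldapsrv02.key" "$RUN_PATH/ldapsrv02.csr" || exit 1
# Align /etc/pki/tls/openssl.cnf with the values used for the CA cert.
# Sourced in a subshell: the helper cd's around and must not change our cwd.
# It must not be wrapped in command substitution — that would execute the
# helper's *output* as a command instead of the helper itself.
echo "-------------------开始配置CA签发信息--------------------------"
( . "$RUN_PATH/chenOpslConf.sh" ) || exit 1
echo "-------------------结束配置CA签发信息--------------------------"
# Issue the server certificate
"$RUN_PATH/cliLdsr02crt.exp" "$RUN_PATH/ldapsrv02.csr" "$RUN_PATH/ldapsrv02.crt" || exit 1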
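########################################################
# (1) Ship the signed certificate and CA.crt to the LDAP server and wire
#     them into slapd.conf.
# (2) Call form: ./uploadFile.exp locaFilepath username ipaddress servFilepath passwd
# (3) sshCheSlaconf.exp needs a working slapd on the server (it runs
#     slaptest and restarts the daemon); the author notes it was absent in
#     their test run.
########################################################
# Push nothing if signing failed: slapd would be pointed at missing files.
[ -s "$RUN_PATH/ldapsrv02.crt" ] || { printf 'ldapsrv02.crt is missing - did openssl ca fail?\n' >&2; exit 1; }
# server certificate -> scratch dir on the server
"$RUN_PATH/uploadFile.exp" "$RUN_PATH/ldapsrv02.crt" "$SERVER_UNAME" "$SERVER_IP" "$SERVER_PATH" "$SERVER_PASSWD"
# CA certificate -> the server's TLS cert directory
"$RUN_PATH/uploadFile.exp" "$CLICA_PATH/CA.crt" "$SERVER_UNAME" "$SERVER_IP" "$SERVERCERT_PATH" "$SERVER_PASSWD"
# rewrite ldap.conf / slapd.conf on the server and restart slapd
"$RUN_PATH/sshCheSlaconf.exp" "$SERVER_IP" "$SERVER_PORT" "$SERVER_UNAME" "$SERVER_PASSWD"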
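########################################################
# (1) Client side: install CA.crt and point the local ldap.conf at it.
# (2) NOTE(review): `TLS_REQCERT allow` means this client does NOT verify
#     the server certificate — any or no certificate is accepted — so the CA
#     built above gives no protection against a spoofed server.  Switch to
#     `demand` (the default) once the URI host matches the certificate CN
#     (serkey.exp puts 192.168.1.88 in the CN; the URI below is 127.0.0.1)
#     and the CA certificate is reachable through TLS_CACERT or a rehashed
#     TLS_CACERTDIR.
########################################################
mkdir -p "$SERVERCERT_PATH"
cp "$CLICA_PATH/CA.crt" "$SERVERCERT_PATH"
# The CA *private* key is not needed by a client; it stays in
# $CLICA_PATH/private and is deliberately not copied into the certs dir.
cp "$SERVEROLDLDAP_PATH/ldap.conf" "$SERVERLDAP_PATH"
ldap_conf="$SERVERLDAP_PATH/ldap.conf"
sed -i '$a TLS_REQCERT allow' "$ldap_conf"
sed -i '/^TLS_CACERTDIR/{s/etc.*$/usr\/local\/etc\/openldap\/certs/g}' "$ldap_conf"
# Name the CA file explicitly as well, so verification works without c_rehash.
printf 'TLS_CACERT %sCA.crt\n' "$SERVERCERT_PATH" >> "$ldap_conf"
sed -i 's/^SASL_NOCANON/#&/' "$ldap_conf"
# Append BASE / URI only when the template does not already set them.
grep -q '^BASE' "$ldap_conf" || sed -i '$a BASE dc=mirage,dc=com' "$ldap_conf"
grep -q '^URI' "$ldap_conf" || sed -i '$a URI ldaps://127.0.0.1/' "$ldap_conf"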
|
cakey.exp |
建立CA中心 CA服务器用自己的私钥生成自签名CA证书(CA.crt) |
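#!/usr/expect/bin/expect -f
# Create the self-signed CA certificate from an existing CA private key,
# answering the interactive `openssl req -x509` prompts.
#   usage: cakey.exp <ca-private-key> <ca-cert-out>
# The DN values sent below must match the defaults chenOpslConf.sh writes
# into openssl.cnf (C=CN, ST=ShangHai, L=ShangHai, O=IT, OU=IT).
# The Common Name is the CA's own label (the client IP was used here; any
# label works) and the e-mail can be set as required.
# Exits with openssl's status so the caller can detect a failed run.
if {$argc != 2} {
    send_user "usage ./cakey.exp \$prikeyname \$pubkeyname\n"
    exit 1
}
set prikeyname [lindex $argv 0]
set pubkeyname [lindex $argv 1]
set timeout 30

# CA certificate valid for one year; re-running ldapTls.sh replaces it.
spawn openssl req -new -x509 -key $prikeyname -out $pubkeyname -days 365
expect {
    "Country Name"             { send "CN\r";               exp_continue }
    "State or Province"        { send "ShangHai\r";         exp_continue }
    "Locality Name"            { send "ShangHai\r";         exp_continue }
    "Organization Name"        { send "IT\r";               exp_continue }
    "Organizational Unit Name" { send "IT\r";               exp_continue }
    "Common Name"              { send "192.168.1.77\r";     exp_continue }
    "Email Address"            { send "1457375505@qq.com\r"; exp_continue }
    timeout { send_user "openssl req timed out\n"; exit 1 }
    eof {}
}
# wait returns {pid spawn_id os_error status}; propagate openssl's status
exit [lindex [wait] 3]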
|
sshLdsr02key.exp |
openldap server生成私钥,并把其传到本地 |
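#!/usr/expect/bin/expect -f
# Generate the LDAP server's private key on the server over ssh and copy it
# back to this host (serkey.exp builds the CSR from it here).
#   usage: sshLdsr02key.exp <ipaddress> <port> <username> <passwd>
#
# NOTE(review): the password comes in on argv (visible in `ps`) and unknown
# host keys are accepted blindly ("yes/no" -> yes), so a first connection to
# a spoofed host would go unnoticed — pre-seed known_hosts outside a lab.
# Moving a private key over the wire is also avoidable: build the CSR on
# the server and transfer only the CSR.
if {$argc != 4} {
    send_user "usage ./sshLdsr02key.exp \$ipaddress \$port \$username \$passwd\n"
    exit 1
}
set ipaddress [lindex $argv 0]
set port      [lindex $argv 1]
set username  [lindex $argv 2]
set passwd    [lindex $argv 3]
set srv02pat  /root/openldap_server/ldapsrv02.key   ;# key path on the server
set cli02pat  /root/workspace/                      ;# where it lands locally
set timeout 30

spawn ssh $ipaddress -p$port -l$username
expect {
    "yes/no"    { send "yes\r"; exp_continue }
    "password:" { send "$passwd\r" }
}
expect -re "\](\$|#) "
# 2048-bit key created 0600 (umask) in the scratch dir; also prepare the
# certs dir that sshCheSlaconf.exp fills later.
send "mkdir -p openldap_server && cd openldap_server;(umask 077;openssl genrsa -out ldapsrv02.key 2048);mkdir -p /usr/local/etc/openldap/certs\r"
expect -re "\](\$|#) "
send "exit\r"
expect eof

# scp needs the same user and port as the ssh session; without them it only
# works when the local user name matches and the server listens on 22.
spawn scp -P $port $username@$ipaddress:$srv02pat $cli02pat
expect {
    "yes/no"    { send "yes\r"; exp_continue }
    "password:" { send "$passwd\r" }
}
expect eof
exit [lindex [wait] 3]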
|
serkey.exp |
本地生成证书请求文件 同时完成了ldapsrv02向CA请求证书 |
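#!/usr/expect/bin/expect -f
# Build the CSR for the LDAP server from its private key, answering the
# `openssl req` prompts.  The DN must match the defaults chenOpslConf.sh
# writes into openssl.cnf, otherwise `openssl ca` (policy_match) rejects it.
#   usage: serkey.exp <server-private-key> <csr-out>
#
# NOTE(review): the Common Name must be the host name/IP clients use in
# their LDAP URI.  ldapTls.sh has SERVER_IP=192.168.1.188 while the CN sent
# here is 192.168.1.88 — confirm which is right before relying on
# TLS_REQCERT demand.  Newer clients also expect a subjectAltName, which
# this prompt-driven request does not add.
if {$argc != 2} {
    send_user "usage ./serkey.exp \$prikeyname \$csrname\n"
    exit 1
}
set prikeyname [lindex $argv 0]
set pubkeyname [lindex $argv 1]
set timeout 30

spawn openssl req -new -key $prikeyname -out $pubkeyname
# The challenge password is not used by `openssl ca`; it is left empty so
# the ssh password does not end up embedded in the CSR.
expect {
    "Country Name"             { send "CN\r";               exp_continue }
    "State or Province"        { send "ShangHai\r";         exp_continue }
    "Locality Name"            { send "ShangHai\r";         exp_continue }
    "Organization Name"        { send "IT\r";               exp_continue }
    "Organizational Unit Name" { send "IT\r";               exp_continue }
    "Common Name"              { send "192.168.1.88\r";     exp_continue }
    "Email Address"            { send "1457375505@qq.com\r"; exp_continue }
    "A challenge password"     { send "\r";                 exp_continue }
    "An optional company name" { send "heihei\r";           exp_continue }
    timeout { send_user "openssl req timed out\n"; exit 1 }
    eof {}
}
exit [lindex [wait] 3]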
|
chenOpslConf.sh |
配置CA签发信息 |
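#!/bin/bash
# Prepare the CA database and the openssl.cnf defaults used by `openssl ca`.
# Sourced from ldapTls.sh (in a subshell), so it relies on CLICA_PATH,
# CLICATLS_PATH and CLICATLS_NAME being set by the caller.
#
# NOTE(review): index.txt and serial are reset on every run, so serial
# numbers restart at 01 each time — certificates from different runs can
# share a serial and earlier issuance records are lost.  Acceptable for a
# throw-away lab CA only.
: "${CLICA_PATH:?chenOpslConf.sh must be sourced from ldapTls.sh}"
: "${CLICATLS_PATH:?}"
: "${CLICATLS_NAME:?}"

# Fresh CA database
cd "$CLICA_PATH" || exit 1
if [ -f index.txt ]; then
  echo "YES *******************"
  rm -f index.txt
else
  echo "NO ********************"
fi
touch index.txt
echo "01" > serial

cd "$CLICATLS_PATH" || exit 1
# for test: start from the pristine copy when one exists (first run has none)
[ -f openssl.cnf.bak ] && cp openssl.cnf.bak openssl.cnf
# Keep one pristine backup plus a dated copy for today's run
if [ ! -f "$CLICATLS_PATH/openssl.cnf.bak" ]; then
  cp openssl.cnf openssl.cnf.bak
else
  today=$(date +%F)
  rm -f "openssl.cnf.bak$today"
  cp openssl.cnf "openssl.cnf.bak$today"
fi

# Point the CA at our key/cert names and pre-fill the DN defaults so they
# match what cakey.exp / serkey.exp type in.
sed -i '/^certificate/{s/cacert.pem/CA.crt/g}' "$CLICATLS_NAME"
sed -i '/^private_key/{s/cakey.pem/CA.key /g}' "$CLICATLS_NAME"
sed -i '/^countryName_default/{s/XX/CN/g}' "$CLICATLS_NAME"
sed -i '/^localityName_default/{s/Default City/ShangHai/g}' "$CLICATLS_NAME"
sed -i '/^0.organizationName_default/{s/Default Company Ltd/IT/g}' "$CLICATLS_NAME"

# Replace the stock commented-out "#<key>" line with "<key> = <value>", or
# append the line when the file has no such comment.  Only the first match
# is used (several matches would break a plain `[ $line ]` test).  The
# append address is '$a' — a backslash in front of the '$' makes sed reject it.
set_commented_default() {
  local key="$1" value="$2" lineno
  lineno=$(sed -n "/#${key}/=" "$CLICATLS_NAME" | head -n 1)
  if [ -n "$lineno" ]; then
    sed -i "${lineno}d" "$CLICATLS_NAME"
    sed -i "${lineno}i${key} = ${value}" "$CLICATLS_NAME"
  else
    sed -i "\$a ${key} = ${value}" "$CLICATLS_NAME"
  fi
}
set_commented_default stateOrProvinceName_default ShangHai
set_commented_default organizationalUnitName_default IT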
|
cliLdsr02crt.exp |
CA服务颁发证书 |
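#!/usr/expect/bin/expect -f
# Sign a CSR with the local CA (`openssl ca`, using the openssl.cnf prepared
# by chenOpslConf.sh) and answer its two confirmation prompts.
#   usage: cliLdsr02crt.exp <csr-in> <cert-out>
# Validity comes from default_days in openssl.cnf; exits with openssl's
# status so a refused or failed signing is visible to the caller.
if {$argc != 2} {
    send_user "usage ./cliLdsr02crt.exp \$requeFilename \$certiFilename\n"
    exit 1
}
set requeFilename [lindex $argv 0]
set certiFilename [lindex $argv 1]
set timeout 30

spawn openssl ca -in $requeFilename -out $certiFilename
expect {
    "Certificate is" { send "y\r"; exp_continue }
    "1 out of"       { send "y\r"; exp_continue }
    timeout { send_user "openssl ca timed out\n"; exit 1 }
    eof {}
}
exit [lindex [wait] 3]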
|
uploadFile.exp |
openldap server下载证书 |
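#!/usr/expect/bin/expect -f
# Copy one local file to the LDAP server with scp.
#   usage: uploadFile.exp <locaFilepath> <username> <ipaddress> <servFilepath> <passwd> [port]
# port is optional and defaults to 22 (existing five-argument callers keep
# working).  The password argument is the one actually sent at the prompt.
# NOTE(review): host keys are accepted blindly ("yes/no" -> yes) and the
# password arrives on argv; see the remarks in sshLdsr02key.exp.
if {$argc < 5 || $argc > 6} {
    send_user "usage ./uploadFile.exp \$locaFilepath \$username \$ipaddress \$servFilepath \$passwd \[\$port\]\n"
    exit 1
}
set locaFilepath [lindex $argv 0]
set username     [lindex $argv 1]
set ipaddress    [lindex $argv 2]
set servFilepath [lindex $argv 3]
set passwd       [lindex $argv 4]
set port 22
if {$argc == 6} { set port [lindex $argv 5] }
set timeout 30

#eg : scp ldapsrv02.csr root@192.168.1.126:/root/openldap_server
spawn scp -P $port $locaFilepath $username@$ipaddress:$servFilepath
expect {
    "yes/no"    { send "yes\r"; exp_continue }
    "password:" { send "$passwd\r" }
}
expect eof
exit [lindex [wait] 3]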
|
sshCheSlaconf.exp |
ldapsrv02安装证书 |
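#!/usr/expect/bin/expect -f
# Install the signed certificate on the LDAP server and enable ldaps: copy
# cert+key into the certs dir, rewrite ldap.conf, add the TLS* directives to
# slapd.conf, regenerate slapd.d and restart slapd.
#   usage: sshCheSlaconf.exp <ipaddress> <port> <username> <passwd>
# Preconditions on the server (not checked here): ldapsrv02.crt/.key in
# SERVER_PATH, CA.crt in SERVERCERT_PATH, and slapd.conf.bak — the pristine
# copy of ldap.conf/slapd.conf must be saved when OpenLDAP is installed.
#
# NOTE(review): password on argv and blind host-key acceptance, as in
# sshLdsr02key.exp.  slapd is started as root below (no -u/-g): the ldap
# user is created and owns the files but is not what the daemon runs as.
set SERVERCERT_PATH /usr/local/etc/openldap/certs
set SERVERLDAP_PATH /usr/local/etc/openldap
set SERVER_PATH /root/openldap_server
set SERVEROLDLDAP_PATH /etc/openldap
if {$argc != 4} {
    send_user "usage ./sshCheSlaconf.exp \$ipaddress \$port \$username \$passwd\n"
    exit 1
}
set ipaddress [lindex $argv 0]
set port      [lindex $argv 1]
set username  [lindex $argv 2]
set passwd    [lindex $argv 3]
set timeout 30
set prompt "\](\$|#) "

# Send one command line to the remote shell and wait for the next prompt.
proc remote {cmd} {
    global spawn_id prompt
    send "$cmd\r"
    expect -re $prompt
}

spawn ssh $ipaddress -p$port -l$username
expect {
    "yes/no"    { send "yes\r"; exp_continue }
    "password:" { send "$passwd\r" }
}
expect -re $prompt

# service account (idempotent)
remote "id ldap >/dev/null 2>&1 || useradd ldap"
# Copy cert and key first, then fix owner and mode: a chown -R done before
# the copy leaves the new files owned by root, and the key may have been
# created with the default umask, i.e. world-readable.
remote "\\cp $SERVER_PATH/ldapsrv02.crt $SERVERCERT_PATH;\\cp $SERVER_PATH/ldapsrv02.key $SERVERCERT_PATH"
remote "chown -R ldap:ldap $SERVERCERT_PATH;chmod 600 $SERVERCERT_PATH/ldapsrv02.key"

# client-side ldap.conf on the server: stock copy pointed at our certs dir
remote "\\cp $SERVEROLDLDAP_PATH/ldap.conf $SERVERLDAP_PATH/"
remote "sed -i '/^TLS_CACERTDIR/{s/etc.*$/usr\\/local\\/etc\\/openldap\\/certs/g}' $SERVERLDAP_PATH/ldap.conf"
remote "grep -q ^BASE $SERVERLDAP_PATH/ldap.conf || sed -i '\$a BASE dc=mirage,dc=com' $SERVERLDAP_PATH/ldap.conf"
# URI derived from the address we connected to rather than a second hard-coded IP
remote "grep -q ^URI $SERVERLDAP_PATH/ldap.conf || sed -i '\$a URI ldap://$ipaddress/' $SERVERLDAP_PATH/ldap.conf"
remote "sed -i 's/^SASL_NOCANON/#&/' $SERVERLDAP_PATH/ldap.conf"

# slapd.conf: start from the pristine backup and append the TLS directives
remote "\\cp $SERVERLDAP_PATH/slapd.conf.bak $SERVERLDAP_PATH/slapd.conf"
remote "grep -q ^TLSCACertificatePath $SERVERLDAP_PATH/slapd.conf || sed -i '\$a TLSCACertificatePath $SERVERCERT_PATH' $SERVERLDAP_PATH/slapd.conf"
remote "grep -q ^TLSCertificateFile $SERVERLDAP_PATH/slapd.conf || sed -i '\$a TLSCertificateFile $SERVERCERT_PATH/ldapsrv02.crt' $SERVERLDAP_PATH/slapd.conf"
remote "grep -q ^TLSCertificateKeyFile $SERVERLDAP_PATH/slapd.conf || sed -i '\$a TLSCertificateKeyFile $SERVERCERT_PATH/ldapsrv02.key' $SERVERLDAP_PATH/slapd.conf"

# rebuild cn=config from slapd.conf and restart with ldap + ldaps listeners
remote "rm -rf $SERVERLDAP_PATH/slapd.d/* ; slaptest -f $SERVERLDAP_PATH/slapd.conf -F $SERVERLDAP_PATH/slapd.d/"
remote "chown -R ldap:ldap $SERVERLDAP_PATH/slapd.d"
remote "killall slapd;/usr/local/libexec/slapd -h \"ldap://$ipaddress/ ldaps://$ipaddress/\";netstat -tunlp | grep slapd"
# Open only the LDAP ports instead of flushing the whole firewall ruleset
# (assumes the intent is to reach slapd from the client; if nothing was
# blocking it both forms are no-ops).  Not persisted across reboots.
remote "iptables -I INPUT -p tcp --dport 389 -j ACCEPT;iptables -I INPUT -p tcp --dport 636 -j ACCEPT"
send "exit\r"
expect eof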
|