1. LDAP server 192.168.98.129
client 192.168.98.128
For joining the client to the LDAP domain and logging in with an LDAP account, see "LDAP client joining the domain and SSL-encrypted queries".
2. Configure the CA (certificate authority)
On 129 (the LDAP server):
First remove the default CA directory, then regenerate it.
[root@localhost misc]# cd /etc/pki/
[root@localhost pki]# ls
CA nssdb rpm-gpg server.crt server.csr server.key tls
[root@localhost pki]# rm -rf CA
Regenerate:
[root@localhost ssl]# cd /etc/pki/tls/misc/
[root@localhost misc]# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.........++++++
................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:pincer
Email Address []:root@pincer.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:abc
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 15 07:11:29 2015 GMT
Not After : Feb 14 07:11:29 2018 GMT
Subject:
countryName = GB
stateOrProvinceName = Berkshire
organizationName = My Company Ltd
commonName = pincer
emailAddress = root@pincer.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B
X509v3 Authority Key Identifier:
keyid:BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B
Certificate is to be certified until Feb 14 07:11:29 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#
The CA certificate has now been generated: it is the file cacert.pem under /etc/pki/CA, and it is the certificate that goes into the LDAP certificate directory.
Next we generate the request file and the certificate for each machine. In production this has to be done once per LDAP server and the result copied to that server (mainly because of the commonName = pincer below).
[root@localhost misc]# openssl req -newkey rsa:1024 -nodes -keyout slapd-key.pem -out slapd-req.pem
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'slapd-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:pincer
Email Address []:root@pincer.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:abc
[root@localhost misc]#
[root@localhost misc]#
[root@localhost misc]# ls
CA CA.pl c_hash c_info c_issuer c_name slapd-key.pem slapd-req.pem
[root@localhost misc]# openssl ca -out slapd-cert.pem -infiles slapd-req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 15 07:13:21 2015 GMT
Not After : Feb 15 07:13:21 2016 GMT
Subject:
countryName = GB
stateOrProvinceName = Berkshire
organizationName = My Company Ltd
commonName = pincer ### note: the host name is entered here, so when connecting, ldapsearch -h must also use the host name; for production use, enter the LDAP server's IP address instead
emailAddress = root@pincer.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DC:50:25:5D:64:DB:DC:50:5C:F5:30:03:76:6A:9F:38:EE:A3:38:C5
X509v3 Authority Key Identifier:
keyid:BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B
Certificate is to be certified until Feb 15 07:13:21 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#
In three steps both the CA certificate and the LDAP server certificate are done.
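As an added example (not the post's own commands), here is the CA and server-certificate procedure of step 2 done without prompts, followed by the checks worth running before the files go into /etc/openldap/ssl/: that the CA certificate really carries CA:TRUE (the one printed above shows CA:FALSE, which is worth checking on the CA you deploy), and that the server certificate chains to the CA and is valid for the name or IP that clients will put in the ldaps:// URI, which is exactly what a client with TLS_REQCERT hard checks. It goes beyond the post by putting both the host name pincer and the IP 192.168.98.129 into a subjectAltName, so either form of the URI works, and it writes to a scratch directory instead of /etc/pki. The CA name pincer-ca and the 2048-bit key size are this example's own choices.

```shell
#!/bin/sh
# Added example, not the post's own commands: the CA and slapd certificate
# steps without prompts, plus the checks to run before copying the files to
# /etc/openldap/ssl/. Works in a scratch directory, never in /etc/pki.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_CN="pincer-ca"              # hypothetical CA name (the post's CA has CN pincer)
SERVER_CN="pincer"             # the host clients write after ldaps://
SERVER_IP="192.168.98.129"     # LDAP server IP from the post, added as a SAN

# Minimal openssl config: a real CA profile (CA:TRUE) and a server profile
# with subjectAltName for both the host name and the IP.
write_cnf() {
    cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$SERVER_CN, IP:$SERVER_IP
EOF
}

# Step 2's "./CA -newca" equivalent: self-signed CA, 3 years, no pass phrase.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1095 \
        -subj "/C=GB/O=My Company Ltd/CN=$CA_CN" \
        -config "$WORK/ext.cnf" -extensions v3_ca \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# The post's "openssl req -newkey ..." and "openssl ca ..." pair: key,
# request, then a 1-year certificate signed by the CA with the server profile.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=GB/O=My Company Ltd/CN=$SERVER_CN" -config "$WORK/ext.cnf" \
        -keyout "$WORK/slapd-key.pem" -out "$WORK/slapd-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/slapd-req.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions server_cert \
        -out "$WORK/slapd-cert.pem" 2>/dev/null
    chmod 600 "$WORK/slapd-key.pem"     # the permission step 3 applies
}

# Check 1: the trust anchor is marked as a CA.
ca_is_ca() {
    openssl x509 -in "$WORK/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: chain and name together, the test a client with TLS_REQCERT hard
# performs; $1 is the host or IP that will appear in the client's ldaps:// URI.
server_ok_for_host() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/slapd-cert.pem" >/dev/null 2>&1
}
server_ok_for_ip() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_ip "$1" \
        "$WORK/slapd-cert.pem" >/dev/null 2>&1
}

write_cnf
make_ca
make_server_cert
ca_is_ca && echo "cacert.pem: CA:TRUE"
server_ok_for_host "$SERVER_CN" && echo "slapd-cert.pem: valid for ldaps://$SERVER_CN/"
server_ok_for_ip "$SERVER_IP" && echo "slapd-cert.pem: valid for ldaps://$SERVER_IP/"
server_ok_for_host other.example || echo "slapd-cert.pem: rejected for ldaps://other.example/ (name mismatch)"
echo "files left in $WORK"
```

Running it prints one line per check; the last line shows the rejection a client sees when the host in the URI and the name in the certificate disagree, which is the problem the note on commonName above describes. Copy cacert.pem, slapd-cert.pem and slapd-key.pem from the scratch directory to /etc/openldap/ssl/ exactly as step 3 does.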
3. Copy the certificates into the LDAP directory
Edit the LDAP configuration file:
[root@localhost pki]# vim /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapd-key.pem
Copy the certificates into /etc/openldap/ssl/ and set the permissions of slapd-key.pem to 600:
[root@localhost pki]# cp CA/cacert.pem tls/misc/slapd-* /etc/openldap/ssl/
[root@localhost pki]# chmod 600 /etc/openldap/ssl/slapd-key.pem
After restarting slapd it also listens on port 636; that is the encrypted (LDAPS) service.
4. Configure the client
Note: for any other client, copy the whole /etc/openldap/ssl directory to the LDAP client and then edit /etc/openldap/ldap.conf.
[root@localhost pki]# vim /etc/openldap/ldap.conf
URI ldaps://pincer/ ### (1) the host here must match the Common Name entered when the certificate was generated; we entered pincer, so pincer goes here too
BASE dc=my-domain,dc=com
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERTDIR /etc/openldap/ssl
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT hard
The lines above are required.
Configure /etc/ldap.conf:
### (2) the order of the two lines below must be exactly this
ssl start_tls
ssl on
If (1) or (2) above is wrong, ldapsearch is unaffected, but getent and system login authentication fail (they hang).
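The two client files in step 4 can be checked mechanically. The script below is an added example, not from the original post: it parses an OpenLDAP-style config (the last occurrence of a directive wins, as it does for the two ssl lines) and reports when the settings the post calls required are missing or weakened: a URI that is not ldaps://, no TLS_CACERT, TLS_REQCERT set to never, allow or try, or /etc/ldap.conf not ending up with ssl on. The sample files are constructed in a temp directory so it runs offline; on a client, pass /etc/openldap/ldap.conf and /etc/ldap.conf instead.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the client files edited
# in step 4. Sample contents are constructed below so this runs offline; on a
# real client pass /etc/openldap/ldap.conf and /etc/ldap.conf instead.
set -eu

# Last value of a directive in an OpenLDAP-style config file: keys are
# case-insensitive, lines starting with "#" are comments, last occurrence wins.
conf_last() {  # $1 = file, $2 = directive name
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '!/^[[:space:]]*#/ && tolower($1) == k { v = $2 } END { print v }' "$1"
}

# Host part of the URI: the name the server certificate's CN or SAN must carry.
uri_host() {  # $1 = file
    conf_last "$1" URI | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# 0 if /etc/openldap/ldap.conf makes libldap use LDAPS and verify the server
# certificate against a CA file; otherwise prints each problem and returns 1.
check_libldap_conf() {  # $1 = file
    uri=$(conf_last "$1" URI)
    cacert=$(conf_last "$1" TLS_CACERT)
    reqcert=$(conf_last "$1" TLS_REQCERT)
    reqcert=${reqcert:-demand}          # libldap's default when unset
    rc=0
    case "$uri" in
        ldaps://*) ;;
        *) echo "$1: URI '$uri' is not ldaps://"; rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "$1: TLS_CACERT is not set (TLS_CACERTDIR alone needs c_rehash links)"
        rc=1
    fi
    case "$reqcert" in
        hard|demand) ;;
        *) echo "$1: TLS_REQCERT '$reqcert' does not enforce certificate verification"; rc=1 ;;
    esac
    return $rc
}

# 0 if /etc/ldap.conf (nss_ldap/pam_ldap) ends up with "ssl on", i.e. LDAPS
# on 636 rather than StartTLS; with two ssl lines the last one wins, which is
# why the post insists on the order.
check_nss_ldap_conf() {  # $1 = file
    [ "$(conf_last "$1" ssl)" = "on" ]
}

# Constructed samples: the post's working config, a weakened one, and the
# nss_ldap file with the two ssl lines in the post's order.
DIR=$(mktemp -d)
cat > "$DIR/ldap.conf.good" <<'EOF'
URI ldaps://pincer/
BASE dc=my-domain,dc=com
TLS_CACERTDIR /etc/openldap/ssl
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT hard
EOF
cat > "$DIR/ldap.conf.weak" <<'EOF'
# plaintext LDAP, no CA file, and verification switched off
URI ldap://192.168.98.129/
BASE dc=my-domain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
EOF
cat > "$DIR/nss-ldap.conf" <<'EOF'
ssl start_tls
ssl on
EOF

for f in "$DIR/ldap.conf.good" "$DIR/ldap.conf.weak"; do
    if check_libldap_conf "$f"; then
        echo "$f: OK, clients will verify the certificate for host $(uri_host "$f")"
    fi
done
check_nss_ldap_conf "$DIR/nss-ldap.conf" && echo "nss-ldap.conf: ssl on (LDAPS on 636)"
```

TLS_REQCERT hard and demand are the same level and also libldap's default when the directive is absent, so only an explicitly weaker value is reported. TLS_CACERTDIR alone is flagged because an OpenSSL-based libldap only uses that directory when it holds hash-named links (c_rehash); the TLS_CACERT line is what makes the post's configuration work.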
Test:
Below, ldaps://pincer is used rather than the IP because pincer was the Common Name entered when the certificate was generated above ([root@localhost misc]# openssl ca -out slapd-cert.pem -infiles slapd-req.pem); whatever is used to reach this LDAP server must correspond to that pincer. If you want to connect by IP, use the IP address when generating the certificate.
[root@localhost pki]# ldapsearch -x -b 'dc=my-domain,dc=com' -H ldaps://pincer -D 'cn=Manager,dc=my-domain,dc=com' -w 123456|less
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# my-domain.com
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: top
objectClass: dcObject
objectClass: organization
o: my-domain
# Manager, my-domain.com
dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager
# People, my-domain.com
dn: ou=People,dc=my-domain,dc=com
ou: People
description:: QWxsIHBlb3BsZSBpbiBvcmdhbml6YXRpb24g
objectClass: organizationalUnit
# Group, my-domain.com
dn: ou=Group,dc=my-domain,dc=com
ou: Group
description: All people in organization
objectClass: organizationalUnit
# root, People, my-domain.com
dn: uid=root,ou=People,dc=my-domain,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJC5weE5FaUo3JG9jeER0cGFuTlBIU1o1WVI5Z2FGNi4=
shadowLastChange: 16354
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
Create the home directory when an LDAP user logs in
Appending the following line on the LDAP client is enough:
echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/system-auth
------ Below is the production instance. Because several LDAP servers all need encryption, a separate certificate is generated for each one (mainly so that clients can connect by IP).
#!/usr/bin/expect
# Generate a key, request and CA-signed certificate for one LDAP server,
# with the server's IP as the Common Name so clients can use ldaps://<ip>/.
# Arguments: the server IP and the CA key's pass phrase (the pass phrase is
# visible in the process list while the script runs).
proc Usage_Exit {myself} {
    puts ""
    puts "### USAGE: $myself slave_ip pass_phrase"
    puts ""
    exit 1
}
if { [llength $argv] < 2 } {
    Usage_Exit $argv0
}
set IP [lindex $argv 0]
set PASSWORD [lindex $argv 1]
set timeout 8

# Stop if the spawned openssl exited with a non-zero status.
proc Check_Exit {what} {
    set status [lindex [wait] 3]
    if { $status != 0 } {
        puts "$what failed with exit status $status"
        exit 1
    }
}

# Key and request: every DN field keeps its default except the Common Name,
# which is set to the server IP. The Common Name prompt is matched with a
# wildcard because its wording differs between OpenSSL versions.
spawn openssl req -newkey rsa:1024 -nodes -keyout slapd-key.pem -out slapd-req.pem
expect {
    "Country Name (2 letter code) " { send "\r"; exp_continue }
    "State or Province Name (full name) " { send "\r"; exp_continue }
    "Locality Name (eg, city) " { send "\r"; exp_continue }
    "Organization Name (eg, company) " { send "\r"; exp_continue }
    "Organizational Unit Name (eg, section) " { send "\r"; exp_continue }
    "Common Name (eg, *) " { send "$IP\r"; exp_continue }
    "Email Address " { send "\r"; exp_continue }
    "A challenge password " { send "\r"; exp_continue }
    "An optional company name " { send "\r"; exp_continue }
    eof { }
    timeout { puts "$IP time out"; exit 1 }
}
Check_Exit "openssl req for $IP"

# Sign the request with the CA. The pass-phrase prompt is matched on the file
# name only, because the CA directory depends on openssl.cnf (./demoCA here,
# ../../CA in the session above).
spawn openssl ca -out slapd-cert.pem -infiles slapd-req.pem
expect {
    "Enter pass phrase for *cakey.pem" { send "$PASSWORD\r"; exp_continue }
    "y/n]" { send "y\r"; exp_continue }
    eof { }
    timeout { puts "$IP time out"; exit 1 }
}
Check_Exit "openssl ca for $IP"