
RH423-6: Enabling SSL/TLS authentication for LDAP (Red Hat Directory Server)

1. Generate the SSL certificate request file with the redhat-idm-console

[root@station2 ~]# redhat-idm-console

1) Choose Manage Certificates, then click Request to generate the certificate request file.

[Screenshot: http://blog.51cto.com/attachment/201104/121710799.png]

2) Choose Request Certificate manually and, under Requestor information, enter the information the CA requires.

[Screenshot: http://blog.51cto.com/attachment/201104/121810546.png]

# The fields marked in red are the ones the CA requires to match its own certificate (with the default policy_match of openssl ca, Country, State and Organization must be identical); the other fields describe the LDAP server itself. The Common Name must be the host name clients will connect to (station2.example.com), because clients check the certificate against that name.

3) In the dialog that pops up, enter the Token Password (the password protecting the certificate database; here redhat), click Next, and choose "save to file".

[Screenshot: http://blog.51cto.com/attachment/201104/121820791.png]

# The file written by "save to file" is the certificate request, dirsrv.csr (the file name is your choice).

4) Send the certificate request dirsrv.csr to the CA, which issues the certificate.

[root@station2 ~]# scp dirsrv.csr 192.168.32.31:/root/.

root@192.168.32.31's password:

dirsrv.csr                            100%  684     0.7KB/s   00:00

[root@server1 ~]# openssl ca -in dirsrv.csr -out dirsrv.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 7 (0x7)

        Validity

            Not Before: Apr 13 04:08:15 2011 GMT

            Not After : Apr 12 04:08:15 2012 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = kvm,Inc.

            organizationalUnitName    = example.com

            commonName                = station2.example.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                F4:7A:1D:90:90:F2:AD:AF:F1:97:44:1B:23:C7:39:D0:B3:82:F5:D9

            X509v3 Authority Key Identifier:

                keyid:82:06:F6:4D:45:71:D8:0C:EC:14:DD:44:2C:CB:78:24:5E:9D:D0:C5

Certificate is to be certified until Apr 12 04:08:15 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

# The CA has issued the certificate (dirsrv.crt).

[root@server1 ~]# scp dirsrv.crt 192.168.32.32:/root/.

root@192.168.32.32's password:

dirsrv.crt                              100% 3765     3.7KB/s   00:00   

[root@server1 ~]# scp /etc/pki/CA/my-ca.crt dirsrv.crt 192.168.32.32:/root/.      

my-ca.crt                              100% 1533     1.5KB/s   00:00   

#将證書和CA公鑰發送給ldap伺服器

2. On the LDAP server, import the server certificate and the CA certificate with the redhat-idm-console and enable SSL/TLS

1) Import the certificate: choose Install and, in the "in this local file" box, enter the path of the LDAP server's certificate (dirsrv.crt).

[Screenshot: http://blog.51cto.com/attachment/201104/121842429.png]

# Import the CA certificate (my-ca.crt) the same way; the server needs it to trust the chain that issued its own certificate.

2) Enable SSL/TLS

[Screenshot: http://blog.51cto.com/attachment/201104/121955567.png]

3) Create the file that holds the certificate-database password, then restart the LDAP server

[root@station2 ~]# vi /etc/dirsrv/slapd-station2/pin.txt

Internal (Software) Token:redhat

# redhat is the token password entered in step 3 of section 1. pin.txt stores it in cleartext so that dirsrv can open the certificate database without prompting at boot; it must therefore be owned by the user dirsrv runs as and readable only by that user (mode 400).

[root@station2 ~]# service dirsrv restart

Shutting down dirsrv:

station2...                                            [  OK  ]

Starting dirsrv:

  # If anything went wrong while generating or importing the certificates, the dirsrv service will not start; the reason is logged in /var/log/dirsrv/slapd-station2/errors.

[root@station2 ~]# netstat -tunpl|grep 636

tcp        0      0 :::636            :::*        LISTEN   10753/ns-slapd 

  # Port 636 listening shows that LDAPS is enabled. Turning security on also allows StartTLS on the plain port 389, which is what the -ZZ client test below uses.
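The console steps in sections 1 and 2 have a command-line equivalent, and two checks are worth running before the restart: that the CA really signed the certificate for the right host name, and that pin.txt is not world-readable. The script below is an added example and not part of the original post. It assumes (none of this is stated on the page) that the NSS database is in the instance directory /etc/dirsrv/slapd-station2, that the server certificate uses the console's default nickname "Server-Cert", and that the token password is kept in /root/pwdfile.txt so certutil does not prompt.

```shell
#!/bin/sh
# Added example, not from the original post: command-line equivalent of the
# console steps in sections 1 and 2, plus two checks to run before restarting
# dirsrv. Assumptions: NSS database in /etc/dirsrv/slapd-station2, server
# certificate nickname "Server-Cert", token password in /root/pwdfile.txt.
set -eu

INST_DIR=${INST_DIR:-/etc/dirsrv/slapd-station2}
NICK=${NICK:-Server-Cert}
PWFILE=${PWFILE:-/root/pwdfile.txt}

# Step 1 (console "Request"): generate the key pair and CSR inside the NSS
# database. The subject must satisfy the CA's policy: with openssl ca's default
# policy_match, C, ST and O have to equal the CA certificate's own values.
make_csr() {
    head -c 32 /dev/urandom > /root/noise.bin   # seed for key generation
    certutil -R -d "$INST_DIR" -f "$PWFILE" -z /root/noise.bin -g 2048 \
        -s "CN=station2.example.com,OU=example.com,O=kvm\\,Inc.,ST=Beijing,C=CN" \
        -a -o /root/dirsrv.csr
    rm -f /root/noise.bin
}

# Step 2 (console "Install"): import the CA certificate with trust flags "CT,,"
# (trusted to issue server certificates) and the signed server certificate with
# "u,u,u" (a user certificate whose private key lives in this database).
import_certs() {
    certutil -A -d "$INST_DIR" -f "$PWFILE" -n "CA certificate" -t "CT,," -a -i /root/my-ca.crt
    certutil -A -d "$INST_DIR" -f "$PWFILE" -n "$NICK" -t "u,u,u" -a -i /root/dirsrv.crt
    certutil -L -d "$INST_DIR"    # list nicknames and trust flags for a visual check
}

# Check A: the CA really signed the server certificate and its CN is the name
# clients will connect to. Returns 0 only when both hold. (On OpenSSL 1.1+ add
# -no-CAfile -no-CApath so the system trust store cannot mask a wrong CA.)
verify_chain() {  # verify_chain CA_CERT SERVER_CERT EXPECTED_CN
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -subject | grep -q "CN *= *$3" || return 1
}

# Check B: pin.txt holds the token password in cleartext. It must contain
# "Internal (Software) Token:<password>" and must not be readable by group or
# others. Returns 0 when both hold, 1 otherwise.
check_pin_file() {  # check_pin_file PATH
    grep -q '^Internal (Software) Token:.' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
}

# "request" before sending the CSR to the CA, "install" once dirsrv.crt and
# my-ca.crt are back in /root. set -e aborts the install if a check fails.
case ${1:-} in
    request) make_csr ;;
    install)
        verify_chain /root/my-ca.crt /root/dirsrv.crt station2.example.com
        import_certs
        check_pin_file "$INST_DIR/pin.txt"
        service dirsrv restart ;;
esac
```

Run it as `sh tls-setup.sh request`, hand /root/dirsrv.csr to the CA, then `sh tls-setup.sh install`. The two check functions can also be sourced and used on their own; check_pin_file is what to run after editing pin.txt, since a file readable by other users hands out the password that unlocks the server's private key.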

3. Enable SSL/TLS on the client

[root@station2 ~]# vi /etc/openldap/ldap.conf

TLS_CACERT /etc/pki/tls/certs/my-ca.crt

# my-ca.crt was copied to /root above; place a copy at the path TLS_CACERT points to. This is the CA the client uses to verify the LDAP server's certificate.

[root@station2 ~]# ldapsearch -x "uid=zhangsan123" -ZZ -LLL

dn: uid=zhangsan123,ou=People,dc=station2,dc=example,dc=com

cn: zhangsam 123

sn: zhang

givenName: Emanuel

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

ou: Product Testing

ou: People

l: Santa Clara

uid: zhangsan123

telephoneNumber: +1 408 555 0933

facsimileTelephoneNumber: +1 408 555 9752

roomNumber: 3906

manager: uid=jwalker, ou=People, dc=station2,dc=example,dc=com

userPassword:: e1NTSEF9ZGcvQWpjUmhyOHAyd05tNU5Kbmo5bTFwMkJoN1VqcWltSHI1TXc9PQ==

# If TLS_CACERT does not point to the CA's certificate, the -ZZ query fails because the client cannot verify the LDAP server's certificate: before a client can fetch data over TLS it has to obtain and install the CA certificate (or the server's certificate). Do not work around the failure with TLS_REQCERT never or allow; those settings disable verification and accept any certificate.
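Whether a successful -ZZ query proves anything depends on the client configuration, so it is worth checking ldap.conf before trusting the result. The script below is an added example and not from the original post; the host name, base DN and test user are taken from the page, while the function names, the `check` mode and the file layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verifies that the client will
# really check the server certificate, then runs the same query over StartTLS
# (port 389, what -ZZ uses) and LDAPS (port 636). Host, base DN and the test
# user are from the post; function names are this example's own.
set -eu

LDAP_CONF=${LDAP_CONF:-/etc/openldap/ldap.conf}
HOST=${HOST:-station2.example.com}
BASE=${BASE:-dc=station2,dc=example,dc=com}

# The last occurrence of a directive in ldap.conf wins, so keep the last value.
conf_value() {  # conf_value CONF_FILE DIRECTIVE
    awk -v k="$2" 'toupper($1) == k { v = $2 } END { print v }' "$1"
}

# Returns 0 only when the client will verify the server certificate:
# TLS_CACERT must name a readable file and TLS_REQCERT must be unset, "demand"
# or "hard". "never" and "allow" let -ZZ succeed against any certificate,
# including one presented by a man in the middle, which defeats the point.
client_verifies() {  # client_verifies CONF_FILE
    cacert=$(conf_value "$1" TLS_CACERT)
    reqcert=$(conf_value "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    [ -n "$cacert" ] && [ -r "$cacert" ] || return 1
    case $reqcert in
        ''|demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# StartTLS on port 389: this is what -ZZ in the post does. ldapsearch exits
# non-zero if TLS cannot be started or the certificate does not verify.
search_starttls() {
    ldapsearch -x -H "ldap://$HOST" -ZZ -b "$BASE" -LLL "uid=zhangsan123" dn
}

# LDAPS on port 636: the port the netstat check in section 2 showed listening.
search_ldaps() {
    ldapsearch -x -H "ldaps://$HOST:636" -b "$BASE" -LLL "uid=zhangsan123" dn
}

# Look at what the server actually presents on 636, verified against the CA
# that issued it; exit status is 0 only when the chain verifies.
probe_636() {  # probe_636 CA_CERT
    echo | openssl s_client -connect "$HOST:636" -CAfile "$1" -verify_return_error >/dev/null
}

if [ "${1:-}" = check ]; then
    if client_verifies "$LDAP_CONF"; then
        echo "client will verify server certificates; querying both ports"
        search_starttls
        search_ldaps
    else
        echo "fix TLS_CACERT / TLS_REQCERT in $LDAP_CONF before trusting any -ZZ result" >&2
        exit 1
    fi
fi
```

Run `sh ldap-tls-client.sh check` on the client. For a one-off test without editing ldap.conf, OpenLDAP's clients also honour the environment variable LDAPTLS_CACERT, e.g. `LDAPTLS_CACERT=/root/my-ca.crt ldapsearch -x -ZZ ...`.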

This article is reposted from netsword's 51CTO blog; original link: http://blog.51cto.com/netsword/543773
