LDAP transmits everything in plaintext by default, so for security it is best to configure TLS-encrypted transport. The configuration procedure follows (the installation of the LDAP server itself is omitted; it is covered in the earlier document).
Environment:
LDAP SERVER1 172.16.42.136
LDAP SERVER2 172.16.42.137
CA SERVER & LDAP Client 172.16.42.135
CA server configuration:
Create the CA private key
<code>#cd /etc/pki/CA</code>
<code>#(umask 077; openssl genrsa -out private/cakey.pem 2048)</code>
Edit the /etc/pki/tls/openssl.cnf configuration file to change the default certificate settings (the file is openssl.cnf, not openssl.conf; the output of openssl ca further down shows the path it actually reads):
<code>[ req_distinguished_name ]</code>
<code>countryName_default = CN</code>
<code>stateOrProvinceName_default = Shanghai</code>
<code>localityName_default = Shanghai</code>
<code>0.organizationName_default = beyondh</code>
<code>organizationalUnitName_default = OPS</code>
Generate the self-signed CA certificate
<code>openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650</code>
<code>Country Name (2 letter code) [CN]:</code>
<code>State or Province Name (full name) [Shanghai]:</code>
<code>Locality Name (eg, city) [Shanghai]:</code>
<code>Organization Name (eg, company) [beyondh]:</code>
<code>Organizational Unit Name (eg, section) [OPS]:</code>
<code>Common Name (eg, your name or your server's hostname) []:ca.beyondh.org</code>
<code>Email Address []:[email protected]</code>
By default the /etc/pki/CA directory contains no serial or index.txt files; openssl ca needs both, so create them by hand
<code>touch index.txt</code>
<code>[root@mq02 CA]# echo 01 > serial</code>
<code>[root@mq02 CA]# ls</code>
<code>cacert.pem certs crl index.txt newcerts private serial</code>
LDAP server configuration
Generate the server private key. The post generated a 1024-bit key, as the output below shows; 1024-bit RSA has been deprecated for years and is rejected at OpenSSL security level 2 and above, the default on several current distributions, so use 2048 bits or more, as was done for the CA key above.
<code>pwd</code>
<code>/etc/pki/CA</code>
<code>[root@localhost CA]# (umask 077; openssl genrsa 1024 > ldap.key)</code>
<code>Generating RSA private key, 1024 bit long modulus</code>
<code>............................++++++</code>
<code>.......++++++</code>
<code>e is 65537 (0x10001)</code>
<code>[root@localhost CA]# ls</code>
<code>certs crl ldap.key newcerts private</code>
Generate the certificate signing request. The Common Name must be the DNS name clients will connect to (ldap.beyondh.org here): a verifying client compares the name in its URI against the certificate, and this certificate contains no IP address.
<code>openssl req -new -key ldap.key -out ldap.csr</code>
<code>You are about to be asked to enter information that will be incorporated</code>
<code>into your certificate request.</code>
<code>What you are about to enter is what is called a Distinguished Name or a DN.</code>
<code>There are quite a few fields but you can leave some blank</code>
<code>For some fields there will be a default value,</code>
<code>If you enter '.', the field will be left blank.</code>
<code>-----</code>
<code>Country Name (2 letter code) [XX]:CN</code>
<code>State or Province Name (full name) []:Shanghai</code>
<code>Locality Name (eg, city) [Default City]:Shanghai</code>
<code>Organization Name (eg, company) [Default Company Ltd]:beyondh</code>
<code>Organizational Unit Name (eg, section) []:OPS</code>
<code>Common Name (eg, your name or your server's hostname) []:ldap.beyondh.org</code>
<code>Please enter the following 'extra' attributes</code>
<code>to be sent with your certificate request</code>
<code>A challenge password []:</code>
Copy the certificate request to the CA server
<code>scp ldap.csr 172.16.42.135:/tmp</code>
Log in to the CA server and sign the LDAP server's certificate request into a certificate
<code>openssl ca -in /tmp/ldap.csr -out ldap.crt -days 3650</code>
<code>Using configuration from /etc/pki/tls/openssl.cnf</code>
<code>Check that the request matches the signature</code>
<code>Signature ok</code>
<code>Certificate Details:</code>
<code>    Serial Number: 1 (0x1)</code>
<code>    Validity</code>
<code>        Not Before: Mar 24 07:18:05 2017 GMT</code>
<code>        Not After : Mar 22 07:18:05 2027 GMT</code>
<code>    Subject:</code>
<code>        countryName = CN</code>
<code>        stateOrProvinceName = Shanghai</code>
<code>        organizationName = beyondh</code>
<code>        organizationalUnitName = OPS</code>
<code>        commonName = ldap.beyondh.org</code>
<code>        emailAddress = [email protected]</code>
<code>    X509v3 extensions:</code>
<code>        X509v3 Basic Constraints: </code>
<code>            CA:FALSE</code>
<code>        Netscape Comment: </code>
<code>            OpenSSL Generated Certificate</code>
<code>        X509v3 Subject Key Identifier: </code>
<code>            02:CF:80:2A:80:99:1D:FA:8A:AC:B2:52:B8:4F:21:ED:BF:A9:33:8F</code>
<code>        X509v3 Authority Key Identifier: </code>
<code>            keyid:E0:08:32:85:E9:45:AD:5B:BF:EB:42:15:EE:65:3C:80:56:00:24:93</code>
<code>Certificate is to be certified until Mar 22 07:18:05 2027 GMT (3650 days)</code>
<code>Sign the certificate? [y/n]:y</code>
<code>1 out of 1 certificate requests certified, commit? [y/n]y</code>
<code>Write out database with 1 new entries</code>
<code>Data Base Updated</code>
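The CA and certificate steps above can be reproduced without the interactive prompts, and with the properties a verifying client expects that the original certificates lack: a CA certificate marked CA:TRUE, 2048-bit keys instead of the 1024-bit server key, SHA-256 signatures, and a subjectAltName carrying the server's DNS name (current clients match names against the SAN rather than the Common Name). This is an added example, not code from the original post; the hostnames, the output directory and the 825-day server validity are assumptions. It needs only the openssl command-line tool and finishes by checking the chain and the name the way a client with TLS_REQCERT demand would.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA and an LDAP server
# certificate with the extensions a verifying client needs. Hostnames, paths
# and validity periods are assumptions for illustration.

# make_ldap_pki DIR HOSTNAME
# Writes cakey.pem, cacert.pem, ldap.key, ldap.csr and ldap.crt into DIR and
# returns non-zero if any step or the final chain/name verification fails.
make_ldap_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir" || return 1

    # Non-interactive replacement for the DN prompts, plus two extension
    # sections: one for the CA certificate, one for the server certificate.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
C = CN
ST = Shanghai
L = Shanghai
O = beyondh
OU = OPS
CN = $host

[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # 1. CA key (0600 via the umask subshell, as in the post) and self-signed CA cert.
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/cakey.pem" \
        -config "$dir/openssl.cnf" -extensions ca_ext \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=beyondh/OU=OPS/CN=ca.beyondh.org" \
        -out "$dir/cacert.pem" 2>/dev/null || return 1

    # 2. Server key (2048 bits, not 1024) and a CSR whose CN comes from [ dn ].
    (umask 077; openssl genrsa -out "$dir/ldap.key" 2048 2>/dev/null) || return 1
    openssl req -new -sha256 -key "$dir/ldap.key" -config "$dir/openssl.cnf" \
        -out "$dir/ldap.csr" 2>/dev/null || return 1

    # 3. Sign with the CA, attaching the server extensions (SAN, serverAuth).
    openssl x509 -req -sha256 -days 825 -in "$dir/ldap.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/ldap.crt" 2>/dev/null || return 1

    # 4. What a client with TLS_REQCERT demand checks: the chain and the name.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/ldap.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/ldap.crt" -noout -text | grep -q "DNS:$host"
}

# cert_key_bits FILE: size of the certificate's RSA public key, e.g. 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_is_ca FILE: succeeds only if the certificate carries CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

After running make_ldap_pki, ldap.crt and ldap.key go to /etc/openldap/certs on the LDAP server and cacert.pem to /etc/openldap/cacerts on every client; the CA key stays on the CA host. For the two MirrorMode servers, either run the server steps once per host or list both DNS names in subjectAltName.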
Copy the CA's own certificate and the LDAP server's signed certificate to the LDAP server
<code>[root@mq02 tmp]# scp /tmp/ldap.crt 172.16.42.137:/root</code>
<code>[root@mq02 CA]# scp /etc/pki/CA/cacert.pem 172.16.42.137:/root</code>
Log in to the LDAP server and edit /etc/openldap/slapd.conf. First move the files into place: ldap.crt and cacert.pem from /root, and ldap.key from /etc/pki/CA where it was generated, all into /etc/openldap/certs, owned by the ldap user and with the private key readable by that user only (mode 0600). Then add:
<code>TLSCACertificatePath /etc/openldap/certs</code>
<code>TLSCertificateFile /etc/openldap/certs/ldap.crt</code>
<code>TLSCertificateKeyFile /etc/openldap/certs/ldap.key</code>
<code>TLSVerifyClient allow</code>
Notes: if slapd is linked against OpenSSL, TLSCACertificatePath must name a directory indexed with c_rehash, and the single-file form TLSCACertificateFile /etc/openldap/certs/cacert.pem is simpler; the CentOS 6 packages link slapd against Mozilla NSS instead, where /etc/openldap/certs is an NSS certificate database directory. The TLSVerifyClient values mean:
never: the default; the client is not asked for a certificate.
allow: a client certificate is requested, but the connection proceeds whether the certificate is missing or invalid.
try: a client certificate is requested; a missing certificate is allowed, an invalid one terminates the connection.
demand | hard | true: a client certificate is required; a missing or invalid certificate terminates the connection immediately.
Only demand actually authenticates clients by certificate; allow, as used here, changes nothing for a client that presents no certificate.
Edit /etc/sysconfig/ldap on the LDAP server so that slapd listens on both ldap:// (port 389) and ldaps:// (port 636):
<code>SLAPD_LDAP=yes</code>
<code>SLAPD_LDAPS=yes</code>
Regenerate the slapd.d configuration database from slapd.conf and restart slapd (run from /etc/openldap):
<code>rm -rf slapd.d/*</code>
<code>slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d</code>
<code>chown -R ldap:ldap slapd.d</code>
<code>/etc/init.d/slapd restart</code>
Client configuration
Install the OpenLDAP client packages
<code>yum -y install nss-pam-ldapd setuptool</code>
<code>yum -y install openldap openldap-*</code>
<code>yum -y install openssh-ldap</code>
<code>/etc/init.d/nslcd start</code>
Run setup or authconfig-tui to configure the client, or edit the configuration files directly; see the following link:
<a href="http://54im.com/openldap/centos-6-yum-install-openldap-phpldapadmin-tls-%E5%8F%8C%E4%B8%BB%E9%85%8D%E7%BD%AE.html" target="_blank">http://54im.com/openldap/centos-6-yum-install-openldap-phpldapadmin-tls-%E5%8F%8C%E4%B8%BB%E9%85%8D%E7%BD%AE.html</a>
Confirm the client configuration file /etc/openldap/ldap.conf (the CA server's certificate cacert.pem, not its private key, is copied into /etc/openldap/cacerts beforehand):
<code>TLS_CACERTDIR /etc/openldap/cacerts</code>
<code>URI ldaps://172.16.42.137</code>
<code>BASE dc=beyondh,dc=org</code>
<code>TLS_REQCERT allow</code>
<code>TLS_CACERT /etc/openldap/cacerts/cacert.pem</code>
TLS_REQCERT allow lets the session proceed even if the server presents no certificate or one that does not verify, so the traffic is encrypted but the server is never authenticated and anyone in the path can impersonate it. The setting is most likely there because the URI uses the IP address while the certificate was issued to ldap.beyondh.org; with the default TLS_REQCERT demand the client would reject the name mismatch. The proper fix is to make ldap.beyondh.org resolve to the server (DNS or /etc/hosts), use URI ldaps://ldap.beyondh.org, and set TLS_REQCERT demand so that a failed check aborts the connection.
Restart the client daemon
<code>[root@mq02 CA]# /etc/init.d/nslcd restart</code>
Test that the client can connect to the server
<code>[root@mq02 openldap]# ldapwhoami -v -x -Z</code>
<code>ldap_initialize( <DEFAULT> )</code>
<code>ldap_start_tls: Operations error (1)</code>
<code>    additional info: TLS already started</code>
<code>anonymous</code>
<code>Result: Success (0)</code>
The ldap_start_tls error is expected here and harmless: -Z requests the StartTLS extended operation, but the URI is ldaps://, so TLS was already negotiated when the connection was opened and the server refuses to start it a second time (with -ZZ the command would abort instead). The anonymous bind then completes over that TLS session, and Result: Success (0) shows the connection works; without -Z only the last two lines appear. Note that with TLS_REQCERT allow a successful result does not prove the server certificate was validated; it does once TLS_REQCERT is demand.
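The whoami test above also succeeds with TLS_REQCERT allow, so it cannot distinguish the real server from an impostor. The following shell functions, an added example rather than code from the original post, audit a client ldap.conf for the settings that decide whether the server is actually verified: an ldaps:// URI, a hostname (not an IP address) in that URI so the certificate name check can pass, TLS_REQCERT demand, and a trust anchor via TLS_CACERT or TLS_CACERTDIR. The two sample files are constructed here; the first mirrors the configuration shown above, the second is the hardened form, and the paths and hostname are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a client /etc/openldap/ldap.conf
# for the settings that decide whether the LDAP server is really authenticated.
# File paths and hostnames are assumptions for illustration.

# conf_value FILE KEY: last value given for KEY (ldap.conf keys are case-insensitive).
conf_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

# check_ldap_client_conf FILE: print each weakness found; return 1 if any, 0 if none.
check_ldap_client_conf() {
    conf=$1
    fail=0
    uri=$(conf_value "$conf" URI)
    reqcert=$(conf_value "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(conf_value "$conf" TLS_CACERT)
    cacertdir=$(conf_value "$conf" TLS_CACERTDIR)

    case "$uri" in
        ldaps://*)
            # The client compares this host against the names in the certificate;
            # a bare IP address never matches a certificate issued to a DNS name.
            host=${uri#ldaps://}
            host=${host%%[:/]*}
            case "$host" in
                *[!0-9.]*) ;;   # contains a letter or other non-digit: a hostname
                *) echo "$conf: URI uses IP address '$host'; the certificate name check cannot pass"
                   fail=1 ;;
            esac ;;
        *)
            echo "$conf: URI '$uri' is not ldaps://; traffic is plaintext unless every tool adds -ZZ"
            fail=1 ;;
    esac

    case "$reqcert" in
        ""|demand|hard) ;;   # unset means the default, demand
        *) echo "$conf: TLS_REQCERT $reqcert does not require a verified server certificate"
           fail=1 ;;
    esac

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "$conf: neither TLS_CACERT nor TLS_CACERTDIR is set; there is no trust anchor"
        fail=1
    fi
    return $fail
}

# write_sample_confs DIR: constructed sample files, weak (as on this page) and hardened.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://172.16.42.137
BASE dc=beyondh,dc=org
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert.pem
EOF
    cat > "$1/hardened.conf" <<'EOF'
URI ldaps://ldap.beyondh.org
BASE dc=beyondh,dc=org
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/cacert.pem
EOF
}
```

Run against the two samples, check_ldap_client_conf returns 1 for weak.conf with two findings (IP address in the URI, TLS_REQCERT allow) and 0 for hardened.conf. The live counterpart, which needs the server up, is openssl s_client -connect ldap.beyondh.org:636 -CAfile /etc/openldap/cacerts/cacert.pem, whose output must end with Verify return code: 0 (ok); after that, ldapwhoami -x -H ldaps://ldap.beyondh.org with TLS_REQCERT demand in place proves both the chain and the name.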
Notes:
After switching to TLS, if the plain ldap listener is turned off and only ldaps is enabled, the phpLDAPadmin web management tool can no longer log in. The cause was not determined here; the likely reason is that phpLDAPadmin was still configured to reach the server over plain LDAP on port 389, so it has to be pointed at the ldaps URI on port 636.
How to make the two MirrorMode LDAP servers replicate over TLS was also not worked out here. OpenLDAP supports it through the syncrepl directive: either give provider= an ldaps:// URI, or keep ldap:// and add starttls=critical, and in both cases set tls_cacert= to the CA certificate and tls_reqcert=demand so that each replica authenticates its peer; each server then needs a certificate issued to its own hostname.
This article is reposted from 曾哥最愛's 51CTO blog; original link: http://blog.51cto.com/zengestudy/1910142. Contact the original author for permission to reproduce it.