OpenLDAP SSL configuration
阿新 • Published: 2018-12-11
Configuring SSL for LDAP
LDAPS can be set up in two ways:
1. A self-signed certificate. This walkthrough handles it by adding tls_reqcert allow to /etc/nslcd.conf on the LDAP clients, which makes them accept the server certificate without verifying it. Treat that as a lab shortcut: with verification off, anything that can intercept the connection can present its own certificate. A self-signed certificate does not actually require it; copying server.crt to each client and pointing TLS_CACERT at it lets the clients keep the default TLS_REQCERT demand.
2. A CA-signed certificate. Put the CA certificate in /etc/openldap/cacerts/ so the LDAP clients can verify the server certificate.
Generate the key
[[email protected]] /etc/pki/tls/certs$ openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.+++
..........+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
Remove the passphrase from the key (slapd reads the key at startup and cannot prompt for one)
[[email protected]] /etc/pki/tls/certs$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
Generate the CSR
[[email protected]] /etc/pki/tls/certs$ openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:baidu
Organizational Unit Name (eg, section) []:sre
Common Name (eg, your name or your server's hostname) []:slave3.hanli.com
Email Address []: [email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:520224
An optional company name []:baidu
Generate the certificate. Signing the request with the server's own key produces a self-signed certificate valid for ten years. The challenge password and optional company name entered above are unused CSR attributes and can be left blank.
[[email protected]] /etc/pki/tls/certs$ openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=baidu/OU=sre/CN=slave3.hanli.com/ [email protected]
Getting Private key
Copy the files into the OpenLDAP certificate directory
[[email protected]] /etc/pki/tls/certs$ cp /etc/pki/tls/certs/server.key \
> /etc/pki/tls/certs/server.crt \
> /etc/pki/tls/certs/ca-bundle.crt \
> /etc/openldap/certs/
Fix ownership so that slapd, which runs as the ldap user, can read them. As created above the private key is world-readable (0644); it should be restricted to that user (mode 0600) before slapd is pointed at it.
[[email protected]] /etc/openldap/certs$ chown ldap. /etc/openldap/certs/server.key \
> /etc/openldap/certs/server.crt \
> /etc/openldap/certs/ca-bundle.crt
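The key, CSR and certificate steps above collapsed into one script, together with the checks worth running before the files are copied to /etc/openldap/certs/. This is an added example, not code from the original post: it assumes the same hostname slave3.hanli.com and DN fields, writes into a directory given on the command line, puts the hostname into subjectAltName as well as CN (the walkthrough's certificate has only a CN), creates the key unencrypted and with mode 0600 from the start, and never records a CSR challenge password.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: generate the slapd server key and
# self-signed certificate in one step and sanity-check the result before it is
# copied to /etc/openldap/certs/. Hostname, DN fields and output directory are
# assumptions for illustration.
set -eu

# make_slapd_cert DIR HOST [DAYS]: write DIR/server.key and DIR/server.crt.
# A temporary openssl config is used instead of -addext so the same command
# works on CentOS 7's OpenSSL 1.0.2 as well as on 1.1.1/3.x.
make_slapd_cert() {
    local dir="$1" host="$2" days="${3:-3650}"
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = server_ext
[dn]
C  = CN
ST = Shanghai
L  = Shanghai
O  = baidu
OU = sre
CN = ${host}
[server_ext]
# clients match SAN before CN; CA:TRUE because this same file is what clients
# load as their trust anchor in the self-signed setup
subjectAltName = DNS:${host}
basicConstraints = CA:TRUE
EOF
    # -x509: emit a self-signed certificate directly, no separate CSR step
    # -nodes: leave the key unencrypted; slapd cannot prompt for a passphrase
    # umask 077: the key file is never world-readable, not even briefly
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt")
    chmod 644 "$dir/server.crt"
    rm -f "$dir/openssl.cnf"
}

# cert_matches_key DIR: true if server.crt carries the public half of server.key
# (catches a stale .crt left next to a regenerated .key).
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/server.crt")
    key_pub=$(openssl pkey -pubout -in "$1/server.key")
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_is_unencrypted DIR: an encrypted PEM here means slapd fails to start,
# since it reads the key without a passphrase.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1/server.key"
}

# cert_has_san DIR HOST: true if HOST appears as a DNS subjectAltName.
cert_has_san() {
    case "$(openssl x509 -noout -text -in "$1/server.crt")" in
        *"DNS:$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# client_would_trust DIR: the verification a client performs when server.crt
# is distributed as its TLS_CACERT; a self-signed cert must verify against
# itself.
client_would_trust() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null
}

if [ "${1:-}" = "--run" ]; then
    out=${2:-$(mktemp -d)}
    make_slapd_cert "$out" slave3.hanli.com
    cert_matches_key "$out" && key_is_unencrypted "$out" \
        && cert_has_san "$out" slave3.hanli.com && client_would_trust "$out"
    echo "key and certificate ready in $out; copy them to /etc/openldap/certs/"
fi
```

Run it as `./make-cert.sh --run /tmp/slapd-tls`; the checks exit non-zero if the certificate and key disagree, the key ended up encrypted, the SAN is missing, or the certificate would not verify as its own trust anchor, so the script can gate a deployment step.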
Create the TLS configuration LDIF. olcTLSCertificateFile and olcTLSCertificateKeyFile already exist in the default CentOS 7 cn=config, so they are replaced; olcTLSCACertificateFile does not, so it is added.
[[email protected] ~]# vi mod_ssl.ldif
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
Import it
[[email protected]] ~$ ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Check that the configuration is valid
slaptest -u
Enable the ldaps:// listener in the server's startup options
[[email protected]] ~$ vi /etc/sysconfig/slapd
# line 9: add
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
Restart
[[email protected]] ~$ systemctl restart slapd
Check the ports: slapd now listens on 636 as well
[[email protected]] ~$ netstat -antlp |grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 15877/slapd
tcp6 0 0 :::636 :::* LISTEN 15877/slapd
Configure the clients. TLS_REQCERT allow (libldap) and tls_reqcert allow (nslcd) make the client ignore a server certificate that fails verification, which is what lets the self-signed certificate work without distributing it; authconfig --enableldaptls switches nslcd to STARTTLS on its configured ldap:// URI. To keep verification instead, copy server.crt to the client, point TLS_CACERT (tls_cacertfile in nslcd.conf) at it, and leave TLS_REQCERT at its default of demand.
[[email protected]] ~$ echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
[[email protected]] ~$ echo "tls_reqcert allow" >> /etc/nslcd.conf
[[email protected]] ~$ authconfig --enableldaptls --update
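What the client-side setting above actually does, as an added example that is not part of the original post: a small audit of the TLS_REQCERT level in an ldap.conf-style file, the rewrite that turns the "allow" shortcut into a verifying configuration, and the live check a client can run afterwards. The sample config is constructed; the hostname slave3.hanli.com and the certificate path /etc/openldap/certs/server.crt are assumptions for illustration. The same keywords apply to /etc/nslcd.conf.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit what a client's TLS_REQCERT
# setting does and rewrite the config to verify the server instead of
# accepting any certificate. Sample config, hostname and paths are constructed
# for illustration.
set -eu

# Constructed sample of what the walkthrough leaves in /etc/openldap/ldap.conf.
SAMPLE_LDAP_CONF='URI ldap://slave3.hanli.com
BASE dc=hanli,dc=com
TLS_REQCERT allow'

# tls_reqcert_level CONFIG_TEXT: print the effective TLS_REQCERT value. Keys
# are case-insensitive, the last occurrence wins, comment lines are ignored,
# and ldap.conf(5) defaults to "demand" when the option is absent.
tls_reqcert_level() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "tls_reqcert" { v = tolower($2) }
        END { print (v == "" ? "demand" : v) }'
}

# tls_reqcert_is_verifying LEVEL: true only for the levels at which libldap
# drops the connection when the server certificate fails verification.
# "never" skips the check entirely, "allow" (what the post uses) ignores a
# bad certificate, and "try" only checks a certificate if one is presented.
tls_reqcert_is_verifying() {
    case "$1" in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# harden_ldap_conf CONFIG_TEXT CACERT: force TLS_REQCERT demand and point
# TLS_CACERT at the server's own server.crt (self-signed case) or at the CA
# bundle (CA-signed case), appending either line if it was missing.
harden_ldap_conf() {
    printf '%s\n' "$1" | awk -v cacert="$2" '
        tolower($1) == "tls_reqcert" { print "TLS_REQCERT demand"; seen_req = 1; next }
        tolower($1) == "tls_cacert"  { print "TLS_CACERT " cacert;  seen_ca = 1;  next }
        { print }
        END {
            if (!seen_ca)  print "TLS_CACERT " cacert
            if (!seen_req) print "TLS_REQCERT demand"
        }'
}

# verify_ldaps HOST CACERT: the live check. libldap honours LDAPTLS_* in the
# environment, so this fails if the server certificate does not chain to
# CACERT or does not name HOST. Needs network access to the server; not run
# by the demo below.
verify_ldaps() {
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$2" \
        ldapsearch -x -H "ldaps://$1" -b '' -s base '(objectClass=*)' >/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    level=$(tls_reqcert_level "$SAMPLE_LDAP_CONF")
    if tls_reqcert_is_verifying "$level"; then
        echo "TLS_REQCERT $level: server certificate is verified"
    else
        echo "TLS_REQCERT $level: server certificate is NOT verified; hardened config:"
        harden_ldap_conf "$SAMPLE_LDAP_CONF" /etc/openldap/certs/server.crt
    fi
fi
```

Run `./audit-ldap-tls.sh --demo` to see the sample flagged and rewritten; to audit a real client, pass `"$(cat /etc/openldap/ldap.conf)"` to tls_reqcert_level, and after deploying the hardened file call verify_ldaps slave3.hanli.com /etc/openldap/certs/server.crt, which exits non-zero exactly when a client with TLS_REQCERT demand would refuse the connection.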
References
https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=4
https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html