配置LDAP启动TLS

阅读本文之前,建议初学的小伙伴先看一下上一篇:完整的 LDAP + phpLDAPadmin安装部署流程 (ubuntu18.04)

以下正文:

接下来的操作承接上文,还是在同一台机器上。

操作系统:Ubuntu18.04

安装gnutls-binssl-cert软件包

root@cky:~# apt install gnutls-bin ssl-cert -y

为证书颁发机构创建私钥:

root@cky:~# certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem

创建模板/文件/etc/ssl/ca.info以定义CA:

root@cky:~# cat /etc/ssl/ca.info
cn = Xcdata Company
ca
cert_signing_key
expiration_days = 3650

创建自签名的CA证书:

root@cky:~# certtool --generate-self-signed \
--load-privkey /etc/ssl/private/mycakey.pem \
--template /etc/ssl/ca.info \
--outfile /usr/local/share/ca-certificates/mycacert.crt

运行update-ca-certificates以将新的CA证书添加到受信任的CA列表中。请注意添加的一个CA:

root@cky:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

这还会在中创建一个/etc/ssl/certs/mycacert.pem指向实际文件的符号链接/usr/local/share/ca-certificates

为服务器创建一个私钥:

root@cky_dev:~# certtool --generate-privkey \
--bits 2048 \
--outfile /etc/ldap/company_ldap_slapd_key.pem

** Note: You may use '--sec-param Medium' instead of '--bits 2048'
Generating a 2048 bit RSA private key...

创建/etc/ssl/company_ldap.info包含以下内容的信息文件:

organization = Company
cn = company.com
tls_www_server
encryption_key
signing_key
expiration_days = 365

以上证书有效期为1年,仅对company.com主机名有效。

创建服务器的证书:

root@cky:~# certtool --generate-certificate \
--load-privkey /etc/ldap/company_ldap_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/mycacert.pem \
--load-ca-privkey /etc/ssl/private/mycakey.pem \
--template /etc/ssl/company_ldap.info \
--outfile /etc/ldap/company_ldap_slapd_cert.pem

调整权限和所有权:

root@cky:~# chgrp openldap /etc/ldap/company_ldap_slapd_key.pem
root@cky:~# chmod 0640 /etc/ldap/company_ldap_slapd_key.pem

现在服务器准备接受新的TLS配置。

创建certinfo.ldif文件

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/company_ldap_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/company_ldap_slapd_key.pem

使用ldapmodify命令通过slapd-config数据库告诉slapd我们的TLS工作:

root@cky:~/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

最后检查个文件

root@cky:~/ldap# grep -e '^SLAPD_SERVICES' /etc/default/slapd 
SLAPD_SERVICES="ldap:/// ldapi:///"

因为我们不需要使用 ldaps://,而推荐使用StartTLS。后者指的是已由TLS / SSL保护的现有LDAP会话(在TCP端口389上监听),而LDAPS像HTTPS一样,是一种独特的从头开始加密的协议,它在TCP端口636上运行。

OpenLDAP副本的证书

要为OpenLDAP副本(消费者)生成证书对,创建一个保存目录(将用于最终传输)

root@cky:~# mkdir /mnt/ldap02-ssl
root@cky:~# cd /mnt/ldap02-ssl/
root@cky:/mnt/ldap02-ssl# pwd
/mnt/ldap02-ssl

root@cky_dev:/mnt/ldap02-ssl# certtool --generate-privkey \
--bits 2048 \
--outfile company_ldap02_slapd_key.pem

** Note: You may use '--sec-param Medium' instead of '--bits 2048'
Generating a 2048 bit RSA private key...

为消费者服务器创建一个信息文件ldap02.info

organization = Company
cn = company02.com
tls_www_server
encryption_key
signing_key
expiration_days = 365

创建消费者证书:

root@cky:/mnt/ldap02-ssl# certtool --generate-certificate \
--load-privkey company_ldap02_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/mycacert.pem \
--load-ca-privkey /etc/ssl/private/mycakey.pem \
--template ldap02.info \
--outfile company_ldap02_slapd_cert.pem

获取CA证书的副本

root@cky:/mnt/ldap02-ssl# cp /etc/ssl/certs/mycacert.pem .

现在将ldap02-ssl目录转移到使用者。(如果是多节点可以scp,现在是单节点测试,就直接本地搞了)

root@cky:/mnt/ldap02-ssl# cp company_ldap02_slapd_cert.pem company_ldap02_slapd_key.pem /etc/ldap/
root@cky:/mnt/ldap02-ssl# chgrp openldap /etc/ldap/company_ldap02_slapd_key.pem
root@cky:/mnt/ldap02-ssl# chmod 0640 /etc/ldap/company_ldap02_slapd_key.pem
root@cky:/mnt/ldap02-ssl# cp mycacert.pem /usr/local/share/ca-certificates/mycacert.crt
root@cky:/mnt/ldap02-ssl# update-ca-certificates

创建certinfo.ldif具有以下内容的文件

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/company_ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/company_ldap02_slapd_key.pem

配置slapd-config数据库:

root@cky:/mnt/ldap02-ssl# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

报错

root@cky:/mnt/ldap02-ssl# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
        additional info: modify/add: olcTLSCACertificateFile: no equality matching rule

一番百度google之后,更改certinfo.ldif,将add改成了replace

dn: cn=config
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/company_ldap02_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/company_ldap02_slapd_key.pem

再跑一次(此处diss一下ubuntu的官方文档

root@cky:/mnt/ldap02-ssl# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif     
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

加个解析

# file : /etc/hosts
xxx.xxx.xxx.xxx    company02.com

测试

root@cky:/mnt/ldap02-ssl# ldapwhoami -x -ZZ -h company02.com
anonymous

版权声明:本文为shu-sheng原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://www.cnblogs.com/shu-sheng/p/14450815.html