配置LDAP啟動TLS
閱讀本文之前,建議初學的小夥伴先看一下上一篇:完整的 LDAP + phpLDAPadmin安裝部署流程 (ubuntu18.04)
接下來的操作承接上文,還是在同一臺機器上。
作業系統:Ubuntu18.04
以下正文:
安裝gnutls-bin
和ssl-cert
軟體包
root@cky:~# apt install gnutls-bin ssl-cert -y
為證照頒發機構建立私鑰:
root@cky:~# certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem
建立模板/檔案/etc/ssl/ca.info
以定義CA:
root@cky:~# cat /etc/ssl/ca.info
cn = Xcdata Company
ca
cert_signing_key
expiration_days = 3650
建立自簽名的CA證照:
root@cky:~# certtool --generate-self-signed \
--load-privkey /etc/ssl/private/mycakey.pem \
--template /etc/ssl/ca.info \
--outfile /usr/local/share/ca-certificates/mycacert.crt
執行update-ca-certificates
以將新的CA證照新增到受信任的CA列表中。請注意新增的一個CA:
root@cky:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
這還會在中建立一個/etc/ssl/certs/mycacert.pem
指向實際檔案的符號連結/usr/local/share/ca-certificates
。
為伺服器建立一個私鑰:
root@cky_dev:~# certtool --generate-privkey \
--bits 2048 \
--outfile /etc/ldap/company_ldap_slapd_key.pem
** Note: You may use '--sec-param Medium' instead of '--bits 2048'
Generating a 2048 bit RSA private key...
建立/etc/ssl/company_ldap.info
包含以下內容的資訊檔案:
organization = Company
cn = company.com
tls_www_server
encryption_key
signing_key
expiration_days = 365
以上證照有效期為1年,僅對company.com
主機名有效。
建立伺服器的證照:
root@cky:~# certtool --generate-certificate \
--load-privkey /etc/ldap/company_ldap_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/mycacert.pem \
--load-ca-privkey /etc/ssl/private/mycakey.pem \
--template /etc/ssl/company_ldap.info \
--outfile /etc/ldap/company_ldap_slapd_cert.pem
調整許可權和所有權:
root@cky:~# chgrp openldap /etc/ldap/company_ldap_slapd_key.pem
root@cky:~# chmod 0640 /etc/ldap/company_ldap_slapd_key.pem
現在伺服器準備接受新的TLS配置。
建立certinfo.ldif
檔案
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/company_ldap_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/company_ldap_slapd_key.pem
使用ldapmodify
命令通過slapd-config
資料庫告訴slapd
我們的TLS工作:
root@cky:~/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
最後檢查個檔案
root@cky:~/ldap# grep -e '^SLAPD_SERVICES' /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:///"
因為我們不需要使用
ldaps://
,而推薦使用StartTLS
。後者指的是已由TLS / SSL保護的現有LDAP會話(在TCP埠389上監聽),而LDAPS像HTTPS一樣,是一種獨特的從頭開始加密的協議,它在TCP埠636上執行。
OpenLDAP副本的證照
要為OpenLDAP副本(消費者)生成證照對,建立一個儲存目錄(將用於最終傳輸)
root@cky:~# mkdir /mnt/ldap02-ssl
root@cky:~# cd /mnt/ldap02-ssl/
root@cky:/mnt/ldap02-ssl# pwd
/mnt/ldap02-ssl
root@cky_dev:/mnt/ldap02-ssl# certtool --generate-privkey \
--bits 2048 \
--outfile company_ldap02_slapd_key.pem
** Note: You may use '--sec-param Medium' instead of '--bits 2048'
Generating a 2048 bit RSA private key...
為消費者伺服器建立一個資訊檔案ldap02.info
:
organization = Company
cn = company02.com
tls_www_server
encryption_key
signing_key
expiration_days = 365
建立消費者證照:
root@cky:/mnt/ldap02-ssl# certtool --generate-certificate \
--load-privkey company_ldap02_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/mycacert.pem \
--load-ca-privkey /etc/ssl/private/mycakey.pem \
--template ldap02.info \
--outfile company_ldap02_slapd_cert.pem
獲取CA證照的副本
root@cky:/mnt/ldap02-ssl# cp /etc/ssl/certs/mycacert.pem .
現在將ldap02-ssl
目錄轉移到使用者。(如果是多節點可以scp
,現在是單節點測試,就直接本地搞了)
root@cky:/mnt/ldap02-ssl# cp company_ldap02_slapd_cert.pem company_ldap02_slapd_key.pem /etc/ldap/
root@cky:/mnt/ldap02-ssl# chgrp openldap /etc/ldap/company_ldap02_slapd_key.pem
root@cky:/mnt/ldap02-ssl# chmod 0640 /etc/ldap/company_ldap02_slapd_key.pem
root@cky:/mnt/ldap02-ssl# cp mycacert.pem /usr/local/share/ca-certificates/mycacert.crt
root@cky:/mnt/ldap02-ssl# update-ca-certificates
建立certinfo.ldif
具有以下內容的檔案
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/company_ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/company_ldap02_slapd_key.pem
配置slapd-config資料庫:
root@cky:/mnt/ldap02-ssl# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
報錯
root@cky:/mnt/ldap02-ssl# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCACertificateFile: no equality matching rule
一番百度google之後,更改certinfo.ldif
,將add
改成了replace
dn: cn=config
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/company_ldap02_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/company_ldap02_slapd_key.pem
再跑一次(此處diss一下ubuntu的官方文件)
root@cky:/mnt/ldap02-ssl# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
加個解析
# file : /etc/hosts
xxx.xxx.xxx.xxx company02.com
測試
root@cky:/mnt/ldap02-ssl# ldapwhoami -x -ZZ -h company02.com
anonymous