本章主要介绍 OpenLDAP（slapd）的 TLS 证书配置：在 cn=config 中指定 CA 证书、服务器证书和私钥，开启 ldaps:// 监听，并用 openssl 验证服务器证书能否通过 CA 校验。
1.配置TLS
vim tls.ldif # create new dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key - replace: olcTLSVerifyClient olcTLSVerifyClient: never TLSVerifyClient:设置是否验证 client 的身份,其值可以是 never / allow / try / demand never:不需要验证 client 端的身份,Client 端只需要有 CA 证书就可以了 allow:Server 会要求 client 提供证书,如果 client 端没有提供证书,会话会正常进行 try:Client 端提供了证书,但是 Server 端有可能不能校验这个证书,这个证书会被忽略,会话正常进行 demand:Server 端需要认证 client 端的身份,Client 端需要有自己的证书和私钥 [root@base ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" |
2.配置 slapd 开启 ldaps（TLS）监听
[root@base ~]# vim /etc/sysconfig/slapd SLAPD_URLS="ldapi:/// ldap:/// ldaps:///" systemctl restart slapd [root@base ~]# netstat -tulnp |grep 636 #出现slapd说明ldap启动成功 tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 3064/slapd tcp6 0 0 :::636 :::* LISTEN 3064/slapd |
3.验证 ldaps 端口（636）的服务器证书能否通过 CA 校验
[root@base ~]# openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /etc/openldap/certs/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 C = CN, ST = Zhejiang, L = Hangzhou, O = ldap, OU = IT, CN = ldap, emailAddress = admin@ldap.com verify return:1 depth=0 C = CN, ST = Zhejiang, O = ldap, OU = IT, CN = www.myldap.com, emailAddress = admin@myldap.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read server session ticket A SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=CN/ST=Zhejiang/O=ldap/OU=IT/CN=www.myldap.com/emailAddress=admin@myldap.com i:/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com -----BEGIN CERTIFICATE----- MIID6TCCAtGgAwIBAgIBATANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJDTjER MA8GA1UECAwIWmhlamlhbmcxETAPBgNVBAcMCEhhbmd6aG91MQ0wCwYDVQQKDARs ZGFwMQswCQYDVQQLDAJJVDENMAsGA1UEAwwEbGRhcDEdMBsGCSqGSIb3DQEJARYO YWRtaW5AbGRhcC5jb20wHhcNMTkwNTE1MDc1MzA0WhcNMjkwNTEyMDc1MzA0WjB2 MQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlamlhbmcxDTALBgNVBAoMBGxkYXAx CzAJBgNVBAsMAklUMRcwFQYDVQQDDA53d3cubXlsZGFwLmNvbTEfMB0GCSqGSIb3 DQEJARYQYWRtaW5AbXlsZGFwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBANpop+0xr2YAnDrd4aBf28GBrnSEqldIVtTo4VCgpcxmUc4XYJE6yrQG MqfCWatuAUBMIJNMZRsFxCdnV5+z+YEIqF4eMBLLEJ2wRqHStiQgX7651Iy+hxIE C8F1mTo3PVdWkpSPBU7vd4zJu0l7mmADCIDuFTHAlrX2oe/jpJdiG+XGDBol9qR+ AH1ib1IYo8XngeNHI1/wDe8+FXj6Niwl+r7ozbnCk9tPP74LnabhcbRWTzWo9X2B hGzFobODcRk+5qhnHR1OUqubeeJfap+iOiFCDhg4bXxA2//fwq9Au3X/AOEaqSFy qXGmz99AScy3aWZB8k7A9U1L71dj93kCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglg hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O BBYEFC6zD84/eUJClnck56TdGU/TYOkfMB8GA1UdIwQYMBaAFEQyBbIZqgnOgKJF 
/eg8FU0knzHTMA0GCSqGSIb3DQEBCwUAA4IBAQAVuqoGeDYze4EFu4sL+4Ohe35R OnMI9eJ23eY6+VjrQlpE7nRIm3GpSOdn3re7UZ+gRXIB/Ny815KlhbgixwHT/1/e 6MpJ7QT9Co1TdhWvWJoxv2pPRksyz2gKu/NOUAJsZ8/U2lW3P538rZCOnBEyrDpC b/BpBZJ2BtryOAKpNH8jE9n/HZlGGxHozj7LyV3EEMe128llhfUFKAP18/gBhvzj jYsH94tLSzCyylLbxSR6VVWBQmnqcmYgK+euNMOqKfQUFKSlZ8JmTNRXcUCNI85h t2nfQv9FL2hKEbl5bGVKjIznRKMbxD56B7RFW6qOQY7IDEklOpmuMX4v9NGc -----END CERTIFICATE----- 1 s:/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com i:/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com -----BEGIN CERTIFICATE----- MIIDzTCCArWgAwIBAgIJAKdgI0BjB7rKMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV BAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwISGFuZ3pob3UxDTAL BgNVBAoMBGxkYXAxCzAJBgNVBAsMAklUMQ0wCwYDVQQDDARsZGFwMR0wGwYJKoZI hvcNAQkBFg5hZG1pbkBsZGFwLmNvbTAeFw0xOTA1MTUwNzQ4MTlaFw0yOTA1MTIw NzQ4MTlaMH0xCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UE BwwISGFuZ3pob3UxDTALBgNVBAoMBGxkYXAxCzAJBgNVBAsMAklUMQ0wCwYDVQQD DARsZGFwMR0wGwYJKoZIhvcNAQkBFg5hZG1pbkBsZGFwLmNvbTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAJjC+kxqa93FqXkYMrkWejH4AIcONy2qWkK4 m56Ft8ixXzauNCUSlhBYxQlY3rxaKYXdqz3k12cZZEfmC5ghy5olEM8rLCWv0y9i LifaWYeX3zjP40V8Q5SO6PeVSNdxAksBsyZzK5oWDFO42RfuqGrnNgLMZuibsCAJ YJOi+KqD9y/+CpDXgWNfFfuX/V9ZQeeRA/ByVMjQhIIlhbBIl6bLEEvinmOmE8za zcUgxlQBwCxscrdtsPAhoyZhZ8iPsvR9YdraApBQjpSBOAsd9+vLPtW9nsoUlo4p R5tMX0kKdOCufcR1XHflDEd73DnbIx7vofuaTP4wC5dLQcBNfq8CAwEAAaNQME4w HQYDVR0OBBYEFEQyBbIZqgnOgKJF/eg8FU0knzHTMB8GA1UdIwQYMBaAFEQyBbIZ qgnOgKJF/eg8FU0knzHTMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB ADFGqKnN/1bY3nGB6psjwI8j7QcrcacG/0l5pWDmqRqPdxGPhnpZ/fPPFH0xnRWU QUL9pYH3ifnmklYr/D1HFKdEOjoCGqMjEdl3UQ5Txwfns6Ak529/UNrrH4xKRK1I IiH7IIes7R+P9ZSjF4FEvTVKxJTqAy+nO133LF5GN5zq18kklcRA0An3yfR5lwS7 6PGxiaIR5rYoH3y8NhAtQLuC7O/f0Ky2OyycnFYhwXckIQ6Xbd6rLrfLzWBMKBxw npkok2xMWK0/DPxP7YD9HOA+p9NxJ+LPCo6x4rFb2KyOBvEVTlNkSDHn17PiVshu /BtvhgCnflDNEDpkl/j829E= -----END CERTIFICATE----- --- Server certificate 
subject=/C=CN/ST=Zhejiang/O=ldap/OU=IT/CN=www.myldap.com/emailAddress=admin@myldap.com issuer=/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com --- No client certificate CA names sent --- SSL handshake has read 2298 bytes and written 565 bytes --- New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : AES256-GCM-SHA384 Session-ID: DF4890F67DEDB2E6C3C8D8C4E0F4943C68594AE9D3831CC90B7D84C920330A92 Session-ID-ctx: Master-Key: A32FB5E7417A4A9CA800E815ADEB8FCB38AEF60578E9D42095A95C0F62EEBC959DB267780D27AEA974215070B2ED8434 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - db a9 31 63 cd 7b 16 78-6f fd ba 9e d9 a6 9c 0d ..1c.{.xo....... 0010 - 48 7f ba 67 77 40 76 11-d9 94 de 90 be b1 c2 06 H..gw@v......... 0020 - 10 4c e1 35 9d 45 12 ce-10 08 cd e0 be b0 9d 4a .L.5.E.........J 0030 - 21 f1 14 db 32 50 15 f6-78 86 5c a2 1c 75 fb 78 !...2P..x.\..u.x 0040 - ad 80 e4 c0 45 5f f9 06-07 be 0a 86 7d 2a 33 a8 ....E_......}*3. 0050 - c7 a7 56 0b 5a 18 ce e6-9d 46 c5 1d 92 d6 0f 39 ..V.Z....F.....9 0060 - e5 87 39 b2 a2 07 71 75-46 5f 13 22 48 85 45 a9 ..9...quF_."H.E. 0070 - 2a 35 0f 9d cd bd 5a e3-04 ae 8c 80 38 62 a1 fc *5....Z.....8b.. 0080 - 8a 8f b4 eb 9b 62 aa 75-aa c6 f7 2d da ef 25 3f .....b.u...-..%? 0090 - 35 1e 53 eb 44 f3 80 11-65 38 29 56 1b 4a 0d 5e 5.S.D...e8)V.J.^ Start Time: 1557910357 Timeout : 300 (sec) Verify return code: 0 (ok) --- |
上面输出中真正说明校验通过的是最后一行 `Verify return code: 0 (ok)`，以及证书链中服务器证书（CN=www.myldap.com）由 `-CAfile` 指定的 CA（CN=ldap）签发。需要注意两点：其一，这里连接的是 127.0.0.1，且该版本的 openssl s_client 不会检查证书名称与主机名是否一致，而真实客户端（/etc/openldap/ldap.conf 中 `TLS_REQCERT demand`）会做这项检查，因此建议再用证书中的主机名做一次验证，例如 `ldapsearch -H ldaps://www.myldap.com -x -b '' -s base`；其二，SLAPD_URLS 中保留的 ldap:///（389 端口）仍然允许明文绑定，生产环境应移除它或通过 `olcSecurity: tls=1` 强制加密。至此，OpenLDAP 的 TLS 配置完成，如配置过程中出现问题可在文章下方提问。后续将会介绍 OpenLDAP 集成 WEB 管理以及 Linux 集成 OpenLDAP 认证等相关内容。