超详细centos7搭建配置openldap以及常见问题(二)

2019-06-1410:44:01 发表评论 93

openldap配置(一)

本章主要介绍openldap支持TLS证书配置

1.配置TLS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
vim tls.ldif
# create new
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
 
TLSVerifyClient:设置是否验证 client 的身份,其值可以是 never / allow / try / demand
 
never:不需要验证 client 端的身份,Client 端只需要有 CA 证书就可以了
allowServer 会要求 client 提供证书,如果 client 端没有提供证书,会话会正常进行
tryClient 端提供了证书,但是 Server 端有可能不能校验这个证书,这个证书会被忽略,会话正常进行
demandServer 端需要认证 client 端的身份,Client 端需要有自己的证书和私钥
 
 
[root@base ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

2.配置ldap开启ssl

1
2
3
4
5
6
7
[root@base ~]# vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
systemctl restart slapd
[root@base ~]# netstat -tulnp |grep 636
#出现slapd说明ldap启动成功
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      3064/slapd          
tcp6       0      0 :::636                  :::*                    LISTEN      3064/slapd

3.验证当前套接字能否通过CA验证

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
[root@base ~]# openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /etc/openldap/certs/cacert.pem
 
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = CN, ST = Zhejiang, L = Hangzhou, O = ldap, OU = IT, CN = ldap, emailAddress = admin@ldap.com
verify return:1
depth=0 C = CN, ST = Zhejiang, O = ldap, OU = IT, CN = www.myldap.com, emailAddress = admin@myldap.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=CN/ST=Zhejiang/O=ldap/OU=IT/CN=www.myldap.com/emailAddress=admin@myldap.com
   i:/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com
-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIBATANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJDTjER
MA8GA1UECAwIWmhlamlhbmcxETAPBgNVBAcMCEhhbmd6aG91MQ0wCwYDVQQKDARs
ZGFwMQswCQYDVQQLDAJJVDENMAsGA1UEAwwEbGRhcDEdMBsGCSqGSIb3DQEJARYO
YWRtaW5AbGRhcC5jb20wHhcNMTkwNTE1MDc1MzA0WhcNMjkwNTEyMDc1MzA0WjB2
MQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlamlhbmcxDTALBgNVBAoMBGxkYXAx
CzAJBgNVBAsMAklUMRcwFQYDVQQDDA53d3cubXlsZGFwLmNvbTEfMB0GCSqGSIb3
DQEJARYQYWRtaW5AbXlsZGFwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANpop+0xr2YAnDrd4aBf28GBrnSEqldIVtTo4VCgpcxmUc4XYJE6yrQG
MqfCWatuAUBMIJNMZRsFxCdnV5+z+YEIqF4eMBLLEJ2wRqHStiQgX7651Iy+hxIE
C8F1mTo3PVdWkpSPBU7vd4zJu0l7mmADCIDuFTHAlrX2oe/jpJdiG+XGDBol9qR+
AH1ib1IYo8XngeNHI1/wDe8+FXj6Niwl+r7ozbnCk9tPP74LnabhcbRWTzWo9X2B
hGzFobODcRk+5qhnHR1OUqubeeJfap+iOiFCDhg4bXxA2//fwq9Au3X/AOEaqSFy
qXGmz99AScy3aWZB8k7A9U1L71dj93kCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglg
hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
BBYEFC6zD84/eUJClnck56TdGU/TYOkfMB8GA1UdIwQYMBaAFEQyBbIZqgnOgKJF
/eg8FU0knzHTMA0GCSqGSIb3DQEBCwUAA4IBAQAVuqoGeDYze4EFu4sL+4Ohe35R
OnMI9eJ23eY6+VjrQlpE7nRIm3GpSOdn3re7UZ+gRXIB/Ny815KlhbgixwHT/1/e
6MpJ7QT9Co1TdhWvWJoxv2pPRksyz2gKu/NOUAJsZ8/U2lW3P538rZCOnBEyrDpC
b/BpBZJ2BtryOAKpNH8jE9n/HZlGGxHozj7LyV3EEMe128llhfUFKAP18/gBhvzj
jYsH94tLSzCyylLbxSR6VVWBQmnqcmYgK+euNMOqKfQUFKSlZ8JmTNRXcUCNI85h
t2nfQv9FL2hKEbl5bGVKjIznRKMbxD56B7RFW6qOQY7IDEklOpmuMX4v9NGc
-----END CERTIFICATE-----
1 s:/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com
   i:/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com
-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIJAKdgI0BjB7rKMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwISGFuZ3pob3UxDTAL
BgNVBAoMBGxkYXAxCzAJBgNVBAsMAklUMQ0wCwYDVQQDDARsZGFwMR0wGwYJKoZI
hvcNAQkBFg5hZG1pbkBsZGFwLmNvbTAeFw0xOTA1MTUwNzQ4MTlaFw0yOTA1MTIw
NzQ4MTlaMH0xCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UE
BwwISGFuZ3pob3UxDTALBgNVBAoMBGxkYXAxCzAJBgNVBAsMAklUMQ0wCwYDVQQD
DARsZGFwMR0wGwYJKoZIhvcNAQkBFg5hZG1pbkBsZGFwLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJjC+kxqa93FqXkYMrkWejH4AIcONy2qWkK4
m56Ft8ixXzauNCUSlhBYxQlY3rxaKYXdqz3k12cZZEfmC5ghy5olEM8rLCWv0y9i
LifaWYeX3zjP40V8Q5SO6PeVSNdxAksBsyZzK5oWDFO42RfuqGrnNgLMZuibsCAJ
YJOi+KqD9y/+CpDXgWNfFfuX/V9ZQeeRA/ByVMjQhIIlhbBIl6bLEEvinmOmE8za
zcUgxlQBwCxscrdtsPAhoyZhZ8iPsvR9YdraApBQjpSBOAsd9+vLPtW9nsoUlo4p
R5tMX0kKdOCufcR1XHflDEd73DnbIx7vofuaTP4wC5dLQcBNfq8CAwEAAaNQME4w
HQYDVR0OBBYEFEQyBbIZqgnOgKJF/eg8FU0knzHTMB8GA1UdIwQYMBaAFEQyBbIZ
qgnOgKJF/eg8FU0knzHTMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
ADFGqKnN/1bY3nGB6psjwI8j7QcrcacG/0l5pWDmqRqPdxGPhnpZ/fPPFH0xnRWU
QUL9pYH3ifnmklYr/D1HFKdEOjoCGqMjEdl3UQ5Txwfns6Ak529/UNrrH4xKRK1I
IiH7IIes7R+P9ZSjF4FEvTVKxJTqAy+nO133LF5GN5zq18kklcRA0An3yfR5lwS7
6PGxiaIR5rYoH3y8NhAtQLuC7O/f0Ky2OyycnFYhwXckIQ6Xbd6rLrfLzWBMKBxw
npkok2xMWK0/DPxP7YD9HOA+p9NxJ+LPCo6x4rFb2KyOBvEVTlNkSDHn17PiVshu
/BtvhgCnflDNEDpkl/j829E=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=Zhejiang/O=ldap/OU=IT/CN=www.myldap.com/emailAddress=admin@myldap.com
issuer=/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com
---
No client certificate CA names sent
---
SSL handshake has read 2298 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: DF4890F67DEDB2E6C3C8D8C4E0F4943C68594AE9D3831CC90B7D84C920330A92
    Session-ID-ctx:
    Master-Key: A32FB5E7417A4A9CA800E815ADEB8FCB38AEF60578E9D42095A95C0F62EEBC959DB267780D27AEA974215070B2ED8434
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - db a9 31 63 cd 7b 16 78-6f fd ba 9e d9 a6 9c 0d   ..1c.{.xo.......
    0010 - 48 7f ba 67 77 40 76 11-d9 94 de 90 be b1 c2 06   H..gw@v.........
    0020 - 10 4c e1 35 9d 45 12 ce-10 08 cd e0 be b0 9d 4a   .L.5.E.........J
    0030 - 21 f1 14 db 32 50 15 f6-78 86 5c a2 1c 75 fb 78   !...2P..x.\..u.x
    0040 - ad 80 e4 c0 45 5f f9 06-07 be 0a 86 7d 2a 33 a8   ....E_......}*3.
    0050 - c7 a7 56 0b 5a 18 ce e6-9d 46 c5 1d 92 d6 0f 39   ..V.Z....F.....9
    0060 - e5 87 39 b2 a2 07 71 75-46 5f 13 22 48 85 45 a9   ..9...quF_."H.E.
    0070 - 2a 35 0f 9d cd bd 5a e3-04 ae 8c 80 38 62 a1 fc   *5....Z.....8b..
    0080 - 8a 8f b4 eb 9b 62 aa 75-aa c6 f7 2d da ef 25 3f   .....b.u...-..%?
    0090 - 35 1e 53 eb 44 f3 80 11-65 38 29 56 1b 4a 0d 5e   5.S.D...e8)V.J.^
 
    Start Time: 1557910357
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

至此,Openldap服务配置完成,如配置过程中出现问题可在文章下方提问。后续将会介绍openldap集成WEB管理以及linux集成openldap认证等相关内容

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: