2. 科技
  3. openldap加密传输 nslcd

openldap加密传输 nslcd

it2022-05-05  206
openldap加密传输 nslcd

http://www.openldap.org/faq/data/cache/185.html https://www.ibm.com/developerworks/cn/linux/1312_zhangchao_opensslldap/ http://blog.sina.com.cn/s/blog_88cdde9f01019vdt.html http://phorum.study-area.org/index.php?topic=68194.0 http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_設定

startTLS & LDAPS

Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). The terms (unless qualified with specific version numbers) are generally interchangable. StartTLS is the name of the standard LDAP operation for initiating TLS/SSL. TLS/SSL is initiated upon successful completion of this LDAP operation. No alternative port is necessary. It is sometimes referred to as the TLS upgrade operation, as it upgrades a normal LDAP connection to one protected by TLS/SSL. ldaps:// and LDAPS refers to "LDAP over TLS/SSL" or "LDAP Secured". TLS/SSL is initated upon connection to an alternative port (normally 636). Though the LDAPS port (636) is registered for this use, the particulars of the TLS/SSL initiation mechanism are not standardized. Once initiated, there is no difference between ldaps:// and StartTLS. They share the same configuration options (excepting ldaps:// requires configuration of a separate listener, see slapd(8)'s -h option) and result in like security services being established.

服务端

复制证书

cp /etc/pki/CA/{openldap.key,openldap.crt,ca.crt} /etc/openldap/certs/

配置slapd.conf

TLSVerifyClient never # 设置是否验证 client 的身份,其值可以是 never/allow/try/demand, #never 不需要验证 client 端的身份,Client 端只需要有 CA 证书就可以了 #allow Server会要求 client 提供证书,如果 client 端没有提供证书,会话会正常进行 #try Client端提供了证书,但是 Server 端有可能不能校验这个证书,这个证书会被忽略,会话正常进行 #demand Server端需要认证 client 端的身份,Client 端需要有自己的证书和私钥 vim /etc/openldap/slapd.conf 添加以下项目 TLSCACertificateFile /etc/openldap/certs/ca.crt TLSCertificateFile /etc/openldap/certs/openldap.crt TLSCertificateKeyFile /etc/openldap/certs/openldap.key TLSVerifyClient never #

启用LDAPS

vim /etc/sysconfig/slapd SLAPD_URLS="ldapi:/// ldap:///" -> SLAPD_URLS="ldapi:/// ldaps:///" # 如果使用StartTLS,这个步骤不用执行

配置生效

rm -rf /etc/openldap/slapd.d/* slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d chown -R ldap:ldap /etc/openldap/slapd.d systemctl restart slapd

服务端口

#StartTLS 继续使用389端口 netstat -nlp -t |grep :389 Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1981/slapd tcp6 0 0 :::389 :::* LISTEN 1981/slapd #LDAPS 启用636端口 netstat -nlp -t |grep :636 Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1981/slapd tcp6 0 0 :::636 :::* LISTEN 1981/slapd

测试StartTLS

ldap服务器/etc/openldap/ldap.conf 添加以下内容 TLS_REQCERT never 执行ldapsearch -x -ZZ后,查看日志,内容有 TLS established tls_ssf=256 ssf=256, 服务端配置正常 Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 ACCEPT from IP=[::1]:39720 (IP=[::]:389) Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 STARTTLS Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 RESULT oid= err=0 text= Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 TLS established tls_ssf=256 ssf=256 Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 BIND dn="" method=128 Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 RESULT tag=97 err=0 text= Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=2 SRCH base="" scope=2 deref=0 filter="(objectClass=*)" Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text= Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=3 UNBIND Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 closed

测试LDAPS

# openssl verify -CAfile /etc/openldap/certs/ca.crt /etc/openldap/certs/openldap.crt /etc/openldap/certs/openldap.crt: OK # openssl s_client -connect slave.local:636 -showcerts -state -CAfile /etc/openldap/certs/ca.crt --- Server certificate subject=/C=CN/ST=Beijing/O=TVM/OU=Tech Dept/CN=OPENLDAP issuer=/C=CN/ST=Beijing/L=Beijing/O=TVM/OU=Tech Dept/CN=CA --- No client certificate CA names sent Server Temp Key: ECDH, prime256v1, 256 bits --- SSL handshake has read 2354 bytes and written 375 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 022E6922974AD42984230001FC3CD5923A44B73FFE94CE324BA12A58B120DDBF Session-ID-ctx: Master-Key: CCFF58FFF333BA758C31123C9DC469F4BA752B2464B6CE5C4B998012C329D319898F873617CD98F6970AEA7CE5F413D8 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1474511415 Timeout : 300 (sec) Verify return code: 0 (ok) ---

客户端

使用nslcd(Naming services LDAP client daemon)

yum -y install openldap-clients nss-pam-ldapd

配置客户端

# StartTLS authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldap://master.local,ldap://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update # LDAPS authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldaps://master.local,ldaps://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update # 注意 --ldapserver=ldaps://master.local,ldaps://slave.local

下载服务器的ca证书

wget http://master.local/ca.crt -O /etc/openldap/cacerts/ca.crt # ls -lh /etc/openldap/cacerts total 4.0K lrwxrwxrwx 1 root root 6 Sep 22 12:31 100934e9.0 -> ca.crt -rw------- 1 root root 1.3K Sep 22 12:30 ca.crt

配置/etc/openldap/ldap.conf

TLS_REQCERT [never、allow、try、demand | hard] # 设置是否在TLS会话中检查server证书。 Never:不检查任何证书。 Allow:检查server证书,没有证书或证书错误,都允许连接。 Try:检查server证书,没有证书(允许连接),证书错误(终止连接)。 demand | hard:检查server证书,没有证书或证书错误都将立即终止连接。 TLS_CACERTDIR /etc/openldap/cacerts TLS_CACERT /etc/openldap/cacerts/ca.crt TLS_REQCERT never

配置/etc/nslcd.conf

ssl start_tls # StartTLS 或ssl on # LDAPS tls_cacertdir /etc/openldap/cacerts tls_cacertfile /etc/openldap/cacerts/ca.crt tls_reqcert never

重启nslcd服务

systemctl restart nslcd systemctl enable nslcd

配置/etc/nsswitch.conf

变更为 passwd: files ldap shadow: files ldap group: files ldap

测试

# ldapwhoami -v -x -Z ldap_initialize( <DEFAULT> ) ldap_start_tls: Operations error (1) additional info: TLS already started anonymous Result: Success (0) # ldapsearch -x -Z -H ldaps://slave.local -b 'ou=group,dc=suntv,dc=tv' ldap_start_tls: Operations error (1) additional info: TLS already started # extended LDIF # # LDAPv3 # base <ou=group,dc=suntv,dc=tv> with scope subtree # filter: (objectclass=*) # requesting: ALL # # Group, suntv.tv dn: ou=Group,dc=suntv,dc=tv ou: Group objectClass: top objectClass: organizationalUnit # g01, Group, suntv.tv dn: cn=g01,ou=Group,dc=suntv,dc=tv objectClass: posixGroup objectClass: top cn: g01 gidNumber: 2001 # g02, Group, suntv.tv dn: cn=g02,ou=Group,dc=suntv,dc=tv objectClass: posixGroup objectClass: top cn: g02 gidNumber: 2002 # search result search: 3 result: 0 Success # numResponses: 4 # numEntries: 3

帐号登录测试

ssh u01@10.0.1.53 passwd posted on 2016-09-21 17:40 北京涛子 阅读( ...) 评论( ...) 编辑 收藏

转载于:https://www.cnblogs.com/liujitao79/p/5893561.html

专利

最新回复(0)