7.openldap使用ssl加密认证

作者:yaoyao

1.服务器端部署

1.自建CA中心

1.CA中心生成自身私钥

#cd /etc/pki/CA
#(umask 077; openssl genrsa -out private/cakey.pem 2048)

2.CA签发自身公钥

#openssl  req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
输出一下内容,按照提示输入
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liuyao.com
Organizational Unit Name (eg, section) []:Devops
Common Name (eg, your name or your server's hostname) []:ldap.liuyao.com
Email Address []:870000@163.com

3.创建index.txt和serial文件

index.txt文件用于存放客户端证书信息,serial文件用于存放客户端证书编号，可以自定义,用于识别客户端证书
#touch serial index.txt
#echo "01" > serial 

4.使用openssl命令获取证书信息

#openssl x509 -noout -text -in /etc/pki/CA/cacert.pem 

2.LDAP与CA集成

1. 获取LDAP证书

#mkdir /etc/openldap/ssl
#cd /etc/openldap/ssl
服务器端生成密钥
#(umask 077; openssl genrsa -out ldapkey.pem 1024)
服务端向CA申请证书签署请求,相关信息必须和CA所填证书一致才可以正常签发
openssl req -new -key ldapkey.pem -out ldap.csr -days 3650

2. CA检测用户请求，通过后生成证书

# openssl ca -in ldap.csr -out ldapcert.pem -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 31 11:01:24 2017 GMT
            Not After : Jul  8 11:01:24 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = liuyao
            organizationalUnitName    = devops
            commonName                = ldap.liuyao.com
            emailAddress              = 870000@163.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5B:9E:1A:5C:FD:B:51:BC:89:F0:33:3E:D4:E:1B:27:78:1D:95:F5:7F
            X509v3 Authority Key Identifier: 
                keyid:76:49:FA:96:6C:F5:B7:B4:95:FC:89:F0:33:3E:5:9:9A:74:29:DB:06

Certificate is to be certified until Jul  8 11:01:24 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

3.部署

1.修改证书权

#cd /etc/openldap/ssl/
#cp /etc/pki/CA/cacert.pem .

2.修改配置文件

#vim /etc/sysconfig/ldap
SLAPD_LDAPS=yes

#vim slapd.conf
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile  /etc/openldap/ssl/ldapkey.pem
TlsVerifyClient never

3.测试并生成相关数据

#slaptest -u
#rm -rf /etc/openldap/slapd.d/*
#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

5. 启动服务

#chown ldap.ldap */* -R
#/etc/init.d/slapd restart
可以使用netstat -tnlp 命令查看。加密端口为636

4.测试

1. 测试服务端证书的合法性

#openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem 
/etc/openldap/ssl/ldapcert.pem: OK

2. 测试当前套接字是否能通过CA的验证

openssl s_client -connect ldap.liuyao.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem

2.客户端部署

1. 将证书cp到客户端

scp root@我不告诉你ip:/etc/pki/CA/cacert.pem /etc/openldap/cacerts

2. 配置ldap加密

#authconfig-tui
配置域名地址和tls。这个地方应该有个图。但是我没有

3.修改相关文件

#vim /etc/pam_ldap.conf
ssl on
#vim /etc/nslcd.conf 
ssl on

4.启动服务

#/etc/init.d/nslcd restart
#chkconfig nslcd on

5.测试

#ldapwhoami -v -x -Z

# ldapwhoami -D "uid=liuyao,ou=devops,dc=liuyao,dc=com" -W -H ldaps://ldap.liuyao.com -v 
    ldap_initialize( ldaps://ldap.liuyao.com:636/??base )
    Enter LDAP Password: 
    dn:uid=liuyao,ou=devops,dc=liuyao,dc=com                                                                      Result: Success (0)