3. LdapServer 配置 SSL/TLS

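#!/bin/bash
#
# Generate a private root CA and a CA-signed server certificate, then
# switch a local OpenLDAP (slapd) instance to SSL/TLS (ldaps://).
#
# Must be run as root: it writes under /etc/openldap, modifies cn=config
# over ldapi:/// with SASL EXTERNAL, edits system config files and
# restarts services.
#-----------------------------------------------
# Abort on the first failing command; a half-applied TLS setup (e.g. the
# ldap:// listener removed but no certificate configured) leaves slapd
# unable to start.
set -euo pipefail

# Everything below needs root (see header); fail early and clearly.
if [[ ${EUID} -ne 0 ]]; then
  printf 'error: this script must be run as root\n' >&2
  exit 1
fi

# DNS domain appended to the CA and server certificate names.
readonly DomainName="huawei.com"
# Host part of the CA certificate CN (CN=${CA}.${DomainName}).
readonly CA="CA"
# Host part of the server certificate CN / subjectAltName.
readonly ServerName="ldapserver"
# NOTE(review): the original hard-coded the LDAP admin password here
# (AdminPd="Huawei@123") although nothing in this script uses it.  Never
# embed secrets in scripts; if a later step needs it, read it from the
# environment or a root-only (0600) file instead.
# Directory for the generated LDIF snippet.
readonly LdifPath="/etc/openldap/schema/ldif"
# Directory holding CA and server key/certificate material.
readonly CertPath="/etc/openldap/certs"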


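####################
# Create the CA root certificate
####################
#-------------------------------------------------------------------------------------------
# Create the certificate directory and work from there.
mkdir -p "${CertPath}" && cd "${CertPath}"

# CA private key "cacert-key.pem".  The key size is given explicitly so the
# result does not depend on the openssl default (1024 bits on some old
# releases).  The subshell umask ensures the file is never created
# world-readable in the window before chmod runs.
( umask 077 && openssl genrsa -out "${CertPath}/cacert-key.pem" 4096 )
# 0600, not 0700: a key file needs no execute bit.
chmod 600 "${CertPath}/cacert-key.pem"

# CA certificate request "cacert.csr".
openssl req -new \
  -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${CA}.${DomainName}" \
  -key "${CertPath}/cacert-key.pem" \
  -out "${CertPath}/cacert.csr"

# Self-signed CA certificate "cacert.pem", valid 3650 days (10 years; the
# original comment said 3 years but the command always used 3650).
# The v3 extensions mark it as a CA: without them the self-signed cert is
# a plain v1 certificate, which strict TLS clients refuse to accept as the
# trust anchor for the server certificate.
openssl x509 -req \
  -days 3650 \
  -in "${CertPath}/cacert.csr" \
  -signkey "${CertPath}/cacert-key.pem" \
  -extfile <(printf '%s\n' \
      'basicConstraints=critical,CA:TRUE' \
      'keyUsage=critical,keyCertSign,cRLSign' \
      'subjectKeyIdentifier=hash') \
  -out "${CertPath}/cacert.pem"
#-------------------------------------------------------------------------------------------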


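####################
# CA-signed server certificate
####################

# Server private key "<ServerName>-key.pem", created under umask 077 so it
# is never readable by others, even before the explicit chmod.
( umask 077 && openssl genrsa -out "${CertPath}/${ServerName}-key.pem" 4096 )
chmod 600 "${CertPath}/${ServerName}-key.pem"

# Server certificate request "<ServerName>-cert.csr".
openssl req -new \
  -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}" \
  -key "${CertPath}/${ServerName}-key.pem" \
  -out "${CertPath}/${ServerName}-cert.csr"

# Sign with the CA.  The original comment said "3 years" but passed 3650
# days (10 years); a leaf certificate should be short-lived, so 1095 days
# is used here.  The v3 extensions matter: clients that verify the server
# name (OpenSSL/GnuTLS hostname checks, TLS_REQCERT demand) match against
# subjectAltName, and a CN-only certificate fails that check.
openssl x509 -req -days 1095 -CAcreateserial \
  -CA "${CertPath}/cacert.pem" \
  -CAkey "${CertPath}/cacert-key.pem" \
  -in "${CertPath}/${ServerName}-cert.csr" \
  -extfile <(printf '%s\n' \
      'basicConstraints=CA:FALSE' \
      'keyUsage=critical,digitalSignature,keyEncipherment' \
      'extendedKeyUsage=serverAuth' \
      "subjectAltName=DNS:${ServerName}.${DomainName}") \
  -out "${CertPath}/${ServerName}-cert.pem"

# Show the certificate header.
openssl x509 -in "${CertPath}/${ServerName}-cert.pem" -text -noout | head -8

# Verify the chain and stop here if it does not validate, rather than
# configuring slapd with a certificate clients will reject.
if ! openssl verify -CAfile "${CertPath}/cacert.pem" "${CertPath}/${ServerName}-cert.pem"; then
  printf 'error: server certificate does not verify against the CA\n' >&2
  exit 1
fi

# Backup.  The archive contains the CA and server PRIVATE KEYS, so it is
# created with mode 0600; store it with the same care as the keys.
backup_file=~/bakup_cert_$(date "+%F_%H-%M-%S").tar.gz
( umask 077 && tar -czvf "${backup_file}" "${CertPath}"/{*.csr,*.pem,*.srl} )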

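###########################################
# Configure slapd for SSL/TLS
###########################################
mkdir -p "${LdifPath}"
# 'replace' is used for all three attributes so the snippet is idempotent;
# the original 'add: olcTLSCACertificateFile' fails with "attribute or
# value exists" when the script is re-run.
cat > "${LdifPath}/mod_ssl.ldif" <<EOF
# create new
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: ${CertPath}/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: ${CertPath}/${ServerName}-cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${CertPath}/${ServerName}-key.pem
EOF

# Least privilege: slapd (user ldap) needs only its own key and cert plus
# the CA *certificate*.  The original 'chown -R ldap:ldap' handed the CA
# private key to the service account, so a compromised slapd could sign
# arbitrary certificates with it; keep that key root-only.
chown ldap:ldap "${CertPath}/${ServerName}-key.pem" "${CertPath}/${ServerName}-cert.pem"
chmod 600 "${CertPath}/${ServerName}-key.pem"
chmod 644 "${CertPath}/${ServerName}-cert.pem" "${CertPath}/cacert.pem"
chown root:root "${CertPath}/cacert-key.pem"
chmod 600 "${CertPath}/cacert-key.pem"

# Apply the TLS settings over the local socket.  If this fails we must NOT
# drop the ldap:// listener below, otherwise slapd would be restarted with
# ldaps:// and no certificate and fail to start.
if ! ldapmodify -Y EXTERNAL -H ldapi:/// -f "${LdifPath}/mod_ssl.ldif"; then
  printf 'error: ldapmodify failed; listener configuration left unchanged\n' >&2
  exit 1
fi

# Stop listening on plaintext ldap:/// (389) and serve ldaps:/// (636)
# instead; ldapi:/// is untouched.  'ldap:///' matches neither inside
# 'ldapi:///' nor 'ldaps:///', so a re-run is a no-op.
sed -i.bak '/^SLAPD_URLS=/ s#ldap:///#ldaps:///#g' /etc/sysconfig/slapd
# NOTE(review): editing the vendor unit under /usr/lib is lost on package
# upgrade; a drop-in (systemctl edit slapd) would be the durable way.
sed -i.bak '/Environment=/ s#ldap:///#ldaps:///#g' /usr/lib/systemd/system/slapd.service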

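#############################
# Enable LDAP logging
#############################
# Route the local4 syslog facility (the one slapd logs to by default) to
# /var/log/slapd.log.  The rule is appended only once so repeated runs do
# not duplicate it.
# NOTE(review): slapd emits messages only when olcLogLevel is set in
# cn=config; this script does not set it, so the file may stay empty.
if ! grep -qF 'local4.* /var/log/slapd.log' /etc/rsyslog.conf; then
  cat >> /etc/rsyslog.conf <<'EOF'
local4.* /var/log/slapd.log
EOF
fi

# Restart services; daemon-reload first so the edited unit file is used.
systemctl restart rsyslog
systemctl daemon-reload
systemctl restart slapd.service

# Confirm slapd actually came back up with the ldaps:// configuration.
if ! systemctl is-active --quiet slapd.service; then
  printf 'error: slapd is not running after restart; check journalctl -u slapd\n' >&2
  exit 1
fi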

 
