为啥要用TLS?
Openldap默认使用简单验证,对slapd的所有访问都使用明文密码通过未加密通道进行。为了确保信息安全,需要对信息进行加密传输,SSL(Secure Sockets Layer)是一个可靠的解决方案。
它使用 X.509 证书,由可信任第三方(Certificate Authority (CA))进行数字签名的一个标准格式的数据。有效的数字签名意味着已签名的数据没有被篡改。如果签名的数据被更改,将不会通过验证
SSL/TLS 加密原理简介
SSL/TLS 是基于 PKI 机制的加密方式,包括证书认证、密钥交换、非对称加密、对称加密。SSL/TLS 采用 CA 作为服务端和客户端都信赖的具有权威性的组织,证书的颁发和认证都依赖于 CA,并假定 CA 颁发的证书是可靠的、可信赖的,证书里面的内容是真实的、有效的,并可用于客户机和服务器进行安全的可靠的通信加密。
SSL/TLS 证书用来认证服务器和客户机双方的身份,并用于密钥交换时候的非对称加密。密钥交换完毕之后,就可以用这个密钥做通信数据的对称加密了,具体的加密算法是由客户机和服务器互相协商得来。服务器和客户机由于 SSL/TLS 库的不同以及用户的配置不同,双方支持的算法列表不完全相同,当双方做 SSL/TLS 握手的时候,就需要将自己支持的算法列表及优先顺序告知对方,一旦对方按照优先顺序找到了第一个支持的算法,那么协商完成,否则双方协商失败,SSL/TLS 连接断开。
环境说明:
主机名 | 角色 | IP地址 |
ldapsrv02.contoso.com | openldap server | 192.168.49.139 |
ldapclient.contoso.com | openldap client + CA | 192.168.49.136 |
ldapsrv02是新添加的一台CentOS 6.5,这里直接使用之前的openldap的安装脚本进行安装,里面并未有任何数据,是一个空的域(域名也是contoso.com,为之后做双机同步做准备)。
准备工作:
在两台CentOS上安装openssl.
yum -y install openssl
[root@ldapclient ~]# rpm -qa openssl
openssl-1.0.1e-15.el6.x86_64
[root@ldapsrv02 ~]# rpm -qa openssl
openssl-1.0.1e-15.el6.x86_64
一、建立CA中心
1)配置CA签发信息
cd /etc/pki/CA/
touch index.txt
echo 01 >serial
cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.bak$(date +%F)
vi /etc/pki/tls/openssl.cnf
[root@ldapclient CA]# diff /etc/pki/tls/openssl.cnf.bak2016-09-18 /etc/pki/tls/openssl.cnf
50c50
< certificate = $dir/cacert.pem # The CA certificate
---
> certificate = $dir/CA.crt # The CA certificate
55c55
< private_key = $dir/private/cakey.pem# The private key
---
> private_key = $dir/private/CA.key # The private key
130c130
< countryName_default = XX
---
> countryName_default = CN
135c135
< #stateOrProvinceName_default = Default Province
---
> stateOrProvinceName_default = Guangdong
138c138
< localityName_default = Default City
---
> localityName_default = Shenzhen
141c141
< 0.organizationName_default = Default Company Ltd
---
> 0.organizationName_default = contoso
148c148
< #organizationalUnitName_default =
---
> organizationalUnitName_default = Tech
2)CA服务器生成自己的私钥
[root@ldapclient CA]# (umask 077;openssl genrsa -out private/CA.key)
Generating RSA private key, 1024 bit long modulus
...............++++++
..........++++++
e is 65537 (0x10001)
3)CA服务器生成公钥(CA证书)
[root@ldapclient CA]# openssl req -new -x509 -key private/CA.key >CA.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [contoso]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.contoso.com
Email Address []:[email protected]
二、openldap server生成私钥及证书请求文件
1)ldapsrv02生成自己的私钥
[root@ldapsrv02 ~]# openssl genrsa -out ldapsrv02.key
Generating RSA private key, 1024 bit long modulus
...........................++++++
.....++++++
e is 65537 (0x10001)
2)ldapsrv02生成证书请求文件
[root@ldapsrv02 ~]# openssl req -new -key ldapsrv02.key -out ldapsrv02.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:contoso
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ldapsrv02.contoso.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
三、CA服务器向openldap server签发证书
1)ldapsrv02向CA请求证书
[root@ldapsrv02 ~]# scp ldapsrv02.csr [email protected]:/root
The authenticity of host '192.168.49.136 (192.168.49.136)' can't be established.
RSA key fingerprint is f9:ce:14:5d:cd:bb:3c:b4:0d:0b:fc:21:3a:92:43:6b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.49.136' (RSA) to the list of known hosts.
[email protected]'s password:
ldapsrv02.csr 100% 777 0.8KB/s 00:00
2)CA服务器颁发证书
[root@ldapclient CA]# openssl ca -in /root/ldapsrv02.csr -out /root/ldapsrv02.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 18 08:22:46 2016 GMT
Not After : Sep 18 08:22:46 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Guangdong
organizationName = contoso
organizationalUnitName = Tech
commonName = ldapsrv02.contoso.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
39:FB:0E:BD:7D:03:7E:F3:9E:C3:BE:5B:4D:45:8B:63:B7:8B:7F:26
X509v3 Authority Key Identifier:
keyid:08:FF:94:52:EC:BD:97:12:5B:96:DD:1E:36:08:43:FF:AD:2F:7B:C8
Certificate is to be certified until Sep 18 08:22:46 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
四、openldap server下载并安装证书
1)ldapsrv02下载证书
[root@ldapclient CA]# scp /root/ldapsrv02.crt [email protected]:/root
The authenticity of host '192.168.49.139 (192.168.49.139)' can't be established.
RSA key fingerprint is 88:23:68:20:34:ef:8b:5c:28:ef:c1:d5:ea:ef:4f:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.49.139' (RSA) to the list of known hosts.
[email protected]'s password:
ldapsrv02.crt 100% 3271 3.2KB/s 00:00
[root@ldapclient CA]# scp CA.crt ldapsrv02:/etc/openldap/certs/
The authenticity of host 'ldapsrv02 (192.168.49.139)' can't be established.
RSA key fingerprint is 88:23:68:20:34:ef:8b:5c:28:ef:c1:d5:ea:ef:4f:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ldapsrv02' (RSA) to the list of known hosts.
root@ldapsrv02's password:
CA.crt 100% 1078 1.1KB/s 00:00
2)ldapsrv02安装证书
mv ldapsrv02.crt /etc/openldap/certs/
mv ldapsrv02.key /etc/openldap/certs/
chown -R ldap:ldap /etc/openldap/certs/
vi /etc/openldap/ldap.conf #编辑ldap.conf文件
[root@ldapsrv02 ~]# tail -3 /etc/openldap/ldap.conf
URI ldap://ldapsrv02.contoso.com
BASE dc=contoso,dc=com
TLS_CACERTDIR /etc/openldap/certs
vi /etc/openldap/slapd.conf
[root@ldapsrv02 ~]# grep TLS /etc/openldap/slapd.conf #编辑slapd.conf文件,主要是TLS配置
# The next three lines allow use of TLS for encrypting connections using a
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile /etc/openldap/certs/ldapsrv02.crt
TLSCertificateKeyFile /etc/openldap/certs/ldapsrv02.key
[root@ldapsrv02 ~]# service slapd stop #关闭slapd服务
Stopping slapd: [ OK ]
[root@ldapsrv02 ~]# slapd -h "ldap://192.168.49.139/ ldaps://192.168.49.139/" #重启slapd服务,这里同时监听加密和不加密端口
[root@ldapsrv02 ~]# lsof -i :389 #查看不加密的slapd端口389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 1757 root 7u IPv4 14100 0t0 TCP *:ldap (LISTEN)
slapd 1757 root 8u IPv6 14101 0t0 TCP *:ldap (LISTEN)
[root@ldapsrv02 ~]# lsof -i :636 #查看加密的slapd端口636
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 1757 root 9u IPv4 14104 0t0 TCP *:ldaps (LISTEN)
slapd 1757 root 10u IPv6 14105 0t0 TCP *:ldaps (LISTEN)
[root@ldapsrv02 ~]# netstat -tunlp|grep slapd #查看slapd监听的端口
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1757/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1757/slapd
tcp 0 0 :::636 :::* LISTEN 1757/slapd
tcp 0 0 :::389 :::* LISTEN 1757/slapd
五、ldapclient客户端测试
1)下载CA公钥
cp /etc/pki/CA/private/CA.key /etc/openldap/certs/
说明:因为我的CA证书中心也同时作为ldap客户端,所以这里只需要拷贝到对应目录即可,如果CA证书中心和ldap客户端不在同一台服务器上,需要使用scp或者rz等其他方式拷贝到ldap客户端上。
2)修改ldap客户端配置
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.bak$(date +%F)
vi /etc/openldap/ldap.conf
[root@ldapclient CA]# /etc/init.d/nslcd restart
Stopping nslcd: [ OK ]
Starting nslcd: [ OK ]
[root@ldapclient CA]# ldapwhoami -v -x -Z
ldap_initialize(
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
上述错误的解决方法是:
编辑/etc/openldap/ldap.conf,添加““TLS_REQCERT allow”,然后重启nslcd服务即可。
vi /etc/openldap/ldap.conf
[root@ldapclient CA]# egrep -v "#|^$" /etc/openldap/ldap.conf
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/certs
BASE dc=contoso,dc=com
URI ldaps://ldapsrv02.contoso.com/
/etc/init.d/nslcd restart
[root@ldapclient CA]# ldapwhoami -v -x -Z
ldap_initialize(
ldap_start_tls: Operations error (1)
additional info: TLS already started
anonymous
Result: Success (0)
[root@ldapclient CA]# ldapsearch -x -D "cn=admin,dc=contoso,dc=com" -H ldaps://192.168.49.139 -W -b "dc=contoso,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
#因为ldapsrv02仅仅是安装了openldap,并没有导入数据,所以这里的查询结果是正确的。