为啥要用TLS?

Openldap默认使用简单验证,对slapd的所有访问都使用明文密码通过未加密通道进行。为了确保信息安全,需要对信息进行加密传输,SSL(Secure Sockets Layer)是一个可靠的解决方案。

它使用 X.509 证书,由可信任第三方(Certificate Authority (CA))进行数字签名的一个标准格式的数据。有效的数字签名意味着已签名的数据没有被篡改。如果签名的数据被更改,将不会通过验证

SSL/TLS 加密原理简介

SSL/TLS 是基于 PKI 机制的加密方式,包括证书认证、密钥交换、非对称加密、对称加密。SSL/TLS 采用 CA 作为服务端和客户端都信赖的具有权威性的组织,证书的颁发和认证都依赖于 CA,并假定 CA 颁发的证书是可靠的、可信赖的,证书里面的内容是真实的、有效的,并可用于客户机和服务器进行安全的可靠的通信加密。

SSL/TLS 证书用来认证服务器和客户机双方的身份,并用于密钥交换时候的非对称加密。密钥交换完毕之后,就可以用这个密钥做通信数据的对称加密了,具体的加密算法是由客户机和服务器互相协商得来。服务器和客户机由于 SSL/TLS 库的不同以及用户的配置不同,双方支持的算法列表不完全相同,当双方做 SSL/TLS 握手的时候,就需要将自己支持的算法列表及优先顺序告知对方,一旦对方按照优先顺序找到了第一个支持的算法,那么协商完成,否则双方协商失败,SSL/TLS 连接断开。

环境说明:

主机名 角色 IP地址
ldapsrv02.contoso.com openldap server 192.168.49.139
ldapclient.contoso.com openldap client + CA 192.168.49.136

ldapsrv02是新添加的一台CentOS 6.5,这里直接使用之前的openldap的安装脚本进行安装,里面并未有任何数据,是一个空的域(域名也是contoso.com,为之后做双机同步做准备)。

准备工作:

在两台CentOS上安装openssl.

yum -y install openssl

[root@ldapclient ~]# rpm -qa openssl

openssl-1.0.1e-15.el6.x86_64

[root@ldapsrv02 ~]# rpm -qa openssl

openssl-1.0.1e-15.el6.x86_64

一、建立CA中心

1)配置CA签发信息

cd /etc/pki/CA/

touch index.txt

echo 01 >serial

cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.bak$(date +%F)

vi /etc/pki/tls/openssl.cnf

[root@ldapclient CA]# diff /etc/pki/tls/openssl.cnf.bak2016-09-18 /etc/pki/tls/openssl.cnf

50c50

< certificate = $dir/cacert.pem # The CA certificate

---

> certificate = $dir/CA.crt     # The CA certificate

55c55

< private_key = $dir/private/cakey.pem# The private key

---

> private_key = $dir/private/CA.key   # The private key

130c130

< countryName_default = XX

---

> countryName_default = CN

135c135

< #stateOrProvinceName_default = Default Province

---

> stateOrProvinceName_default = Guangdong

138c138

< localityName_default = Default City

---

> localityName_default = Shenzhen

141c141

< 0.organizationName_default = Default Company Ltd

---

> 0.organizationName_default = contoso

148c148

< #organizationalUnitName_default =

---

> organizationalUnitName_default = Tech

2)CA服务器生成自己的私钥

[root@ldapclient CA]# (umask 077;openssl genrsa -out private/CA.key)

Generating RSA private key, 1024 bit long modulus

...............++++++

..........++++++

e is 65537 (0x10001)

3)CA服务器生成公钥(CA证书)

[root@ldapclient CA]# openssl req -new -x509 -key private/CA.key >CA.crt

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [Guangdong]:

Locality Name (eg, city) [Shenzhen]:

Organization Name (eg, company) [contoso]:

Organizational Unit Name (eg, section) [Tech]:

Common Name (eg, your name or your server's hostname) []:ca.contoso.com

Email Address []:[email protected]

二、openldap server生成私钥及证书请求文件

1)ldapsrv02生成自己的私钥

[root@ldapsrv02 ~]# openssl genrsa -out ldapsrv02.key

Generating RSA private key, 1024 bit long modulus

...........................++++++

.....++++++

e is 65537 (0x10001)

2)ldapsrv02生成证书请求文件

[root@ldapsrv02 ~]# openssl req -new -key ldapsrv02.key -out ldapsrv02.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Guangdong  

Locality Name (eg, city) [Default City]:Shenzhen

Organization Name (eg, company) [Default Company Ltd]:contoso

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ldapsrv02.contoso.com

Email Address []:[email protected]


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:123456

三、CA服务器向openldap server签发证书

1)ldapsrv02向CA请求证书

[root@ldapsrv02 ~]# scp ldapsrv02.csr [email protected]:/root

The authenticity of host '192.168.49.136 (192.168.49.136)' can't be established.

RSA key fingerprint is f9:ce:14:5d:cd:bb:3c:b4:0d:0b:fc:21:3a:92:43:6b.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.49.136' (RSA) to the list of known hosts.

[email protected]'s password: 

ldapsrv02.csr                                                   100%  777     0.8KB/s   00:00    

2)CA服务器颁发证书

[root@ldapclient CA]# openssl ca -in /root/ldapsrv02.csr -out /root/ldapsrv02.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Sep 18 08:22:46 2016 GMT

            Not After : Sep 18 08:22:46 2017 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Guangdong

            organizationName          = contoso

            organizationalUnitName    = Tech

            commonName                = ldapsrv02.contoso.com

            emailAddress              = [email protected]

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                39:FB:0E:BD:7D:03:7E:F3:9E:C3:BE:5B:4D:45:8B:63:B7:8B:7F:26

            X509v3 Authority Key Identifier: 

                keyid:08:FF:94:52:EC:BD:97:12:5B:96:DD:1E:36:08:43:FF:AD:2F:7B:C8


Certificate is to be certified until Sep 18 08:22:46 2017 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

四、openldap server下载并安装证书

1)ldapsrv02下载证书

[root@ldapclient CA]# scp /root/ldapsrv02.crt [email protected]:/root

The authenticity of host '192.168.49.139 (192.168.49.139)' can't be established.

RSA key fingerprint is 88:23:68:20:34:ef:8b:5c:28:ef:c1:d5:ea:ef:4f:55.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.49.139' (RSA) to the list of known hosts.

[email protected]'s password: 

ldapsrv02.crt                                                   100% 3271     3.2KB/s   00:00     

[root@ldapclient CA]# scp CA.crt ldapsrv02:/etc/openldap/certs/

The authenticity of host 'ldapsrv02 (192.168.49.139)' can't be established.

RSA key fingerprint is 88:23:68:20:34:ef:8b:5c:28:ef:c1:d5:ea:ef:4f:55.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'ldapsrv02' (RSA) to the list of known hosts.

root@ldapsrv02's password: 

CA.crt                                                          100% 1078     1.1KB/s   00:00    

2)ldapsrv02安装证书

mv ldapsrv02.crt /etc/openldap/certs/

mv ldapsrv02.key /etc/openldap/certs/

chown -R ldap:ldap /etc/openldap/certs/

vi /etc/openldap/ldap.conf     #编辑ldap.conf文件

[root@ldapsrv02 ~]# tail -3 /etc/openldap/ldap.conf 

URI    ldap://ldapsrv02.contoso.com

BASE   dc=contoso,dc=com

TLS_CACERTDIR /etc/openldap/certs

vi /etc/openldap/slapd.conf

[root@ldapsrv02 ~]# grep TLS /etc/openldap/slapd.conf  #编辑slapd.conf文件,主要是TLS配置

# The next three lines allow use of TLS for encrypting connections using a

TLSCACertificatePath /etc/openldap/certs

TLSCertificateFile /etc/openldap/certs/ldapsrv02.crt

TLSCertificateKeyFile /etc/openldap/certs/ldapsrv02.key

[root@ldapsrv02 ~]# service slapd stop  #关闭slapd服务

Stopping slapd:                                            [  OK  ]

[root@ldapsrv02 ~]# slapd -h "ldap://192.168.49.139/ ldaps://192.168.49.139/"  #重启slapd服务,这里同时监听加密和不加密端口

[root@ldapsrv02 ~]# lsof -i :389    #查看不加密的slapd端口389

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

slapd   1757 root    7u  IPv4  14100      0t0  TCP *:ldap (LISTEN)

slapd   1757 root    8u  IPv6  14101      0t0  TCP *:ldap (LISTEN)

[root@ldapsrv02 ~]# lsof -i :636    #查看加密的slapd端口636

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

slapd   1757 root    9u  IPv4  14104      0t0  TCP *:ldaps (LISTEN)

slapd   1757 root   10u  IPv6  14105      0t0  TCP *:ldaps (LISTEN)

[root@ldapsrv02 ~]# netstat -tunlp|grep slapd  #查看slapd监听的端口

tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      1757/slapd          

tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1757/slapd          

tcp        0      0 :::636                      :::*                        LISTEN      1757/slapd          

tcp        0      0 :::389                      :::*                        LISTEN      1757/slapd

五、ldapclient客户端测试

1)下载CA公钥

cp /etc/pki/CA/private/CA.key  /etc/openldap/certs/

说明:因为我的CA证书中心也同时作为ldap客户端,所以这里只需要拷贝到对应目录即可,如果CA证书中心和ldap客户端不在同一台服务器上,需要使用scp或者rz等其他方式拷贝到ldap客户端上。

2)修改ldap客户端配置

cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.bak$(date +%F)

vi /etc/openldap/ldap.conf

[root@ldapclient CA]# /etc/init.d/nslcd restart

Stopping nslcd:                                            [  OK  ]

Starting nslcd:                                            [  OK  ]

[root@ldapclient CA]# ldapwhoami -v -x -Z

ldap_initialize( )

ldap_start_tls: Can't contact LDAP server (-1)

additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

上述错误的解决方法是:

        编辑/etc/openldap/ldap.conf,添加““TLS_REQCERT allow”,然后重启nslcd服务即可。

vi /etc/openldap/ldap.conf

[root@ldapclient CA]# egrep -v "#|^$" /etc/openldap/ldap.conf

TLS_REQCERT  allow

TLS_CACERTDIR /etc/openldap/certs

BASE dc=contoso,dc=com

URI ldaps://ldapsrv02.contoso.com/

/etc/init.d/nslcd restart

[root@ldapclient CA]# ldapwhoami -v -x -Z

ldap_initialize( )

ldap_start_tls: Operations error (1)

additional info: TLS already started

anonymous

Result: Success (0)

[root@ldapclient CA]# ldapsearch -x -D "cn=admin,dc=contoso,dc=com" -H ldaps://192.168.49.139 -W -b "dc=contoso,dc=com"

Enter LDAP Password: 

# extended LDIF

#

# LDAPv3

# base with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#


# search result

search: 2

result: 32 No such object


# numResponses: 1

#因为ldapsrv02仅仅是安装了openldap,并没有导入数据,所以这里的查询结果是正确的。