openldap ssl配置

给ldap配置ssl

ldapssl有两种实现方法
1、自签名证书,这种方法需要在ldap客户端上的/etc/nslcd.conf中添加tls_reqcert_allow来允许不验证证书
2、ca签名证书,你应该将证书放在/etc/openldap/cacerts/目录下来保证ldap客户端可以验证证书

生成密钥

[root@slave3] /etc/pki/tls/certs$ openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.+++
..........+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

移除密钥的密码

[root@slave3] /etc/pki/tls/certs$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

生成csr

[root@slave3] /etc/pki/tls/certs$ openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:baidu
Organizational Unit Name (eg, section) []:sre    
Common Name (eg, your name or your server's hostname) []:slave3.hanli.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:520224
An optional company name []:baidu

生成crt

[root@slave3] /etc/pki/tls/certs$ openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=baidu/OU=sre/CN=slave3.hanli.com/[email protected]
Getting Private key

复制到ldap的证书目录下

[root@slave3] /etc/pki/tls/certs$ cp /etc/pki/tls/certs/server.key \
> /etc/pki/tls/certs/server.crt \
> /etc/pki/tls/certs/ca-bundle.crt \
> /etc/openldap/certs/ 

修改权限

[root@slave3] /etc/openldap/certs$ chown ldap. /etc/openldap/certs/server.key \
> /etc/openldap/certs/server.crt \
> /etc/openldap/certs/ca-bundle.crt

创建ssl配置

[root@dlp ~]# vi mod_ssl.ldif
# create new
 dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

导入

[root@slave3] ~$ ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

验证配置文件是否正确

slaptest -u

修改服务器配置

[root@slave3] ~$ vi /etc/sysconfig/slapd

# line 9: add
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

重启

[root@slave3] ~$ systemctl restart slapd

检查端口,发现端口已改变

[root@slave3] ~$ netstat -antlp |grep 636
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      15877/slapd         
tcp6       0      0 :::636                  :::*                    LISTEN      15877/slapd         

修改客户端配置

[root@slave3] ~$ echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf 
[root@slave3] ~$  echo "tls_reqcert allow" >> /etc/nslcd.conf 
[root@slave3] ~$ authconfig --enableldaptls --update 

https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=4
https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html

你可能感兴趣的:(ldap)