1,ldap server 192.168.98.129
client 192.168.98.128
客户端加入到ldap 域,使用ldap账户登录,见 《ldap客户端加入域和ssl加密查询》
2,配置CA 认证中心
129上
首先清理掉默认的CA目录,然后重新生成
[root@localhost misc]# cd /etc/pki/
[root@localhost pki]# ls
CA nssdb rpm-gpg server.crt server.csr server.key tls
[root@localhost pki]# rm -rf CA
重新生成
[root@localhost ssl]# cd /etc/pki/tls/misc/
[root@localhost misc]# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.........++++++
................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:pincer
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:abc
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 15 07:11:29 2015 GMT
Not After : Feb 14 07:11:29 2018 GMT
Subject:
countryName = GB
stateOrProvinceName = Berkshire
organizationName = My Company Ltd
commonName = pincer
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B
X509v3 Authority Key Identifier:
keyid:BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B
Certificate is to be certified until Feb 14 07:11:29 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#
上面生成了CA 证书,在/etc/pki/CA下有一个cacert.pem文件,这个证书是要放到ldap 的证书目录中使用的
下面生成的是每个机器的请求文件和证书,线上使用中,每个ldap server 都要执行一次,然后传到ldap server(主要是因为下面的commonName = pincer )
[root@localhost misc]# openssl req -newkey rsa:1024 -nodes -keyout slapd-key.pem -out slapd-req.pem
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'slapd-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:pincer
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:abc
[root@localhost misc]#
[root@localhost misc]#
[root@localhost misc]# ls
CA CA.pl c_hash c_info c_issuer c_name slapd-key.pem slapd-req.pem
[root@localhost misc]# openssl ca -out slapd-cert.pem -infiles slapd-req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 15 07:13:21 2015 GMT
Not After : Feb 15 07:13:21 2016 GMT
Subject:
countryName = GB
stateOrProvinceName = Berkshire
organizationName = My Company Ltd
commonName = pincer ###这里要注意,这里的写主机名,则连接的时候,ldapsearch -h也要写主机名,所以,为了线上使用,需要填写ldap server的ip地址
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DC:50:25:5D:64:DB:DC:50:5C:F5:30:03:76:6A:9F:38:EE:A3:38:C5
X509v3 Authority Key Identifier:
keyid:BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B
Certificate is to be certified until Feb 15 07:13:21 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#
3个步骤,就将ca中心的证书和ldap的证书都搞定了
3,下面将证书复制到ldap 目录中使用
修改ldap配置文件
[root@localhost pki]# vim /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapd-key.pem
将证书复制到/etc/openldap/ssl/ 中,修改slapd-key.pem 文件权限为600
[root@localhost pki]# cp CA/cacert.pem tls/misc/slapd-* /etc/openldap/ssl/
[root@localhost pki]# chmod 600 /etc/openldap/ssl/slapd-key.pem
重启ldap 会监听一个636 端口,即为加密认证
4,修改客户端配置认证
注意: 如果有其他客户端,则将/etc/openldap/ssl下的目录全部复制到ldap client上,然后修改/etc/openlda/ldap.conf 就好了
[root@localhost pki]# vim /etc/openldap/ldap.conf
URI ldaps://pincer/ (1)这里的pincer要跟生成证书的comm写的一样, 我们这里写的是pincer,所以这里也要写pincer
BASE dc=my-domain,dc=com
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERTDIR /etc/openldap/ssl
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT hard
上面的必须要加
配置/etc/ldap.conf
(2)#下面的顺序一定要这样
ssl start_tls
ssl on
上面的(1)和(2) 不对, ldapsearch 不受影响,但是getent 和系统验证登录就会失败(卡主)
测试:
可以看到下面ldaps://pincer 访问的ip的pincer,这是因为上面([root@localhost misc]# openssl ca -out slapd-cert.pem -infiles slapd-req.pem )生成的时候写的pincer,所以这个访问这个ldap server的时候就必须要跟天蝎的pincer对应, 如果想访问ip,生成的时候就得使用ip地址
[root@localhost pki]# ldapsearch -x -b 'dc=my-domain,dc=com' -H ldaps://pincer -D 'cn=Manager,dc=my-domain,dc=com' -w 123456|less
# extended LDIF
#
# LDAPv3
# base
# filter: (objectclass=*)
# requesting: ALL
#
# my-domain.com
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: top
objectClass: dcObject
objectClass: organization
o: my-domain
# Manager, my-domain.com
dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager
# People, my-domain.com
dn: ou=People,dc=my-domain,dc=com
ou: People
description:: QWxsIHBlb3BsZSBpbiBvcmdhbml6YXRpb24g
objectClass: organizationalUnit
# Group, my-domain.com
dn: ou=Group,dc=my-domain,dc=com
ou: Group
description: All people in organization
objectClass: organizationalUnit
# root, People, my-domain.com
dn: uid=root,ou=People,dc=my-domain,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJC5weE5FaUo3JG9jeER0cGFuTlBIU1o1WVI5Z2FGNi4=
shadowLastChange: 16354
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
为ldap用户登录时创建家目录
将下面一条在ldap client上追加 就可以了
echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/system-auth
------下面是线上实例,由于有多个ldap server都需要加密,所以要单独为每个ldap生成一个证书(主要是方便客户端通过ip访问)
#!/usr/bin/expect
proc Usage_Exit {myself} {
puts ""
puts "### USAGE: $myself slave_ip pass_phrase"
puts ""
exit
}
if { [llength $argv] < 2 } {
Usage_Exit $argv0
}
set IP [lindex $argv 0]
set PASSWORD [lindex $argv 1]
set timeout 8
spawn openssl req -newkey rsa:1024 -nodes -keyout slapd-key.pem -out slapd-req.pem
expect {
"Country Name (2 letter code) " { send "\r";exp_continue}
"State or Province Name (full name) " { send "\r";exp_continue}
"Locality Name (eg, city) " { send "\r";exp_continue}
"Organization Name (eg, company) " { send "\r";exp_continue}
"Organizational Unit Name (eg, section) " { send "\r";exp_continue}
"Common Name (eg, YOUR name) " { send "$IP\r";exp_continue}
"Email Address " { send "\r";exp_continue}
"A challenge password " { send "\r";exp_continue}
"An optional company name " { send "\r"; exp_continue}
timeout { puts "$IP time out" ;exit 1 }
}
spawn openssl ca -out slapd-cert.pem -infiles slapd-req.pem
expect {
"Enter pass phrase for ./demoCA/private/cakey.pem" { send "$PASSWORD\r";exp_continue}
"y/n]" { send "y\r";exp_continue}
timeout { puts "$IP time out" ;exit 1 }
}