1,ldap server 192.168.98.129

      client  192.168.98.128

客户端加入到ldap 域,使用ldap账户登录,见 《ldap客户端加入域和ssl加密查询》

2,配置CA 认证中心

129上

首先清理掉默认的CA目录,然后重新生成

[root@localhost misc]# cd /etc/pki/ 
[root@localhost pki]# ls 
CA nssdb rpm-gpg server.crt server.csr server.key tls 
[root@localhost pki]# rm -rf CA

重新生成

[root@localhost ssl]# cd /etc/pki/tls/misc/

[root@localhost misc]# ./CA -newca 
CA certificate filename (or enter to create) 

Making CA certificate ... 
Generating a 1024 bit RSA private key 
.........++++++ 
................++++++ 
writing new private key to '../../CA/private/./cakey.pem' 
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [GB]: 
State or Province Name (full name) [Berkshire]: 
Locality Name (eg, city) [Newbury]: 
Organization Name (eg, company) [My Company Ltd]: 
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) []:pincer  
Email Address []:[email protected] 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []:abc 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ../../CA/private/./cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
Serial Number: 0 (0x0) 
Validity 
Not Before: Feb 15 07:11:29 2015 GMT 
Not After : Feb 14 07:11:29 2018 GMT 
Subject: 
countryName = GB 
stateOrProvinceName = Berkshire 
organizationName = My Company Ltd 
commonName = pincer 
emailAddress = [email protected] 
X509v3 extensions: 
X509v3 Basic Constraints: 
CA:FALSE 
Netscape Comment: 
OpenSSL Generated Certificate 
X509v3 Subject Key Identifier: 
BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B 
X509v3 Authority Key Identifier: 
keyid:BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B 

Certificate is to be certified until Feb 14 07:11:29 2018 GMT (1095 days) 

Write out database with 1 new entries 
Data Base Updated 
[root@localhost misc]#

上面生成了CA 证书,在/etc/pki/CA下有一个cacert.pem文件,这个证书是要放到ldap 的证书目录中使用的

下面生成的是每个机器的请求文件和证书,线上使用中,每个ldap server 都要执行一次,然后传到ldap server(主要是因为下面的commonName = pincer 

[root@localhost misc]# openssl req -newkey rsa:1024 -nodes -keyout slapd-key.pem -out slapd-req.pem 
Generating a 1024 bit RSA private key 
...++++++ 
...++++++ 
writing new private key to 'slapd-key.pem' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [GB]: 
State or Province Name (full name) [Berkshire]: 
Locality Name (eg, city) [Newbury]: 
Organization Name (eg, company) [My Company Ltd]: 
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) []:pincer 
Email Address []:[email protected] 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []:abc 
[root@localhost misc]# 
[root@localhost misc]# 
[root@localhost misc]# ls 
CA CA.pl c_hash c_info c_issuer c_name slapd-key.pem slapd-req.pem 


[root@localhost misc]# openssl ca -out slapd-cert.pem -infiles slapd-req.pem 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ../../CA/private/cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
Serial Number: 1 (0x1) 
Validity 
Not Before: Feb 15 07:13:21 2015 GMT 
Not After : Feb 15 07:13:21 2016 GMT 
Subject: 
countryName = GB 
stateOrProvinceName = Berkshire 
organizationName = My Company Ltd 
commonName = pincer  ###这里要注意,这里的写主机名,则连接的时候,ldapsearch -h也要写主机名,所以,为了线上使用,需要填写ldap server的ip地址
emailAddress = [email protected] 
X509v3 extensions: 
X509v3 Basic Constraints: 
CA:FALSE 
Netscape Comment: 
OpenSSL Generated Certificate 
X509v3 Subject Key Identifier: 
DC:50:25:5D:64:DB:DC:50:5C:F5:30:03:76:6A:9F:38:EE:A3:38:C5 
X509v3 Authority Key Identifier: 
keyid:BA:B6:03:66:2F:8E:9A:AB:79:B2:82:24:CC:EA:15:8C:7D:69:77:2B 

Certificate is to be certified until Feb 15 07:13:21 2016 GMT (365 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
[root@localhost misc]#

3个步骤,就将ca中心的证书和ldap的证书都搞定了

3,下面将证书复制到ldap 目录中使用

修改ldap配置文件

[root@localhost pki]# vim /etc/openldap/slapd.conf

TLSCACertificateFile /etc/openldap/ssl/cacert.pem

TLSCertificateFile /etc/openldap/ssl/slapd-cert.pem

TLSCertificateKeyFile /etc/openldap/ssl/slapd-key.pem

将证书复制到/etc/openldap/ssl/ 中,修改slapd-key.pem 文件权限为600

[root@localhost pki]# cp CA/cacert.pem tls/misc/slapd-* /etc/openldap/ssl/

[root@localhost pki]# chmod 600 /etc/openldap/ssl/slapd-key.pem

重启ldap 会监听一个636 端口,即为加密认证

4,修改客户端配置认证

注意: 如果有其他客户端,则将/etc/openldap/ssl下的目录全部复制到ldap client上,然后修改/etc/openlda/ldap.conf 就好了

[root@localhost pki]# vim /etc/openldap/ldap.conf

URI ldaps://pincer/           (1)这里的pincer要跟生成证书的comm写的一样, 我们这里写的是pincer,所以这里也要写pincer

BASE dc=my-domain,dc=com

#TLS_CACERTDIR /etc/openldap/cacerts

TLS_CACERTDIR /etc/openldap/ssl

TLS_CACERT /etc/openldap/ssl/cacert.pem

TLS_REQCERT hard

上面的必须要加

配置/etc/ldap.conf

  (2)#下面的顺序一定要这样

ssl start_tls

ssl on

上面的(1)和(2) 不对,  ldapsearch 不受影响,但是getent 和系统验证登录就会失败(卡主)

测试:

可以看到下面ldaps://pincer  访问的ip的pincer,这是因为上面([root@localhost misc]# openssl ca -out slapd-cert.pem -infiles slapd-req.pem )生成的时候写的pincer,所以这个访问这个ldap server的时候就必须要跟天蝎的pincer对应, 如果想访问ip,生成的时候就得使用ip地址

[root@localhost pki]# ldapsearch -x -b 'dc=my-domain,dc=com' -H ldaps://pincer -D 'cn=Manager,dc=my-domain,dc=com' -w 123456|less 
# extended LDIF 

# LDAPv3 
# base with scope subtree 
# filter: (objectclass=*) 
# requesting: ALL 


# my-domain.com 
dn: dc=my-domain,dc=com 
dc: my-domain 
objectClass: top 
objectClass: dcObject 
objectClass: organization 
o: my-domain 

# Manager, my-domain.com 
dn: cn=Manager,dc=my-domain,dc=com 
objectClass: organizationalRole 
cn: Manager 

# People, my-domain.com 
dn: ou=People,dc=my-domain,dc=com 
ou: People 
description:: QWxsIHBlb3BsZSBpbiBvcmdhbml6YXRpb24g 
objectClass: organizationalUnit 

# Group, my-domain.com 
dn: ou=Group,dc=my-domain,dc=com 
ou: Group 
description: All people in organization 
objectClass: organizationalUnit 

# root, People, my-domain.com 
dn: uid=root,ou=People,dc=my-domain,dc=com 
uid: root 
cn: root 
objectClass: account 
objectClass: posixAccount 
objectClass: top 
objectClass: shadowAccount 
userPassword:: e2NyeXB0fSQxJC5weE5FaUo3JG9jeER0cGFuTlBIU1o1WVI5Z2FGNi4= 
shadowLastChange: 16354 
shadowMin: 0 
shadowMax: 99999 
shadowWarning: 7 
loginShell: /bin/bash 
uidNumber: 0 
gidNumber: 0 
homeDirectory: /root

为ldap用户登录时创建家目录

将下面一条在ldap client上追加 就可以了

echo 'session    required     pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/system-auth

------下面是线上实例,由于有多个ldap server都需要加密,所以要单独为每个ldap生成一个证书(主要是方便客户端通过ip访问)

#!/usr/bin/expect

proc Usage_Exit {myself} {

    puts ""

    puts "### USAGE: $myself slave_ip pass_phrase"

    puts ""

    exit

}

if { [llength $argv] < 2 } {

    Usage_Exit $argv0

}

set IP [lindex $argv 0]

set PASSWORD [lindex $argv 1]

set timeout 8

spawn openssl req -newkey rsa:1024 -nodes -keyout slapd-key.pem -out slapd-req.pem

expect {

        "Country Name (2 letter code) " { send "\r";exp_continue}

        "State or Province Name (full name) " { send "\r";exp_continue}

        "Locality Name (eg, city) " { send "\r";exp_continue}

        "Organization Name (eg, company) " { send "\r";exp_continue}

        "Organizational Unit Name (eg, section) " { send "\r";exp_continue}

        "Common Name (eg, YOUR name) " { send "$IP\r";exp_continue}

        "Email Address " { send "\r";exp_continue}

        "A challenge password " { send "\r";exp_continue}

        "An optional company name " { send "\r"; exp_continue}

        timeout { puts "$IP time out" ;exit 1 }

}

spawn openssl ca -out slapd-cert.pem -infiles slapd-req.pem

expect {

        "Enter pass phrase for ./demoCA/private/cakey.pem" { send "$PASSWORD\r";exp_continue}

        "y/n]" { send "y\r";exp_continue}

        timeout { puts "$IP time out" ;exit 1 }

}