From:http://maxshu.lofter.com/post/6c7b3_93f73


安装LDAP:
# yum install openldap-servers

安装openSSL:
# tar -zxvf openssl-1.0.0e.tar.gz
# cd openssl-1.0.0e
# ./config -fPIC shared
# make clean
# make
# make test
# make install
默认安装位置在/usr/local/ssl/,加入export PATH=/usr/local/ssl/bin:$PATH。
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf.d/openssl.conf
# ldconfig
# ldconfig -p |grep ssl
# ldconfig -v |grep ssl


创建CA根证书,这里调用的都是CA.sh,跟使用openssl加一大堆参数是一样的:
# mkdir /etc/ssl/
# cd /etc/ssl
# /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....................................++++++
....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: (输入ca根证书RAS密钥口令)
Verifying - Enter PEM pass phrase:(输入ca根证书RAS密钥口令)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanborq Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:nd0-rack2-cloud (必须是hostname命令的输出
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(不填,直接回车)
An optional company name []:(不填,直接回车)
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:  (上面输入的ca根证书RAS密钥口令)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            97:c5:5e:6c:8f:de:20:7b
        Validity
            Not Before: Nov 25 02:59:48 2011 GMT
            Not After : Nov 24 02:59:48 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = Hanborq Ltd.
            commonName                = nd0-rack2-cloud
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB
            X509v3 Authority Key Identifier:
                keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 24 02:59:48 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated


生成请求证书,为了LDAP能用,必须使用-newreq-nodes,正常情况应该用-newreq:
# /usr/local/ssl/misc/CA.sh -newreq-nodes
Generating a 1024 bit RSA private key
.............................++++++
.......++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanborq Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:nd0-rack2-cloud (必须是hostname命令的输出)
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(不填,直接回车)
An optional company name []:(不填,直接回车)
Request (and private key) is in newreq.pem


签发请求证书,就是生成签名后的证书:
# /usr/local/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            97:c5:5e:6c:8f:de:20:7c
        Validity
            Not Before: Nov 25 03:13:19 2011 GMT
            Not After : Nov 24 03:13:19 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = Hanborq Ltd.
            commonName                = nd0-rack2-cloud
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2F:7C:AE:2C:9D:04:CE:B6:6F:5C:91:C5:95:1C:92:9E:E4:FA:D5:66
            X509v3 Authority Key Identifier:
                keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

Certificate is to be certified until Nov 24 03:13:19 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            97:c5:5e:6c:8f:de:20:7c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=Hanborq Ltd., CN=Max Shu/[email protected]
        Validity
            Not Before: Nov 25 03:13:19 2011 GMT
            Not After : Nov 24 03:13:19 2012 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Hanborq Ltd., CN=Max Shu/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e3:ef:5b:50:ff:3a:14:6b:c7:72:58:90:5f:76:
                    2d:9c:f8:cc:34:e7:2c:07:bd:72:92:9e:47:06:44:
                    78:8a:bd:34:21:ed:ac:c9:1d:f3:bf:77:1a:20:a8:
                    75:b1:ad:4f:9f:e1:70:d1:fe:64:45:63:7b:0b:bf:
                    36:a7:7b:e4:4a:6e:1a:07:f3:90:78:ca:35:46:8f:
                    09:6e:4e:9c:c9:56:c6:f1:17:c3:53:91:f2:72:3a:
                    db:7d:f4:b8:38:b8:e7:d4:e2:14:03:16:f1:10:50:
                    cb:ab:d2:cd:18:20:97:b2:83:17:bc:47:00:d4:69:
                    06:3c:e4:b3:91:23:3b:d1:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2F:7C:AE:2C:9D:04:CE:B6:6F:5C:91:C5:95:1C:92:9E:E4:FA:D5:66
            X509v3 Authority Key Identifier:
                keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

    Signature Algorithm: sha1WithRSAEncryption
        3a:37:db:9a:92:90:0b:c9:9e:c1:bc:bf:c2:be:e4:a5:7a:fa:
        45:03:6a:cf:f0:6a:7d:0f:45:c3:a0:30:21:2f:3d:3a:c7:11:
        63:f6:79:38:6e:de:9d:15:60:18:1c:d5:f1:1f:25:b1:05:e3:
        56:bb:5f:d2:69:66:5c:66:50:e3:b9:06:41:3d:37:78:05:7d:
        23:b8:40:d7:3b:b6:aa:59:7c:ce:dc:91:53:a5:7e:8c:dc:98:
        c7:3a:ba:51:cd:f0:00:7d:1d:71:1b:22:51:ee:60:88:f8:d4:
        2c:a4:d0:8b:c2:0a:55:37:a9:b2:ed:8e:9c:2e:a0:bd:31:3b:
        ee:a5
-----BEGIN CERTIFICATE-----
MIIC5DCCAk2gAwIBAgIJAJfFXmyP3iB8MA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV
BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ2RvbmcxFTATBgNVBAoMDEhhbmJvcnEgTHRk
LjEQMA4GA1UEAwwHTWF4IFNodTEgMB4GCSqGSIb3DQEJARYRYWRhaXNodUBnbWFp
bC5jb20wHhcNMTExMTI1MDMxMzE5WhcNMTIxMTI0MDMxMzE5WjB/MQswCQYDVQQG
EwJDTjESMBAGA1UECAwJR3Vhbmdkb25nMREwDwYDVQQHDAhTaGVuemhlbjEVMBMG
A1UECgwMSGFuYm9ycSBMdGQuMRAwDgYDVQQDDAdNYXggU2h1MSAwHgYJKoZIhvcN
AQkBFhFhZGFpc2h1QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA4+9bUP86FGvHcliQX3YtnPjMNOcsB71ykp5HBkR4ir00Ie2syR3zv3caIKh1
sa1Pn+Fw0f5kRWN7C782p3vkSm4aB/OQeMo1Ro8Jbk6cyVbG8RfDU5HycjrbffS4
OLjn1OIUAxbxEFDLq9LNGCCXsoMXvEcA1GkGPOSzkSM70bcCAwEAAaN7MHkwCQYD
VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
aWNhdGUwHQYDVR0OBBYEFC98riydBM62b1yRxZUckp7k+tVmMB8GA1UdIwQYMBaA
FLooqpybKklPGx2W3WFrqyNznUq7MA0GCSqGSIb3DQEBBQUAA4GBADo325qSkAvJ
nsG8v8K+5KV6+kUDas/wan0PRcOgMCEvPTrHEWP2eThu3p0VYBgc1fEfJbEF41a7
X9JpZlxmUOO5BkE9N3gFfSO4QNc7tqpZfM7ckVOlfozcmMc6ulHN8AB9HXEbIlHu
YIj41Cyk0IvCClU3qbLtjpwuoL0xO+6l
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
最终生成的有用的证书就是newcert.pem,可以拷贝到别的地方使用,挪走newreq.pem和newcrt.pem之后,又可以请求和签发新证书了。

校验:
# /usr/local/ssl/misc/CA.sh -verify
newcert.pem: OK


移动证书到LDAP:
# cp /etc/ssl/newcert.pem /etc/openldap/cacerts/servercrt.pem
# cp /etc/ssl/newreq.pem /etc/openldap/cacerts/serverkey.pem
# cp /etc/ssl/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem
# chmod 400 /etc/openldap/cacerts/serverkey.pem
# chown ldap:ldap /etc/openldap/cacerts/serverkey.pem
# chmod 644 /etc/openldap/cacerts/servercrt.pem
# chown ldap:ldap /etc/openldap/cacerts/servercrt.pem
# chmod 644 /etc/openldap/cacerts/cacert.pem
# chown ldap:ldap /etc/openldap/cacerts/cacert.pem
# ll /etc/openldap/cacerts/
total 12
-rw-r--r-- 1 ldap ldap 3046 Nov 25 13:40 cacert.pem
-rw-r--r-- 1 ldap ldap 3217 Nov 25 13:40 servercrt.pem
-r-------- 1 ldap ldap 1600 Nov 25 13:40 serverkey.pem


得到ldap管理帐号的密码,下面会把这个密码加入slapd.conf的rootpw:
# slappasswd
New password:
Re-enter new password:
{SSHA}L19zkWmhL8zXnKfLDetVAwXt3Lm7qBOa

修改slapd.conf:
# vi /etc/openldap/slapd.conf
...
include         /etc/openldap/schema/nis.schema
...
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
...
suffix          "dc=hanborq,dc=com"
rootdn          "cn=Manager,dc=hanborq,dc=com"
...
rootpw                  {SSHA}L19zkWmhL8zXnKfLDetVAwXt3Lm7qBOa
...
access to attrs=shadowLastChange,userPassword
      by self write
      by * auth
access to *
      by * read
...

修改/etc/openldap/ldap.conf,注意这个ldap.conf是用于ldapadd之类的工具的,如果是客户端,则还需要使用/etc/ldap.conf:
# vi /etc/openldap/ldap.conf
BASE    dc=hanborq, dc=com
URI     ldap://nd0-rack2-cloud ldaps://nd0-rack2-cloud:636
TLS_REQCERT      allow
TLS_CACERTDIR    /etc/openldap/cacerts

默认DB配置:
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

增加LOG:
# echo "local4.* /var/log/slapd.log" >> /etc/syslog.conf
# service syslog restart


启动:
# service ldap restart
测试tls是否可用:
# openssl s_client -connect nd0-rack2-cloud:636
会输出证书。
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
dn:
namingContexts: dc=hanborq,dc=com  这里是正确的。
search: 2
result: 0 Success
# netstat -an | grep 389
# netstat -an | grep 636


编辑ldif文件:
# cd /etc/openldap/
# /usr/share/openldap/migration/migrate_base.pl > base.ldif
# sed -i "s/padl/hanborq/" base.ldif
编辑base.ldif,只需要三项:
# vi base.ldif
dn: dc=hanborq,dc=com
dc: hanborq
objectClass: top
objectClass: domain

dn: ou=People,dc=hanborq,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=hanborq,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

添加进数据库:
# ldapdelete -x -D "cn=Manager,dc=hanborq,dc=com" -W -r "dc=hanborq,dc=com"
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f base.ldif
Enter LDAP Password:  这里口令为slapd.conf的rootpw的口令
注意这里的-D参数需要跟slapd.conf的rootdn一致,否则会出错。
这里的-x表示简单鉴权,-W为提醒输入口令。

迁移组信息:
# /usr/share/openldap/migration/migrate_group.pl /etc/group > group.ldif
# sed -i "s/padl/hanborq/" group.ldif
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f group.ldif

迁移用户信息,其中shadow过的口令会自动加入:
# /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd > passwd.ldif
# sed -i "s/padl/hanborq/" passwd.ldif
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f passwd.ldif


检查一下:
# ldapsearch -x -b "dc=hanborq,dc=com"
可以看到所有用户和组都加入了。

URL方式检查:
非加密方式:
# ldapsearch -v -x -H ldap://nd0-rack2-cloud
SSL方式:
# ldapsearch -v -x -H ldaps://nd0-rack2-cloud:636
TLS方式,最好就用TLS方式:
# ldapsearch -v -x -h nd0-rack2-cloud -ZZ


客户端配置:
传输CA到客户端:
# scp LDAP_SERVER_IP:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/

下面的配置最好使用setup命令来配置。
修改/etc/sysconfig/authconfig:
# sed -i "/USELDAP=/d"         /etc/sysconfig/authconfig && echo "USELDAP=yes"         >> /etc/sysconfig/authconfig
# sed -i "/USELDAPAUTH=/d"     /etc/sysconfig/authconfig && echo "USELDAPAUTH=yes"     >> /etc/sysconfig/authconfig
# sed -i "/USEMD5=/d"          /etc/sysconfig/authconfig && echo "USEMD5=yes"          >> /etc/sysconfig/authconfig
# sed -i "/USESHADOW=/d"       /etc/sysconfig/authconfig && echo "USESHADOW=yes"       >> /etc/sysconfig/authconfig
# sed -i "/USELOCAUTHORIZE=/d" /etc/sysconfig/authconfig && echo "USELOCAUTHORIZE=yes" >> /etc/sysconfig/authconfig

修改/etc/openldap/ldap.conf:
# vi /etc/openldap/ldap.conf
BASE    dc=hanborq, dc=com
URI     ldap://nd0-rack2-cloud ldaps://nd0-rack2-cloud:636
TLS_REQCERT      allow
TLS_CACERTDIR    /etc/openldap/cacerts

修改/etc/ldap.conf和/etc/nslcd.conf,注意这个ldap.conf是用于客户端的,不是用于ldapadd之类的工具,CentOS6.x是/etc/pam_ldap.conf:
# vi /etc/ldap.conf
host nd0-rack2-cloud
base dc=hanborq,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem

CentOS6.x需要配置/etc/nslcd.conf:
# vi /etc/nslcd.conf
uri ldap://nd0-rack2-cloud
base dc=hanborq,dc=com
ssl start_tls
tls_reqcert allow
tls_cacertdir /etc/openldap/cacerts

CentOS6.x如果不使用sssd,就不需要配置/etc/sssd/sssd.conf:
# vi /etc/sssd/sssd.conf
...
domains = default
...
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=hanborq,dc=com
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
debug_level = 0
ldap_uri = ldap://nd0-rack2-cloud
ldap_tls_cacertdir = /etc/openldap/cacerts

CentOS6.x需要重启nslcd进程,如果用非加密方式,则必须修改/etc/sysconfig/authconfig里面的FORCELEGACY=no为yes,使用TLS,则不需要修改:
# sed -i "/FORCELEGACY=/d" /etc/sysconfig/authconfig && echo "FORCELEGACY=yes" >> /etc/sysconfig/authconfig
# service nslcd restart
# service sssd restart

修改NSS:
# vi /etc/nsswitch.conf
...
passwd:     files ldap
shadow:     files ldap
group:      files ldap
...
netgroup:   files ldap
...
automount:  files ldap
...

修改系统鉴权:
# vi /etc/pam.d/system-auth
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
...
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
...
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
...
session     required      pam_unix.so
session     optional      pam_ldap.so


测试:
刚才已经导入了linux的所有用户到LDAP,现在我们删除掉一个linux用户,用修改密码方式可以看到该用户已经在LDAP上面了:
# userdel nimbus
# passwd nimbus
Changing password for user nimbus.
Enter login(LDAP) password:
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
LDAP password information changed for nimbus
passwd: all authentication tokens updated successfully.
登录测试:
# ssh [email protected]
可以登录。