Transport Encryption (TLS)
2.4.1 Notes
1) When installing in a production environment, pay attention to the certificate validity dates; the CA.pl script can be modified for this.
2) To use the CA.pl script in /etc/pki/tls/misc, install:
yum install openssl-perl openssl-devel
3) Client tools can get encrypted transport over port 636 even without a CA-issued certificate, provided the OpenLDAP server has its own certificate (public key) and private key.
4) The CA is only the "authority" that signs certificates.
5) Transport encryption does not strictly require distributing the CA certificate file to the client.
In the configuration file /etc/ldap.conf:
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes
In this file tls_checkpeer defaults to yes; when it is set to no, the CA certificate no longer has to be distributed to the client (the connection is still encrypted, but the client then cannot verify which server it is talking to).
6) In /etc/ldap.conf, "ssl on" corresponds to ldaps: enabling "ssl on" makes the client use ldaps, and the two lines "ssl start_tls" and "ssl on" must be kept in exactly this order. If they are reversed, an error about TLS being enabled twice is reported.
7) /etc/openldap/ldap.conf is the configuration file of the command-line tools; to debug:
ldapsearch -H ldaps://192.168.60.136 -d225
8) TLSVerifyClient, TLS_REQCERT and tls_checkpeer are the corresponding settings in /etc/openldap/slapd.conf, /etc/openldap/ldap.conf and /etc/ldap.conf respectively.
9) If a domain name is specified, use the domain name everywhere; otherwise use the IP address everywhere.
2.4.2 Certificate configuration procedure
Three steps: first set up the CA, then have that CA issue one server certificate and one client certificate.
Note in particular that when creating a certificate, if an FQDN is entered as the Common Name the client must connect by that FQDN, and if an IP address is entered the client must connect by that IP.
2.4.3 Creating the CA
Two directories are involved: /etc/pki/tls/misc is the working directory and /etc/pki/CA holds all CA-related files. After this step a series of files is generated under /etc/pki/CA, the most important being:
/etc/pki/CA/cakey.pem   the CA private key
/etc/pki/CA/cacert.pem  the CA certificate
Note: if the script finds existing files under /etc/pki/CA it exits quietly without creating anything. Delete everything under /etc/pki/CA and the script works normally.

cd /etc/pki/tls/misc/
rm /etc/pki/CA/ -rf
/etc/pki/tls/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..................................++++++
.....++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldapm.dh.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
      c4:87:8a:c3:fd:11:b2:61
        Validity
      Not Before: Jul 23 06:43:39 2010 GMT
      Not After : Jul 22 06:43:39 2013 GMT
        Subject:
      countryName         = GB
      stateOrProvinceName       = Berkshire
      organizationName    = My Company Ltd
      commonName          = ldapm.dh.cn
        X509v3 extensions:
      X509v3 Subject Key Identifier:
          4B:11:F1:EE:53:DC:74:2A:66:F4:C5:E4:5A:15:61:8B:7A:4D:1F:2D
      X509v3 Authority Key Identifier:
          keyid:4B:11:F1:EE:53:DC:74:2A:66:F4:C5:E4:5A:15:61:8B:7A:4D:1F:2D
          DirName:/C=GB/ST=Berkshire/O=My Company Ltd/CN=ldapm.dh.cn
          serial:C4:87:8A:C3:FD:11:B2:61
      X509v3 Basic Constraints:
          CA:TRUE
Certificate is to be certified until Jul 22 06:43:39 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
2.4.4 Creating the server certificate
/etc/pki/tls/misc/CA.pl -newreq-nodes
The -nodes option stores the private key unencrypted, so no passphrase has to be entered every time the OpenLDAP server restarts.
Generating a 1024 bit RSA private key
...............++++++
.++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldapm.dh.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
2.4.5 Signing
/etc/pki/tls/misc/CA.pl -sign
Sign the certificate request:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
      c4:87:8a:c3:fd:11:b2:62
        Validity
      Not Before: Jul 23 06:52:31 2010 GMT
      Not After : Jul 23 06:52:31 2011 GMT
        Subject:
      countryName         = GB
      stateOrProvinceName       = Berkshire
      localityName        = Newbury
      organizationName    = My Company Ltd
      commonName          = ldapm.dh.cn
        X509v3 extensions:
      X509v3 Basic Constraints:
          CA:FALSE
      Netscape Comment:
          OpenSSL Generated Certificate
      X509v3 Subject Key Identifier:
          BE:21:BD:4C:39:C1:B4:26:B4:EB:ED:B6:42:36:97:1F:97:49:15:49
      X509v3 Authority Key Identifier:
          keyid:4B:11:F1:EE:53:DC:74:2A:66:F4:C5:E4:5A:15:61:8B:7A:4D:1F:2D
Certificate is to be certified until Jul 23 06:52:31 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
After running the two steps, three files have been created in the current directory:
newreq.pem  the certificate signing request, no longer needed
newcert.pem the CA-signed certificate
newkey.pem  the private key matching the certificate
Move the files:
mv new* /etc/openldap/cacerts/
cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/
Set the owner:
cd /etc/openldap/cacerts/
chown ldap.ldap *
Set appropriate permissions:
chmod 644 newcert.pem
chmod 600 newkey.pem
Copy these two files together with the CA certificate into /etc/openldap/cacerts.
Place the CA certificate file (cacert.pem) in /etc/openldap/cacerts on the client.
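Before restarting slapd with the files produced in 2.4.3 to 2.4.5, the pitfalls of 2.4.1 (validity period, Common Name versus the address the client connects to, the unencrypted -nodes key) can be checked mechanically. This is an added example, not part of the original notes: it assumes only the openssl CLI, the function names are my own, and the throwaway CA it builds is constructed test data.

```shell
#!/bin/sh
# Added example, not part of the original notes: checks on the files the notes put in
# /etc/openldap/cacerts (cacert.pem, newcert.pem, newkey.pem) and on the client's
# "uri ldaps://..." line. Assumes only the openssl CLI; the demo CA is constructed data.
chain_ok() {            # chain_ok CACERT CERT: is CERT really signed by this CA (2.4.5)?
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
key_matches_cert() {    # key_matches_cert KEY CERT: the key's public half equals the cert's
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
cert_cn() {             # cert_cn CERT: the Common Name typed at the CA.pl prompt
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
uri_host() {            # uri_host 'ldaps://host[:port]/' -> host
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#[:/].*$##'
}
cn_matches_uri() {      # 2.4.1 note 9: issued to an FQDN, then the client must connect by that FQDN
    [ -n "$(cert_cn "$1")" ] && [ "$(cert_cn "$1")" = "$(uri_host "$2")" ]
}
valid_for_days() {      # valid_for_days CERT N: 2.4.1 note 1; CA.pl -sign only gives 365 days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
key_mode_is_600() {     # -nodes left the key unencrypted, so the chmod 600 of 2.4.5 must hold
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
make_demo_certs() {     # constructed data: throwaway CA + server cert for ldapm.dh.cn in DIR
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo CA' -days 1095 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=ldapm.dh.cn' \
        -keyout "$1/newkey.pem" -out "$1/newreq.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/newreq.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 365 -out "$1/newcert.pem" 2>/dev/null &&
    chmod 600 "$1/newkey.pem"
}
d=$(mktemp -d)
if make_demo_certs "$d"; then
    for t in "chain_ok $d/cacert.pem $d/newcert.pem" "key_matches_cert $d/newkey.pem $d/newcert.pem" \
             "cn_matches_uri $d/newcert.pem ldaps://ldapm.dh.cn/" \
             "cn_matches_uri $d/newcert.pem ldaps://192.168.60.136/" \
             "valid_for_days $d/newcert.pem 30" "key_mode_is_600 $d/newkey.pem"; do
        if $t; then echo "PASS $t"; else echo "FAIL $t"; fi   # the IP uri is the expected FAIL
    done
fi
rm -rf "$d"
```

Point the functions at /etc/openldap/cacerts and the uri line of /etc/ldap.conf to check a real installation.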
2.4.6 Creating the client certificate (not done yet)
Creating the client certificate is similar to creating the server certificate above, with two points to note:
1) For the Common Name, enter the client's fully qualified name or its IP address.
2) The certificate and private key files may be named client.cert and client.key; copy them, together with cacert.pem, to /etc/openldap/cacerts on the client.
Add to the client's /etc/ldap.conf:
tls_cert /etc/openldap/cacerts/newcert.pem
tls_key /etc/openldap/cacerts/newkey.pem
2.4.7 Configuration files
Server side
1•/etc/openldap/slapd.conf (main configuration file)
TLSCipherSuite   HIGH:MEDIUM:+SSLv2:+TLSv1:+SSLv3
TLSCACertificateFile   /etc/openldap/cacerts/cacert.pem
TLSCertificateFile     /etc/openldap/cacerts/newcert.pem
TLSCertificateKeyFile  /etc/openldap/cacerts/newkey.pem
TLSVerifyClient         allow
# TLSVerifyClient never/allow/try/demand: the verification level demanded of the client certificate. With demand, the client must present its own CA-signed certificate.
2•/etc/openldap/ldap.conf (configuration file for ldapsearch and the other tools)
BASE dc=dh,dc=cn
URI ldaps://192.168.60.136/
Client side
3•/etc/ldap.conf
ssl start_tls
ssl on
tls_cacertfile /etc/openldap/cacerts/cacert.pem
uri ldaps://192.168.60.136/
pam_password md5
Note:
ldaps://192.168.60.136/
The IP address after it must match the IP used when the certificate was created; if a domain name was used when creating the certificate, use the domain name here too.
Remarks:
TLSVerifyClient never
Sets whether the client's identity is verified; the possible values are never/allow/try/demand, and which one to use depends on the security policy. Purely in terms of configuration: if the client's identity need not be authenticated, the client only needs the CA certificate; if it must be authenticated, the client additionally needs a certificate of its own.
Configuration in /etc/openldap/ldap.conf
Test configuration files (logins from other hosts succeeded with these):
[root@mailsrv cacerts]# cat /etc/ldap.conf |grep -v '^#'|sed /^$/d
base dc=dh,dc=cn
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
tls_checkpeer yes
tls_ciphers TLSv1
tls_cert /etc/openldap/cacerts/newcert.pem
tls_key /etc/openldap/cacerts/newkey.pem
uri ldaps://192.168.60.136/
ssl start_tls
ssl on
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
pam_password md5
[root@mailsrv cacerts]# cat /etc/openldap/ldap.conf |grep -v '^#'|sed /^$/d
URI ldaps://192.168.60.136/
BASE dc=dh,dc=cn
TLS_CACERTDIR /etc/openldap/cacerts
2.4.8 Example (server/client configuration files)
Server configuration file 1:
cat /etc/openldap/slapd.conf |grep -v '^#'|sed /^$/d       
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/openldap.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
access to attrs=shadowLastChange,userPassword by self write by * auth
access to * by * read
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile   /etc/openldap/cacerts/cacert.pem
TLSCertificateFile     /etc/openldap/cacerts/newcert.pem
TLSCertificateKeyFile  /etc/openldap/cacerts/newkey.pem
TLSVerifyClient         allow
loglevel        -1
database        bdb
suffix          "dc=dh,dc=cn"
rootdn          "cn=ning,dc=dh,dc=cn"
rootpw          {MD5}4QrcOUm6Wau+VuBX8g+IPg==
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
replogfile /var/lib/ldap/replog
replica host=192.168.60.132:389
        suffix="dc=dh,dc=cn"
        binddn="cn=ning,dc=dh,dc=cn"
        credentials=654321
        bindmethod=simple
        tls=no
Server configuration file 2:
cat /etc/openldap/ldap.conf |grep -v '^#'|sed /^$/d         
URI ldaps://192.168.60.136/
BASE dc=dh,dc=cn
TLS_CACERTDIR /etc/openldap/cacerts
Client configuration file (to connect to the LDAP server, a client only needs /etc/ldap.conf configured)
Note: the two lines "ssl start_tls" and "ssl on" must be kept in this order; if they are reversed, an error about TLS being enabled twice is reported
cat /etc/ldap.conf |grep -v '^#'|sed /^$/d
base dc=dh,dc=cn
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldaps://192.168.60.136/
ssl start_tls
ssl on
tls_cacertfile /etc/openldap/cacerts/cacert.pem
pam_password md5
tls_cacertdir /etc/openldap/cacerts
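The ordering and verification pitfalls of 2.4.1 (notes 5 and 6) can be checked mechanically against a pam_ldap/nss_ldap /etc/ldap.conf like the one above. This is an added example, not part of the original notes: the function names are my own, it needs only POSIX sh, grep and sed, and the two sample files it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: lint a pam_ldap/nss_ldap /etc/ldap.conf
# (the client file of 2.4.7/2.4.8) for the pitfalls listed in 2.4.1. POSIX sh, grep and
# sed only; the function names are my own and the two sample files are constructed.
effective() {           # the same view as the notes' cat ... | grep -v '^#' | sed /^$/d
    grep -v '^#' "$1" | sed '/^[[:space:]]*$/d'
}
ssl_order_ok() {        # note 6: "ssl start_tls" must come before "ssl on", or TLS is enabled twice
    a=$(effective "$1" | grep -n '^ssl[[:space:]]*start_tls' | cut -d: -f1 | head -n 1)
    b=$(effective "$1" | grep -n '^ssl[[:space:]]*on' | cut -d: -f1 | head -n 1)
    [ -z "$a" ] || [ -z "$b" ] || [ "$a" -lt "$b" ]
}
uri_matches_ssl() {     # note 6: "ssl on" means ldaps, so the uri line must use ldaps://
    ! effective "$1" | grep -q '^ssl[[:space:]]*on' ||
        effective "$1" | grep -q '^uri[[:space:]]*ldaps://'
}
peer_verified() {       # note 5: "tls_checkpeer no" turns off verification of the server certificate
    ! effective "$1" | grep -q '^tls_checkpeer[[:space:]]*no'
}
cacert_present() {      # the client needs the CA certificate copied in 2.4.5 to verify anything
    effective "$1" | grep -Eq '^tls_cacert(file|dir)[[:space:]]'
}
lint_ldap_conf() {      # lint_ldap_conf FILE: one line per finding, exit status = number of findings
    n=0
    ssl_order_ok "$1"    || { echo "  ssl on appears before ssl start_tls (TLS enabled twice)"; n=$((n+1)); }
    uri_matches_ssl "$1" || { echo "  ssl on is set but uri is not ldaps://"; n=$((n+1)); }
    peer_verified "$1"   || { echo "  tls_checkpeer no: server certificate is not verified"; n=$((n+1)); }
    cacert_present "$1"  || { echo "  no tls_cacertfile or tls_cacertdir"; n=$((n+1)); }
    return $n
}
# Constructed samples: the working client file of 2.4.8, and a copy with the lines swapped and weakened.
GOOD=$(mktemp); BAD=$(mktemp)
printf '%s\n' 'base dc=dh,dc=cn' 'uri ldaps://192.168.60.136/' 'ssl start_tls' 'ssl on' \
    'tls_cacertfile /etc/openldap/cacerts/cacert.pem' 'pam_password md5' > "$GOOD"
printf '%s\n' 'base dc=dh,dc=cn' '# TLS settings' 'uri ldap://192.168.60.136/' 'ssl on' \
    'ssl start_tls' 'tls_checkpeer no' 'pam_password md5' > "$BAD"
for f in "$GOOD" "$BAD"; do
    echo "== $f"
    if lint_ldap_conf "$f"; then echo "  OK"; else echo "  $? finding(s)"; fi
done
rm -f "$GOOD" "$BAD"
```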
2.4.9 Testing / verification
2.4.9.1 Certificate test
openssl s_client -connect 192.168.60.136:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
2.4.9.2 tcpdump
tcpdump [-nn] [-i interface] [-w capture file] [-c count] [-Ae] [-qX] [-r file] [filter expression]
Options:
-nn: show IP addresses and port numbers directly instead of host names and service names
-i: the network interface to listen on, e.g. eth0
-w: write the captured packets to a file
-c: number of packets to capture
-A: show packet contents as ASCII, usually used to capture web (WWW) traffic
-e: show data-link layer (OSI layer 2) MAC information
-q: print only brief packet information, with a shorter line per packet
-X: print packet contents in both hexadecimal (hex) and ASCII, for inspecting packet payloads
-r: read packets back from a file produced with -w
Note that the captured packets are usually narrowed down with a filter expression:
'host foo'
'host 127.0.0.1'
'net 192.168'
'src host 127.0.0.1'
'dst net 192.168'
'tcp port 21'
Expressions can also be combined with and / or.
For example: tcpdump -i eth0 -nn port 21
Another example, tracing where packets flow:
• in one terminal, start listening with 'tcpdump -i lo -nn'
• in another terminal, log in to the local machine with 'ssh localhost'
and look at the output.
Listening to the FTP cleartext traffic on the router:
tcpdump -i lo -nn -X 'port 21'
To let tcpdump listen on the network interface, the interface is put into "promiscuous mode" while tcpdump runs.
Question: how do you use tcpdump to capture packets arriving on the eth0 adapter on port 22 with source address 192.168.1.100?
tcpdump -i eth0 -nn 'port 22 and src host 192.168.1.100'
2.4.9.3 Encryption check
On the LDAP server 192.168.60.136, first without TLS, letting the traffic go over port 389:
[root@mysql01 ~]# tcpdump -i eth0 -nn -X 'port 389 and src host 192.168.60.136'  
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:09:22.214849 IP 192.168.60.136.389 > 192.168.60.132.58077: S 3493217345:3493217345(0) ack 4120875423 win 5792
        0x0000:  4500 003c 0000 4000 4006 405f c0a8 3c88  E..<..@.@.@_..<.
        0x0010:  c0a8 3c84 0185 e2dd d036 4441 f59f 919f  ..<......6DA....
        0x0020:  a012 16a0 51a7 0000 0204 05b4 0402 080a  ....Q...........
        0x0030:  2071 a9d3 0a3f 90b0 0103 0304            .q...?......
17:09:22.215042 IP 192.168.60.136.389 > 192.168.60.132.58077: . ack 15 win 362
        0x0000:  4500 0034 ed91 4000 4006 52d5 c0a8 3c88  E..4..@.@.R...<.
        0x0010:  c0a8 3c84 0185 e2dd d036 4442 f59f 91ad  ..<......6DB....
        0x0020:  8010 016a 9597 0000 0101 080a 2071 a9d3  ...j.........q..
        0x0030:  0a3f 90b1                                .?..
17:09:22.216399 IP 192.168.60.136.389 > 192.168.60.132.58077: P 1:15(14) ack 15 win 362
        0x0000:  4500 0042 ed92 4000 4006 52c6 c0a8 3c88  E..B..@.@.R...<.
        0x0010:  c0a8 3c84 0185 e2dd d036 4442 f59f 91ad  ..<......6DB....
        0x0020:  8018 016a fa91 0000 0101 080a 2071 a9d4  ...j.........q..
        0x0030:  0a3f 90b1 300c 0201 0161 070a 0100 0400  .?..0....a......
        0x0040:  0400                                     ..
17:09:22.217659 IP 192.168.60.136.389 > 192.168.60.132.58077: P 15:258(243) ack 205 win 429
        0x0000:  4500 0127 ed93 4000 4006 51e0 c0a8 3c88  E..'..@.@.Q...<.
        0x0010:  c0a8 3c84 0185 e2dd d036 4450 f59f 926b  ..<......6DP...k
        0x0020:  8018 01ad fb76 0000 0101 080a 2071 a9d6  .....v.......q..
        0x0030:  0a3f 90b3 3081 f002 0102 6481 ea04 2075  .?..0.....d....u
        0x0040:  6964 3d74 6573 7430 382c 6f75 3d50 656f  id=test08,ou=Peo
        0x0050:  706c                                     pl
……
The output shows id=test08,ou=Peopl in the clear; with TLS this information is encrypted and is no longer visible as plaintext.
tcpdump -i eth0 -nn -X 'port 636 and src host 192.168.60.136'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:50:26.572551 IP 192.168.60.136.636 > 192.168.60.132.42959: S 1791535000:1791535000(0) ack 2424350218 win 5792
        0x0000:  4500 003c 0000 4000 4006 405f c0a8 3c88  E..<..@.@.@_..<.
        0x0010:  c0a8 3c84 027c a7cf 6ac8 a798 9080 a60a  ..<..|..j.......
        0x0020:  a012 16a0 a69a 0000 0204 05b4 0402 080a  ................
        0x0030:  2097 45ae 0a65 2c79 0103 0304            ..E..e,y....
17:50:26.590293 IP 192.168.60.136.636 > 192.168.60.132.42959: . ack 143 win 429
        0x0000:  4500 0034 e236 4000 4006 5e30 c0a8 3c88  E..4.6@.@.^0..<.
        0x0010:  c0a8 3c84 027c a7cf 6ac8 a799 9080 a698  ..<..|..j.......
        0x0020:  8010 01ad e9a2 0000 0101 080a 2097 45c1  ..............E.
        0x0030:  0a65 2c8c                                .e,.
17:50:26.590735 IP 192.168.60.136.636 > 192.168.60.132.42959: . 1:1449(1448) ack 143 win 429
        0x0000:  4500 05dc e237 4000 4006 5887 c0a8 3c88  E....7@.@.X...<.
        0x0010:  c0a8 3c84 027c a7cf 6ac8 a799 9080 a698  ..<..|..j.......
        0x0020:  8010 01ad 002c 0000 0101 080a 2097 45c1  .....,........E.
        0x0030:  0a65 2c8c 1603 0100 4a02 0000 4603 014c  .e,.....J...F..L
        0x0040:  63c3 e222 131b aea6 e2dd f2f5 f525 3eb6  c..".........%>.
        0x0050:  5270                                     Rp
17:50:26.590792 IP 192.168.60.136.636 > 192.168.60.132.42959: P 1449:1736(287) ack 143 win 429
        0x0000:  4500 0153 e238 4000 4006 5d0f c0a8 3c88  E..S.8@.@.]...<.
        0x0010:  c0a8 3c84 027c a7cf 6ac8 ad41 9080 a698  ..<..|..j..A....
        0x0020:  8018 01ad fba2 0000 0101 080a 2097 45c2  ..............E.
        0x0030:  0a65 2c8c 48a5 92de e694 da5f 4112 2a40  .e,.H......_A.*@
        0x0040:  7acf 11d7 bc85 839a 8062 89a7 401a a4b5  z........b..@...
        0x0050:  1b83                                     ..
17:50:26.592304 IP 192.168.60.136.636 > 192.168.60.132.42959: . ack 1926 win 791
        0x0000:  4500 0034 e239 4000 4006 5e2d c0a8 3c88  E..4.9@.@.^-..<.
        0x0010:  c0a8 3c84 027c a7cf 6ac8 ae60 9080 ad8f  ..<..|..j..`....
        0x0020:  8010 0317 da74 0000 0101 080a 2097 45c3  .....t........E.
        0x0030:  0a65 2c90                                .e,.
17:50:26.595519 IP 192.168.60.136.636 > 192.168.60.132.42959: P 1736:1795(59) ack 1926 win 791
        0x0000:  4500 006f e23a 4000 4006 5df1 c0a8 3c88  E..o.:@.@.]...<.
        0x0010:  c0a8 3c84 027c a7cf 6ac8 ae60 9080 ad8f  ..<..|..j..`....
        0x0020:  8018 0317 fabe 0000 0101 080a 2097 45c6  ..............E.
        0x0030:  0a65 2c90 1403 0100 0101 1603 0100 30ae  .e,...........0.
        0x0040:  bc9e dd29 8a78 843b b624 62e8 6094 efb9  ...).x.;.$b.`...
        0x0050:  ed45                                     .E
……
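The same distinction the two captures above make by eye (a BER SEQUENCE for cleartext LDAP versus a TLS record) can be made from the hex lines themselves. This is an added example, not part of the original notes: it parses tcpdump -X output with POSIX awk, assumes IPv4/TCP dumps that start at the IP header (the -X default), the names classify_capture and write_sample are my own, and the sample packets are copied from the captures in 2.4.9.3.

```shell
#!/bin/sh
# Added example, not from the original notes: label each data-bearing packet in a
# "tcpdump -nn -X" capture as cleartext LDAP (BER SEQUENCE, first byte 0x30) or a TLS
# record (0x14-0x17 followed by 0x03), the check 2.4.9.3 makes by eye. POSIX sh + awk.
classify_capture() {   # classify_capture FILE -> "<time> <src.port> <label>" per data packet
    awk '
    function hex(s,  i, v) {                  # "3c" -> 60; POSIX awk has no strtonum()
        v = 0
        for (i = 1; i <= length(s); i++) v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    function flush(  ihl, off, b0, b1, label) {
        if (n == 0) return
        ihl = (bytes[0] % 16) * 4                   # IPv4 header length: low nibble of byte 0
        off = ihl + int(bytes[ihl + 12] / 16) * 4   # + TCP data offset: high nibble of TCP byte 12
        if (off < n) {                              # a SYN/ACK-only segment has nothing to label
            b0 = bytes[off]; b1 = bytes[off + 1]
            if (b0 == 48)                               label = "CLEARTEXT-LDAP"  # 0x30 = BER SEQUENCE
            else if (b0 >= 20 && b0 <= 23 && b1 == 3)   label = (b0 == 22 ? "TLS-handshake" : "TLS-record")
            else                                        label = "unknown/continuation"
            print hdr, label
        }
        n = 0
    }
    /^[0-9][0-9]:[0-9][0-9]:/ { flush(); hdr = $1 " " $3; next }   # packet summary line
    /^[ \t]*0x[0-9a-f]+:/ {                   # hex line: strip the offset and the ASCII column
        line = $0; sub(/^[ \t]*0x[0-9a-f]+:[ \t]*/, "", line)
        if (i = index(line, "  ")) line = substr(line, 1, i - 1)
        m = split(line, w, " ")
        for (i = 1; i <= m; i++) { bytes[n++] = hex(substr(w[i], 1, 2)); if (length(w[i]) == 4) bytes[n++] = hex(substr(w[i], 3, 2)) }
    }
    END { flush() }' "$1"
}
write_sample() {       # constructed sample: one 389 packet and one 636 packet from the 2.4.9.3 captures
    cat > "$1" <<'EOF'
17:09:22.216399 IP 192.168.60.136.389 > 192.168.60.132.58077: P 1:15(14) ack 15 win 362
        0x0000:  4500 0042 ed92 4000 4006 52c6 c0a8 3c88  E..B..@.@.R...<.
        0x0010:  c0a8 3c84 0185 e2dd d036 4442 f59f 91ad  ..<......6DB....
        0x0020:  8018 016a fa91 0000 0101 080a 2071 a9d4  ...j.........q..
        0x0030:  0a3f 90b1 300c 0201 0161 070a 0100 0400  .?..0....a......
        0x0040:  0400                                     ..
17:50:26.590735 IP 192.168.60.136.636 > 192.168.60.132.42959: . 1:1449(1448) ack 143 win 429
        0x0000:  4500 05dc e237 4000 4006 5887 c0a8 3c88  E....7@.@.X...<.
        0x0010:  c0a8 3c84 027c a7cf 6ac8 a799 9080 a698  ..<..|..j.......
        0x0020:  8010 01ad 002c 0000 0101 080a 2097 45c1  .....,........E.
        0x0030:  0a65 2c8c 1603 0100 4a02 0000 4603 014c  .e,.....J...F..L
EOF
}
S=$(mktemp); write_sample "$S"; classify_capture "$S"; rm -f "$S"
```

Feed it the output of tcpdump -nn -X 'port 389 or port 636' to see which connections still carry BER in the clear.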
2.4.9.4 On logging in with client tools
For example Softerra LDAP Administrator 2010.2 (64-bit) and other web clients can all use encrypted transport without a CA-issued certificate; this relies on the server's own certificate and private key:
newcert.pem  newkey.pem
See the material on the CA and certificates for the details.
2.4.10 Importing the certificate
1) Save the CA certificate file with a .cer extension, e.g. cacert.cer
2) Double-click cacert.cer
3) Install the certificate, choosing "Trusted Root Certification Authorities"
2.4.11 Problems
1) Relationship between the CA certificate and the server certificate
Server certificate
subject=/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=mysql01.dh.cn
issuer=/C=GB/ST=Berkshire/O=My Company Ltd/CN=192.168.60.136
---
Acceptable client certificate CA names
/C=GB/ST=Berkshire/O=My Company Ltd/CN=192.168.60.136
/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=mysql01.dh.cn
If the lines marked in red appear, set the following variable in the main configuration file to allow:
TLSVerifyClient         allow
2) System version issue
On CentOS 5.2 x64 with kernel 2.6.18-92.el5, setup has a problem:

[ ] Use MD5 Passwords  is always greyed out and cannot be selected.
I did not see this on CentOS 5.5 x64 or CentOS 5.4 x32.
Because of this, when the client machine authenticates against LDAP, su - username fails, while switching user directly with su on CentOS 5.5 x64 and CentOS 5.4 x32 succeeds.