Configuring TLS/SSL for the LDAP server and client, and HTTPS for phpldapadmin

Configuring TLS/SSL for the LDAP server and client

ldap listens on 389/tcp (plaintext, optionally upgraded with StartTLS)
ldaps listens on 636/tcp (TLS from the first byte)

Create the CA certificate
yum -y install openssl
cd /etc/pki/CA
ls private/
(umask 077; openssl genrsa -out private/cakey.pem 2048)
(the CA key must exist before the next step; generate it as above if private/ is empty)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -subj "/C=CN/ST=BeiJing/L=BeiJing/O=bjums.cn/OU=edu/CN=ca.bjums.cn"
(this creates a ten-year self-signed CA certificate; if you stop before -subj, openssl prompts for the subject fields interactively. Use straight ASCII quotes: the curly quotes some editors insert are passed to openssl as part of the subject)

touch index.txt
(create the empty certificate database. If issuing the https certificate later fails with "TXT_DB error number 2", the usual cause is that the CA refuses a second certificate with the same subject as an earlier one; recreating index.txt works but wipes the CA's record of issued certificates, while `echo "unique_subject = no" > index.txt.attr` is the cleaner fix)
echo "01" > serial

Create the certificate request on the LDAP server

cd /etc/openldap/certs/

(umask 077; openssl genrsa -out openldapkey135.pem 2048)
openssl req -new -key openldapkey135.pem -out openldap135.csr -days 3650 -subj "/C=CN/ST=BeiJing/L=BeiJing/O=bjums.cn/OU=edu/CN=192.168.153.135"
(-days is ignored on a plain CSR; the validity is set when the CA signs. Note that the CN is an IP address and the request carries no subjectAltName: clients that match the server name against the SAN, which current TLS libraries do, will reject this certificate unless the CA adds IP:192.168.153.135 as a SAN when signing)

The CA signs the certificate
cd /etc/pki/CA/
openssl ca -in /etc/openldap/certs/openldap135.csr -out certs/openldapcert135.pem -days 3650
(the transcript below shows a 365-day validity, so that run evidently used the default_days from openssl.cnf rather than -days 3650; check the "Not After" line, because a one-year server certificate needs renewing before slapd starts refusing connections)

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 11 06:46:13 2020 GMT
Not After : Mar 11 06:46:13 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = bjums.cn
organizationalUnitName = edu
commonName = 192.168.153.135
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F3:EA:10:DD:6E:65:61:5D:0E:AB:EB:08:4B:CC:47:19:30:3E:79:17
X509v3 Authority Key Identifier:
keyid:72:B0:84:54:5E:8B:40:5F:FF:90:67:33:F9:9D:6C:4A:D2:8A:FA:57

Certificate is to be certified until Mar 11 06:46:13 2021 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@ldap CA]# ls
cacert.pem crl index.txt.attr newcerts serial
certs index.txt index.txt.old private serial.old

Configure OpenLDAP

[root@ldap CA]# cp certs/openldapcert135.pem cacert.pem /etc/openldap/certs/

[root@ldap CA]# chown -R ldap:ldap /etc/openldap/certs
[root@ldap CA]# chmod -R 0400 /etc/openldap/certs/openldap*
[root@ldap CA]# chmod -R 0400 /etc/openldap/certs/cacert.pem
Never chmod the certs directory itself to 0400: a directory needs the execute bit (0700 owned by ldap:ldap is enough) or slapd cannot open anything inside it. slapd runs as the ldap user, so the private key must be readable by that user and by nobody else, which is what the two chmod lines achieve.

[root@ldap openldap]# vim /etc/openldap/slapd.ldif
Add the TLS attributes to the `dn: cn=config` entry, and do not leave a blank line between them and the rest of that entry: in LDIF a blank line ends the entry, so slapadd would treat the attributes as a separate, invalid record. Watch the attribute names too: olcTLSCACertificatePath is a different attribute that expects a directory of hashed CA certificates, not a file, and a mistyped name such as olcTLSCVerifyClient is an unknown attribute that makes slapadd fail.

# TLS settings
olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapcert135.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey135.pem
olcTLSVerifyClient: never

olcTLSVerifyClient controls whether slapd asks connecting clients for a certificate: never (the default) does not request one, allow requests one but ignores a missing or bad certificate, try requests one and rejects a bad certificate but tolerates none, and demand (alias hard) requires a valid client certificate. Server-side TLS, which is all this setup needs, works with never.

This script re-initializes the OpenLDAP configuration database from slapd.ldif
[root@ldap openldap]# cat init_config.sh
#!/bin/bash
# Rebuild cn=config from slapd.ldif. This discards anything changed with
# ldapmodify against cn=config, so keep slapd.ldif as the single source of truth.
set -e   # stop before restarting slapd if slapadd rejects the LDIF
rm -rf /etc/openldap/slapd.d/*
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd

Add ldaps to the daemon's listener URLs (this is the server's service configuration, not a client file)
[root@ldap openldap]# vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

Restart the daemon
[root@ldap openldap]# systemctl daemon-reload
(daemon-reload only re-reads unit files; the SLAPD_URLS change takes effect when slapd is restarted, which the script does)

./init_config.sh    (runs the script above, which restarts slapd)

Test from a client such as LDAP Admin, over SSL on 636 or StartTLS on 389, to confirm the listener works. On the server itself, `ss -tlnp | grep slapd` should now show both 389 and 636.

Configure TLS on the client side. /etc/openldap/ldap.conf decides whether the client library verifies the server's certificate; it has nothing to do with who may query what (those are slapd ACLs). TLS_REQCERT takes never, allow, try or demand (the default): with allow, a missing or unverifiable server certificate is accepted and the session continues, so anyone on the path can present any certificate. Use allow only to get the first connection working:
vim /etc/openldap/ldap.conf
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/certs

then switch to demand with the CA file once the connection works:
TLS_REQCERT demand
TLS_CACERT /etc/openldap/certs/cacert.pem
(whether TLS_CACERTDIR finds a loose cacert.pem depends on how libldap was built: OpenSSL builds expect hashed symlinks in that directory, the NSS build on CentOS 7 expects an NSS database; a PEM file is reliably found with TLS_CACERT)

Command-line query test
ldapsearch -x -LLL -H ldaps:/// -b dc=bjums,dc=cn dn
(-LLL needs its dash; ldaps:/// with no host connects to localhost on 636. To test name matching the way a remote client will, connect to the address in the certificate: -H ldaps://192.168.153.135)
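The mistakes in this section are quiet ones: a mistyped olcTLS* attribute or a blank line inside the cn=config entry makes slapadd reject the TLS settings, and TLS_REQCERT allow lets ldapsearch succeed without ever checking who it is talking to. The checker below is an added example, not part of the original post or of OpenLDAP: it scans a slapd.ldif fragment and a client ldap.conf for exactly those problems. The attribute list is the olcTLS* set from slapd-config(5); the two sample configuration pairs (the weak one uses this page's values, the fixed one the corrected settings) are constructed inline.

```shell
#!/bin/sh
# Added example, not the blog's own commands: audit the TLS-related lines of a
# slapd.ldif and an /etc/openldap/ldap.conf for the mistakes discussed above.
# The sample files are constructed below; paths are parameters to the functions.
set -eu
TMP=$(mktemp -d)

# olcTLS* attributes documented in slapd-config(5), lower-cased for comparison
KNOWN="olctlscacertificatefile olctlscacertificatepath olctlscertificatefile \
olctlscertificatekeyfile olctlsverifyclient olctlsciphersuite olctlsprotocolmin \
olctlsdhparamfile olctlscrlcheck olctlscrlfile olctlsrandfile"

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
note() { echo "  - $1" >&2; }

# Prints the number of findings for a slapd.ldif fragment on stdout.
audit_slapd_ldif() {
    f=$1; n=0
    # LDAP attribute names are case-insensitive, so compare lower-cased; a typo
    # such as OLcTLSCVerifyClient is still an unknown attribute to slapadd.
    for attr in $(grep -i '^olcTLS[A-Za-z]*:' "$f" | cut -d: -f1); do
        case " $KNOWN " in
            *" $(lc "$attr") "*) ;;
            *) note "unknown attribute $attr (slapadd will reject it)"; n=$((n + 1)) ;;
        esac
    done
    for a in olcTLSCertificateFile olcTLSCertificateKeyFile; do
        grep -qi "^$a:" "$f" || { note "missing $a"; n=$((n + 1)); }
    done
    # olcTLSCACertificatePath is a directory of hashed CA certs, not a PEM file
    capath=$(grep -i '^olcTLSCACertificatePath:' "$f" | cut -d: -f2- | tr -d ' ' | head -1)
    case "$capath" in
        *.pem|*.crt) note "olcTLSCACertificatePath $capath is a file; use olcTLSCACertificateFile"; n=$((n + 1)) ;;
    esac
    grep -qiE '^olcTLSCACertificate(File|Path):' "$f" || { note "no CA certificate configured"; n=$((n + 1)); }
    # A blank line ends an LDIF entry, so one between the olcTLS* lines splits
    # them off cn=config and slapadd loads them as a separate, invalid entry.
    blanks=$(awk 'tolower($0) ~ /^olctls/ { if (!first) first = NR; last = NR }
                  /^$/ { blank[NR] = 1 }
                  END { c = 0; for (i = first; i < last; i++) if (blank[i]) c++; print c }' "$f")
    [ "$blanks" -eq 0 ] || { note "$blanks blank line(s) inside the TLS attribute block"; n=$((n + 1)); }
    echo "$n"
}

# Prints the number of findings for a client ldap.conf on stdout.
audit_ldap_conf() {
    f=$1; n=0
    # libldap defaults to demand when TLS_REQCERT is absent; never/allow/try all
    # let a session proceed without a verified server certificate.
    reqcert=$(awk 'tolower($1) == "tls_reqcert" { v = tolower($2) } END { print (v == "" ? "demand" : v) }' "$f")
    case "$reqcert" in
        demand|hard) ;;
        *) note "TLS_REQCERT $reqcert: server certificate not enforced, use demand"; n=$((n + 1)) ;;
    esac
    grep -qiE '^TLS_CACERT(DIR)?[[:space:]]' "$f" || { note "no TLS_CACERT/TLS_CACERTDIR, so demand has nothing to verify against"; n=$((n + 1)); }
    echo "$n"
}

# Constructed samples: the weak pair mirrors this page's settings, the fixed pair the corrections.
cat > "$TMP/weak.ldif" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificatePath: /etc/openldap/certs.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapcert135.pem

olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey135.pem
OLcTLSCVerifyClient: never
EOF
cat > "$TMP/fixed.ldif" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapcert135.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey135.pem
olcTLSVerifyClient: never
EOF
printf 'TLS_REQCERT allow\nTLS_CACERTDIR /etc/openldap/certs\n' > "$TMP/weak.conf"
printf 'TLS_REQCERT demand\nTLS_CACERT /etc/openldap/certs/cacert.pem\n' > "$TMP/fixed.conf"

for s in weak fixed; do
    echo "$s.ldif: $(audit_slapd_ldif "$TMP/$s.ldif") finding(s)"
    echo "$s.conf: $(audit_ldap_conf "$TMP/$s.conf") finding(s)"
done
```

Run it against the real files with `audit_slapd_ldif /etc/openldap/slapd.ldif` and `audit_ldap_conf /etc/openldap/ldap.conf` before running init_config.sh; the weak pair above reports three findings for the LDIF and one for ldap.conf, the fixed pair none.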

Configuring HTTPS for phpldapadmin

mkdir /etc/httpd/certs
cd /etc/httpd/certs

(umask 077; openssl genrsa -out openldapadmin.key 2048)

[root@ldap certs]# openssl req -new -key openldapadmin.key -out openldapadmin.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=bjums.cn/OU=edu/CN=192.168.153.135"

[root@ldap certs]# ll
total 8
-rw-r--r--. 1 root root 1009 Mar 11 16:52 openldapadmin.csr
-rw-------. 1 root root 1679 Mar 11 16:49 openldapadmin.key

openssl ca -in openldapadmin.csr -out /etc/pki/CA/certs/openldapadmin.crt -days 3650
(this CSR has the same subject as the LDAP server's, so with the CA's default unique_subject = yes the signing fails with "TXT_DB error number 2"; put `unique_subject = no` in /etc/pki/CA/index.txt.attr before signing, or give the two certificates different CNs)

cp /etc/pki/CA/certs/openldapadmin.crt ./
chmod 0400 /etc/httpd/certs/*
(leave the files owned by root: httpd reads the certificate and key as root at startup, before forking its workers as the apache user, so handing ownership to apache only exposes the private key to whatever runs inside the web server)

After pointing mod_ssl at the two files (SSLCertificateFile /etc/httpd/certs/openldapadmin.crt and SSLCertificateKeyFile /etc/httpd/certs/openldapadmin.key in /etc/httpd/conf.d/ssl.conf) and restarting httpd, ss -tlnp shows httpd listening on 443:
tcp LISTEN 0 128 :::443 :::* users:(("httpd",pid=28402,fd=6),("httpd",pid=28401,fd=6),("httpd",pid=28400,fd=6))

Check the chain the way a browser will: `openssl s_client -connect 192.168.153.135:443 -CAfile /etc/pki/CA/cacert.pem </dev/null` should end with "Verify return code: 0 (ok)". Browsers additionally require the address to appear in the certificate's subjectAltName, so a certificate with only CN=192.168.153.135 will still be flagged as untrusted until it is reissued with IP:192.168.153.135 as a SAN.
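Both certificates on this page are issued with nothing but CN=192.168.153.135, and the second issuance trips over the CA's unique_subject default, which is why the CA section above suggests recreating index.txt. The script below is an added example, not the original post's commands: it builds a throwaway CA in a temporary directory with the same layout as /etc/pki/CA, sets unique_subject = no, issues both the slapd and the httpd certificate with a subjectAltName carrying the IP and a hostname, and verifies each against the CA. ldap.bjums.cn is an assumed hostname; the other subject values are the ones used on this page.

```shell
#!/bin/sh
# Added example, not the blog's own commands: a throwaway CA that issues the
# LDAP and phpldapadmin server certificates with Subject Alternative Names.
# Works in a temp dir instead of /etc/pki/CA; ldap.bjums.cn is an assumed name.
set -eu
CA_DIR=$(mktemp -d)

make_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/newcerts"
    touch "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    # Default is unique_subject = yes, which makes the second CSR with
    # CN=192.168.153.135 fail with "TXT_DB error number 2".
    echo "unique_subject = no" > "$CA_DIR/index.txt.attr"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 3650
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$CA_DIR/ca.cnf" -extensions v3_ca \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=bjums.cn/OU=edu/CN=ca.bjums.cn"
}

# issue_server_cert NAME CN "IP:a.b.c.d,DNS:host"
issue_server_cert() {
    name=$1; cn=$2; san=$3
    (umask 077; openssl genrsa -out "$CA_DIR/$name.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$CA_DIR/ca.cnf" -key "$CA_DIR/$name.key" \
        -out "$CA_DIR/$name.csr" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=bjums.cn/OU=edu/CN=$cn"
    # Extensions are fixed on the CA side rather than copied from the CSR, so a
    # requester cannot ask for CA:TRUE or extra names; SAN is what clients match.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nauthorityKeyIdentifier = keyid\nsubjectAltName = %s\n' "$san" > "$CA_DIR/$name.ext"
    openssl ca -batch -notext -config "$CA_DIR/ca.cnf" -days 3650 -extfile "$CA_DIR/$name.ext" \
        -in "$CA_DIR/$name.csr" -out "$CA_DIR/$name.crt"
}

verify_chain() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null; }
cert_has_san() { openssl x509 -in "$CA_DIR/$1.crt" -noout -text | grep -q "$2"; }

make_ca
issue_server_cert openldap135   192.168.153.135 "IP:192.168.153.135,DNS:ldap.bjums.cn"
issue_server_cert openldapadmin 192.168.153.135 "IP:192.168.153.135,DNS:ldap.bjums.cn"
for c in openldap135 openldapadmin; do
    verify_chain "$c" && echo "$c.crt: chain OK, $(openssl x509 -in "$CA_DIR/$c.crt" -noout -enddate)"
done
```

On the real CA, the equivalent is an -extfile with the subjectAltName line passed to `openssl ca`, after which `openssl x509 -in certs/openldapcert135.pem -noout -text` should list the IP under "X509v3 Subject Alternative Name" and ldapsearch with TLS_REQCERT demand against ldaps://192.168.153.135 succeeds.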
