Enabling SSL/TLS for LDAP
I. Generating the SSL certificate request file with the redhat-idm-console console
[root@station2 ~]#redhat-idm-console
1. Select Manage Certificates, then click Request to generate the certificate request file.
2. Select Request Certificate manually, then fill in the information required by the CA under Requestor information.
# The fields shown in red are the values the CA requires to match; the remaining fields describe the LDAP server itself.
3. In the dialog that pops up, enter the Token Password (the password protecting the certificate database), here redhat. After entering it, click Next and choose "Save to file".
# The file written by "Save to file" is the certificate request file dirsrv.csr (the file name is your choice).
4. Send the request file dirsrv.csr to the CA, which issues the certificate.
[root@station2 ~]# scp dirsrv.csr 192.168.32.31:/root/.
root@192.168.32.31's password:
dirsrv.csr 100% 684 0.7KB/s 00:00
[root@server1 ~]# openssl ca -in dirsrv.csr -out dirsrv.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 7 (0x7)
Validity
Not Before: Apr 13 04:08:15 2011 GMT
Not After : Apr 12 04:08:15 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = kvm,Inc.
organizationalUnitName = example.com
commonName = station2.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F4:7A:1D:90:90:F2:AD:AF:F1:97:44:1B:23:C7:39:D0:B3:82:F5:D9
X509v3 Authority Key Identifier:
keyid:82:06:F6:4D:45:71:D8:0C:EC:14:DD:44:2C:CB:78:24:5E:9D:D0:C5
Certificate is to be certified until Apr 12 04:08:15 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# The CA issues the certificate
[root@server1 ~]# scp dirsrv.crt 192.168.32.32:/root/.
root@192.168.32.32's password:
dirsrv.crt 100% 3765 3.7KB/s 00:00
[root@server1 ~]# scp /etc/pki/CA/my-ca.crt dirsrv.crt 192.168.32.32:/root/.
root@192.168.32.32's password:
my-ca.crt 100% 1533 1.5KB/s 00:00
# Send the server certificate and the CA certificate to the LDAP server
II. Importing the server certificate and the CA certificate into the LDAP server with the redhat-idm-console console, and enabling SSL/TLS
1. Import the server certificate: choose Install and, in the "In this local file" dialog, enter the path to the LDAP server certificate.
# Import the CA certificate the same way.
2. Enable SSL/TLS.
3. Create the file holding the certificate database password, then restart the LDAP server.
[root@station2 ~]# vi /etc/dirsrv/slapd-station2/pin.txt
Internal (Software) Token:redhat
# redhat is the certificate database password
[root@station2 ~]# service dirsrv restart
Shutting down dirsrv:
station2... [确定]
Starting dirsrv:
station2... [确定]
# If anything went wrong while generating the certificate, the dirsrv service will not start.
[root@station2 ~]# netstat -tunpl|grep 636
tcp 0 0 :::636 :::* LISTEN 10753/ns-slapd
# Port 636 listening shows that LDAP SSL/TLS is enabled
III. Enabling SSL/TLS on the client
[root@station2 ~]# vi /etc/openldap/ldap.conf
TLS_CACERT /etc/pki/tls/certs/my-ca.crt
[root@station2 ~]# ldapsearch -x "uid=zhangsan123" -ZZ -LLL
dn: uid=zhangsan123,ou=People,dc=station2,dc=example,dc=com
cn: zhangsam 123
sn: zhang
givenName: Emanuel
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Product Testing
ou: People
l: Santa Clara
uid: zhangsan123
telephoneNumber: +1 408 555 0933
facsimileTelephoneNumber: +1 408 555 9752
roomNumber: 3906
manager: uid=jwalker, ou=People, dc=station2,dc=example,dc=com
userPassword:: e1NTSEF9ZGcvQWpjUmhyOHAyd05tNU5Kbmo5bTFwMkJoN1VqcWltSHI1TXc9PQ==
# If no CA certificate is specified, queries with -ZZ fail: when the client fetches data from the LDAP server, it prompts you to download and import the LDAP server's certificate.
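The two conditions the client-side TLS_CACERT setting and `ldapsearch -ZZ` depend on are that the server certificate chains to the CA certificate and that its CN equals the hostname the client connects to. The script below is an added example, not part of the original article: it builds a throw-away CA and a certificate for station2.example.com (constructed data, the hostname taken from the page; the signing step uses `openssl x509 -req` instead of the `openssl ca` flow shown above) and runs both checks offline, plus a helper that renders the ldap.conf lines.

```shell
#!/bin/sh
# Added example (not from the original page): local PKI plus the two checks a
# client's TLS_CACERT / ldapsearch -ZZ configuration relies on.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a test CA and a server certificate for the given hostname. Constructed
# data only; stands in for the CA-signed dirsrv.crt from section I.
make_test_pki() {   # $1 = server hostname (CN)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout "$WORK/my-ca.key" -out "$WORK/my-ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/dirsrv.key" -out "$WORK/dirsrv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/dirsrv.csr" -CA "$WORK/my-ca.crt" \
    -CAkey "$WORK/my-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/dirsrv.crt" 2>/dev/null
}

# Check 1: the server certificate chains to the CA file the client lists in
# TLS_CACERT. Exit status 0 when "openssl verify" accepts the chain.
chains_to_ca() {    # $1 = CA cert, $2 = server cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the certificate CN equals the hostname the client connects to.
# A mismatch makes ldapsearch -ZZ fail even when the chain is valid.
cn_matches_host() { # $1 = server cert, $2 = expected hostname
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

# Render the client /etc/openldap/ldap.conf lines: TLS_CACERT from the page,
# plus TLS_REQCERT demand (OpenLDAP's default, stated explicitly).
client_ldap_conf() { # $1 = CA cert path as seen by the client
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

make_test_pki station2.example.com
```

Against the live server from section II, the same chain check is `openssl s_client -connect station2.example.com:636 -CAfile /etc/pki/tls/certs/my-ca.crt`, which should end with `Verify return code: 0 (ok)`.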