RHCA教程:rhe423-6 LDAP开启ssl/tls认证

LDAP启用SSL/TLS

一、利用RedHat-idm-console控制台生成ssl证书请求文件

[root@station2 ~]#RedHat-idm-console

1、选择Manager Certificates后点击Request，生存证书请求文件

 

 

 

2、选择Request Certificaate manually后在Requestor information输入CA中心要求相关信息

 

#红色部分为CA中心定义的必须匹配的信息，其他为ldap服务器自身信息

3、在弹出对话框中输入Token Passwd（该密码为证书保护密码）的密码RedHat，输入密码后next，选择“save to file”

 

#save to file文件即位证书请求文件dirsrv.crt（文件名自己定义）

4、将证书请求文件dirsrv.csr发送给CA中心，并由CA中心生成证书

[root@station2 ~]# scp dirsrv.csr 192.168.32.31:/root/.

[email protected]'s password:

dirsrv.csr                            100%  684     0.7KB/s   00:00

[root@server1 ~]# openssl ca -in dirsrv.csr -out dirsrv.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 7 (0x7)

Validity

Not Before: Apr 13 04:08:15 2011 GMT

Not After : Apr 12 04:08:15 2012 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = kvm,Inc.

organizationalUnitName    = example.com

commonName                = station2.example.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

F4:7A:1D:90:90:F2:AD:AF:F1:97:44:1B:23:C7:39:D0:B3:82:F5:D9

X509v3 Authority Key Identifier:

keyid:82:06:F6:4D:45:71:D8:0C:EC:14:DD:44:2C:CB:78:24:5E:9D:D0:C5

Certificate is to be certified until Apr 12 04:08:15 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

#CA中心生成证书

[root@server1 ~]# scp dirsrv.crt 192.168.32.32:/root/.

[email protected]'s password:

dirsrv.crt                              100% 3765     3.7KB/s   00:00

[root@server1 ~]# scp /etc/pki/CA/my-ca.crt dirsrv.crt 192.168.32.32:/root/.

[email protected]'s password:

my-ca.crt                              100% 1533     1.5KB/s   00:00

#将证书和CA公钥发送给ldap服务器

二、ldap服务器利用RedHat-idm-console控制台导入公钥和ca中心公钥，并开启ssl/tls认证

1、导入公钥：选择install，在in this local file对话框中输入ldap服务器公钥

 

#CA中心公钥导入同上

2、开启ssl/tls认证

 

3、编辑证书保护密码存放文件，并重启ldap服务器

[root@station2 ~]# vi /etc/dirsrv/slapd-station2/pin.txt

Internal (Software) Token:RedHat

#RedHat为证书保护密码

[root@station2 ~]# service dirsrv restart

Shutting down dirsrv:

station2...                                            [确定]

Starting dirsrv:

station2...                                            [确定]

#如果证书生成过程中有任何错误，均不能启动dirsrv服务。

[root@station2 ~]# netstat -tunpl|grep 636

tcp        0      0 :::636            :::*        LISTEN   10753/ns-slapd

#636端口开启表示ldap已经开启ssl/tls认证

三、客户端开启ssl/tls认证

[root@station2 ~]# vi /etc/openldap/ldap.conf

TLS_CACERT /etc/pki/tls/certs/my-ca.crt

[root@station2 ~]# ldapsearch -x "uid=zhangsan123" -ZZ -LLL

dn: uid=zhangsan123,ou=People,dc=station2,dc=example,dc=com

cn: zhangsam 123

sn: zhang

givenName: Emanuel

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

ou: Product Testing

ou: People

l: Santa Clara

uid: zhangsan123

telephoneNumber: +1 408 555 0933

facsimileTelephoneNumber: +1 408 555 9752

roomNumber: 3906

manager: uid=jwalker, ou=People, dc=station2,dc=example,dc=com

userPassword:: e1NTSEF9ZGcvQWpjUmhyOHAyd05tNU5Kbmo5bTFwMkJoN1VqcWltSHI1TXc9PQ=

=

#如果密码指定ca中心公钥，将无法利用-ZZ查询。客户端在从ldap服务器中获取数据时，会提示下载并导入ldap服务器的公钥。

 

  

原文来自：http://www.linuxidc.com/Linux/2011-04/34564.htm