OpenLDAP encrypted transport configuration (CA server and OpenLDAP server on separate hosts)
- Environment preparation
- Building the CA certificate server
- Integrating the OpenLDAP server with the CA
- OpenLDAP client configuration
- Client testing and verification
- Troubleshooting
1. Environment preparation
- Server plan

Host | OS version | IP address | Hostname | Time sync | Firewall | SELinux
---|---|---|---|---|---|---
LDAP server | CentOS 6.9 minimal install | 192.168.244.17 | mldap01.gdy.com | required | disabled | disabled
LDAP client | CentOS 6.9 minimal install | 192.168.244.18 | test01.gdy.com | required | disabled | disabled
CA certificate server | CentOS 6.9 minimal install | 192.168.244.23 | mldap01.gdy.com | required | disabled | disabled

- The environment for this article is the minimal setup built in "02 - OpenLDAP server installation and configuration"; the user data comes from step 10 of that article.
2. Building the CA certificate server
- Install the OpenSSL package:

```
[root@ca ~]# rpm -qa | grep openssl
openssl-1.0.1e-57.el6.x86_64
```
- The CA generates its own private key:

```
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................................+++
......................+++
e is 65537 (0x10001)
```
- The CA signs its own public key (a self-signed root certificate):

```
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:GDY
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.gdy.com
Email Address []:ca@gdy.com
```

The fields mean the following:
- Country Name (2 letter code): two-letter country code
- State or Province Name (full name) []: province or state
- Locality Name (eg, city) [Default City]: city or region
- Organization Name (eg, company) [Default Company Ltd]: company name
- Organizational Unit Name (eg, section) []: department name, e.g. Tech
- Common Name (eg, your name or your server's hostname) []: common name, e.g. the OpenLDAP server's domain name or IP address
- Email Address []: e-mail address
- Create the database file and the certificate serial file:

```
[root@ca CA]# ls -lh
total 20K
-rw-r--r-- 1 root root 1.4K Jun 1 17:04 cacert.pem
drwxr-xr-x. 2 root root 4.0K Mar 23 2017 certs
drwxr-xr-x. 2 root root 4.0K Mar 23 2017 crl
drwxr-xr-x. 2 root root 4.0K Mar 23 2017 newcerts
drwx------. 2 root root 4.0K Jun 1 17:01 private
[root@ca CA]# touch serial index.txt
[root@ca CA]# echo "01" > serial
```

The files and directories are used as follows:
- cacert.pem: the CA's own certificate (the name can be changed to suit your needs)
- certs: directory for client certificates
- crl: directory for client certificates revoked by the CA
- newcerts: directory for newly generated certificates
- index.txt: holds the client certificate records
- serial: client certificate serial number (the starting number can be chosen freely), used to identify client certificates
- private: directory holding the CA's own private key
- Display the root certificate with openssl:

```
[root@ca CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14795263444614255073 (0xcd5355b6d68e11e1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
        Validity
            Not Before: Jun  5 07:06:49 2018 GMT
            Not After : May 12 07:06:49 2118 GMT
        Subject: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (modulus omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
            X509v3 Authority Key Identifier:
                keyid:FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        (signature omitted)
```

The self-built CA is now complete.
3. Integrating the OpenLDAP server with the CA
- Generate a private key on the OpenLDAP server:

```
[root@mldap01 ~]# mkdir -pv /etc/openldap/ssl
mkdir: created directory `/etc/openldap/ssl'
[root@mldap01 ~]# cd /etc/openldap/ssl
[root@mldap01 ssl]# (umask 077; openssl genrsa -out ldapkey.pem 1024)
Generating RSA private key, 1024 bit long modulus
............................++++++
...++++++
e is 65537 (0x10001)
[root@mldap01 ssl]# ls -lh
total 4.0K
-rw------- 1 root root 887 Jun 5 15:26 ldapkey.pem
```
- The OpenLDAP server creates a certificate signing request (CSR) for the CA:

```
[root@mldap01 ssl]# openssl req -new -key ldapkey.pem -out ldap.csr -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:GDY
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:mldap01.gdy.com
Email Address []:mldap@gdy.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
- The CA server verifies and signs the certificate

If the CA server and the OpenLDAP server are not the same machine, the ldap.csr file generated above has to be uploaded to the CA server for signing. First, upload ldap.csr from the OpenLDAP server to the CA server:

```
[root@mldap01 ssl]# scp ldap.csr root@ca:/root/
The authenticity of host 'ca (192.168.244.23)' can't be established.
RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ca,192.168.244.23' (RSA) to the list of known hosts.
root@ca's password:
ldap.csr                                      100%  696     0.7KB/s   00:00
```

Then sign it on the CA server:

```
[root@ca ~]# openssl ca -in ldap.csr -out ldapcert.pem -days 36500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  5 10:00:26 2018 GMT
            Not After : May 12 10:00:26 2118 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = GDY
            organizationalUnitName    = Tech
            commonName                = mldap01.gdy.com
            emailAddress              = mldap@gdy.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                26:1C:25:DA:AD:A0:E3:72:43:CD:AC:7F:77:9E:37:BD:1B:EF:1A:FE
            X509v3 Authority Key Identifier:
                keyid:CB:DE:C2:81:45:FE:B3:10:02:95:DA:49:16:F6:FA:03:13:F6:3E:2E

Certificate is to be certified until May 12 10:00:26 2118 GMT (36500 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Then send the generated ldapcert.pem and the CA public certificate to the /etc/openldap/ssl directory on the OpenLDAP server:

```
[root@ca ~]# scp ldapcert.pem /etc/pki/CA/cacert.pem root@192.168.244.17:/etc/openldap/ssl/
The authenticity of host '192.168.244.17 (192.168.244.17)' can't be established.
RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.244.17' (RSA) to the list of known hosts.
root@192.168.244.17's password:
ldapcert.pem                                  100% 3828     3.7KB/s   00:00
cacert.pem                                    100% 1391     1.4KB/s   00:00
```
- Deploying OpenLDAP TLS/SASL

Fix the certificate permissions:

```
[root@mldap01 ssl]# chown ldap.ldap -R /etc/openldap
[root@mldap01 ssl]# chmod -R 0400 /etc/openldap/ssl/*
```

Edit the OpenLDAP configuration file and add the certificate files:

```
[root@mldap01 ~]# vim /etc/openldap/slapd.conf
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never
```

TLSVerifyClient sets whether the client's identity is verified. It accepts the following values:
- never: when answering client requests the server does not verify the client's identity; it only has to present the CA public certificate.
- allow: the server asks the client to prove its identity, but if the client has no certificate or the certificate is invalid, the session still continues.
- try: the client presents a certificate; if the certificate is bad, the connection is terminated; if no certificate is presented, the session continues.
- demand: the server must verify the client certificate, so the client needs to obtain a certificate from the CA.
Enable the SSL (ldaps) listener in /etc/sysconfig/ldap:

```
[root@mldap01 ~]# vim /etc/sysconfig/ldap
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=

# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=yes

# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=yes

# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
```

Delete and regenerate the default configuration database (slapd.d):

```
[root@mldap01 ~]# rm -rf /etc/openldap/slapd.d/*
[root@mldap01 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@mldap01 ~]# chown ldap.ldap -R /etc/openldap/
[root@mldap01 ~]# /etc/init.d/slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
```
- Verify the OpenLDAP server certificate against the CA public certificate:

```
[root@mldap01 ~]# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem
/etc/openldap/ssl/ldapcert.pem: OK
```
- Confirm that the listening socket passes CA verification:

```
[root@mldap01 ssl]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = CN, ST = Shanghai, L = Shanghai, O = GDY, OU = Tech, CN = ca.gdy.com, emailAddress = ca@gdy.com
verify return:1
depth=0 C = CN, ST = Shanghai, O = GDY, OU = Tech, CN = mldap01.gdy.com, emailAddress = mldap@gdy.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=CN/ST=Shanghai/O=GDY/OU=Tech/CN=mldap01.gdy.com/emailAddress=mldap@gdy.com
   i:/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=ca.gdy.com/emailAddress=ca@gdy.com
-----BEGIN CERTIFICATE-----
(certificate body omitted)
```
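As an added example (not the article's own commands), the script below re-runs the CA build, CSR signing and `openssl verify` steps of sections 2 and 3 without any prompts, entirely inside a temporary directory. It assumes `openssl` is on the PATH; it deviates from the article by using 2048-bit keys, SHA-256, a subjectAltName and `openssl x509 -req` instead of `openssl ca` (so no index.txt/serial files are needed), and it also shows that the same certificate is rejected when checked against an unrelated CA.

```shell
#!/bin/sh
# Added example: CA -> server CSR -> signing -> verification, run without
# prompts. Everything lives under a temp dir; /etc/pki/CA is never touched.
# Assumes openssl on PATH. Subject names are taken from the article.
set -eu
WORK=$(mktemp -d)
CN_CA="ca.gdy.com"
CN_LDAP="mldap01.gdy.com"

# Section 2: CA private key and self-signed root certificate (SHA-256 and
# 2048-bit RSA, instead of the SHA-1 default seen in the article's output).
build_ca() {
  (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -sha256 -days 3650 -key "$WORK/cakey.pem" \
    -subj "/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=$CN_CA" \
    -out "$WORK/cacert.pem"
}
# Section 3: server key, CSR, and a certificate signed by the CA above.
issue_ldap_cert() {
  (umask 077; openssl genrsa -out "$WORK/ldapkey.pem" 2048 2>/dev/null)
  openssl req -new -key "$WORK/ldapkey.pem" \
    -subj "/C=CN/ST=Shanghai/O=GDY/OU=Tech/CN=$CN_LDAP" \
    -out "$WORK/ldap.csr"
  # Extensions the article's certificate lacks: CA:FALSE and a DNS SAN,
  # which clients match against the ldaps:// hostname.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CN_LDAP" \
    > "$WORK/ldap.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/ldap.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/ldap.ext" -out "$WORK/ldapcert.pem" 2>/dev/null
}
# A second, unrelated CA, used only to show that verification rejects a
# certificate chained to the wrong root (what TLS_REQCERT demand relies on).
build_other_ca() {
  openssl req -new -x509 -sha256 -days 3650 -newkey rsa:2048 -nodes \
    -keyout "$WORK/otherkey.pem" -subj "/CN=other-ca.example" \
    -out "$WORK/othercacert.pem" 2>/dev/null
}
# Same check as the article's "openssl verify -CAfile" step; 0 = chain OK.
verify_with() { openssl verify -CAfile "$1" "$WORK/ldapcert.pem" >/dev/null 2>&1; }
# Subject CN of the signed certificate (handles old and new openssl formats).
cert_cn() {
  openssl x509 -noout -subject -in "$WORK/ldapcert.pem" |
    sed 's/.*CN *= *//; s/[,/].*//'
}

build_ca
issue_ldap_cert
build_other_ca
verify_with "$WORK/cacert.pem"      && echo "signed by our CA: OK"
verify_with "$WORK/othercacert.pem" || echo "wrong CA: rejected, as expected"
```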
4. OpenLDAP client configuration
- Send the CA public certificate to the client:

```
[root@mldap01 ssl]# scp cacert.pem root@192.168.244.18:/etc/openldap/ssl/
```

- Configure /etc/openldap/ldap.conf:

```
[root@test01 ~]# grep -Ev "^$|^#" /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/ssl
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT never
BASE dc=gdy,dc=com
URI ldaps://mldap01.gdy.com
```

TLS_REQCERT [never | allow | try | demand | hard] sets whether the server certificate is checked during the TLS session:
- never: no certificate is checked at all.
- allow: the server certificate is checked; if there is no certificate or it is bad, the connection is still allowed.
- try: the server certificate is checked; if there is no certificate the connection is allowed, if the certificate is bad the connection is terminated.
- demand | hard: the server certificate is checked; a missing or bad certificate terminates the connection immediately.
- Configure /etc/nslcd.conf:

```
[root@test01 ~]# grep -Ev "^$|^#" /etc/nslcd.conf
uid nslcd
gid ldap
uri ldaps://mldap01.gdy.com
base dc=gdy,dc=com
ssl on
tls_cacertdir /etc/openldap/ssl
tls_cacertfile /etc/openldap/ssl/cacert.pem
tls_reqcert never
```

- Configure /etc/pam_ldap.conf:

```
[root@test01 ~]# grep -Ev "^$|^#" /etc/pam_ldap.conf
host 127.0.0.1
base dc=gdy,dc=com
uri ldaps://mldap01.gdy.com
ssl on
tls_cacertdir /etc/openldap/ssl
tls_cacertfile /etc/openldap/ssl/cacert.pem
tls_reqcert never
bind_policy soft
```
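As an added check that is not part of the article: all three client files above set TLS_REQCERT / tls_reqcert to never, so the client never requests or checks the server certificate and the cacert.pem copied to the client is not consulted. The script below writes constructed copies of those files (plus a hardened ldap.conf using demand) to a temporary directory and reports which ones actually verify the server; it assumes only a POSIX sh with awk.

```shell
#!/bin/sh
# Added example (not from the article): audit the client-side TLS_REQCERT /
# tls_reqcert setting. "never" means any server certificate is accepted and
# the copied CA certificate is never used; anything weaker than demand/hard
# is flagged. Inputs are constructed copies of the article's files.
set -eu
DIR=$(mktemp -d)
# The article's ldap.conf as shown (weak) ...
cat > "$DIR/ldap.conf" <<'EOF'
TLS_CACERTDIR /etc/openldap/ssl
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT never
BASE dc=gdy,dc=com
URI ldaps://mldap01.gdy.com
EOF
# ... and the same file with the CA actually enforced.
cat > "$DIR/ldap.conf.hardened" <<'EOF'
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT demand
BASE dc=gdy,dc=com
URI ldaps://mldap01.gdy.com
EOF
# nslcd.conf / pam_ldap.conf use the lower-case key; same value in the article.
cat > "$DIR/nslcd.conf" <<'EOF'
uri ldaps://mldap01.gdy.com
ssl on
tls_cacertfile /etc/openldap/ssl/cacert.pem
tls_reqcert never
EOF

# Effective value of tls_reqcert in a file: comments skipped, key matched
# case-insensitively, last occurrence taken, "unset" when absent.
reqcert_of() {
  awk 'tolower($1)=="tls_reqcert"{v=tolower($2)} END{if(v=="")v="unset"; print v}' "$1"
}
# 0 only when the server certificate is really verified. "unset" is flagged
# too, so the library default gets checked explicitly instead of assumed.
reqcert_ok() {
  case "$(reqcert_of "$1")" in
    demand|hard) return 0 ;;
    *)           return 1 ;;
  esac
}

for f in "$DIR"/*; do
  if reqcert_ok "$f"; then verdict=ok; else verdict=WEAK; fi
  printf '%-20s tls_reqcert=%-7s %s\n' "$(basename "$f")" "$(reqcert_of "$f")" "$verdict"
done
```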
5. Client testing and verification
- Test the SSL connection anonymously from the client:

```
[root@test01 ~]# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
ldap_start_tls: Operations error (1)
        additional info: TLS already started
anonymous
Result: Success (0)
```

- Verify an LDAP user's password:

```
[root@test01 ~]# ldapwhoami -D "uid=user1,ou=people,dc=gdy,dc=com" -W -H ldaps://mldap01.gdy.com -v
ldap_initialize( ldaps://mldap01.gdy.com:636/??base )
Enter LDAP Password:
dn:uid=user1,ou=people,dc=gdy,dc=com
Result: Success (0)
```

- Search the OpenLDAP domain information from the client:

```
[root@test01 ~]# ldapsearch -x -b 'dc=gdy,dc=com' -H ldaps://mldap01.gdy.com
# extended LDIF
#
# LDAPv3
# base <dc=gdy,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# gdy.com
dn: dc=gdy,dc=com
dc: gdy
objectClass: top
objectClass: domain

# people, gdy.com
... (output truncated)
```
6. Troubleshooting
- openssl s_client reports the following error when connecting:

```
[root@mldap01 ~]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
139640374728520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```

Not resolved: this problem did not occur when the OpenLDAP and CA servers were on separate hosts; next time I will try using the same name for the CA and LDAP servers.