09-OpenLDAP加密传输配置

时间:2023-03-08 15:43:14
09-OpenLDAP加密传输配置

OpenLDAP加密传输配置(CA服务器与openldap服务器异机)

阅读视图

  1. 环境准备
  2. CA证书服务器搭建
  3. OpenLDAP服务端与CA集成
  4. OpenLDAP客户端配置
  5. 客户端测试验证
  6. 故障处理

1. 环境准备

  1. 服务器规划
主机 系统版本 IP地址 主机名 时间同步 防火墙 SElinux
ldap服务端 Centos 6.9最小化安装 192.168.244.17 mldap01.gdy.com 必须同步 关闭 关闭
ldap客户端 Centos 6.9最小化安装 192.168.244.18 test01.gdy.com 必须同步 关闭 关闭
CA证书服务器 Centos 6.9最小化安装 192.168.244.23 mldap01.gdy.com 必须同步 关闭 关闭
  1. 本文环境按照02-openldap服务端安装配置搭建出最基本的环境,用户数据来自02-openldap服务端安装配置中的第十步

2. CA证书服务器搭建

  1. 安装OpenSSL软件

    [root@ca ~]# rpm -qa | grep openssl
    openssl-1.0.1e-57.el6.x86_64
  2. CA中心生成自身私钥,命令如下。

    [root@ca ~]# cd /etc/pki/CA/
    [root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    .................................................+++
    ......................+++
    e is 65537 (0x10001)
  3. CA签发自身公钥,命令如下。

    [root@ca CA]# openssl  req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:GDY
    Organizational Unit Name (eg, section) []:Tech
    Common Name (eg, your name or your server's hostname) []:ca.gdy.com
    Email Address []:ca@gdy.com

    其中,各个字段含义如下。

    • Country Name(2 letter code):两个字母的国家代号
    • State or Province Name(full name)[]:省份
    • Locality Name(eg, city)[Default City]:市或地区
    • Organization Name(eg, company)[Default Company Ltd]: 公司名称
    • Organizational Unit Name(eg, section)[]:部门名称,例如Tech
    • Common Name(eg, your name or your server's hostname)[]:通用名称,例如OL服务器的域名或IP地址。
    • Email Address []:邮件地址
  4. 创建数据库文件及证书序列文件,命令如下

    [root@ca CA]# ls -lh
    total 20K
    -rw-r--r-- 1 root root 1.4K Jun 1 17:04 cacert.pem
    drwxr-xr-x. 2 root root 4.0K Mar 23 2017 certs
    drwxr-xr-x. 2 root root 4.0K Mar 23 2017 crl
    drwxr-xr-x. 2 root root 4.0K Mar 23 2017 newcerts
    drwx------. 2 root root 4.0K Jun 1 17:01 private
    [root@ca CA]# touch serial index.txt
    [root@ca CA]# echo "01" > serial

    目录文件用途如下

    • cacert.pem:CA自身证书文件(可根据自己需求进行修改)
    • certs:客户端证书存放目录
    • crl:CA吊销的客户端证书存放目录
    • newcerts:生成新证书存放目录
    • index.txt:存放客户端证书信息
    • serial:客户端证书编号(编号可自定义),用于识别客户端证书。
    • private:存放CA自身私钥的目录
  5. 通过OpenSSL命令获取根证书信息,命令如下

    [root@ca CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 14795263444614255073 (0xcd5355b6d68e11e1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
    Validity
    Not Before: Jun 5 07:06:49 2018 GMT
    Not After : May 12 07:06:49 2118 GMT
    Subject: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:ba:0a:fa:87:16:4b:75:94:d6:98:a5:75:f5:93:
    44:60:0c:c4:bc:d6:5e:3e:be:4c:29:41:36:5c:2d:
    b8:c8:1e:97:10:38:0a:2d:60:0e:d9:38:5f:f5:7b:
    ab:af:b6:35:d5:48:c0:50:c3:1e:17:5b:a8:c6:f8:
    75:55:c7:0b:fb:7e:68:fc:a6:77:f9:7a:9a:d0:8f:
    5a:c6:ca:c7:a7:b5:34:d4:ca:13:d6:3c:b6:aa:86:
    7e:8f:17:24:f7:ce:b0:5f:11:3b:8a:6a:40:50:cc:
    5c:b5:cc:b3:e2:17:be:f6:ab:f6:ae:6a:2f:58:88:
    5f:12:65:58:cb:17:5e:00:51:ec:31:64:a7:d6:02:
    63:b3:63:cc:00:87:49:67:a2:60:a0:82:ed:a8:08:
    c5:77:c1:0a:04:42:9d:f2:c5:31:e7:b4:ee:67:f7:
    28:05:27:a0:b3:06:b0:89:b5:8d:3c:14:79:6c:30:
    ca:d3:90:8f:e5:72:61:13:c3:4d:bc:5a:80:9f:85:
    3a:20:4c:9b:0d:bb:c0:bd:d5:98:65:0b:0e:29:e2:
    45:ed:c2:e8:1c:74:e7:94:9b:07:49:28:06:13:44:
    98:b5:a9:e3:46:59:99:77:e8:12:a8:91:38:bc:9f:
    ef:48:b2:8f:58:8d:7c:a3:ba:fb:4f:e3:7b:8c:65:
    20:6b
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
    X509v3 Authority Key Identifier:
    keyid:FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D X509v3 Basic Constraints:
    CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    38:9c:52:b7:a2:d8:03:60:ec:78:2a:4b:9b:b8:02:10:44:09:
    39:d3:e9:d0:b2:9a:bc:d5:2d:1d:a1:92:12:d7:06:c7:2c:c7:
    27:95:a5:8d:f1:db:e5:7b:09:d4:0e:a1:70:d9:d9:59:7b:54:
    5a:a0:19:b8:d4:ec:36:23:cf:8f:c1:a3:c3:a6:99:a6:3e:dc:
    1c:cc:8a:53:20:07:a6:f7:5d:c2:9d:7f:e2:ef:07:eb:f3:ca:
    c2:9b:6d:47:f1:34:70:e7:56:44:db:2d:8a:46:26:21:ce:99:
    62:21:b2:05:51:86:8c:ba:25:9e:3b:81:e8:0f:68:73:21:75:
    d7:64:c2:ed:4a:3b:4a:9d:74:da:ca:3a:4f:df:1f:c1:a5:88:
    6e:08:a8:2f:9b:f8:75:00:0d:53:6b:be:24:97:f8:03:6a:69:
    87:56:ec:57:ae:85:a4:9c:71:fa:dd:f8:e6:d9:8c:69:d8:ab:
    66:6e:da:c8:5d:2f:a7:34:b5:17:65:79:3e:02:d9:81:64:6e:
    37:9d:e6:26:59:18:73:83:f6:06:c4:a0:ff:7e:90:e2:a3:5f:
    a7:01:41:c0:e6:bc:c8:ce:b6:19:0a:78:19:f6:16:9d:45:9b:
    e3:46:9c:6f:ca:d5:29:61:4b:38:95:e9:65:b5:62:8d:78:c4:
    83:8b:f8:10
  6. 自建CA完成

3. OpenLDAP服务端与CA集成

  1. 在openldap服务器上生成密钥

    [root@mldap01 ~]# mkdir -pv /etc/openldap/ssl
    mkdir: created directory `/etc/openldap/ssl'
    [root@mldap01 ~]# cd /etc/openldap/ssl
    [root@mldap01 ssl]# (umask 077; openssl genrsa -out ldapkey.pem 1024)
    Generating RSA private key, 1024 bit long modulus
    ............................++++++
    ...++++++
    e is 65537 (0x10001)
    [root@mldap01 ssl]# ls -lh
    total 4.0K
    -rw------- 1 root root 887 Jun 5 15:26 ldapkey.pem
  2. OpenLDAP服务端向CA申请证书签署请求,命令如下

    [root@mldap01 ssl]# openssl req -new -key ldapkey.pem -out ldap.csr -days 36500
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:GDY
    Organizational Unit Name (eg, section) []:Tech
    Common Name (eg, your name or your server's hostname) []:mldap01.gdy.com
    Email Address []:mldap@gdy.com Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  3. CA服务器核实并签发证书

    如果CA服务器与openldap服务器不在同一台,需要将上述步骤生成的ldap.csr文件上传到CA服务器签署

    先在openldap服务器上将ldap.csr文件上传到CA服务器签署
    [root@mldap01 ssl]# scp ldap.csr root@ca:/root/
    The authenticity of host 'ca (192.168.244.23)' can't be established.
    RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'ca,192.168.244.23' (RSA) to the list of known hosts.
    root@ca's password:
    ldap.csr 100% 696 0.7KB/s 00:00 [root@ca ~]# openssl ca -in ldap.csr -out ldapcert.pem -days 36500
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 1 (0x1)
    Validity
    Not Before: Jun 5 10:00:26 2018 GMT
    Not After : May 12 10:00:26 2118 GMT
    Subject:
    countryName = CN
    stateOrProvinceName = Shanghai
    organizationName = GDY
    organizationalUnitName = Tech
    commonName = mldap01.gdy.com
    emailAddress = mldap@gdy.com
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    26:1C:25:DA:AD:A0:E3:72:43:CD:AC:7F:77:9E:37:BD:1B:EF:1A:FE
    X509v3 Authority Key Identifier:
    keyid:CB:DE:C2:81:45:FE:B3:10:02:95:DA:49:16:F6:FA:03:13:F6:3E:2E Certificate is to be certified until May 12 10:00:26 2118 GMT (36500 days)
    Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated 然后将生成的ldapcert.pem文件和ca公钥文件发送至Openldap服务器/etc/openldap/ssl目录下
    [root@ca ~]# scp ldapcert.pem /etc/pki/CA/cacert.pem root@192.168.244.17:/etc/openldap/ssl/
    The authenticity of host '192.168.244.17 (192.168.244.17)' can't be established.
    RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.244.17' (RSA) to the list of known hosts.
    root@192.168.244.17's password:
    ldapcert.pem 100% 3828 3.7KB/s 00:00
    cacert.pem 100% 1391 1.4KB/s 00:00
  4. OpenLDAP TLS/SASL部署

    修改证书权限
    [root@mldap01 ssl]# chown ldap.ldap -R /etc/openldap
    [root@mldap01 ssl]# chmod -R 0400 /etc/openldap/ssl/* 修改OpenLDAP配置文件,添加证书文件
    [root@mldap01 ~]# vim /etc/openldap/slapd.conf
    #TLSCACertificatePath /etc/openldap/certs
    #TLSCertificateFile "\"OpenLDAP Server\""
    #TLSCertificateKeyFile /etc/openldap/certs/password
    TLSCACertificateFile /etc/openldap/ssl/cacert.pem
    TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
    TLSCertificateKeyFile /etc/openldap/ssl/ldapkey.pem
    TlsVerifyClient never

    TLSVerifyClient 设置是否验证客户端身份。Value可以取下面几个值

    • never: 服务器响应用户请求时,不需要验证客户端的身份,只需要提供CA公有证书即可。
    • allow:服务器响应用户请求时,服务要求验证客户端的身份,如果客户端没有证书或者证书无效,会话依然进行。
    • try:客户端提供证书,如果证书有误,则终止连接。若无证书,会话继续进行。
    • demand:服务器端需要对客户端证书进行验证,客户端需要向CA申请证书。

    开启OpenSSL功能,命令如下

    [root@mldap01 ~]# vim /etc/sysconfig/ldap
    # Options of slapd (see man slapd)
    #SLAPD_OPTIONS= # At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
    #
    # Run slapd with -h "... ldap:/// ..."
    # yes/no, default: yes
    SLAPD_LDAP=yes # Run slapd with -h "... ldapi:/// ..."
    # yes/no, default: yes
    SLAPD_LDAPI=yes # Run slapd with -h "... ldaps:/// ..."
    # yes/no, default: no
    SLAPD_LDAPS=yes

    删除并重新生成默认数据配置库

    [root@mldap01 ~]# rm -rf /etc/openldap/slapd.d/*
    [root@mldap01 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
    config file testing succeeded
    [root@mldap01 ~]# chown ldap.ldap -R /etc/openldap/
    [root@mldap01 ~]# /etc/init.d/slapd restart
    Stopping slapd: [ OK ]
    Starting slapd: [ OK ]
  5. 通过CA证书公钥验证OpenLDAP服务端证书的合法性,命令如下

    [root@mldap01 ~]# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem
    /etc/openldap/ssl/ldapcert.pem: OK
  6. 确认当前套接字是否通过CA的验证,命令如下

    [root@mldap01 ssl]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=1 C = CN, ST = Shanghai, L = Shanghai, O = GDY, OU = Tech, CN = ca.gdy.com, emailAddress = ca@gdy.com
    verify return:1
    depth=0 C = CN, ST = Shanghai, O = GDY, OU = Tech, CN = mldap01.gdy.com, emailAddress = mldap@gdy.com
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server key exchange A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    ---
    Certificate chain
    0 s:/C=CN/ST=Shanghai/O=GDY/OU=Tech/CN=mldap01.gdy.com/emailAddress=mldap@gdy.com
    i:/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=ca.gdy.com/emailAddress=ca@gdy.com
    -----BEGIN CERTIFICATE-----
    MIIDajCCAlKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCQ04x

4. OpenLDAP客户端配置

  1. 将CA公钥证书发送至客户端

    [root@mldap01 ssl]# scp cacert.pem root@192.168.244.18:/etc/openldap/ssl/
    
    
  2. 配置/etc/openldap/ldap.conf

    [root@test01 ~]# grep -Ev "^$|^#" /etc/openldap/ldap.conf
    TLS_CACERTDIR /etc/openldap/ssl
    TLS_CACERT /etc/openldap/ssl/cacert.pem
    TLS_REQCERT never
    BASE dc=gdy,dc=com
    URI ldaps://mldap01.gdy.com

    TLS_REQCERT [never allow try demand | hard] # 设置是否在TLS会话中检查server证书。

    • Never:不检查任何证书。
    • Allow:检查server证书,没有证书或证书错误,都允许连接。
    • Try:检查server证书,没有证书(允许连接),证书错误(终止连接)。
    • demand | hard:检查server证书,没有证书或证书错误都将立即终止连接。
  3. 配置/etc/nslcd.conf

    [root@test01 ~]# grep -Ev "^$|^#" /etc/nslcd.conf
    uid nslcd
    gid ldap
    uri ldaps://mldap01.gdy.com
    base dc=gdy,dc=com
    ssl on
    tls_cacertdir /etc/openldap/ssl
    tls_cacertfile /etc/openldap/ssl/cacert.pem
    tls_reqcert never
  4. 配置/etc/pam_ldap.conf

    [root@test01 ~]# grep -Ev "^$|^#" /etc/pam_ldap.conf
    host 127.0.0.1
    base dc=gdy,dc=com
    uri ldaps://mldap01.gdy.com
    ssl on
    tls_cacertdir /etc/openldap/ssl
    tls_cacertfile /etc/openldap/ssl/cacert.pem
    tls_reqcert never
    bind_policy soft

5. 客户端测试验证

  1. 通过客户端匿名测试SSL连接是否正常,命令如下

    [root@test01 ~]# ldapwhoami -v -x -Z
    ldap_initialize( <DEFAULT> )
    ldap_start_tls: Operations error (1)
    additional info: TLS already started
    anonymous
    Result: Success (0)
  2. LDAP用户验证密码, 命令如下

    [root@test01 ~]# ldapwhoami -D "uid=user1,ou=people,dc=gdy,dc=com" -W -H ldaps://mldap01.gdy.com -v
    ldap_initialize( ldaps://mldap01.gdy.com:636/??base )
    Enter LDAP Password:
    dn:uid=user1,ou=people,dc=gdy,dc=com
    Result: Success (0)
  3. 在客户端搜索OpenLDAP域信息, 命令如下

    [root@test01 ~]# ldapsearch -x -b 'dc=gdy,dc=com' -H ldaps://mldap01.gdy.com
    # extended LDIF
    #
    # LDAPv3
    # base <dc=gdy,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    # # gdy.com
    dn: dc=gdy,dc=com
    dc: gdy
    objectClass: top
    objectClass: domain # people, gdy.com
    ... 省略

故障处理

  1. openssl s_client连接时报错如下

    [root@mldap01 ~]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    139640374728520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 247 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

    没有解决:openldap和ca服务器不在同一台时没有这个问题, 下次我ca和ldap服务器使用同一个名字试试