Enabling TLS for LDAP
2022.08.03 Guangxi

Server side

Certificates signed by a custom CA

  • Create the root key
openssl genrsa -out laoshirenCA.key 2048
  • Create a self-signed root certificate
openssl req -x509 -new -nodes -key laoshirenCA.key -sha256 -days 1024 -out laoshirenCA.pem

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:SYS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:# enter your own LDAP server IP or domain name here
Email Address []:xxx@xxx.com
  • Create the LDAP server's private key
openssl genrsa -out laoshirenldap.key 2048
  • Create a certificate signing request
openssl req -new -key laoshirenldap.key -out laoshirenldap.csr

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:SYS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:# enter your own LDAP server IP or domain name here
Email Address []:xxx@xxx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • Sign the certificate signing request with the custom root CA
openssl x509 -req -in laoshirenldap.csr -CA laoshirenCA.pem -CAkey laoshirenCA.key -CAcreateserial -out laoshirenldap.crt -days 1460 -sha256
  • Copy the certificates into the application directory and change their ownership
cp laoshirenldap.{crt,key} laoshirenCA.pem /etc/openldap/certs/
chown -R ldap:ldap /etc/openldap/certs/

Configure LDAP to enable TLS

  1. Import the certificates into the configuration

    vim certs.ldif
    # keep this order (if it errors, try swapping the order)
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/laoshirenldap.crt
    
    dn: cn=config
    changetype: modify
    replace: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/openldap/certs/laoshirenCA.pem
    
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/laoshirenldap.key
    
  2. Load the configuration

    ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
    
  3. Verify the service

    # StartTLS keeps using port 389
    netstat -nlp -t |grep :389
    tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      12483/slapd
    tcp6       0      0 :::389                  :::*                    LISTEN      12483/slapd
    
  4. Edit the service configuration file

    # configure the certificate checking mode
    vim /etc/openldap/ldap.conf
    TLS_REQCERT  never
    
  5. Test StartTLS

    After running ldapsearch -x -ZZ, check the log: if it contains TLS established tls_ssf=256 ssf=256, the server-side configuration is working
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 ACCEPT from IP=[::1]:52758 (IP=[::]:389)
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=0 STARTTLS
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=0 RESULT oid= err=0 text=
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 TLS established tls_ssf=256 ssf=256
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=1 BIND dn='' method=128
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=1 RESULT tag=97 err=0 text=
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=2 SRCH base='' scope=2 deref=0 filter='(objectClass=*)'
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=3 UNBIND
    Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 closed
    
    
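The log check above can be turned into a standing detection: for each slapd connection, a BIND that is logged before (or without) a "TLS established" line means the bind, including any simple-bind password, crossed the wire in the clear on port 389. The script below is an added example, not part of the original post; the conn=1067 lines are the post's own log, while conn=1068 (with ou=People and uid=alice) is a constructed cleartext bind added to show a hit.

```shell
#!/bin/sh
# Added example, not from the original post. Reads slapd log lines on stdin
# and prints "<conn> <peer> <dn>" for every BIND not protected by StartTLS.
set -e

# Constructed sample: conn=1067 is the post's healthy StartTLS session,
# conn=1068 is an added simple bind that never negotiated TLS.
sample_log() {
cat <<'EOF'
Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 ACCEPT from IP=[::1]:52758 (IP=[::]:389)
Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=0 STARTTLS
Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 TLS established tls_ssf=256 ssf=256
Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 op=1 BIND dn='' method=128
Jan  9 01:17:31 ldap-server slapd[12483]: conn=1067 fd=26 closed
Jan  9 01:18:02 ldap-server slapd[12483]: conn=1068 fd=27 ACCEPT from IP=172.16.10.10:41022 (IP=[::]:389)
Jan  9 01:18:02 ldap-server slapd[12483]: conn=1068 op=0 BIND dn='uid=alice,ou=People,dc=laoshiren,dc=com' method=128
Jan  9 01:18:02 ldap-server slapd[12483]: conn=1068 op=0 RESULT tag=97 err=0 text=
Jan  9 01:18:02 ldap-server slapd[12483]: conn=1068 fd=27 closed
EOF
}

# Per-connection state machine in awk: remember the peer from ACCEPT, set a
# flag on "TLS established", and flag any BIND seen while the flag is unset.
cleartext_binds() {
  awk '
    function conn_id(s) {
      return match(s, /conn=[0-9]+/) ? substr(s, RSTART + 5, RLENGTH - 5) : ""
    }
    { c = conn_id($0); if (c == "") next }
    / ACCEPT from IP=/ {
      if (match($0, /IP=[^ ]+/)) peer[c] = substr($0, RSTART + 3, RLENGTH - 3)
    }
    / TLS established / { tls[c] = 1 }
    / BIND dn=/ && !tls[c] {
      match($0, /dn=[^ ]*/)
      print c, peer[c], substr($0, RSTART + 3, RLENGTH - 3)
    }
    / closed$/ { delete peer[c]; delete tls[c] }
  '
}

# Stand-alone run over the sample; on a real host use:
#   grep slapd /var/log/messages | cleartext_binds
sample_log | cleartext_binds
```

The page's own session (conn=1067) produces no output because its BIND follows the TLS line; only the constructed conn=1068 is reported. Because slapd reuses connection numbers only after restart, the state is dropped on the "closed" line so the script can run over long log files without unbounded memory.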

Client side

  • Use nslcd (Naming services LDAP client daemon)
# StartTLS
authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldap://172.16.10.220 --ldapbasedn='dc=laoshiren,dc=com' --enablemkhomedir --update
  • Use the server's CA certificate
# download
wget http://xxxxxx/laoshirenCA.pem -O /etc/openldap/cacerts/laoshirenCA.pem
# or
scp laoshirenCA.pem 172.16.10.10:/etc/openldap/cacerts/
  • Compute the c_hash of the CA certificate
/etc/pki/tls/misc/c_hash /etc/openldap/cacerts/laoshirenCA.pem
61450bc7.0 => /etc/openldap/cacerts/laoshirenCA.pem
  • Create the certificate hash link (the link name is the hash printed above)
ln -s /etc/openldap/cacerts/laoshirenCA.pem /etc/openldap/cacerts/61450bc7.0
  • Configure the certificate to use and the verification mode
vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/laoshirenCA.pem
TLS_REQCERT never
  • Configure nslcd to enable start_tls
vim /etc/nslcd.conf

# StartTLS
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/laoshirenCA.pem
tls_reqcert never

systemctl restart nslcd
systemctl enable nslcd
  • Specify the LDAP lookup order

This file specifies which sources are used, and in what order, to look up a given type of information, and what the system does when a source succeeds or fails.

vim /etc/nsswitch.conf
change to
passwd:     files ldap
shadow:     files ldap
group:      files ldap
  • Test TLS
ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
anonymous
Result: Success (0)
ldapsearch -x -Z -H ldap://172.16.10.220 -b 'ou=Group,dc=laoshiren,dc=com'
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=laoshiren,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Group, laoshiren.com
dn: ou=Group,dc=laoshiren,dc=com
objectClass: organizationalUnit
ou: Group

# linux_group, Group, laoshiren.com
dn: cn=linux_group,ou=Group,dc=laoshiren,dc=com
cn: linux_group
gidNumber: 500
objectClass: posixGroup
objectClass: top

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2