Integrating TLS: configuring a self-signed certificate
LDAP server: 10.8.96.117
LDAP client: 10.8.97.99
1. Configure a self-signed certificate on the LDAP server
cd /etc/openldap/certs/
openssl genrsa -out ldap.key 1024    # create the private key
openssl req -new -key ldap.key -out ldap.csr    # generate the signing request; the prompts for the subject details are omitted here
openssl x509 -req -days 1095 -in ldap.csr -signkey ldap.key -out ldap.crt    # self-sign the certificate (public key)
2. Change the permissions and owner of the certificate directory
# chmod 700 certs/
# chown ldap.ldap certs/ -R
3. Edit the configuration files and add the certificate paths
# vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/certs    # certificate directory
TLS_REQCERT allow    # accept the self-signed certificate (add this on both the server and the client)
# vim /etc/openldap/slapd.conf    # edit the server configuration
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
4. Regenerate the configuration directory and start the service
# service slapd stop
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
# chown ldap.ldap /etc/openldap/slapd.d/ -R
# slapd -h "ldaps:///"    # start the service; it now listens on port 636 instead of 389
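The certificate part of steps 1 to 4 can be scripted so that it runs without prompts and can be checked before slapd is started. The following is an added example, not part of the original page: make_ldap_cert generates the key, request and self-signed certificate in one go, and check_ldap_cert confirms that the private key matches the certificate, that the certificate verifies against itself, and that the key file is not readable by other users. It deliberately goes beyond the page in three places: it uses a 2048-bit key (1024-bit RSA is below current minimums), it supplies the subject and a subjectAltName on the command line (the IP entry is what lets a client that connects by address, as this page does, validate the name), and it creates the key with mode 600. The function names, the hostname ldap.example.test and the directory argument are my own; the chown to ldap.ldap from step 2 still has to be done separately as root.

```shell
#!/bin/sh
# Added example (not from the original page). Requires the openssl CLI.

# make_ldap_cert DIR HOSTNAME IP [DAYS]
# Writes DIR/ldap.key, DIR/ldap.csr and DIR/ldap.crt; returns non-zero on failure.
make_ldap_cert() {
    cert_dir=$1; cert_host=$2; cert_ip=$3; cert_days=${4:-1095}
    mkdir -p "$cert_dir" && chmod 700 "$cert_dir" || return 1
    # Subshell so the restrictive umask only applies to the key file (mode 600).
    ( umask 077 && openssl genrsa -out "$cert_dir/ldap.key" 2048 2>/dev/null ) || return 1
    # -subj replaces the interactive prompts of "openssl req".
    openssl req -new -key "$cert_dir/ldap.key" -out "$cert_dir/ldap.csr" \
        -subj "/CN=$cert_host" 2>/dev/null || return 1
    # subjectAltName with both the DNS name and the IP the clients will connect to.
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$cert_host" "$cert_ip" > "$cert_dir/san.ext"
    openssl x509 -req -days "$cert_days" -in "$cert_dir/ldap.csr" \
        -signkey "$cert_dir/ldap.key" -extfile "$cert_dir/san.ext" \
        -out "$cert_dir/ldap.crt" 2>/dev/null || return 1
    chmod 644 "$cert_dir/ldap.crt"
}

# check_ldap_cert DIR
# 0 = ok, 1 = unreadable files, 2 = key/cert mismatch, 3 = signature check failed,
# 4 = key file too permissive.
check_ldap_cert() {
    cert_dir=$1
    key_pub=$(openssl rsa -in "$cert_dir/ldap.key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$cert_dir/ldap.crt" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ] || { echo "ldap.key does not match ldap.crt" >&2; return 2; }
    # A self-signed certificate must verify when it is itself the trust anchor;
    # this is the same trust relationship a client gets from TLS_CACERT ldap.crt.
    openssl verify -CAfile "$cert_dir/ldap.crt" "$cert_dir/ldap.crt" >/dev/null 2>&1 || return 3
    # GNU stat first, BSD stat as fallback.
    key_mode=$(stat -c %a "$cert_dir/ldap.key" 2>/dev/null || stat -f %Lp "$cert_dir/ldap.key" 2>/dev/null)
    case $key_mode in
        600|400) ;;
        *) echo "ldap.key mode $key_mode is too permissive" >&2; return 4 ;;
    esac
    return 0
}

# Usage on the server (run as root, then apply the chown from step 2):
#   make_ldap_cert /etc/openldap/certs ldap.example.test 10.8.96.117 && check_ldap_cert /etc/openldap/certs
```

Because the check verifies the certificate against itself, the same file copied to a client and named in TLS_CACERT lets that client keep full certificate verification instead of relaxing it with TLS_REQCERT allow; the allow setting accepts any certificate the server presents, so it should be treated as a test-time convenience rather than the end state.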
5. Local test on the server
#ldapwhoami -v -x -Z -H ldaps://10.8.96.117
ldap_initialize(ldaps://10.8.96.117:636/??base)
ldap_start_tls: Operations error (1)
additional info: TLS already started
anonymous
Result: Success (0)
#ldapwhoami -D "uid=user1,ou=People,dc=website80,dc=com" -W -H ldaps://10.8.96.117 -v
ldap_initialize(ldaps://10.8.96.117:636/??base)
Enter LDAP Password:
dn:uid=user1,ou=People,dc=website80,dc=com
Result: Success (0)
6. Remote connection test
Client IP: 10.8.97.99
Install the LDAP client tools: yum install openldap-clients
# ldapwhoami -v -x -Z -H ldaps://10.8.96.117
ldap_initialize(ldaps://10.8.96.117:636/??base)
ldap_start_tls: Operations error (1)
additional info: TLS already started
anonymous
Result: Success (0)
#ldapwhoami -D "uid=user1,ou=People,dc=website80,dc=com" -W -H ldaps://10.8.96.117 -v
ldap_initialize(ldaps://10.8.96.117:636/??base)
Enter LDAP Password:
dn:uid=user1,ou=People,dc=website80,dc=com
Result: Success (0)
While this command runs, capture traffic on the LDAP server 10.8.96.117 (tcpdump -i eth0 port 636 -w /tmp/b.pcap); the password exchanged between the client and the LDAP server is encrypted with TLS 1.2.
7. Scripted client
Python example:
yum install python-ldap
import ldap

# Skip server certificate verification; this has the same effect as TLS_REQCERT never
# on the client. To keep verification with the self-signed certificate instead, copy
# ldap.crt to the client and set ldap.OPT_X_TLS_CACERTFILE to it with OPT_X_TLS_DEMAND.
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
# The ldaps:// scheme already requires TLS, so no separate OPT_X_TLS setting is needed.
l = ldap.initialize("ldaps://10.8.96.117:636")
l.set_option(ldap.OPT_REFERRALS, 0)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
l.set_option(ldap.OPT_DEBUG_LEVEL, 255)  # verbose libldap debugging; remove in production
l.simple_bind_s('uid=username,ou=People,dc=domain,dc=com', '123456')  # authentication succeeds
try:
    l.simple_bind_s('uid=username,ou=People,dc=domain,dc=com', '1234567')  # authentication fails
except ldap.INVALID_CREDENTIALS:
    print('bind rejected: wrong password')
8. FAQ
1) Certificate path: /etc/openldap/certs/ldap.crt. If this path is wrong, verification fails with an error like: TLS error -5938:Encountered
2) With a self-signed certificate, the client configuration file (/etc/openldap/ldap.conf) must include TLS_REQCERT allow to accept the self-signed certificate; otherwise
#ldapwhoami -v -x -Z -H ldaps://10.8.96.117 shows the following error:
ldap_initialize(ldaps://10.8.96.117:636/??base)
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
References:
Configuring OpenLDAP to use SSL/TLS to encrypt data communication
http://www.ibm.com/developerworks/cn/linux/1312_zhangchao_opensslldap/
OpenLDAP TLS/SSL integration