  • 09 - OpenLDAP encrypted transport (TLS) configuration

    OpenLDAP encrypted transport configuration (CA server and OpenLDAP server on separate hosts)

    Contents

    1. Environment
    2. Building the CA server
    3. Integrating the OpenLDAP server with the CA
    4. OpenLDAP client configuration
    5. Client tests
    6. Troubleshooting

    1. Environment

    1. Server plan

       Role         OS                          IP address       Hostname          Time sync   Firewall   SELinux
       LDAP server  CentOS 6.9 minimal install  192.168.244.17   mldap01.gdy.com   required    off        off
       LDAP client  CentOS 6.9 minimal install  192.168.244.18   test01.gdy.com    required    off        off
       CA server    CentOS 6.9 minimal install  192.168.244.23   ca.gdy.com        required    off        off

       The CA host appears as ca in the prompts below and ca.gdy.com in its certificate. Time synchronisation is not optional once TLS is involved: a skewed clock makes a perfectly good certificate look not yet valid or expired. Firewall and SELinux are off for this lab only; in production keep SELinux enforcing and open just the LDAP ports (389 and/or 636).

       Note: the base environment was set up following 02-openldap服务端安装配置 (the OpenLDAP server installation post); the user data comes from step 10 of that post.

    2. Building the CA server

    1. Install OpenSSL (here we only check that it is present):

      [root@ca ~]# rpm -qa | grep openssl
      openssl-1.0.1e-57.el6.x86_64
      
    2. Generate the CA's own private key:

      [root@ca ~]# cd /etc/pki/CA/
      [root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
      Generating RSA private key, 2048 bit long modulus
      .................................................+++
      ......................+++
      e is 65537 (0x10001)
      
    3. Self-sign the CA certificate (the CA certifies its own public key):

      [root@ca CA]# openssl  req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:CN
      State or Province Name (full name) []:Shanghai
      Locality Name (eg, city) [Default City]:Shanghai
      Organization Name (eg, company) [Default Company Ltd]:GDY
      Organizational Unit Name (eg, section) []:Tech
      Common Name (eg, your name or your server's hostname) []:ca.gdy.com
      Email Address []:ca@gdy.com
      

      The fields mean:

      • Country Name (2 letter code): two-letter country code
      • State or Province Name (full name): province
      • Locality Name (eg, city): city or district
      • Organization Name (eg, company): company name
      • Organizational Unit Name (eg, section): department, e.g. Tech
      • Common Name (eg, your name or your server's hostname): for the CA certificate this is simply a name for the CA (ca.gdy.com here); for the server certificate in section 3 it must be the FQDN clients connect to, because that is the name clients verify against
      • Email Address: contact address
    4. Create the CA database file and the serial-number file:

      [root@ca CA]# ls -lh
      total 20K
      -rw-r--r--  1 root root 1.4K Jun  1 17:04 cacert.pem
      drwxr-xr-x. 2 root root 4.0K Mar 23  2017 certs
      drwxr-xr-x. 2 root root 4.0K Mar 23  2017 crl
      drwxr-xr-x. 2 root root 4.0K Mar 23  2017 newcerts
      drwx------. 2 root root 4.0K Jun  1 17:01 private
      [root@ca CA]# touch serial index.txt
      [root@ca CA]# echo "01" > serial 
      

      The files and directories are used as follows:

      • cacert.pem: the CA's own certificate, the one file that is later distributed to the LDAP server and to every client
      • certs: where issued certificates are kept by convention
      • crl: certificate revocation lists
      • newcerts: a copy of every certificate openssl ca issues, named by serial number
      • index.txt: the CA database, one line per issued certificate
      • serial: the serial number for the next certificate (an even number of hex digits; 01 here)
      • private: the CA private key; this directory and cakey.pem stay mode 0700/0600 and never leave this host
    5. Inspect the root certificate with openssl:

      [root@ca CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 14795263444614255073 (0xcd5355b6d68e11e1)
          Signature Algorithm: sha1WithRSAEncryption
              Issuer: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
              Validity
                  Not Before: Jun  5 07:06:49 2018 GMT
                  Not After : May 12 07:06:49 2118 GMT
              Subject: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (2048 bit)
                      Modulus:
                          00:ba:0a:fa:87:16:4b:75:94:d6:98:a5:75:f5:93:
                          44:60:0c:c4:bc:d6:5e:3e:be:4c:29:41:36:5c:2d:
                          b8:c8:1e:97:10:38:0a:2d:60:0e:d9:38:5f:f5:7b:
                          ab:af:b6:35:d5:48:c0:50:c3:1e:17:5b:a8:c6:f8:
                          75:55:c7:0b:fb:7e:68:fc:a6:77:f9:7a:9a:d0:8f:
                          5a:c6:ca:c7:a7:b5:34:d4:ca:13:d6:3c:b6:aa:86:
                          7e:8f:17:24:f7:ce:b0:5f:11:3b:8a:6a:40:50:cc:
                          5c:b5:cc:b3:e2:17:be:f6:ab:f6:ae:6a:2f:58:88:
                          5f:12:65:58:cb:17:5e:00:51:ec:31:64:a7:d6:02:
                          63:b3:63:cc:00:87:49:67:a2:60:a0:82:ed:a8:08:
                          c5:77:c1:0a:04:42:9d:f2:c5:31:e7:b4:ee:67:f7:
                          28:05:27:a0:b3:06:b0:89:b5:8d:3c:14:79:6c:30:
                          ca:d3:90:8f:e5:72:61:13:c3:4d:bc:5a:80:9f:85:
                          3a:20:4c:9b:0d:bb:c0:bd:d5:98:65:0b:0e:29:e2:
                          45:ed:c2:e8:1c:74:e7:94:9b:07:49:28:06:13:44:
                          98:b5:a9:e3:46:59:99:77:e8:12:a8:91:38:bc:9f:
                          ef:48:b2:8f:58:8d:7c:a3:ba:fb:4f:e3:7b:8c:65:
                          20:6b
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Subject Key Identifier: 
                      FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
                  X509v3 Authority Key Identifier: 
                      keyid:FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
      
                  X509v3 Basic Constraints: 
                      CA:TRUE
          Signature Algorithm: sha1WithRSAEncryption
              38:9c:52:b7:a2:d8:03:60:ec:78:2a:4b:9b:b8:02:10:44:09:
              39:d3:e9:d0:b2:9a:bc:d5:2d:1d:a1:92:12:d7:06:c7:2c:c7:
              27:95:a5:8d:f1:db:e5:7b:09:d4:0e:a1:70:d9:d9:59:7b:54:
              5a:a0:19:b8:d4:ec:36:23:cf:8f:c1:a3:c3:a6:99:a6:3e:dc:
              1c:cc:8a:53:20:07:a6:f7:5d:c2:9d:7f:e2:ef:07:eb:f3:ca:
              c2:9b:6d:47:f1:34:70:e7:56:44:db:2d:8a:46:26:21:ce:99:
              62:21:b2:05:51:86:8c:ba:25:9e:3b:81:e8:0f:68:73:21:75:
              d7:64:c2:ed:4a:3b:4a:9d:74:da:ca:3a:4f:df:1f:c1:a5:88:
              6e:08:a8:2f:9b:f8:75:00:0d:53:6b:be:24:97:f8:03:6a:69:
              87:56:ec:57:ae:85:a4:9c:71:fa:dd:f8:e6:d9:8c:69:d8:ab:
              66:6e:da:c8:5d:2f:a7:34:b5:17:65:79:3e:02:d9:81:64:6e:
              37:9d:e6:26:59:18:73:83:f6:06:c4:a0:ff:7e:90:e2:a3:5f:
              a7:01:41:c0:e6:bc:c8:ce:b6:19:0a:78:19:f6:16:9d:45:9b:
              e3:46:9c:6f:ca:d5:29:61:4b:38:95:e9:65:b5:62:8d:78:c4:
              83:8b:f8:10
      
    6. The self-built CA is complete.

       Two things in the output above are worth changing outside a lab. The signature algorithm is sha1WithRSAEncryption because default_md in CentOS 6's /etc/pki/tls/openssl.cnf is sha1; pass -sha256 to openssl req here (and -md sha256 to openssl ca in section 3) so the chain does not rest on SHA-1. And -days 36500 produces a root that expires in 2118, which can only be retired by touching every client; a few years is plenty for a private CA.

    3. Integrating the OpenLDAP server with the CA

    1. Generate a private key on the OpenLDAP server:

      [root@mldap01 ~]# mkdir -pv /etc/openldap/ssl
      mkdir: created directory `/etc/openldap/ssl'
      [root@mldap01 ~]# cd /etc/openldap/ssl
      [root@mldap01 ssl]# (umask 077; openssl genrsa -out ldapkey.pem 1024)
      Generating RSA private key, 1024 bit long modulus
      ............................++++++
      ...++++++
      e is 65537 (0x10001)
      [root@mldap01 ssl]# ls -lh
      total 4.0K
      -rw------- 1 root root 887 Jun  5 15:26 ldapkey.pem

      A 1024-bit RSA key, as generated here, is no longer considered adequate; use 2048 bits for anything beyond this lab. The transcript is kept as it was run.

    2. Create a certificate signing request (CSR) on the OpenLDAP server. The Common Name must be the FQDN clients will put in their URI (mldap01.gdy.com): a client configured with TLS_REQCERT demand checks that name against the certificate. The -days option has no effect on a CSR; the validity is fixed by the CA when it signs.

      [root@mldap01 ssl]# openssl req -new -key ldapkey.pem -out ldap.csr -days 36500
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:CN
      State or Province Name (full name) []:Shanghai
      Locality Name (eg, city) [Default City]:Shanghai
      Organization Name (eg, company) [Default Company Ltd]:GDY
      Organizational Unit Name (eg, section) []:Tech
      Common Name (eg, your name or your server's hostname) []:mldap01.gdy.com
      Email Address []:mldap@gdy.com
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:
      
    3. The CA verifies and signs the request

      Because the CA and the OpenLDAP server are separate hosts, ldap.csr has to be carried to the CA. Only the CSR travels; ldapkey.pem stays on mldap01.

      On the OpenLDAP server, upload ldap.csr to the CA:
      [root@mldap01 ssl]# scp ldap.csr root@ca:/root/   
      The authenticity of host 'ca (192.168.244.23)' can't be established.
      RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'ca,192.168.244.23' (RSA) to the list of known hosts.
      root@ca's password: 
      ldap.csr                                                                                                                      100%  696     0.7KB/s   00:00  

      On the CA, sign it. openssl ca reads /etc/pki/tls/openssl.cnf, whose [ CA_default ] section sets dir to /etc/pki/CA, which is why the key, certificate, serial and index.txt created in section 2 are found without any extra options:
      [root@ca ~]# openssl ca -in ldap.csr -out ldapcert.pem -days 36500
      Using configuration from /etc/pki/tls/openssl.cnf
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 1 (0x1)
              Validity
                  Not Before: Jun  5 10:00:26 2018 GMT
                  Not After : May 12 10:00:26 2118 GMT
              Subject:
                  countryName               = CN
                  stateOrProvinceName       = Shanghai
                  organizationName          = GDY
                  organizationalUnitName    = Tech
                  commonName                = mldap01.gdy.com
                  emailAddress              = mldap@gdy.com
              X509v3 extensions:
                  X509v3 Basic Constraints: 
                      CA:FALSE
                  Netscape Comment: 
                      OpenSSL Generated Certificate
                  X509v3 Subject Key Identifier: 
                      26:1C:25:DA:AD:A0:E3:72:43:CD:AC:7F:77:9E:37:BD:1B:EF:1A:FE
                  X509v3 Authority Key Identifier: 
                      keyid:CB:DE:C2:81:45:FE:B3:10:02:95:DA:49:16:F6:FA:03:13:F6:3E:2E
      
      Certificate is to be certified until May 12 10:00:26 2118 GMT (36500 days)
      Sign the certificate? [y/n]:y
      
      
      1 out of 1 certificate requests certified, commit? [y/n]y
      Write out database with 1 new entries
      Data Base Updated

      Two things to read off this output. The Subject has no localityName: the default policy_match section in openssl.cnf does not list that field, so it is dropped from the signed certificate. And the Authority Key Identifier (CB:DE:...) does not match the Subject Key Identifier of the CA certificate printed in step 2.5 (FA:19:...), which means the CA certificate was regenerated between those two steps. Distribute the cacert.pem that actually signed ldapcert.pem; the openssl verify in step 5 below catches a mismatch.

      Then send the generated ldapcert.pem and the CA certificate to /etc/openldap/ssl on the OpenLDAP server:
      [root@ca ~]# scp ldapcert.pem /etc/pki/CA/cacert.pem root@192.168.244.17:/etc/openldap/ssl/
      The authenticity of host '192.168.244.17 (192.168.244.17)' can't be established.
      RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added '192.168.244.17' (RSA) to the list of known hosts.
      root@192.168.244.17's password: 
      ldapcert.pem                                                                                                                  100% 3828     3.7KB/s   00:00    
      cacert.pem                                                                                                                    100% 1391     1.4KB/s   00:00
      
    4. OpenLDAP TLS deployment (ldaps)

      Set ownership and permissions on the certificate files:
      [root@mldap01 ssl]# chown ldap.ldap -R /etc/openldap
      [root@mldap01 ssl]# chmod -R 0400 /etc/openldap/ssl/*

      Only ldapkey.pem needs to be private (0400, owned by ldap); the two certificates are public and 0444 would do. chmod -R 0400 on all three works here because slapd runs as ldap and owns the files.

      Edit the OpenLDAP configuration file and add the certificate files (the three commented-out lines are the stock CentOS 6 NSS-database settings being replaced):
      [root@mldap01 ~]# vim /etc/openldap/slapd.conf
      #TLSCACertificatePath /etc/openldap/certs
      #TLSCertificateFile ""OpenLDAP Server""
      #TLSCertificateKeyFile /etc/openldap/certs/password
      TLSCACertificateFile /etc/openldap/ssl/cacert.pem
      TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
      TLSCertificateKeyFile  /etc/openldap/ssl/ldapkey.pem
      TLSVerifyClient never
      

      TLSVerifyClient controls whether slapd asks the client for a certificate and what it does with the answer (see slapd.conf(5)):

      • never: the server does not ask the client for a certificate. This is the default and what this post uses: the server is authenticated to clients by its certificate, but clients are not authenticated by TLS (they still bind with a DN and password).
      • allow: the server asks for a certificate; if none is given, or the certificate is bad, the session proceeds anyway.
      • try: the server asks for a certificate; if none is given the session proceeds, but a bad certificate terminates it.
      • demand (also hard or true): a valid client certificate is required; if none is given or it is bad, the session is terminated. Clients then need their own certificate issued by a CA the server trusts.

      Enable the ldaps:// listener (TCP 636) in /etc/sysconfig/ldap:

      [root@mldap01 ~]# vim /etc/sysconfig/ldap
      # Options of slapd (see man slapd)
      #SLAPD_OPTIONS=
      
      # At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
      #
      # Run slapd with -h "... ldap:/// ..."
      #   yes/no, default: yes
      SLAPD_LDAP=yes
      
      # Run slapd with -h "... ldapi:/// ..."
      #   yes/no, default: yes
      SLAPD_LDAPI=yes
      
      # Run slapd with -h "... ldaps:/// ..."
      #   yes/no, default: no
      SLAPD_LDAPS=yes
      

      Delete the existing cn=config database and regenerate it from slapd.conf. On CentOS 6 slapd reads /etc/openldap/slapd.d, so edits to slapd.conf only take effect after this conversion:

      [root@mldap01 ~]# rm -rf /etc/openldap/slapd.d/*
      [root@mldap01 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
      config file testing succeeded
      [root@mldap01 ~]# chown ldap.ldap -R /etc/openldap/                                    
      [root@mldap01 ~]# /etc/init.d/slapd restart
      Stopping slapd:                                            [  OK  ]
      Starting slapd:                                            [  OK  ]
      
    5. Verify the server certificate against the CA certificate copied to the server in step 3 (the CA's /etc/pki/CA directory exists only on ca.gdy.com):

      [root@mldap01 ~]# openssl verify -CAfile /etc/openldap/ssl/cacert.pem /etc/openldap/ssl/ldapcert.pem
      /etc/openldap/ssl/ldapcert.pem: OK
      
    6. Confirm that the ldaps socket presents a certificate that chains to the CA. Both depth lines must end in verify return:1; depth 0 is the server certificate, depth 1 the CA:

      [root@mldap01 ssl]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem               
      CONNECTED(00000003)
      SSL_connect:before/connect initialization
      SSL_connect:SSLv2/v3 write client hello A
      SSL_connect:SSLv3 read server hello A
      depth=1 C = CN, ST = Shanghai, L = Shanghai, O = GDY, OU = Tech, CN = ca.gdy.com, emailAddress = ca@gdy.com
      verify return:1
      depth=0 C = CN, ST = Shanghai, O = GDY, OU = Tech, CN = mldap01.gdy.com, emailAddress = mldap@gdy.com
      verify return:1
      SSL_connect:SSLv3 read server certificate A
      SSL_connect:SSLv3 read server key exchange A
      SSL_connect:SSLv3 read server done A
      SSL_connect:SSLv3 write client key exchange A
      SSL_connect:SSLv3 write change cipher spec A
      SSL_connect:SSLv3 write finished A
      SSL_connect:SSLv3 flush data
      SSL_connect:SSLv3 read finished A
      ---
      Certificate chain
      0 s:/C=CN/ST=Shanghai/O=GDY/OU=Tech/CN=mldap01.gdy.com/emailAddress=mldap@gdy.com
      i:/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=ca.gdy.com/emailAddress=ca@gdy.com
      -----BEGIN CERTIFICATE-----
      MIIDajCCAlKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCQ04x
      ... (remaining output omitted)
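The CA build in section 2 and the issuance and checks in section 3, as one added non-interactive shell example (this is not code from the original post). It changes the defaults a practitioner would change: SHA-256 instead of the sha1WithRSAEncryption shown in the transcripts, a 2048-bit server key instead of 1024, 825 days instead of 36500, and a subjectAltName for mldap01.gdy.com. It writes under a scratch directory named by PKI_ROOT rather than /etc/pki/CA and /etc/openldap/ssl, signs with a minimal openssl.cnf written inline (the section names gdy_ca, policy_any and server_ext are this example's own, not the post's), and adds the check the post does not run: that ldapkey.pem really is the key for ldapcert.pem.

```shell
#!/bin/sh
# Added example, not the post's own commands. Builds a CA and issues the LDAP server
# certificate under $PKI_ROOT (a scratch directory), then runs the checks from
# section 3 plus a key/certificate match check. Requires the openssl CLI.
set -u

# Build a CA and issue a server certificate for $1, the FQDN clients put in their URI.
build_pki() {
    host="$1"
    PKI_ROOT=${PKI_ROOT:-$PWD}; export PKI_ROOT
    LDAP_HOST="$host";          export LDAP_HOST   # both are read by the config below
    mkdir -p "$PKI_ROOT/ca/private" "$PKI_ROOT/ca/newcerts" "$PKI_ROOT/server"
    : > "$PKI_ROOT/ca/index.txt"
    echo 01 > "$PKI_ROOT/ca/serial"

    # CA key and self-signed root (section 2, steps 2-3): SHA-256, 10 years.
    (umask 077; openssl genrsa -out "$PKI_ROOT/ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -key "$PKI_ROOT/ca/private/cakey.pem" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=ca.gdy.com" \
        -out "$PKI_ROOT/ca/cacert.pem"

    # Server key and CSR (section 3, steps 1-2): 2048 bits, CN = the LDAP FQDN.
    # A -days option on a CSR is ignored; validity is set by the CA at signing time.
    (umask 077; openssl genrsa -out "$PKI_ROOT/server/ldapkey.pem" 2048 2>/dev/null)
    openssl req -new -sha256 -key "$PKI_ROOT/server/ldapkey.pem" \
        -subj "/C=CN/ST=Shanghai/O=GDY/OU=Tech/CN=$host" -out "$PKI_ROOT/server/ldap.csr"

    # Minimal config for 'openssl ca' (section 3, step 3) in place of the system
    # /etc/pki/tls/openssl.cnf: SHA-256, 825 days, serverAuth EKU and a SAN.
    cat > "$PKI_ROOT/ca/ca.cnf" <<'EOF'
[ ca ]
default_ca      = gdy_ca
[ gdy_ca ]
dir             = ${ENV::PKI_ROOT}/ca
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 825
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:${ENV::LDAP_HOST}
EOF
    openssl ca -batch -config "$PKI_ROOT/ca/ca.cnf" \
        -in "$PKI_ROOT/server/ldap.csr" -out "$PKI_ROOT/server/ldapcert.pem" 2>/dev/null
}

# Section 3, step 5: does the issued certificate chain to this CA certificate?
verify_chain() {
    openssl verify -CAfile "$PKI_ROOT/ca/cacert.pem" "$PKI_ROOT/server/ldapcert.pem" >/dev/null 2>&1
}

# The check the post does not run: the key slapd loads must belong to the certificate
# it presents, otherwise slapd's TLS initialisation fails. Same RSA modulus means same key.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$PKI_ROOT/server/ldapcert.pem")
    k=$(openssl rsa  -noout -modulus -in "$PKI_ROOT/server/ldapkey.pem" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Signature algorithm of the issued certificate, e.g. sha256WithRSAEncryption.
signature_algorithm() {
    openssl x509 -noout -text -in "$PKI_ROOT/server/ldapcert.pem" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# subjectAltName entries of the issued certificate, e.g. DNS:mldap01.gdy.com.
san_names() {
    openssl x509 -noout -text -in "$PKI_ROOT/server/ldapcert.pem" |
        sed -n '/Subject Alternative Name/{n;s/^ *//p;}'
}

main() {
    PKI_ROOT=$(mktemp -d); export PKI_ROOT
    build_pki mldap01.gdy.com || { echo "issuance failed" >&2; exit 1; }
    verify_chain   && echo "chain:     OK"    || echo "chain:     FAILED"
    cert_key_match && echo "key/cert:  match" || echo "key/cert:  MISMATCH"
    echo "signature: $(signature_algorithm)"
    echo "SAN:       $(san_names)"
    echo "files:     $PKI_ROOT/ca and $PKI_ROOT/server"
}
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not installed" >&2; fi
```

To reproduce the production layout, set PKI_ROOT=/etc/pki on the CA and copy only server/ldapcert.pem and ca/cacert.pem to /etc/openldap/ssl on mldap01, generating the server key there instead, so that the private key never crosses the wire. cert_key_match is the first thing to run when s_client reports a handshake failure right after ClientHello, as in the troubleshooting section.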

    4. OpenLDAP client configuration

    1. Copy the CA certificate to the client (create /etc/openldap/ssl on the client first; only cacert.pem is distributed, never ldapkey.pem):

      [root@mldap01 ssl]# scp cacert.pem root@192.168.244.18:/etc/openldap/ssl/
      
      
    2. Configure /etc/openldap/ldap.conf, which the OpenLDAP command-line tools and libldap read. TLS_CACERT is the line that points at the PEM file; TLS_CACERTDIR expects a directory of hash-named certificates (or, with the CentOS 6 NSS build, an NSS certificate database) and can be dropped here:

      [root@test01 ~]# grep -Ev "^$|^#" /etc/openldap/ldap.conf 
      TLS_CACERTDIR /etc/openldap/ssl
      TLS_CACERT /etc/openldap/ssl/cacert.pem
      TLS_REQCERT never 
      BASE dc=gdy,dc=com
      URI ldaps://mldap01.gdy.com
      

      TLS_REQCERT never | allow | try | demand | hard  sets whether the client requests and checks the server certificate (see ldap.conf(5)); the default is demand.

      • never: the client does not request or check any server certificate.
      • allow: the certificate is requested; if none is given or it is bad, the session proceeds anyway.
      • try: the certificate is requested; if none is given the session proceeds, but a bad certificate terminates it.
      • demand | hard: the certificate is requested; if none is given or it is bad, the session is terminated immediately.

      The configuration shown above uses never, which means the cacert.pem copied to the client in step 1 is never consulted: the session is encrypted, but the client accepts any certificate, including one presented by a machine on the path impersonating mldap01.gdy.com. Leave TLS_REQCERT at demand (or simply omit the line) once the CA certificate verifies, and do the same for tls_reqcert in nslcd.conf and pam_ldap.conf below; never is only useful to get past a certificate problem while debugging.
    3. Configure /etc/nslcd.conf (nss-pam-ldapd). ssl on with an ldaps:// uri means TLS from the first byte, as opposed to ssl start_tls with an ldap:// uri:

      [root@test01 ~]# grep -Ev "^$|^#" /etc/nslcd.conf 
      uid nslcd
      gid ldap
      uri ldaps://mldap01.gdy.com
      base dc=gdy,dc=com
      ssl on
      tls_cacertdir /etc/openldap/ssl
      tls_cacertfile /etc/openldap/ssl/cacert.pem
      tls_reqcert never
      
    4. Configure /etc/pam_ldap.conf:

      [root@test01 ~]# grep -Ev "^$|^#" /etc/pam_ldap.conf 
      host 127.0.0.1
      base dc=gdy,dc=com
      uri ldaps://mldap01.gdy.com
      ssl on
      tls_cacertdir /etc/openldap/ssl
      tls_cacertfile /etc/openldap/ssl/cacert.pem
      tls_reqcert never
      bind_policy soft

      bind_policy soft makes pam_ldap return a failure immediately when the server cannot be reached instead of retrying with back-off (the hard default), so logins fall through to the next PAM module rather than hanging. The host 127.0.0.1 line is the package default and is not needed once uri is set.

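An added shell example (not from the original post) that audits the three client files from this section for the setting discussed above: it reports the effective TLS_REQCERT / tls_reqcert value (last non-comment occurrence wins, matched case-insensitively, libldap's default of demand when the line is absent) and whether the uri is ldaps://. The two sample ldap.conf files it writes under mktemp are constructed here from the configuration shown above and are not files from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit LDAP client files for settings
# that leave the session unauthenticated. Reads files only; the samples in demo()
# are constructed here.
set -u

# Effective tls_reqcert value in a file: last non-comment occurrence wins, keyword
# matched case-insensitively (ldap.conf uses TLS_REQCERT, nslcd.conf and pam_ldap.conf
# use tls_reqcert). libldap's default when the option is absent is demand.
reqcert_of() {
    v=$(sed -n 's/^[[:space:]]*[Tt][Ll][Ss]_[Rr][Ee][Qq][Cc][Ee][Rr][Tt][[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-demand}" | tr 'A-Z' 'a-z'
}

# First uri/URI in a file; the scheme tells whether the session is TLS from the start.
uri_of() {
    sed -n 's/^[[:space:]]*[Uu][Rr][Ii][[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Returns 0 when the file demands a verified server certificate over ldaps://,
# 1 otherwise, printing one line per finding.
audit_file() {
    f="$1"; rc=0
    val=$(reqcert_of "$f"); u=$(uri_of "$f")
    case "$val" in
        demand|hard) ;;
        never|allow) echo "$f: tls_reqcert $val: server certificate not checked, an on-path attacker can impersonate the server"; rc=1 ;;
        try)         echo "$f: tls_reqcert try: a server that sends no certificate is accepted"; rc=1 ;;
        *)           echo "$f: unknown tls_reqcert value '$val'"; rc=1 ;;
    esac
    case "$u" in
        ldaps://*) ;;
        ldap://*)  echo "$f: uri $u is cleartext unless StartTLS is forced (ssl start_tls in nslcd.conf, -ZZ for the tools)"; rc=1 ;;
        "")        echo "$f: no uri set"; rc=1 ;;
    esac
    return $rc
}

demo() {
    d=$(mktemp -d)
    # Constructed samples: the ldap.conf from this section as shown, and the fixed version.
    cat > "$d/ldap.conf.as-posted" <<'EOF'
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT never
BASE dc=gdy,dc=com
URI ldaps://mldap01.gdy.com
EOF
    cat > "$d/ldap.conf.fixed" <<'EOF'
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT demand
BASE dc=gdy,dc=com
URI ldaps://mldap01.gdy.com
EOF
    for f in "$d/ldap.conf.as-posted" "$d/ldap.conf.fixed"; do
        if audit_file "$f"; then echo "$f: OK"; fi
    done
}
demo
```

Run it against the real files with audit_file /etc/openldap/ldap.conf /etc/nslcd.conf /etc/pam_ldap.conf in a loop; any file it flags is one where the cacert.pem distributed in step 1 is not actually protecting the session.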
    5. Client tests

    1. Test the TLS connection anonymously from the client:

      [root@test01 ~]# ldapwhoami -v -x -Z
      ldap_initialize( <DEFAULT> )
      ldap_start_tls: Operations error (1)
              additional info: TLS already started
      anonymous
      Result: Success (0)

      The "TLS already started" error here is expected and not a failure: -Z asks for the StartTLS extended operation, but the URI in ldap.conf is ldaps://, so the connection is already TLS before that request is sent. With a single -Z the failed StartTLS is non-fatal and the anonymous bind proceeds over the existing ldaps session, which is what "anonymous" and "Success (0)" show. To test StartTLS use an ldap:// URI with -ZZ (which fails if TLS cannot be started); to test ldaps:// drop -Z altogether.

    2. Authenticate an LDAP user with a password:

      [root@test01 ~]# ldapwhoami -D "uid=user1,ou=people,dc=gdy,dc=com" -W -H ldaps://mldap01.gdy.com -v
      ldap_initialize( ldaps://mldap01.gdy.com:636/??base )
      Enter LDAP Password: 
      dn:uid=user1,ou=people,dc=gdy,dc=com
      Result: Success (0)
      
    3. Search the directory from the client:

      [root@test01 ~]# ldapsearch -x -b 'dc=gdy,dc=com' -H ldaps://mldap01.gdy.com
      # extended LDIF
      #
      # LDAPv3
      # base <dc=gdy,dc=com> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      
      # gdy.com
      dn: dc=gdy,dc=com
      dc: gdy
      objectClass: top
      objectClass: domain
      
      # people, gdy.com
      ... (omitted)
      

    6. Troubleshooting

    1. openssl s_client fails as follows

      [root@mldap01 ~]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem 
      CONNECTED(00000003)
      SSL_connect:before/connect initialization
      SSL_connect:SSLv2/v3 write client hello A
      139640374728520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 0 bytes and written 247 bytes
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      ---
      

      Not resolved: the problem did not occur when openldap and the CA server were not on the same machine; next time I will try giving the CA and the LDAP server the same name.

  • Original URL: https://www.cnblogs.com/cishi/p/9160562.html