    OpenLDAP encrypted transport with nslcd

    http://www.openldap.org/faq/data/cache/185.html
    https://www.ibm.com/developerworks/cn/linux/1312_zhangchao_opensslldap/
    http://blog.sina.com.cn/s/blog_88cdde9f01019vdt.html
    http://phorum.study-area.org/index.php?topic=68194.0
    http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_設定

    startTLS & LDAPS

    Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). The terms (unless qualified with specific version numbers) are generally interchangeable.

    StartTLS is the name of the standard LDAP operation for initiating TLS/SSL. TLS/SSL is initiated upon successful completion of this LDAP operation. No alternative port is necessary. It is sometimes referred to as the TLS upgrade operation, as it upgrades a normal LDAP connection to one protected by TLS/SSL.

    ldaps:// and LDAPS refer to "LDAP over TLS/SSL" or "LDAP Secured". TLS/SSL is initiated upon connection to an alternative port (normally 636). Though the LDAPS port (636) is registered for this use, the particulars of the TLS/SSL initiation mechanism are not standardized.

    Once initiated, there is no difference between ldaps:// and StartTLS. They share the same configuration options (excepting ldaps:// requires configuration of a separate listener, see slapd(8)'s -h option) and result in like security services being established.
    

    Server side

    Copy the certificates

    cp /etc/pki/CA/{openldap.key,openldap.crt,ca.crt} /etc/openldap/certs/
    

    Configure slapd.conf

    TLSVerifyClient never # whether to verify the client's identity; the value is one of never/allow/try/demand
    #never  the client's identity is not verified; the client only needs the CA certificate
    #allow  the server asks the client for a certificate; if the client provides none, the session proceeds normally
    #try    the client provides a certificate, but the server may be unable to validate it; the certificate is ignored and the session proceeds normally
    #demand the server must authenticate the client; the client needs its own certificate and private key
    
    vim /etc/openldap/slapd.conf
    Add the following entries:
    TLSCACertificateFile /etc/openldap/certs/ca.crt
    TLSCertificateFile /etc/openldap/certs/openldap.crt
    TLSCertificateKeyFile /etc/openldap/certs/openldap.key
    TLSVerifyClient never
    

    Enable LDAPS

    vim /etc/sysconfig/slapd
    SLAPD_URLS="ldapi:/// ldap:///" -> SLAPD_URLS="ldapi:/// ldaps:///"
    
    # If StartTLS is used, this step is not needed
    

    Apply the configuration

    rm -rf /etc/openldap/slapd.d/*
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap:ldap /etc/openldap/slapd.d
    systemctl restart slapd
    

    Service ports

    # StartTLS keeps using port 389
    netstat -nlp -t |grep :389
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name            
    tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1981/slapd                      
    tcp6       0      0 :::389                  :::*                    LISTEN      1981/slapd 
    
    # LDAPS listens on port 636
    netstat -nlp -t |grep :636
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name            
    tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1981/slapd          
    tcp6       0      0 :::636                  :::*                    LISTEN      1981/slapd          
    

    Test StartTLS

    On the LDAP server, in /etc/openldap/ldap.conf
    add the following:
    TLS_REQCERT  never

    Run ldapsearch -x -ZZ, then check the log; if it contains TLS established tls_ssf=256 ssf=256, the server-side configuration is working:
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 ACCEPT from IP=[::1]:39720 (IP=[::]:389)
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 STARTTLS
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 RESULT oid= err=0 text=
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 TLS established tls_ssf=256 ssf=256
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 BIND dn="" method=128
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 RESULT tag=97 err=0 text=
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=2 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=3 UNBIND
    Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 closed
    
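    As an added example (not part of the original post), the following Python checks slapd log lines of the format shown above: for each TCP connection it records whether "TLS established" was logged before any simple bind that carries a DN (and therefore a password), so a client still binding in cleartext stands out. The sample log is constructed: it copies the post's conn=1003 session and adds a hypothetical cleartext bind (conn=1004) and a local ldapi socket connection (conn=1005); the DNs on those two lines are assumed.

```python
import re

# Constructed sample log: the post's StartTLS session (conn=1003) plus a
# hypothetical cleartext simple bind (conn=1004) and a local ldapi socket
# connection (conn=1005). The DNs ou=People and cn=Manager are assumed.
SAMPLE_LOG = """\
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 ACCEPT from IP=[::1]:39720 (IP=[::]:389)
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 STARTTLS
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 TLS established tls_ssf=256 ssf=256
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 BIND dn="" method=128
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 closed
Sep 22 15:24:01 openldap-01 slapd[1981]: conn=1004 fd=23 ACCEPT from IP=10.0.1.53:51022 (IP=[::]:389)
Sep 22 15:24:01 openldap-01 slapd[1981]: conn=1004 op=0 BIND dn="uid=u01,ou=People,dc=suntv,dc=tv" method=128
Sep 22 15:24:01 openldap-01 slapd[1981]: conn=1004 fd=23 closed
Sep 22 15:24:05 openldap-01 slapd[1981]: conn=1005 fd=24 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Sep 22 15:24:05 openldap-01 slapd[1981]: conn=1005 op=0 BIND dn="cn=Manager,dc=suntv,dc=tv" method=128
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from (IP|PATH)=")
TLS_UP = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+)")
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed")

def find_cleartext_binds(log_text):
    """Return [(conn, dn)] for simple binds with a DN (method=128, so a password
    is on the wire) on TCP connections that never logged "TLS established".
    ldapi (PATH=) connections are local Unix sockets and are skipped."""
    transport, tls_ssf, findings = {}, {}, []
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            transport[m.group(1)] = m.group(2)        # "IP" (TCP) or "PATH" (ldapi)
        elif m := TLS_UP.search(line):
            tls_ssf[m.group(1)] = int(m.group(2))     # TLS layer is up on this conn
        elif m := BIND.search(line):
            conn, dn, method = m.groups()
            if dn and method == "128" and transport.get(conn) == "IP" and conn not in tls_ssf:
                findings.append((conn, dn))
        elif m := CLOSED.search(line):
            transport.pop(m.group(1), None)           # drop state once the conn ends
            tls_ssf.pop(m.group(1), None)
    return findings

if __name__ == "__main__":
    for conn, dn in find_cleartext_binds(SAMPLE_LOG):
        print("cleartext simple bind on conn=%s dn=%s" % (conn, dn))
```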

    Test LDAPS

    # openssl verify -CAfile /etc/openldap/certs/ca.crt /etc/openldap/certs/openldap.crt 
    /etc/openldap/certs/openldap.crt: OK
    
    # openssl s_client -connect slave.local:636 -showcerts -state -CAfile /etc/openldap/certs/ca.crt
    ---
    Server certificate
    subject=/C=CN/ST=Beijing/O=TVM/OU=Tech Dept/CN=OPENLDAP
    issuer=/C=CN/ST=Beijing/L=Beijing/O=TVM/OU=Tech Dept/CN=CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 2354 bytes and written 375 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 022E6922974AD42984230001FC3CD5923A44B73FFE94CE324BA12A58B120DDBF
        Session-ID-ctx: 
        Master-Key: CCFF58FFF333BA758C31123C9DC469F4BA752B2464B6CE5C4B998012C329D319898F873617CD98F6970AEA7CE5F413D8
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1474511415
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    

    Client side

    Use nslcd (Naming services LDAP client daemon)

    yum -y install openldap-clients nss-pam-ldapd
    

    Configure the client

    # StartTLS
    authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldap://master.local,ldap://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update
    
    # LDAPS
    authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldaps://master.local,ldaps://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update
    # Note the server URIs: --ldapserver=ldaps://master.local,ldaps://slave.local
    

    Download the server's CA certificate

    wget http://master.local/ca.crt -O /etc/openldap/cacerts/ca.crt
    
    # ls -lh /etc/openldap/cacerts
    total 4.0K
    lrwxrwxrwx 1 root root    6 Sep 22 12:31 100934e9.0 -> ca.crt
    -rw------- 1 root root 1.3K Sep 22 12:30 ca.crt
    

    Configure /etc/openldap/ldap.conf

    TLS_REQCERT [never | allow | try | demand | hard] # whether the server certificate is checked in the TLS session.
    never: no certificate is checked at all.
    allow: the server certificate is checked; if none is provided or it is bad, the connection is still allowed.
    try: the server certificate is checked; if none is provided the connection is allowed, if it is bad the connection is terminated.
    demand | hard: the server certificate is checked; if none is provided or it is bad, the connection is terminated immediately.
    
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_CACERT /etc/openldap/cacerts/ca.crt
    TLS_REQCERT never 
    

    Configure /etc/nslcd.conf

    ssl start_tls # StartTLS
    or: ssl on # LDAPS
    tls_cacertdir /etc/openldap/cacerts
    tls_cacertfile /etc/openldap/cacerts/ca.crt
    tls_reqcert never
    
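    As an added example (not from the post or from nss-pam-ldapd), the Python below audits the ldap.conf and nslcd.conf settings from the two sections above: it flags tls_reqcert values other than demand/hard (the post's never encrypts the session but accepts any certificate as the server's), a missing trust anchor, and an nslcd ssl mode that does not fit the URI scheme. The sample configurations are constructed from the post's values; the nslcd uri line is assumed to carry the URIs that authconfig was given.

```python
# Added example (not from the original post): audit the client TLS settings
# in ldap.conf and nslcd.conf. The post uses TLS_REQCERT/tls_reqcert never,
# which encrypts the session but accepts any certificate as the server's.

def parse_conf(text):
    """Map 'KEY value' lines to {key_lowercased: value}; '#' comments are dropped
    and repeated keys (e.g. several uri lines) are merged into one value."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            key, value = key.lower(), value.strip()
            opts[key] = (opts[key] + " " + value) if key in opts else value
    return opts

def audit(ldap_conf, nslcd_conf):
    """Return a list of findings; an empty list means the TLS settings are sound."""
    lc, nc = parse_conf(ldap_conf), parse_conf(nslcd_conf)
    findings = []
    # Only demand (alias hard) aborts on a missing or bad server certificate;
    # never/allow/try let the session continue, so a spoofed server is accepted.
    for name, opts in (("ldap.conf", lc), ("nslcd.conf", nc)):
        value = opts.get("tls_reqcert", "<unset>")
        if value not in ("demand", "hard"):
            findings.append("%s: tls_reqcert %s does not enforce server verification" % (name, value))
    # demand needs a trust anchor to verify against.
    if not (lc.get("tls_cacert") or lc.get("tls_cacertdir")):
        findings.append("ldap.conf: no TLS_CACERT or TLS_CACERTDIR")
    if not (nc.get("tls_cacertfile") or nc.get("tls_cacertdir")):
        findings.append("nslcd.conf: no tls_cacertfile or tls_cacertdir")
    # StartTLS upgrades a plain ldap:// connection; ldaps:// URIs need ssl on.
    uris = nc.get("uri", "").split()
    ssl = nc.get("ssl", "off")
    if ssl == "start_tls" and any(u.startswith("ldaps://") for u in uris):
        findings.append("nslcd.conf: ssl start_tls with an ldaps:// uri; use ssl on")
    if ssl == "off" and not (uris and all(u.startswith("ldaps://") for u in uris)):
        findings.append("nslcd.conf: no TLS, simple binds send passwords in cleartext")
    return findings

# Constructed samples: the post's settings, and a hardened variant.
POST_LDAP_CONF = "TLS_CACERTDIR /etc/openldap/cacerts\nTLS_CACERT /etc/openldap/cacerts/ca.crt\nTLS_REQCERT never\n"
POST_NSLCD_CONF = "uri ldap://master.local/ ldap://slave.local/\nssl start_tls\ntls_cacertdir /etc/openldap/cacerts\ntls_cacertfile /etc/openldap/cacerts/ca.crt\ntls_reqcert never\n"
HARDENED_LDAP_CONF = POST_LDAP_CONF.replace("never", "demand")
HARDENED_NSLCD_CONF = POST_NSLCD_CONF.replace("never", "demand")

if __name__ == "__main__":
    for finding in audit(POST_LDAP_CONF, POST_NSLCD_CONF):
        print(finding)
```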

    Restart the nslcd service

    systemctl restart nslcd
    systemctl enable nslcd
    

    Configure /etc/nsswitch.conf

    Change to:
    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    

    Test

    # ldapwhoami -v -x -Z
    ldap_initialize( <DEFAULT> )
    ldap_start_tls: Operations error (1)
    	additional info: TLS already started
    anonymous
    Result: Success (0)
    
    # ldapsearch -x -Z -H ldaps://slave.local -b 'ou=group,dc=suntv,dc=tv'
    ldap_start_tls: Operations error (1)
    	additional info: TLS already started
    # extended LDIF
    #
    # LDAPv3
    # base <ou=group,dc=suntv,dc=tv> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # Group, suntv.tv
    dn: ou=Group,dc=suntv,dc=tv
    ou: Group
    objectClass: top
    objectClass: organizationalUnit
    
    # g01, Group, suntv.tv
    dn: cn=g01,ou=Group,dc=suntv,dc=tv
    objectClass: posixGroup
    objectClass: top
    cn: g01
    gidNumber: 2001
    
    # g02, Group, suntv.tv
    dn: cn=g02,ou=Group,dc=suntv,dc=tv
    objectClass: posixGroup
    objectClass: top
    cn: g02
    gidNumber: 2002
    
    # search result
    search: 3
    result: 0 Success
    
    # numResponses: 4
    # numEntries: 3
    

    Account login test

    ssh u01@10.0.1.53
    
    passwd
    
    Original URL: https://www.cnblogs.com/liujitao79/p/5893561.html