7. OpenLDAP with SSL/TLS encrypted authentication


    Author: yaoyao

    1. Server-side deployment

    1. Build a private CA

    1. The CA generates its own private key

    #cd /etc/pki/CA
    #(umask 077; openssl genrsa -out private/cakey.pem 2048)
    

    2. The CA signs its own public key (self-signed CA certificate)

    #openssl  req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    The command prints the following prompts; answer them as shown
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BeiJing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:liuyao.com
    Organizational Unit Name (eg, section) []:Devops
    Common Name (eg, your name or your server's hostname) []:ldap.liuyao.com
    Email Address []:870000@163.com
    

    3. Create the index.txt and serial files

    index.txt records the certificates the CA has issued, and serial holds the serial number for the next certificate; the starting value can be chosen freely and is used to identify issued certificates
    #touch serial index.txt
    #echo "01" > serial 
    

    4. Inspect the CA certificate with openssl

    #openssl x509 -noout -text -in /etc/pki/CA/cacert.pem 
    

    2. Integrate LDAP with the CA

    1. Obtain the LDAP server certificate

    #mkdir /etc/openldap/ssl
    #cd /etc/openldap/ssl
    Generate the server's private key
    #(umask 077; openssl genrsa -out ldapkey.pem 1024)
    Create a certificate signing request for the CA. With the default policy in openssl.cnf (policy_match), the country, state/province and organization in the request must be identical to those in the CA certificate, otherwise the CA refuses to sign
    #openssl req -new -key ldapkey.pem -out ldap.csr -days 3650
    (-days has no effect on a CSR; the validity period is set when the CA signs it)
    

    2. The CA checks the request and, if it passes, issues the certificate

    # openssl ca -in ldap.csr -out ldapcert.pem -days 3650
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 31 11:01:24 2017 GMT
                Not After : Jul  8 11:01:24 2027 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Beijing
                organizationName          = liuyao
                organizationalUnitName    = devops
                commonName                = ldap.liuyao.com
                emailAddress              = 870000@163.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    5B:9E:1A:5C:FD:B:51:BC:89:F0:33:3E:D4:E:1B:27:78:1D:95:F5:7F
                X509v3 Authority Key Identifier: 
                    keyid:76:49:FA:96:6C:F5:B7:B4:95:FC:89:F0:33:3E:5:9:9A:74:29:DB:06
    
    Certificate is to be certified until Jul  8 11:01:24 2027 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
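    The CA and server-certificate steps above, as an added example that is not code from the original post: the same flow run non-interactively in a scratch directory with a minimal openssl.cnf of its own, so it can be repeated and the policy_match rule can be seen refusing a mismatched request. It assumes openssl is installed; the subject values, paths and 2048-bit keys are the example's own.

```shell
# Added example, not code from the original post: the post's CA and server-cert flow run
# non-interactively in a scratch directory with a minimal openssl.cnf that keeps the stock
# "policy_match" rule (C, ST, O must equal the CA's). Assumes openssl; values constructed.

# setup_ca DIR: CA layout (serial, index.txt), CA private key and self-signed CA cert.
setup_ca() {
    ca=$1; mkdir -p "$ca/private" "$ca/newcerts" && : > "$ca/index.txt" && echo 01 > "$ca/serial" || return 1
    cat > "$ca/openssl.cnf" <<EOF || return 1
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $ca/index.txt
new_certs_dir = $ca/newcerts
serial = $ca/serial
certificate = $ca/cacert.pem
private_key = $ca/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = server_ext
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -days 365 -config "$ca/openssl.cnf" -extensions ca_ext \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj "/C=CN/ST=Beijing/O=example.test/CN=ca.example.test" 2>/dev/null
}

# issue_server_cert CADIR OUTDIR SUBJECT: server key, CSR, CA signature, then the post's
# "openssl verify" check; non-zero if a step fails, e.g. C/ST/O differing from the CA's.
issue_server_cert() {
    ca=$1; out=$2; subj=$3; mkdir -p "$out" || return 1
    (umask 077; openssl genrsa -out "$out/ldapkey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -config "$ca/openssl.cnf" -key "$out/ldapkey.pem" \
        -out "$out/ldap.csr" -subj "$subj" 2>/dev/null || return 1
    openssl ca -batch -days 3650 -config "$ca/openssl.cnf" -in "$out/ldap.csr" \
        -out "$out/ldapcert.pem" 2>/dev/null || return 1
    openssl verify -CAfile "$ca/cacert.pem" "$out/ldapcert.pem" >/dev/null 2>&1
}
```

Calling setup_ca with a directory and then issue_server_cert with a matching subject reproduces the post's ldapkey.pem, ldap.csr and ldapcert.pem; a request whose ST or O differs from the CA's is rejected and the function returns non-zero.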
    

    3. Deploy

    1. Put the certificate files in place and adjust their permissions

    #cd /etc/openldap/ssl/
    #cp /etc/pki/CA/cacert.pem .
    

    2. Edit the configuration files

    #vim /etc/sysconfig/ldap
    SLAPD_LDAPS=yes
    
    #vim /etc/openldap/slapd.conf
    TLSCACertificateFile /etc/openldap/ssl/cacert.pem
    TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
    TLSCertificateKeyFile  /etc/openldap/ssl/ldapkey.pem
    TLSVerifyClient never
    (never: the server does not request a client certificate; clients authenticate with a bind DN and password over the encrypted connection)
    

    3. Test the configuration and generate the slapd.d configuration database

    #slaptest -u
    #rm -rf /etc/openldap/slapd.d/*
    #slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
    

    4. Start the service

    #chown -R ldap.ldap /etc/openldap/slapd.d /etc/openldap/ssl
    #/etc/init.d/slapd restart
    Check with netstat -tnlp; the encrypted (LDAPS) port is 636
    

    4. Test

    1. Check that the server certificate verifies against the CA

    #openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem 
    /etc/openldap/ssl/ldapcert.pem: OK
    

    2. Check that the certificate presented on the live socket verifies against the CA

    #openssl s_client -connect ldap.liuyao.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
    

    2. Client-side deployment

    1. Copy the CA certificate to the client

    #scp root@<ldap-server-ip>:/etc/pki/CA/cacert.pem /etc/openldap/cacerts
    

    2. Configure LDAP with TLS

    #authconfig-tui
    Set the server address and enable TLS. There should be a screenshot here, but I don't have one.
    

    3. Edit the related files

    #vim /etc/pam_ldap.conf
    ssl on
    #vim /etc/nslcd.conf 
    ssl on
    

    4. Start the service

    #/etc/init.d/nslcd restart
    #chkconfig nslcd on
    

    5. Test

    #ldapwhoami -v -x -Z
    
    # ldapwhoami -D "uid=liuyao,ou=devops,dc=liuyao,dc=com" -W -H ldaps://ldap.liuyao.com -v 
        ldap_initialize( ldaps://ldap.liuyao.com:636/??base )
        Enter LDAP Password: 
        dn:uid=liuyao,ou=devops,dc=liuyao,dc=com
        Result: Success (0)
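    The client configuration above only switches TLS on. As an added example that is not from the original post, the check below reads an nslcd.conf-style file and reports whether it also pins the CA file that was copied to the client and demands certificate verification, so that a server presenting a certificate from any other CA is rejected. tls_cacertfile and tls_reqcert are real nslcd.conf options; the sample configs and the placeholder CA file are constructed for the example.

```shell
# Added example, not from the original post: a check that a client config written as
# nslcd.conf-style "key value" lines does not merely turn TLS on (the post's "ssl on") but
# also pins the copied CA file and demands certificate verification. tls_cacertfile and
# tls_reqcert are real nslcd.conf options; the sample configs and CA file are constructed.

# conf_value FILE KEY: value of the last uncommented "KEY value" line (empty if absent).
conf_value() {
    awk -v k="$2" 'tolower($1) == k { v = $2 } END { print v }' "$1"
}

# tls_verification_enforced FILE: 0 only when ssl is on (or start_tls), tls_reqcert is
# demand or hard, and tls_cacertfile names a non-empty file (the CA cert scp'd over).
tls_verification_enforced() {
    f=$1
    case "$(conf_value "$f" ssl)" in
        on|start_tls) ;;
        *) echo "$f: ssl is not enabled"; return 1 ;;
    esac
    case "$(conf_value "$f" tls_reqcert)" in
        demand|hard) ;;
        *) echo "$f: tls_reqcert must be demand or hard"; return 1 ;;
    esac
    cafile=$(conf_value "$f" tls_cacertfile)
    [ -n "$cafile" ] && [ -s "$cafile" ] || { echo "$f: tls_cacertfile missing or empty"; return 1; }
    return 0
}

# write_samples DIR: a config with only the post's "ssl on" next to one that also verifies.
write_samples() {
    dir=$1; mkdir -p "$dir" || return 1
    printf 'constructed placeholder, not a real certificate\n' > "$dir/cacert.pem"
    printf 'uri ldaps://ldap.example.test\nbase dc=example,dc=test\nssl on\n' > "$dir/weak.conf"
    cat > "$dir/strict.conf" <<EOF
uri ldaps://ldap.example.test
base dc=example,dc=test
ssl on
tls_reqcert demand
tls_cacertfile $dir/cacert.pem
EOF
}
```

Run write_samples on a scratch directory and then tls_verification_enforced on each file: weak.conf fails with a reason, strict.conf passes.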
    
    Original article: https://www.cnblogs.com/liu-yao/p/7LDAP-shi-yongssl-jia-mi-ren-zheng.html