This article describes how to secure an LDAP server with SSL/TLS on Ubuntu 18.04/16.04. Install LDAP and its client first; see the articles on installing an OpenLDAP server on Ubuntu 18.04 and on configuring an LDAP client on Ubuntu 18.04/16.04 (which also covers installing phpLDAPadmin). The server is protected with an SSL/TLS certificate and key. There are two ways to obtain an SSL certificate for the LDAP server: generate a self-signed certificate, or buy one from a trusted CA. This article uses a self-signed certificate.
1. Generate a self-signed SSL certificate

Log in to the LDAP server and generate the SSL certificate that will be used:

    # cd /etc/ssl/private
    # openssl genrsa -aes128 -out ldap_server.key 4096
    Generating RSA private key, 4096 bit long modulus
    ..........................................++
    ......................++
    e is 65537 (0x010001)
    Enter pass phrase for ldap_server.key: <Set passphrase>
    Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>

Remove the passphrase from the generated private key:

    # openssl rsa -in ldap_server.key -out ldap_server.key
    Enter pass phrase for ldap_server.key: <Enter passphrase>
    writing RSA key

Then generate the CSR (change the parameters to suit your site; for example, ywnz sets the Organization Name to ywnz):

    # openssl req -new -days 3650 -key ldap_server.key -out ldap_server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Hainan
    Locality Name (eg, city) []:Sanya
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ywnz
    Organizational Unit Name (eg, section) []:ywnz
    Common Name (e.g. server FQDN or YOUR name) []:ldap.example.com
    Email Address []:admin@example.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Then sign your certificate:

    # openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650
    Signature ok
    subject=C = KE, ST = Hainan, L = Sanya, O = ywnz, OU = ywnz, CN = ldap.example.com, emailAddress = admin@example.com
    Getting Private key
2. Configure SSL on the LDAP server

Copy the certificate and key to the /etc/ldap/sasl2/ directory:

    cp /etc/ssl/private/{ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/

Set ownership of the certificates to the openldap user:

    chown -R openldap. /etc/ldap/sasl2

Configure the LDAP server to use the SSL certificate by creating an LDIF file for the SSL settings (each modification in the record is separated by a line containing only "-"):

    # vim ldap_ssl.ldif
    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
    -
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key

Apply the configuration with the following command:

    # ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
3. Configure the LDAP client

Configure the LDAP client so that the connection between client and server is encrypted. Add the TLS_REQCERT allow line to /etc/ldap/ldap.conf (tee -a appends the line instead of overwriting the file):

    echo "TLS_REQCERT allow" | tee -a /etc/ldap/ldap.conf

Now enable the OpenLDAP SSL mechanism by uncommenting the following lines in /etc/ldap.conf:

    # vim /etc/ldap.conf
    ssl start_tls
    ssl on

At this point the SSL connection between the LDAP client and server is in place.
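The key and certificate steps of section 1 run non-interactively, with a subjectAltName so that a client configured with TLS_CACERT and TLS_REQCERT demand (rather than the allow setting of section 3) can verify the host name, plus a check that the key and certificate belong together. This is an added example, not code from the original article; the FQDN, output directory and DN fields are assumed values.

```shell
#!/bin/sh
# Added example (not from the original article): the key and certificate
# steps of section 1 run non-interactively, with a subjectAltName, plus a
# check that the key and certificate match. FQDN, output directory and the
# DN fields below are assumed values.
set -eu

# Generate an unencrypted 4096-bit RSA key and a self-signed certificate
# for FQDN, writing OUTDIR/ldap_server.key and OUTDIR/ldap_server.crt.
gen_ldap_cert() {
    fqdn="$1"; outdir="$2"
    mkdir -p "$outdir"
    cfg="$outdir/openssl.cnf"
    # Minimal req config: CN and SAN both carry the server FQDN, and the
    # certificate is marked as a server certificate rather than a CA.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[dn]
C = CN
O = ywnz
CN = $fqdn
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    # The key is written without a passphrase so slapd can load it at
    # startup (the article encrypts it first and then strips the passphrase).
    openssl genrsa -out "$outdir/ldap_server.key" 4096 2>/dev/null
    chmod 600 "$outdir/ldap_server.key"
    openssl req -new -x509 -days 3650 -config "$cfg" \
        -key "$outdir/ldap_server.key" -out "$outdir/ldap_server.crt"
}

# Print 1 if the certificate's public key matches the private key and its
# SAN names FQDN (what a client with TLS_REQCERT demand checks), else 0.
check_ldap_cert() {
    fqdn="$1"; outdir="$2"
    key_mod=$(openssl rsa -noout -modulus -in "$outdir/ldap_server.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$outdir/ldap_server.crt")
    san=$(openssl x509 -noout -text -in "$outdir/ldap_server.crt" \
        | grep -c "DNS:$fqdn" || true)
    if [ "$key_mod" = "$crt_mod" ] && [ "$san" -ge 1 ]; then echo 1; else echo 0; fi
}
```

With TLS_REQCERT allow, as used in section 3, the client continues even when the server certificate is missing or fails verification, so copying ldap_server.crt to the client as TLS_CACERT together with TLS_REQCERT demand is what makes the connection actually verified.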