OpenLDAP加密传输配置(CA服务器与openldap服务器异机)

阅读视图

环境准备

CA证书服务器搭建

OpenLDAP服务端与CA集成

OpenLDAP客户端配置

客户端测试验证

故障处理

1. 环境准备

服务器规划

主机	系统版本	IP地址	主机名	时间同步	防火墙	SElinux
ldap服务端	Centos 6.9最小化安装	192.168.244.17	mldap01.gdy.com	必须同步	关闭	关闭
ldap客户端	Centos 6.9最小化安装	192.168.244.18	test01.gdy.com	必须同步	关闭	关闭
CA证书服务器	Centos 6.9最小化安装	192.168.244.23	mldap01.gdy.com	必须同步	关闭	关闭

本文环境按照02-openldap服务端安装配置搭建出最基本的环境，用户数据来自02-openldap服务端安装配置中的第十步

2. CA证书服务器搭建

安装OpenSSL软件

[root@ca ~]# rpm -qa | grep openssl
openssl-1.0.1e-57.el6.x86_64

CA中心生成自身私钥，命令如下。

[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................................+++
......................+++
e is 65537 (0x10001)

CA签发自身公钥，命令如下。

[root@ca CA]# openssl  req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:GDY
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.gdy.com
Email Address []:[email protected]

其中，各个字段含义如下。

Country Name(2 letter code)：两个字母的国家代号
State or Province Name(full name)[]：省份
Locality Name(eg, city)[Default City]：市或地区
Organization Name(eg, company)[Default Company Ltd]: 公司名称
Organizational Unit Name(eg, section)[]：部门名称，例如Tech
Common Name(eg, your name or your server's hostname)[]：通用名称，例如OL服务器的域名或IP地址。
Email Address []：邮件地址

创建数据库文件及证书序列文件，命令如下
```
[root@ca CA]# ls -lh
total 20K
-rw-r--r--  1 root root 1.4K Jun  1 17:04 cacert.pem
drwxr-xr-x. 2 root root 4.0K Mar 23  2017 certs
drwxr-xr-x. 2 root root 4.0K Mar 23  2017 crl
drwxr-xr-x. 2 root root 4.0K Mar 23  2017 newcerts
drwx------. 2 root root 4.0K Jun  1 17:01 private
[root@ca CA]# touch serial index.txt
[root@ca CA]# echo "01" > serial 
```
目录文件用途如下
- cacert.pem：CA自身证书文件（可根据自己需求进行修改）
- certs：客户端证书存放目录
- crl：CA吊销的客户端证书存放目录
- newcerts：生成新证书存放目录
- index.txt：存放客户端证书信息
- serial：客户端证书编号（编号可自定义），用于识别客户端证书。
- private：存放CA自身私钥的目录

通过OpenSSL命令获取根证书信息，命令如下

[root@ca CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14795263444614255073 (0xcd5355b6d68e11e1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/[email protected]
        Validity
            Not Before: Jun  5 07:06:49 2018 GMT
            Not After : May 12 07:06:49 2118 GMT
        Subject: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:0a:fa:87:16:4b:75:94:d6:98:a5:75:f5:93:
                    44:60:0c:c4:bc:d6:5e:3e:be:4c:29:41:36:5c:2d:
                    b8:c8:1e:97:10:38:0a:2d:60:0e:d9:38:5f:f5:7b:
                    ab:af:b6:35:d5:48:c0:50:c3:1e:17:5b:a8:c6:f8:
                    75:55:c7:0b:fb:7e:68:fc:a6:77:f9:7a:9a:d0:8f:
                    5a:c6:ca:c7:a7:b5:34:d4:ca:13:d6:3c:b6:aa:86:
                    7e:8f:17:24:f7:ce:b0:5f:11:3b:8a:6a:40:50:cc:
                    5c:b5:cc:b3:e2:17:be:f6:ab:f6:ae:6a:2f:58:88:
                    5f:12:65:58:cb:17:5e:00:51:ec:31:64:a7:d6:02:
                    63:b3:63:cc:00:87:49:67:a2:60:a0:82:ed:a8:08:
                    c5:77:c1:0a:04:42:9d:f2:c5:31:e7:b4:ee:67:f7:
                    28:05:27:a0:b3:06:b0:89:b5:8d:3c:14:79:6c:30:
                    ca:d3:90:8f:e5:72:61:13:c3:4d:bc:5a:80:9f:85:
                    3a:20:4c:9b:0d:bb:c0:bd:d5:98:65:0b:0e:29:e2:
                    45:ed:c2:e8:1c:74:e7:94:9b:07:49:28:06:13:44:
                    98:b5:a9:e3:46:59:99:77:e8:12:a8:91:38:bc:9f:
                    ef:48:b2:8f:58:8d:7c:a3:ba:fb:4f:e3:7b:8c:65:
                    20:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
            X509v3 Authority Key Identifier: 
                keyid:FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        38:9c:52:b7:a2:d8:03:60:ec:78:2a:4b:9b:b8:02:10:44:09:
        39:d3:e9:d0:b2:9a:bc:d5:2d:1d:a1:92:12:d7:06:c7:2c:c7:
        27:95:a5:8d:f1:db:e5:7b:09:d4:0e:a1:70:d9:d9:59:7b:54:
        5a:a0:19:b8:d4:ec:36:23:cf:8f:c1:a3:c3:a6:99:a6:3e:dc:
        1c:cc:8a:53:20:07:a6:f7:5d:c2:9d:7f:e2:ef:07:eb:f3:ca:
        c2:9b:6d:47:f1:34:70:e7:56:44:db:2d:8a:46:26:21:ce:99:
        62:21:b2:05:51:86:8c:ba:25:9e:3b:81:e8:0f:68:73:21:75:
        d7:64:c2:ed:4a:3b:4a:9d:74:da:ca:3a:4f:df:1f:c1:a5:88:
        6e:08:a8:2f:9b:f8:75:00:0d:53:6b:be:24:97:f8:03:6a:69:
        87:56:ec:57:ae:85:a4:9c:71:fa:dd:f8:e6:d9:8c:69:d8:ab:
        66:6e:da:c8:5d:2f:a7:34:b5:17:65:79:3e:02:d9:81:64:6e:
        37:9d:e6:26:59:18:73:83:f6:06:c4:a0:ff:7e:90:e2:a3:5f:
        a7:01:41:c0:e6:bc:c8:ce:b6:19:0a:78:19:f6:16:9d:45:9b:
        e3:46:9c:6f:ca:d5:29:61:4b:38:95:e9:65:b5:62:8d:78:c4:
        83:8b:f8:10

自建CA完成

3. OpenLDAP服务端与CA集成

在openldap服务器上生成密钥

[root@mldap01 ~]# mkdir -pv /etc/openldap/ssl
mkdir: created directory `/etc/openldap/ssl'
[root@mldap01 ~]# cd /etc/openldap/ssl
[root@mldap01 ssl]# (umask 077; openssl genrsa -out ldapkey.pem 1024)
Generating RSA private key, 1024 bit long modulus
............................++++++
...++++++
e is 65537 (0x10001)
[root@mldap01 ssl]# ls -lh
total 4.0K
-rw------- 1 root root 887 Jun  5 15:26 ldapkey.pem

OpenLDAP服务端向CA申请证书签署请求，命令如下

[root@mldap01 ssl]# openssl req -new -key ldapkey.pem -out ldap.csr -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:GDY
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:mldap01.gdy.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

CA服务器核实并签发证书

如果CA服务器与openldap服务器不在同一台，需要将上述步骤生成的ldap.csr文件上传到CA服务器签署

先在openldap服务器上将ldap.csr文件上传到CA服务器签署
[root@mldap01 ssl]# scp ldap.csr root@ca:/root/   
The authenticity of host 'ca (192.168.244.23)' can't be established.
RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ca,192.168.244.23' (RSA) to the list of known hosts.
root@ca's password: 
ldap.csr                                                                                                                      100%  696     0.7KB/s   00:00  

[root@ca ~]# openssl ca -in ldap.csr -out ldapcert.pem -days 36500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  5 10:00:26 2018 GMT
            Not After : May 12 10:00:26 2118 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = GDY
            organizationalUnitName    = Tech
            commonName                = mldap01.gdy.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                26:1C:25:DA:AD:A0:E3:72:43:CD:AC:7F:77:9E:37:BD:1B:EF:1A:FE
            X509v3 Authority Key Identifier: 
                keyid:CB:DE:C2:81:45:FE:B3:10:02:95:DA:49:16:F6:FA:03:13:F6:3E:2E

Certificate is to be certified until May 12 10:00:26 2118 GMT (36500 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

然后将生成的ldapcert.pem文件和ca公钥文件发送至Openldap服务器/etc/openldap/ssl目录下
[root@ca ~]# scp ldapcert.pem /etc/pki/CA/cacert.pem [email protected]:/etc/openldap/ssl/
The authenticity of host '192.168.244.17 (192.168.244.17)' can't be established.
RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.244.17' (RSA) to the list of known hosts.
[email protected]'s password: 
ldapcert.pem                                                                                                                  100% 3828     3.7KB/s   00:00    
cacert.pem                                                                                                                    100% 1391     1.4KB/s   00:00

OpenLDAP TLS/SASL部署

修改证书权限
[root@mldap01 ssl]# chown ldap.ldap -R /etc/openldap
[root@mldap01 ssl]# chmod -R 0400 /etc/openldap/ssl/*

修改OpenLDAP配置文件，添加证书文件
[root@mldap01 ~]# vim /etc/openldap/slapd.conf
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile  /etc/openldap/ssl/ldapkey.pem
TlsVerifyClient never

TLSVerifyClient

通过CA证书公钥验证OpenLDAP服务端证书的合法性，命令如下

[root@mldap01 ~]# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem 
/etc/openldap/ssl/ldapcert.pem: OK

确认当前套接字是否通过CA的验证，命令如下

[root@mldap01 ssl]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem               
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = CN, ST = Shanghai, L = Shanghai, O = GDY, OU = Tech, CN = ca.gdy.com, emailAddress = [email protected]
verify return:1
depth=0 C = CN, ST = Shanghai, O = GDY, OU = Tech, CN = mldap01.gdy.com, emailAddress = [email protected]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=CN/ST=Shanghai/O=GDY/OU=Tech/CN=mldap01.gdy.com/[email protected]
i:/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=ca.gdy.com/[email protected]
-----BEGIN CERTIFICATE-----
MIIDajCCAlKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCQ04x

4. OpenLDAP客户端配置

将CA公钥证书发送至客户端

[root@mldap01 ssl]# scp cacert.pem [email protected]:/etc/openldap/ssl/

配置/etc/openldap/ldap.conf
```
[root@test01 ~]# grep -Ev "^$|^#" /etc/openldap/ldap.conf 
TLS_CACERTDIR /etc/openldap/ssl
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT never 
BASE dc=gdy,dc=com
URI ldaps://mldap01.gdy.com
```
TLS_REQCERT [never allow try demand | hard] # 设置是否在TLS会话中检查server证书。
- Never：不检查任何证书。
- Allow：检查server证书，没有证书或证书错误，都允许连接。
- Try：检查server证书，没有证书（允许连接），证书错误（终止连接）。
- demand | hard：检查server证书，没有证书或证书错误都将立即终止连接。

配置/etc/nslcd.conf

[root@test01 ~]# grep -Ev "^$|^#" /etc/nslcd.conf 
uid nslcd
gid ldap
uri ldaps://mldap01.gdy.com
base dc=gdy,dc=com
ssl on
tls_cacertdir /etc/openldap/ssl
tls_cacertfile /etc/openldap/ssl/cacert.pem
tls_reqcert never

配置/etc/pam_ldap.conf

[root@test01 ~]# grep -Ev "^$|^#" /etc/pam_ldap.conf 
host 127.0.0.1
base dc=gdy,dc=com
uri ldaps://mldap01.gdy.com
ssl on
tls_cacertdir /etc/openldap/ssl
tls_cacertfile /etc/openldap/ssl/cacert.pem
tls_reqcert never
bind_policy soft

5. 客户端测试验证

通过客户端匿名测试SSL连接是否正常，命令如下

[root@test01 ~]# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
ldap_start_tls: Operations error (1)
        additional info: TLS already started
anonymous
Result: Success (0)

LDAP用户验证密码, 命令如下

[root@test01 ~]# ldapwhoami -D "uid=user1,ou=people,dc=gdy,dc=com" -W -H ldaps://mldap01.gdy.com -v
ldap_initialize( ldaps://mldap01.gdy.com:636/??base )
Enter LDAP Password: 
dn:uid=user1,ou=people,dc=gdy,dc=com
Result: Success (0)

在客户端搜索OpenLDAP域信息, 命令如下

[root@test01 ~]# ldapsearch -x -b 'dc=gdy,dc=com' -H ldaps://mldap01.gdy.com
# extended LDIF
#
# LDAPv3
# base <dc=gdy,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# gdy.com
dn: dc=gdy,dc=com
dc: gdy
objectClass: top
objectClass: domain

# people, gdy.com
... 省略

故障处理

openssl s_client连接时报错如下

[root@mldap01 ~]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem 
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
139640374728520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

没有解决：openldap和ca服务器不在同一台时没有这个问题, 下次我ca和ldap服务器使用同一个名字试试

09-OpenLDAP加密传输配置