- Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). The terms (unless qualified with specific version numbers) are generally interchangeable.
- StartTLS is the name of the standard LDAP operation for initiating TLS/SSL. TLS/SSL is initiated upon successful completion of this LDAP operation. No alternative port is necessary. It is sometimes referred to as the TLS upgrade operation, as it upgrades a normal LDAP connection to one protected by TLS/SSL.
- ldaps:// and LDAPS refer to "LDAP over TLS/SSL" or "LDAP Secured". TLS/SSL is initiated upon connection to an alternative port (normally 636). Though the LDAPS port (636) is registered for this use, the particulars of the TLS/SSL initiation mechanism are not standardized.
- Once initiated, there is no difference between ldaps:// and StartTLS. They share the same configuration options (excepting ldaps:// requires configuration of a separate listener, see slapd(8)'s -h option) and result in like security services being established.
cp /etc/pki/CA/{openldap.key,openldap.crt,ca.crt} /etc/openldap/certs/
- TLSVerifyClient never # whether slapd requests and checks a client certificate; one of never/allow/try/demand (hard and true are synonyms of demand)
- #never  no client certificate is requested or checked; the client only needs the CA certificate (to verify the server)
- #allow  the server asks for a client certificate; if none is sent, or the one sent cannot be verified, it is ignored and the session continues
- #try    the server asks for a client certificate; if none is sent the session continues, but a certificate that cannot be verified terminates the session immediately
- #demand the server asks for a client certificate and terminates the session if none is sent or it cannot be verified; the client needs its own certificate and private key
- vim /etc/openldap/slapd.conf
- Add the following entries
- TLSCACertificateFile /etc/openldap/certs/ca.crt
- TLSCertificateFile /etc/openldap/certs/openldap.crt
- TLSCertificateKeyFile /etc/openldap/certs/openldap.key
- TLSVerifyClient never
- vim /etc/sysconfig/slapd
- SLAPD_URLS="ldapi:/// ldap:///" -> SLAPD_URLS="ldapi:/// ldaps:///"
- # Only needed for LDAPS; StartTLS runs on the existing ldap:/// listener. Replacing ldap:/// with ldaps:/// removes the 389 listener, so to offer StartTLS on 389 and LDAPS on 636 at the same time (as the netstat output below shows) keep ldap:/// in SLAPD_URLS alongside ldaps:///.
- # Regenerate the cn=config directory from slapd.conf (anything changed directly under cn=config is lost)
- rm -rf /etc/openldap/slapd.d/*
- slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
- chown -R ldap:ldap /etc/openldap/slapd.d
- systemctl restart slapd
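Before the rm -rf / slaptest / restart step it pays to confirm that the three files named in slapd.conf actually belong together: a key that does not match the certificate, a certificate that does not chain to ca.crt, or a certificate without the host name clients will use are the usual reasons slapd refuses to start or clients with TLS_REQCERT demand reject it. The following shell script is an added example, not part of the original page; check_slapd_tls_material and make_test_pki are my own names, the test material make_test_pki builds is constructed on the fly so the script runs stand-alone, and it assumes the openssl command line tool (1.0.2 or newer) plus a stat that accepts -c (GNU or busybox).

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight check of the three
# files that slapd.conf points at (TLSCACertificateFile, TLSCertificateFile,
# TLSCertificateKeyFile) before slapd.d is regenerated and slapd restarted.
# Assumes the openssl command line tool (1.0.2 or newer) and GNU/busybox stat.

# check_slapd_tls_material CA CERT KEY HOSTNAME
# Prints a FAIL line for every check that does not pass; returns 0 only if all pass.
check_slapd_tls_material() {
    ca=$1; cert=$2; key=$3; host=$4; rc=0

    # 1. Pairing: the public key inside the certificate must equal the public
    #    key derived from the private key (both printed as SPKI PEM).
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi

    # 2. Chain: the certificate must verify against the CA file that clients
    #    will be given as TLS_CACERT, or TLS_REQCERT demand rejects the server.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; rc=1
    fi

    # 3. Name: the host name clients put in their URI must be covered by the
    #    certificate (subjectAltName, or CN as a fallback).
    if ! openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not valid for host name $host"; rc=1
    fi

    # 4. Secrecy: slapd runs as the ldap user; the key must not be readable by
    #    "other" (the last octal digit of the mode has to be 0).
    case $(stat -c %a "$key" 2>/dev/null) in
        *[1-7]) echo "FAIL: $key is readable by other users"; rc=1 ;;
    esac
    return $rc
}

# make_test_pki DIR HOSTNAME
# Constructed test material (not real CA output): a throwaway CA and a server
# certificate for HOSTNAME, written under the file names the page uses. Uses
# its own minimal config so the system openssl.cnf does not interfere.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$host" \
        -keyout "$dir/openldap.key" -out "$dir/openldap.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/openldap.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.cnf" \
        -out "$dir/openldap.crt" >/dev/null 2>&1
    chmod 600 "$dir/openldap.key"
}

# Stand-alone run: "sh check_tls.sh selftest" builds test material and checks it.
# On a real server call check_slapd_tls_material on the files under /etc/openldap/certs.
if [ "${1:-}" = "selftest" ]; then
    d=$(mktemp -d)
    make_test_pki "$d" master.local
    check_slapd_tls_material "$d/ca.crt" "$d/openldap.crt" "$d/openldap.key" master.local \
        && echo "OK: $d/openldap.crt is ready for slapd"
    rm -rf "$d"
fi
```

On the server from the page the call would be check_slapd_tls_material /etc/openldap/certs/ca.crt /etc/openldap/certs/openldap.crt /etc/openldap/certs/openldap.key master.local; the host name argument is whatever the clients put after ldap:// or ldaps://, not necessarily the machine's own hostname.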
- # StartTLS keeps using port 389
- netstat -nlp -t |grep :389
- Active Internet connections (only servers)
- Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
- tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1981/slapd
- tcp6 0 0 :::389 :::* LISTEN 1981/slapd
- # LDAPS listens on port 636
- netstat -nlp -t |grep :636
- Active Internet connections (only servers)
- Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
- tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1981/slapd
- tcp6 0 0 :::636 :::* LISTEN 1981/slapd
- On the LDAP server itself, in /etc/openldap/ldap.conf
- add the following:
- TLS_REQCERT never
- Then run ldapsearch -x -ZZ and check the slapd log. -ZZ makes the client abort unless StartTLS succeeds, so a line containing TLS established tls_ssf=256 ssf=256 confirms the server side is working (the ssf value is the cipher strength in bits, here AES-256). Note that TLS_REQCERT never turns off verification of the server certificate; it is acceptable for this smoke test, but once the CA file is in place TLS_REQCERT demand (the default) is the setting to keep.
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 ACCEPT from IP=[::1]:39720 (IP=[::]:389)
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 STARTTLS
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 RESULT oid= err=0 text=
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 TLS established tls_ssf=256 ssf=256
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 BIND dn="" method=128
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 RESULT tag=97 err=0 text=
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=2 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=3 UNBIND
- Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 closed
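The log above shows the sequence a healthy connection leaves behind: ACCEPT, STARTTLS, TLS established, then BIND. The thing to watch for in the same log is the opposite: a BIND with a real DN and method=128 (simple bind, password in the request) on a TCP connection that never logged TLS established, which means the password crossed the network in clear text. The following is an added example, not code from the original page; find_cleartext_binds and sample_slapd_log are my own names, and the sample log lines are constructed in the page's format rather than captured from a real server. It goes slightly beyond the single connection shown above in that it tracks any number of connections, skips anonymous binds and ldapi:/// unix-socket connections, and reports the peer address for each finding.

```shell
#!/bin/sh
# Added example, not part of the original page: scan slapd log lines (the
# format shown above) for connections that did a non-anonymous simple bind
# (method=128) on a TCP listener without "TLS established" first, i.e. binds
# whose password crossed the network in clear text.
# Reads the log from the files given as arguments, or from stdin.
find_cleartext_binds() {
    awk '
    # every interesting line carries conn=N; use it as the key
    {
        if (!match($0, /conn=[0-9]+/)) next
        id = substr($0, RSTART, RLENGTH)
    }
    # TCP accept: remember the peer address for the report
    / ACCEPT from IP=/ {
        match($0, /IP=[^ ]+/); peer[id] = substr($0, RSTART, RLENGTH); next
    }
    # ldapi:/// unix socket: local only, never TLS, not a network exposure
    / ACCEPT from PATH=/ { ldapi[id] = 1; next }
    # StartTLS or LDAPS handshake finished (the line also carries tls_ssf=...)
    / TLS established / { tls[id] = 1; next }
    # simple bind; dn="" is anonymous and carries no password
    / BIND dn="/ && / method=128/ {
        match($0, /dn="[^"]*"/)
        dn = substr($0, RSTART + 4, RLENGTH - 5)
        if (dn != "" && !tls[id] && !ldapi[id])
            printf "%s %s dn=\"%s\" simple bind without TLS\n", id, (id in peer ? peer[id] : "IP=?"), dn
        next
    }
    # connection closed: forget its state (conn ids restart after a slapd restart)
    / closed$/ { delete tls[id]; delete ldapi[id]; delete peer[id] }
    ' "$@"
}

# Constructed sample log (not captured from a real server): five connections in
# the page's log format. Only conn=1004 binds with a DN over plain port 389.
sample_slapd_log() {
    cat <<'EOF'
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 ACCEPT from IP=[::1]:39720 (IP=[::]:389)
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 STARTTLS
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 TLS established tls_ssf=256 ssf=256
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 BIND dn="uid=u01,ou=People,dc=suntv,dc=tv" method=128
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 closed
Sep 22 15:24:01 openldap-01 slapd[1981]: conn=1004 fd=23 ACCEPT from IP=10.0.1.53:41002 (IP=0.0.0.0:389)
Sep 22 15:24:01 openldap-01 slapd[1981]: conn=1004 op=0 BIND dn="uid=u02,ou=People,dc=suntv,dc=tv" method=128
Sep 22 15:24:01 openldap-01 slapd[1981]: conn=1004 op=0 RESULT tag=97 err=0 text=
Sep 22 15:24:01 openldap-01 slapd[1981]: conn=1004 fd=23 closed
Sep 22 15:24:30 openldap-01 slapd[1981]: conn=1005 fd=24 ACCEPT from IP=10.0.1.53:41010 (IP=0.0.0.0:636)
Sep 22 15:24:30 openldap-01 slapd[1981]: conn=1005 fd=24 TLS established tls_ssf=256 ssf=256
Sep 22 15:24:30 openldap-01 slapd[1981]: conn=1005 op=0 BIND dn="uid=u03,ou=People,dc=suntv,dc=tv" method=128
Sep 22 15:24:30 openldap-01 slapd[1981]: conn=1005 fd=24 closed
Sep 22 15:25:00 openldap-01 slapd[1981]: conn=1006 fd=25 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Sep 22 15:25:00 openldap-01 slapd[1981]: conn=1006 op=0 BIND dn="cn=Manager,dc=suntv,dc=tv" method=128
Sep 22 15:25:00 openldap-01 slapd[1981]: conn=1006 fd=25 closed
Sep 22 15:25:10 openldap-01 slapd[1981]: conn=1007 fd=26 ACCEPT from IP=10.0.1.53:41020 (IP=0.0.0.0:389)
Sep 22 15:25:10 openldap-01 slapd[1981]: conn=1007 op=0 BIND dn="" method=128
Sep 22 15:25:10 openldap-01 slapd[1981]: conn=1007 fd=26 closed
EOF
}

# Stand-alone run against the sample; on the server from the page the slapd
# lines land in syslog, so the real call is: find_cleartext_binds /var/log/messages
if [ "${1:-}" = "selftest" ]; then
    sample_slapd_log | find_cleartext_binds
fi
```

A finding means a client is talking plain LDAP on 389 without StartTLS (or binding before it); the fix is on the client side (ssl start_tls or an ldaps:// URI) or, once every client is migrated, dropping ldap:/// from SLAPD_URLS or requiring a minimum ssf in slapd.conf.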
yum -y install openldap-clients nss-pam-ldapd
- # StartTLS
- authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldap://master.local,ldap://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update
- # LDAPS
- authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldaps://master.local,ldaps://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update
- # Note the ldaps:// scheme in --ldapserver=ldaps://master.local,ldaps://slave.local
# Fetch the CA certificate from the server. Plain HTTP gives no assurance of where the file came from, so compare its SHA-256 fingerprint with the copy on the server before trusting it.
wget http://master.local/ca.crt -O /etc/openldap/cacerts/ca.crt
- # ls -lh /etc/openldap/cacerts
- total 4.0K
- lrwxrwxrwx 1 root root 6 Sep 22 12:31 100934e9.0 -> ca.crt
- -rw------- 1 root root 1.3K Sep 22 12:30 ca.crt
- # The hash-named symlink (100934e9.0) is what OpenSSL looks for when TLS_CACERTDIR is used; authconfig creates it by running cacertdir_rehash on the directory. If the link is missing, run cacertdir_rehash on /etc/openldap/cacerts by hand.
- TLS_REQCERT [never | allow | try | demand | hard] # whether the client checks the server certificate in a TLS session
- never: no server certificate is requested or checked.
- allow: the server certificate is requested; if none is sent or it cannot be verified, the connection proceeds anyway.
- try: the server certificate is requested; if none is sent the connection proceeds, but a certificate that cannot be verified terminates the connection.
- demand | hard: the server certificate is requested and the connection is terminated if none is sent or it cannot be verified. This is the default and the only setting that actually authenticates the server; with never or allow a man-in-the-middle can present any certificate and the client accepts it.
- TLS_CACERTDIR /etc/openldap/cacerts
- TLS_CACERT /etc/openldap/cacerts/ca.crt
- TLS_REQCERT never
- ssl start_tls # StartTLS
- or ssl on # LDAPS
- tls_cacertdir /etc/openldap/cacerts
- tls_cacertfile /etc/openldap/cacerts/ca.crt
- tls_reqcert never
- systemctl restart nslcd
- systemctl enable nslcd
- In /etc/nsswitch.conf change these entries to
- passwd: files ldap
- shadow: files ldap
- group: files ldap
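The nslcd.conf settings above are the ones that decide whether the client actually gets the protection the server offers: tls_reqcert never (used throughout this walkthrough) makes nslcd accept any certificate, and an ldap:// URI without ssl start_tls sends every bind in clear text. The following audit script is an added example, not code from the original page; audit_nslcd_conf and write_sample_confs are my own names, the three sample files are constructed (the "weak" one mirrors the page's settings, the "good" one is the same with verification enforced), and it assumes only a POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an nslcd.conf for the
# weak TLS settings discussed above. audit_nslcd_conf FILE prints one WARN
# line per finding and returns 1 if there is any, 0 for a clean file.
audit_nslcd_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    { key = tolower($1); val = $2; for (i = 3; i <= NF; i++) val = val " " $i }
    key == "uri"            { uri = val }
    key == "ssl"            { ssl = tolower(val) }
    key == "tls_reqcert"    { reqcert = tolower(val) }
    key == "tls_cacertfile" { cafile = val }
    key == "tls_cacertdir"  { cadir = val }
    END {
        n = 0
        if (reqcert == "") reqcert = "demand"   # libldap default when unset
        # 1. anything weaker than demand/hard accepts any server certificate
        if (reqcert != "demand" && reqcert != "hard") {
            print "WARN: tls_reqcert " reqcert ": server certificate is not verified, MITM possible"; n++
        }
        # 2. demand is only meaningful if there is a CA to verify against
        if (cafile == "" && cadir == "") {
            print "WARN: no tls_cacertfile/tls_cacertdir: nothing to verify the server against"; n++
        }
        # 3. an ldap:// URI without StartTLS sends binds (passwords) in clear text
        if (uri ~ /ldap:\/\// && ssl != "start_tls") {
            print "WARN: ldap:// URI without ssl start_tls: clear-text binds"; n++
        }
        exit (n > 0)
    }' "$1"
}

# write_sample_confs DIR: constructed sample files, not copied from a real host
write_sample_confs() {
    dir=$1
    # the LDAPS client settings from the page: TLS on, server certificate never verified
    printf '%s\n' 'uri ldaps://master.local ldaps://slave.local' 'base dc=suntv,dc=tv' \
        'ssl on' 'tls_cacertfile /etc/openldap/cacerts/ca.crt' 'tls_reqcert never' > "$dir/weak.conf"
    # hardened: same servers and CA file, verification enforced
    printf '%s\n' 'uri ldaps://master.local ldaps://slave.local' 'base dc=suntv,dc=tv' \
        'ssl on' 'tls_cacertfile /etc/openldap/cacerts/ca.crt' 'tls_reqcert demand' > "$dir/good.conf"
    # clear text: plain URI, StartTLS never requested, no CA configured
    printf '%s\n' 'uri ldap://master.local' 'base dc=suntv,dc=tv' > "$dir/plain.conf"
}

# Stand-alone run over the samples; on a client the call is: audit_nslcd_conf /etc/nslcd.conf
if [ "${1:-}" = "selftest" ]; then
    d=$(mktemp -d)
    write_sample_confs "$d"
    for f in weak good plain; do
        echo "== $f.conf"; audit_nslcd_conf "$d/$f.conf" || true
    done
    rm -rf "$d"
fi
```

The same three rules apply to /etc/openldap/ldap.conf (TLS_REQCERT, TLS_CACERT, URI), except that command line clients choose StartTLS per invocation with -Z/-ZZ rather than through an ssl keyword.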
- # ldapwhoami without -H uses the URI from /etc/openldap/ldap.conf, which authconfig set to ldaps://, so the connection is TLS from the start and the StartTLS request sent by -Z is refused with "TLS already started". A single -Z treats that as non-fatal and the operation continues (with -ZZ it would abort), so do not combine -Z with an ldaps:// URI; the same applies to the ldapsearch -H ldaps:// below.
- # ldapwhoami -v -x -Z
- ldap_initialize( <DEFAULT> )
- ldap_start_tls: Operations error (1)
- additional info: TLS already started
- anonymous
- Result: Success (0)
- # ldapsearch -x -Z -H ldaps://slave.local -b 'ou=group,dc=suntv,dc=tv'
- ldap_start_tls: Operations error (1)
- additional info: TLS already started
- # extended LDIF
- #
- # LDAPv3
- # base <ou=group,dc=suntv,dc=tv> with scope subtree
- # filter: (objectclass=*)
- # requesting: ALL
- #
- # Group, suntv.tv
- dn: ou=Group,dc=suntv,dc=tv
- ou: Group
- objectClass: top
- objectClass: organizationalUnit
- # g01, Group, suntv.tv
- dn: cn=g01,ou=Group,dc=suntv,dc=tv
- objectClass: posixGroup
- objectClass: top
- cn: g01
- gidNumber: 2001
- # g02, Group, suntv.tv
- dn: cn=g02,ou=Group,dc=suntv,dc=tv
- objectClass: posixGroup
- objectClass: top
- cn: g02
- gidNumber: 2002
- # search result
- search: 3
- result: 0 Success
- # numResponses: 4
- # numEntries: 3
# From another host, log in to the client as an LDAP user (u01 here) to confirm PAM authentication works, then change the password; both go through nslcd over the TLS-protected connection
ssh u01@10.0.1.53
passwd