![nixsky[www.nixsky.com]](/templets/images/toplogo.gif)
这篇文档参考了http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html,那里有更详尽的介绍。
注:此配置在fc5下面通过。rhe系列会有不一样的地方。
0 在开始之前,
0.1 建议备份/etc/openldap/slapd.conf, /etc/openldap/ldap.conf
0.2 安装软件包openssl, openssl-perl.后者是用来创建CA认证的一个perl脚本包。
1 创建证书(certificate)
这一步分为3个步骤,首先把CA建立起来,然后让此CA签发一个server的证书和一个client的证书。
需要特别注意的是创建证书时,输入Common Name的时候一定要输入目标机器的fully qualified name
1.1 创建CA
这里关系到两个目录,/etc/pki/tls/misc是工作目录,/etc/pki/CA是存放所有CA相关文件的目录。
完成此步骤后,会在/etc/pki/CA目录下生成一系列文件,其中最重要的是
/etc/pki/CA/cakey.pem CA的私钥文件
/etc/pki/CA/cacert.pem CA的证书文件
tips:如果脚本检测到/etc/pki/CA下面有文件存在,那么script会安静的退出,不会创建任何东西。
把/etc/pki/CA下的文件全部删除,script就可以正常工作了
> cd /etc/pki/tls/misc
> ./CA.pl -newca
..........忽略部分信息........
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase: <password>
Verifying - Enter PEM pass phrase: <password>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: <CN>
State or Province Name (full name) [Berkshire]:<shanghai>
Locality Name (eg, city) [Newbury]:<shanghai>
Organization Name (eg, company) [My Company Ltd]:<foo>
Organizational Unit Name (eg, section) []:<bar>
Common Name (eg, your name or your server's hostname) []:<myca.foo.com> !!!!full qualified name!!!
Email Address []: <someone@foo.com>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:<rain>
Check that the request matches the signature
Signature ok
..........忽略部分信息........
1.2 创建server的证书
下面我们要创建ldap server的证书。分为两步,第一步是生成一个创建证书的请求,第二步是让CA为此请求签发证书
> ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
............++++++
.......++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:<CN>
State or Province Name (full name) [Berkshire]:<Shanghai>
Locality Name (eg, city) [Newbury]:<Shanghai>
Organization Name (eg, company) [My Company Ltd]:<foo>
Organizational Unit Name (eg, section) []:<bar>
Common Name (eg, your name or your server's hostname) []:<ldapserver.foo.com> !!!!full qualified name!!!
Email Address []:<someone@foo.com>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
> ./CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem: <password>
Check that the request matches the signature
Signature ok
Certificate Details:
.....省略部分内容......
Certificate is to be certified until Apr 16 22:37:14 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
运行完两个步骤后,你会发现当前目录下创建了3个文件:
newreq.pem 创建证书请求文件,没什么用了
newcert.pem CA签发的证书
newkey.pem 证书对应的私钥
首先我们重命名证书文件和私钥文件
mv newcert.pem server.cert
mv newkey.pem server.key
然后给他们设置合适的权限,特别是私钥文件,一定要只有owner能读。否则ssl安全体系形同虚设!
chmod 644 server.cert
chmod 600 server.key (Nobody can read it except owner!!)
最后一步是把这两个文件和CA的证书文件拷贝到openldap存放证书的目录下,一般在/etc/openldap/cacerts
如果CA和ldap server不在同一个机器上,那么用scp拷贝即可。这里假设他们在同一台机器上
mv server.cert /etc/openldap/cacerts
mv serve.key /etc/openldap/cacerts
cp ../../CA/cacert.pem /etc/openldap/cacerts
1.3 创建client的证书
创建client的证书和上面创建server的证书类似。不过要注意的是
1)在输入Common Name的时候一定要输入clien的fully qualified name!!
2)证书文件和私钥文件可以命名为client.cert, client.key,它们和cacert.pem也拷贝到client端的/etc/openldap/cacerts
2 配置server
> service ldap stop # 首先停掉openldap server.
> vi /etc/openldap/slapd.conf
加入下面4行
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem # 配置CA证书的路径
TLSCertificateFile /etc/openldap/cacerts/server.cert # 配置server证书的路径
TLSCertificateKeyFile /etc/openldap/cacerts/server.key # 配置server私钥的路径
TLSVerifyClient never
# 设置是否验证client的身份,其值可以是never/allow/try/demand
# 配置什么值取决于你的安全策略。仅仅就配置来说,
# 如果不需要认证client端的身份,那么client只需要有CA的证书就可以了
# 如果需要认证client端的身份,那么client 还 必须要有它自己的证书\
# 我们首先介绍"never"的情况下client的配置,然后介绍"demand"的情况下client的配置
ssl start_tls
# 如果client端使用TLS协议连接,那么加上这一行。否则TLS连接会失败
# 加上这一行后,both SSL and TLS can be supported by this ldap server.
3 配置client
3.1 首先我们假设ldap server不需要验证client的身份
也就是在/etc/openldap/slapd.con里,TLSVerifyClient 设置为never。
>vi /etc/openldap/ldap.conf
需要加入或修改下面的内容
URI ldaps://ldapserver.foo.com # 一定要和server的证书里输入的full qualified name一样
TLS_CACERT /etc/openldap/cacerts/cacert.pem # CA的证书
TLS_REQCERT demand # client总是要求认证server端
> service ldap restart
> ldapsearch -x
如果有正确的输入,就表示配置成功了。
3.2 如果ldap server需要验证client的身份
也就是在/etc/openldap/slapd.conf里,TLSVerifyClient设置为demand。这种情况下,client需要有自己的证书和私钥。
配置clieng的证书和私钥只能在用户home目录下的ldaprc文件里。
> vi ~/ldaprc
加入下面的内容
TLS_REQCERT demand
TLS_CERT /etc/openldap/cacerts/client.cert
TLS_KEY /etc/openldap/cacerts/client.key
注意此用户对/etc/openldap/cacerts/client.key要有可读的权限!!
> service ldap restart
> ldapsearch -x
如果有正确的输入,就表示配置成功了。
4 调试方法
4.1 在调试模式启动slapd
> slapd -d127 -h "ldap:/// ldaps:///"
-d127是指定调试级别。slapd会在当前console启动,所有的连接信息都会在屏幕上打印出来。
4.2 用openssl client连接ssl 服务器
4.2.1 对于不需要client验证的情况
> openssl s_client -connect ldapserver.foo.com:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
file /etc/openldap/cacerts/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=CN/ST=shanghai/O=dean/OU=mobile/CN=fedora.dean.com/emailAddress=ss@ss.com
verify return:1
depth=0 /C=CN/ST=Shanga/L=shanghai/O=dean/OU=home/CN=fedora.dean.com/emailAddress=sdf@ss.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
.......省略了部分内容.......
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 03FDE102050C7828C39E03D7A3F526E6E9D256115A0ADF7793538B616C5548ED
Session-ID-ctx:
Master-Key: 07A62B4E5060BF4542E49DC33C2C6D6F10FF266F48856A780187C759A3007CF2F18ECAB49DBA8915394D52179AC8FE9B
Key-Arg : None
Krb5 Principal: None
Start Time: 1198247985
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
用"CTRL-C" 退出
4.2.2 对于需要clien验证的情况
> openssl s_client -connect ldapserver.foo.com:636 -showcerts -state \
-CAfile /etc/openldap/cacerts/cacert.pem
-cert /etc/openldap/cacerts/client.cert
-key /etc/openldap/cacerts/client.key
Power by nixsky Copyright 2004-2008