09-OpenLDAP Encrypted Transport Configuration

OpenLDAP encrypted transport configuration (CA server and OpenLDAP server on different hosts)


  1. Environment preparation
  2. Building the CA certificate server
  3. Integrating the OpenLDAP server with the CA
  4. OpenLDAP client configuration
  5. Client testing and verification
  6. Troubleshooting

1. Environment preparation

  1. Server plan

    | Host | OS version | IP address | Hostname | Time sync | Firewall | SELinux |
    |---|---|---|---|---|---|---|
    | LDAP server | CentOS 6.9 minimal install | 192.168.244.17 | mldap01.gdy.com | required | off | off |
    | LDAP client | CentOS 6.9 minimal install | 192.168.244.18 | test01.gdy.com | required | off | off |
    | CA certificate server | CentOS 6.9 minimal install | 192.168.244.23 | mldap01.gdy.com | required | off | off |
  2. The environment in this article starts from the most basic setup built in "02-openldap server installation and configuration"; the user data comes from step ten of that article.

2. Building the CA certificate server

  1. Install the OpenSSL package

    [root@ca ~]# rpm -qa | grep openssl
    openssl-1.0.1e-57.el6.x86_64
  2. The CA generates its own private key; the command is as follows.

    [root@ca ~]# cd /etc/pki/CA/
    [root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    .................................................+++
    ......................+++
    e is 65537 (0x10001)
  3. The CA issues its own self-signed certificate; the command is as follows.

    [root@ca CA]# openssl  req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:GDY
    Organizational Unit Name (eg, section) []:Tech
    Common Name (eg, your name or your server's hostname) []:ca.gdy.com
    Email Address []:ca@gdy.com
    The fields have the following meanings.
    • Country Name (2 letter code): two-letter country code
    • State or Province Name (full name) []: province
    • Locality Name (eg, city) [Default City]: city or region
    • Organization Name (eg, company) [Default Company Ltd]: company name
    • Organizational Unit Name (eg, section) []: department name, e.g. Tech
    • Common Name (eg, your name or your server's hostname) []: common name, e.g. the OpenLDAP server's domain name or IP address.
    • Email Address []: e-mail address
  4. Create the index database file and the certificate serial file; the commands are as follows

    [root@ca CA]# ls -lh
    total 20K
    -rw-r--r--  1 root root 1.4K Jun  1 17:04 cacert.pem
    drwxr-xr-x. 2 root root 4.0K Mar 23  2017 certs
    drwxr-xr-x. 2 root root 4.0K Mar 23  2017 crl
    drwxr-xr-x. 2 root root 4.0K Mar 23  2017 newcerts
    drwx------. 2 root root 4.0K Jun  1 17:01 private
    [root@ca CA]# touch serial index.txt
    [root@ca CA]# echo "01" > serial
    The files and directories are used as follows
    • cacert.pem: the CA's own certificate file (can be adjusted to your needs)
    • certs: directory for client certificates
    • crl: directory for client certificates revoked by the CA
    • newcerts: directory for newly generated certificates
    • index.txt: stores client certificate information
    • serial: client certificate serial number (the starting number can be chosen), used to identify client certificates.
    • private: directory holding the CA's own private key
  5. Inspect the root certificate with OpenSSL; the command is as follows

    [root@ca CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 14795263444614255073 (0xcd5355b6d68e11e1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
            Validity
                Not Before: Jun  5 07:06:49 2018 GMT
                Not After : May 12 07:06:49 2118 GMT
            Subject: C=CN, ST=Shanghai, L=Shanghai, O=GDY, OU=Tech, CN=ca.gdy.com/emailAddress=ca@gdy.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
                X509v3 Authority Key Identifier: 
                    keyid:FA:19:3B:1E:FA:2A:FE:CD:F7:CA:A3:D4:31:08:52:AF:72:08:ED:1D
    
                X509v3 Basic Constraints: 
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption
  6. The self-built CA is complete

3. Integrating the OpenLDAP server with the CA

  1. Generate a private key on the OpenLDAP server

    [root@mldap01 ~]# mkdir -pv /etc/openldap/ssl
    mkdir: created directory `/etc/openldap/ssl'
    [root@mldap01 ~]# cd /etc/openldap/ssl
    [root@mldap01 ssl]# (umask 077; openssl genrsa -out ldapkey.pem 1024)
    Generating RSA private key, 1024 bit long modulus
    ............................++++++
    ...++++++
    e is 65537 (0x10001)
    [root@mldap01 ssl]# ls -lh
    total 4.0K
    -rw------- 1 root root 887 Jun  5 15:26 ldapkey.pem
  2. The OpenLDAP server creates a certificate signing request to submit to the CA; the command is as follows

    [root@mldap01 ssl]# openssl req -new -key ldapkey.pem -out ldap.csr -days 36500
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:GDY
    Organizational Unit Name (eg, section) []:Tech
    Common Name (eg, your name or your server's hostname) []:mldap01.gdy.com
    Email Address []:mldap@gdy.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  3. The CA server verifies the request and issues the certificate

    If the CA server and the OpenLDAP server are not the same machine, the ldap.csr file generated in the previous step must be uploaded to the CA server for signing

    First, on the OpenLDAP server, upload ldap.csr to the CA server for signing
    [root@mldap01 ssl]# scp ldap.csr root@ca:/root/   
    The authenticity of host 'ca (192.168.244.23)' can't be established.
    RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'ca,192.168.244.23' (RSA) to the list of known hosts.
    root@ca's password: 
    ldap.csr    100%  696     0.7KB/s   00:00
    
    [root@ca ~]# openssl ca -in ldap.csr -out ldapcert.pem -days 36500
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jun  5 10:00:26 2018 GMT
                Not After : May 12 10:00:26 2118 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Shanghai
                organizationName          = GDY
                organizationalUnitName    = Tech
                commonName                = mldap01.gdy.com
                emailAddress              = mldap@gdy.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    26:1C:25:DA:AD:A0:E3:72:43:CD:AC:7F:77:9E:37:BD:1B:EF:1A:FE
                X509v3 Authority Key Identifier: 
                    keyid:CB:DE:C2:81:45:FE:B3:10:02:95:DA:49:16:F6:FA:03:13:F6:3E:2E
    
    Certificate is to be certified until May 12 10:00:26 2118 GMT (36500 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
    Then send the generated ldapcert.pem and the CA's public certificate to the /etc/openldap/ssl directory on the OpenLDAP server
    [root@ca ~]# scp ldapcert.pem /etc/pki/CA/cacert.pem root@192.168.244.17:/etc/openldap/ssl/
    The authenticity of host '192.168.244.17 (192.168.244.17)' can't be established.
    RSA key fingerprint is 1a:8a:57:12:ee:68:91:a4:bd:c5:48:f1:03:a9:5f:9c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.244.17' (RSA) to the list of known hosts.
    root@192.168.244.17's password: 
    ldapcert.pem    100% 3828     3.7KB/s   00:00
    cacert.pem      100% 1391     1.4KB/s   00:00
  4. OpenLDAP TLS/SASL deployment

    Set the certificate file permissions
    [root@mldap01 ssl]# chown ldap.ldap -R /etc/openldap
    [root@mldap01 ssl]# chmod -R 0400 /etc/openldap/ssl/*
    
    Edit the OpenLDAP configuration file and add the certificate files
    [root@mldap01 ~]# vim /etc/openldap/slapd.conf
    #TLSCACertificatePath /etc/openldap/certs
    #TLSCertificateFile "\"OpenLDAP Server\""
    #TLSCertificateKeyFile /etc/openldap/certs/password
    TLSCACertificateFile /etc/openldap/ssl/cacert.pem
    TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
    TLSCertificateKeyFile  /etc/openldap/ssl/ldapkey.pem
    TlsVerifyClient never
    TLSVerifyClient sets whether the client's identity is verified. It can take the following values
    • never: when answering a client request, the server does not verify the client's identity; only the CA's public certificate needs to be provided.
    • allow: when answering a client request, the server asks to verify the client's identity, but if the client has no certificate or the certificate is invalid, the session still proceeds.
    • try: the client presents a certificate; if the certificate is wrong, the connection is terminated. If there is no certificate, the session continues.
    • demand: the server must verify the client certificate; the client has to obtain a certificate from the CA.

    Enable SSL (the ldaps:// listener); the settings are as follows
    ```shell
    [root@mldap01 ~]# vim /etc/sysconfig/ldap
    # Options of slapd (see man slapd)
    #SLAPD_OPTIONS=

    # At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
    #
    # Run slapd with -h "... ldap:/// ..."
    # yes/no, default: yes
    SLAPD_LDAP=yes

    # Run slapd with -h "... ldapi:/// ..."
    # yes/no, default: yes
    SLAPD_LDAPI=yes

    # Run slapd with -h "... ldaps:/// ..."
    # yes/no, default: no
    SLAPD_LDAPS=yes
    ```

    Remove and regenerate the default configuration database
    ```shell
    [root@mldap01 ~]# rm -rf /etc/openldap/slapd.d/*
    [root@mldap01 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
    config file testing succeeded
    [root@mldap01 ~]# chown ldap.ldap -R /etc/openldap/
    [root@mldap01 ~]# /etc/init.d/slapd restart
    Stopping slapd:                                            [  OK  ]
    Starting slapd:                                            [  OK  ]
    ```
  5. Verify the OpenLDAP server certificate against the CA's public certificate; the command is as follows

    [root@mldap01 ~]# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem 
    /etc/openldap/ssl/ldapcert.pem: OK
  6. Confirm that the TLS socket passes CA verification; the command is as follows

    [root@mldap01 ssl]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem               
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=1 C = CN, ST = Shanghai, L = Shanghai, O = GDY, OU = Tech, CN = ca.gdy.com, emailAddress = ca@gdy.com
    verify return:1
    depth=0 C = CN, ST = Shanghai, O = GDY, OU = Tech, CN = mldap01.gdy.com, emailAddress = mldap@gdy.com
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server key exchange A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    ---
    Certificate chain
    0 s:/C=CN/ST=Shanghai/O=GDY/OU=Tech/CN=mldap01.gdy.com/emailAddress=mldap@gdy.com
    i:/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=ca.gdy.com/emailAddress=ca@gdy.com
    -----BEGIN CERTIFICATE-----
    MIIDajCCAlKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCQ04x
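The whole flow of sections 2 and 3 (CA key and certificate, server key and CSR, signing, and the `openssl verify` check of step 5) condensed into one script that runs in a scratch directory. This is an added example, not the article's commands: it signs with `openssl x509 -req -CA` instead of `openssl ca`, so the /etc/pki/CA database is not needed, uses 2048-bit keys and SHA-256 where the article's CentOS 6 defaults gave a 1024-bit key and SHA-1, and adds a subjectAltName, which current clients match against the host name instead of the CN. Host names and DN fields are the article's; the directory layout is constructed here.

```shell
#!/bin/sh
# Added example, not from the article: the CA -> CSR -> signed server
# certificate -> chain check flow of sections 2 and 3, run non-interactively
# in a scratch directory. It signs with `openssl x509 -req -CA` instead of
# the article's `openssl ca`, so no /etc/pki/CA database (index.txt,
# serial) is needed. Host and DN names are the article's; the directory,
# key size (2048) and digest (SHA-256; CentOS 6 defaulted to SHA-1) are
# choices made here.
set -eu

# Usage: build_and_verify <workdir>; prints the `openssl verify` result line
build_and_verify() {
    dir="$1"
    mkdir -p "$dir/private"
    # CA private key and self-signed CA certificate (section 2, steps 2-3)
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -key "$dir/private/cakey.pem" \
        -out "$dir/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=ca.gdy.com"
    # Server private key and CSR; CN is the name clients put in their URI
    (umask 077; openssl genrsa -out "$dir/ldapkey.pem" 2048 2>/dev/null)
    openssl req -new -sha256 -key "$dir/ldapkey.pem" -out "$dir/ldap.csr" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=GDY/OU=Tech/CN=mldap01.gdy.com"
    # CA signs the request. subjectAltName is added because current clients
    # match the host name against SAN rather than CN; CA:FALSE as in step 3
    printf 'subjectAltName=DNS:mldap01.gdy.com\nbasicConstraints=CA:FALSE\n' \
        > "$dir/ldap.ext"
    openssl x509 -req -sha256 -in "$dir/ldap.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/private/cakey.pem" -CAcreateserial -days 3650 \
        -extfile "$dir/ldap.ext" -out "$dir/ldapcert.pem" 2>/dev/null
    # The check from section 3 step 5: does the CA cert validate the server cert?
    openssl verify -CAfile "$dir/cacert.pem" "$dir/ldapcert.pem"
}

# Usage: cert_cn <certfile>; prints the CN so it can be compared with the
# host name in the client's URI (a mismatch is rejected under TLS_REQCERT demand)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's|.*CN *= *||; s|[,/].*||'
}

# Stand-alone run: build everything under a temporary directory
work=$(mktemp -d)
build_and_verify "$work"
echo "server certificate CN: $(cert_cn "$work/ldapcert.pem")"
```

The CN printed at the end should equal the host in `URI ldaps://mldap01.gdy.com`; with the article's client setting of `TLS_REQCERT never` a mismatch goes unnoticed, with `demand` the client refuses the connection.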

4. OpenLDAP client configuration

  1. Send the CA's public certificate to the client

    [root@mldap01 ssl]# scp cacert.pem root@192.168.244.18:/etc/openldap/ssl/
  2. Configure /etc/openldap/ldap.conf

    [root@test01 ~]# grep -Ev "^$|^#" /etc/openldap/ldap.conf 
    TLS_CACERTDIR /etc/openldap/ssl
    TLS_CACERT /etc/openldap/ssl/cacert.pem
    TLS_REQCERT never 
    BASE dc=gdy,dc=com
    URI ldaps://mldap01.gdy.com
    TLS_REQCERT [never allow try demand | hard] # sets whether the server certificate is checked in the TLS session.
    • never: no certificate is checked.
    • allow: the server certificate is checked; if there is no certificate or it is wrong, the connection is still allowed.
    • try: the server certificate is checked; no certificate (connection allowed), wrong certificate (connection terminated).
    • demand | hard: the server certificate is checked; if there is none or it is wrong, the connection is terminated immediately.
  3. Configure /etc/nslcd.conf

    [root@test01 ~]# grep -Ev "^$|^#" /etc/nslcd.conf 
    uid nslcd
    gid ldap
    uri ldaps://mldap01.gdy.com
    base dc=gdy,dc=com
    ssl on
    tls_cacertdir /etc/openldap/ssl
    tls_cacertfile /etc/openldap/ssl/cacert.pem
    tls_reqcert never
  4. Configure /etc/pam_ldap.conf

    [root@test01 ~]# grep -Ev "^$|^#" /etc/pam_ldap.conf 
    host 127.0.0.1
    base dc=gdy,dc=com
    uri ldaps://mldap01.gdy.com
    ssl on
    tls_cacertdir /etc/openldap/ssl
    tls_cacertfile /etc/openldap/ssl/cacert.pem
    tls_reqcert never
    bind_policy soft
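Steps 2 to 4 above all set tls_reqcert never, the value that, per the table in step 2, checks no server certificate at all, so the CA certificate copied to the client is never consulted. As an added example (not part of the article), a POSIX shell audit of one client file that flags that setting, a non-ldaps URI without START_TLS, and a missing CA file; it is run here on a constructed copy of the article's ldap.conf and on a hardened copy with TLS_REQCERT demand. ldap.conf, nslcd.conf and pam_ldap.conf share the same keyword/value layout, so the same function serves all three.

```shell
#!/bin/sh
# Added example, not from the article: audit the TLS settings in a
# client-side file. ldap.conf, nslcd.conf and pam_ldap.conf all use the
# same "keyword value" layout (upper case in ldap.conf, lower case in the
# other two), so one function covers steps 2-4. Sample files are constructed
# here; the paths and host name are the article's.
set -eu

# Usage: audit_client_conf <file>; prints one line per weakness, returns 1
# if any was found and 0 if the server certificate will be enforced.
audit_client_conf() {
    file="$1"; bad=0
    # strip comments/blank lines and fold keywords to lower case
    conf=$(sed 's/#.*//' "$file" | tr 'A-Z' 'a-z' | grep -v '^[[:space:]]*$')
    reqcert=$(printf '%s\n' "$conf" | awk '$1=="tls_reqcert"{print $2}' | tail -n 1)
    uri=$(printf '%s\n' "$conf" | awk '$1=="uri"{print $2}' | tail -n 1)
    ssl=$(printf '%s\n' "$conf" | awk '$1=="ssl"{print $2}' | tail -n 1)
    cacert=$(printf '%s\n' "$conf" \
        | awk '$1=="tls_cacert"||$1=="tls_cacertfile"{print $2}' | tail -n 1)
    # libldap's default is demand; never/allow accept any or no certificate,
    # try still accepts a server that presents none
    case "${reqcert:-demand}" in
        never|allow) echo "$file: tls_reqcert $reqcert: server certificate not checked"; bad=1 ;;
        try) echo "$file: tls_reqcert try: server may omit its certificate"; bad=1 ;;
    esac
    # plain ldap:// is only acceptable with START_TLS (nslcd/pam_ldap: ssl start_tls)
    case "$uri" in
        ldaps://*) ;;
        *) [ "$ssl" = "start_tls" ] || { echo "$file: uri '$uri' is not ldaps:// and ssl start_tls is not set"; bad=1; } ;;
    esac
    # without a CA file the chain cannot be verified even under demand
    [ -n "$cacert" ] || { echo "$file: no tls_cacert/tls_cacertfile"; bad=1; }
    return $bad
}

# Constructed samples: the article's ldap.conf as written, and a hardened copy
tmp=$(mktemp -d)
cat > "$tmp/ldap.conf" <<'EOF'
TLS_CACERTDIR /etc/openldap/ssl
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT never
BASE dc=gdy,dc=com
URI ldaps://mldap01.gdy.com
EOF
sed 's/^TLS_REQCERT never/TLS_REQCERT demand/' "$tmp/ldap.conf" > "$tmp/ldap.hardened.conf"
audit_client_conf "$tmp/ldap.conf" || echo "$tmp/ldap.conf: weak"
audit_client_conf "$tmp/ldap.hardened.conf" && echo "$tmp/ldap.hardened.conf: ok"
```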

5. Client testing and verification

  1. Test anonymously from the client that the SSL connection works; the command is as follows

    [root@test01 ~]# ldapwhoami -v -x -Z
    ldap_initialize( <DEFAULT> )
    ldap_start_tls: Operations error (1)
            additional info: TLS already started
    anonymous
    Result: Success (0)
  2. Verify an LDAP user's password; the command is as follows

    [root@test01 ~]# ldapwhoami -D "uid=user1,ou=people,dc=gdy,dc=com" -W -H ldaps://mldap01.gdy.com -v
    ldap_initialize( ldaps://mldap01.gdy.com:636/??base )
    Enter LDAP Password: 
    dn:uid=user1,ou=people,dc=gdy,dc=com
    Result: Success (0)
  3. Search the OpenLDAP domain information from the client; the command is as follows

    [root@test01 ~]# ldapsearch -x -b 'dc=gdy,dc=com' -H ldaps://mldap01.gdy.com
    # extended LDIF
    #
    # LDAPv3
    # base <dc=gdy,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # gdy.com
    dn: dc=gdy,dc=com
    dc: gdy
    objectClass: top
    objectClass: domain
    
    # people, gdy.com
    ... (omitted)

6. Troubleshooting

  1. openssl s_client reports the following error when connecting

    [root@mldap01 ~]# openssl s_client -connect mldap01.gdy.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem 
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    139640374728520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 247 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

    Not resolved: this problem does not occur when openldap and the ca server are on the same machine; next time I will try giving the ca and ldap servers the same name
