使用SSL 配置OpenLDAP以进行安全通信。在此设置中,LDAP客户端通信通过安全端口636而不是非安全端口389进行。
初始化配置
os: CentOS Linux release 7.4.1708
关闭selinux和防火墙
setenforce 0
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
systemctl disable firewalld.service && systemctl stop firewalld.service
systemctl stop NetworkManager && systemctl disable NetworkManager
更换系统源
sed -e 's!^#baseurl=!baseurl=!g' \
-e 's!^mirrorlist=!#mirrorlist=!g' \
-e 's!mirror.centos.org!mirrors.ustc.edu.cn!g' \
-i /etc/yum.repos.d/CentOS-Base.repo
yum install -y epel-release
sed -e 's!^mirrorlist=!#mirrorlist=!g' \
-e 's!^#baseurl=!baseurl=!g' \
-e 's!^metalink!#metalink!g' \
-e 's!//download\.fedoraproject\.org/pub!//mirrors.ustc.edu.cn!g' \
-e 's!http://mirrors\.ustc!https://mirrors.ustc!g' \
-i /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel-testing.repo
同步时间
yum install -y ntpdate ntp
ntpdate 0.cn.pool.ntp.org
hwclock --systohc
cat <<EOF>> /etc/ntp.conf
driftfile /var/lib/ntp/drift
server 0.cn.pool.ntp.org
server 1.cn.pool.ntp.org
server 2.cn.pool.ntp.org
server 3.cn.pool.ntp.org
EOF
systemctl enable --now ntpd
ntpq -p
更改hostname
hostnamectl set-hostname ldap-server
主机名解析
echo '192.168.77.130 ldap-server.lework.com' >> /etc/hosts
安装和配置OpenLDAP
安装OpenLDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel openssl
systemctl enable --now slapd
开启日志记录
echo "local4.* /var/log/ldap.log" >> /etc/rsyslog.conf
cat > loglevel.ldif << EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif
systemctl restart rsyslog
systemctl restart slapd
创建LDAP自签名证书
生成ca证书
cd /etc/openldap/certs/
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -subj "/C=CN/ST=ShangHai/L=ShangHai/O=ldap/OU=lework/CN=ldap-ca" -key rootCA.key -sha256 -days 1024 -out rootCA.pem
生成ldap证书请求
openssl genrsa -out ldap.key 2048
openssl req -new -subj "/C=CN/ST=ShangHai/L=ShangHai/O=ldap/OU=lework/CN=ldap-server.lework.com" -key ldap.key -out ldap.csr
签发ldap证书
openssl x509 -req -in ldap.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ldap.crt -days 3650 -sha256
chown -R ldap:ldap /etc/openldap/certs/
创建certs.ldif文件以配置LDAP使用自签名证书进行安全通信。
cat >certs.ldif<<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/rootCA.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
测试配置
slaptest -u
config file testing succeeded
配置OpenLDAP开启SSL
vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
重启服务
systemctl restart slapd
ss -natup | grep slapd
tcp LISTEN 0 128 *:389 *:* users:(("slapd",pid=2031,fd=8))
tcp LISTEN 0 128 *:636 *:* users:(("slapd",pid=2031,fd=10))
tcp LISTEN 0 128 :::389 :::* users:(("slapd",pid=2031,fd=9))
tcp LISTEN 0 128 :::636 :::* users:(("slapd",pid=2031,fd=11))
创建用户
cat > lework.ldif <<EOF
dn: uid=lework,ou=People,dc=lework,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: lework
uid: lework
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/lework
loginShell: /bin/bash
gecos: lework [Admin (at) Lework]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
EOF
ldapadd -x -w 123456 -D "cn=Manager,dc=lework,dc=com" -f lework.ldif -h 192.168.77.130
adding new entry "uid=lework,ou=People,dc=lework,dc=com"
设置用户密码
ldappasswd -s password123 -w 123456 -D "cn=Manager,dc=lework,dc=com" -x "uid=lework,ou=People,dc=lework,dc=com" -h 192.168.77.130
客户端使用ssl登录openldap
安装客户端
yum install -y openldap-clients nss-pam-ldapd
hosts绑定
echo '192.168.77.130 ldap-server.lework.com' >> /etc/hosts
配置ldap服务地址
authconfig --enableldap --enableldapauth --ldapserver=ldaps://ldap-server.lework.com --ldapbasedn="dc=lework,dc=com" --enablemkhomedir --disableldaptls --update
配置自签名证书 以下设置将禁用客户端完成的证书验证,因为我们使用的是自签名证书。
sed -i 's#tls_reqcert never#tls_reqcert allow#g' /etc/nslcd.conf
将CA证书放在/etc/openldap/cacerts目录中。
cd /etc/openldap/cacerts/
cp /etc/openldap/certs/rootCA.pem /etc/openldap/cacerts/
创建CA证书的c哈希
/etc/pki/tls/misc/c_hash /etc/openldap/cacerts/rootCA.pem
3e973fd6.0 => /etc/openldap/cacerts/rootCA.pem
# 现在,将rootCA.pem符号链接到显示的8位十六进制数字。
ln -s /etc/openldap/cacerts/rootCA.pem 3e973fd6.0
重启客户端服务
systemctl restart nslcd
验证LDAP登录
使用getent命令从LDAP服务器获取LDAP条目。
getent passwd lework
lework:x:9999:100:lework [Admin (at) Lework]:/home/lework:/bin/bash
使用ssh登录
ssh lework@192.168.77.130
The authenticity of host '192.168.77.130 (192.168.77.130)' can't be established.
ECDSA key fingerprint is SHA256:2lWSIJMF9r8hnfLwlKONY07eQCeZaDVZ/xWZizr9wqs.
ECDSA key fingerprint is MD5:be:82:d9:23:45:18:f2:e3:fa:32:56:65:c9:b1:4b:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.77.130' (ECDSA) to the list of known hosts.
lework@192.168.77.130's password:
Creating directory '/home/lework'.
[lework@node130 ~]$ id
uid=9999(lework) gid=100(users) 组=100(users)