Installing and configuring an OpenLDAP server with SSL on Debian
Setting up an OpenLDAP server on Debian Wheezy.
Software
Software used in this article:
- Debian Wheezy
- OpenLDAP 2.4.31
- gnutls-bin 3.0.22
- JXplorer 3.2.2
Installation
Install the slapd package and set the admin user password when prompted:
# apt-get update && apt-get install slapd ldap-utils
The ldap-utils package contains the following tools:
- ldapsearch - search for and display entries.
- ldapmodify - modify entries.
- ldapadd - add a new entry.
- ldapdelete - delete an entry.
- ldapmodrdn - rename an entry.
- ldappasswd - change a password.
The latest slapd version (v2.4.31 on Debian) only asks for the admin user password and does not prompt for any other configuration details.
To configure slapd, run:
# dpkg-reconfigure -p low slapd
Our answers:
- Omit OpenLDAP server configuration? No
- DNS domain name: top
- Organization name: top
- Administrator password: passwd
- Confirm password: passwd
- Database backend to use: HDB
- Do we want the database to be removed when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
Open /etc/default/slapd and make sure the following line is present (feel free to listen on IPv6 as well if needed):
SLAPD_SERVICES="ldap://0.0.0.0:389/ ldaps://0.0.0.0:636/ ldapi:///"
This is what our /etc/default/slapd looks like:
# grep -ve "^#" -ve "^$" /etc/default/slapd
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap://0.0.0.0:389/ ldaps://0.0.0.0:636/ ldapi:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
SLAPD_OPTIONS=""
Check the initial configuration:
# slapcat
dn: dc=top
objectClass: top
objectClass: dcObject
objectClass: organization
o: top
dc: top
structuralObjectClass: organization
entryUUID: 7953d532-d04f-1033-8bc6-e18a672615bb
creatorsName: cn=admin,dc=top
createTimestamp: 20140914113904Z
entryCSN: 20140914113904.377393Z#000000#000#000000
modifiersName: cn=admin,dc=top
modifyTimestamp: 20140914113904Z

dn: cn=admin,dc=top
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1AAAAAAQnZSS3JOTnVBbGpmd0VTZ0l3MjVDays=
structuralObjectClass: organizationalRole
entryUUID: 796778b2-d04f-1033-8bc7-e18a672615bb
creatorsName: cn=admin,dc=top
createTimestamp: 20140914113904Z
entryCSN: 20140914113904.506110Z#000000#000#000000
modifiersName: cn=admin,dc=top
modifyTimestamp: 20140914113904Z
Create a new directory to store our custom configuration files:
# mkdir /etc/ldap/ldifconfigs
# cd /etc/ldap/ldifconfigs
OpenLDAP configuration
Configure LDAPS
The Debian Wiki recommends backing up the LDAP server configuration before attempting to configure LDAPS, because breaking the configuration in the cn=config style will prevent the LDAP server from restarting. We are just starting from scratch, so there is really nothing to back up yet.
Open /etc/default/slapd and enable LDAPS (if not already done):
SLAPD_SERVICES="ldap://0.0.0.0:389/ ldaps://0.0.0.0:636/ ldapi:///"
Our SSL certificates and their permissions:
# ls -ld /etc/ssl/webserver/
drwxr-x--- 2 root openldap 4096 May 24 12:20 /etc/ssl/webserver/
# ls -l /etc/ssl/webserver/*
-rw-r--r-- 1 root root     1265 May 24 13:05 /etc/ssl/webserver/server-ca.crt
-rw-r--r-- 1 root root     1265 May 24 13:05 /etc/ssl/webserver/server.crt
-rw-r----- 1 root openldap 1675 May 24 13:05 /etc/ssl/webserver/server.key
If the certificates were generated with OpenSSL, you will run into problems.
Debian switched to GnuTLS a while ago, and it does not work well with OpenSSL-generated certificates.
We can generate our own self-signed certificate with certtool.
Install the gnutls-bin package:
# apt-get install gnutls-bin
Generate a new private key and self-signed certificate:
# certtool --generate-privkey --outfile server.key
# certtool --generate-self-signed --load-privkey server.key --outfile server.crt
Create an ldif file that adds the certificate settings to the OpenLDAP server.
If using a self-signed certificate, you may want to comment out the olcTLSCACertificateFile lines.
# cat > ./ldaps.ldif << EOF
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/webserver/server-ca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/webserver/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/webserver/server.key
EOF
Add the attributes to cn=config:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./ldaps.ldif
Verify:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base | grep TLS
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcTLSCACertificateFile: /etc/ssl/webserver/server-ca.crt
olcTLSCertificateFile: /etc/ssl/webserver/server.crt
olcTLSCertificateKeyFile: /etc/ssl/webserver/server.key
In case we end up with a broken OpenLDAP service that we cannot use, we may need to start from scratch:
# dpkg-reconfigure slapd
Disable SSLv3
Create an ldif with the following content:
# cat > ./nosslv3.ldif << EOF
dn: cn=config
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
EOF
Modify the OpenLDAP configuration:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./nosslv3.ldif
Verify.
We need to have the gnutls-bin package installed.
$ gnutls-cli-debug -p 636 localhost | head
Resolving 'localhost'...
Connecting to '::1:636'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes
Checking whether we need to disable TLS 1.0... N/A
Checking for Safe renegotiation support... yes
We can also use Nmap to check the supported ciphers:
$ nmap -Pn -p T:636 --script ssl-enum-ciphers localhost

Starting Nmap 6.00 ( http://nmap.org ) at 2014-10-18 19:41 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00029s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (6)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.1
|     Ciphers (6)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.2
|     Ciphers (8)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength

Nmap done: 1 IP address (1 host up) scanned in 2.55 seconds
Set the password hash to SSHA
Create an ldif file with the following content:
# cat > ./passwordhash.ldif << EOL
dn: cn=config
add: olcPasswordHash
olcPasswordHash: {SSHA}
EOL
Modify the OpenLDAP configuration:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./passwordhash.ldif
Verify:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep SSHA
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcPasswordHash: {SSHA}
olcRootPW: {SSHA}NRBAhLr9Ae0SveMOD8MdiOb1sOmEteSt
Enable all logging (optional)
To enable all (verbose) logging, which is useful for troubleshooting, create an ldif file with the following content:
# cat > ./logging.ldif << EOF
dn: cn=config
replace: olcLogLevel
olcLogLevel: -1
EOF
Modify the OpenLDAP configuration:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./logging.ldif
Verify:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base | grep -i LOG
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcLogLevel: -1
To disable logging, change the olcLogLevel value to 0 and run the ldapmodify command again:
dn: cn=config
replace: olcLogLevel
olcLogLevel: 0
Feel free to check the OpenLDAP documentation for the other available log levels: http://www.openldap.org/doc/admin24/slapdconfig.html.
Add a guest account for read-only access
Create an ldif file to add a new guest account to the OpenLDAP server:
# cat > ./guest.ldif << EOF
dn: cn=guest,dc=top
objectClass: simpleSecurityObject
objectclass: organizationalRole
description: LDAP Read-only Access
userPassword:
EOF
See what would be done:
# ldapadd -nx -f ./guest.ldif
!adding new entry "cn=guest,dc=top"
Add the new guest account:
# ldapadd -x -D cn=admin,dc=top -W -f ./guest.ldif
Create a password for the guest account:
# ldappasswd -x -D cn=admin,dc=top -W -S cn=guest,dc=top
New password:
Re-enter new password:
Enter LDAP Password:
Add a new domain
Create an ldif file to add the new theitroad.com domain to the OpenLDAP server:
# cat > ./theitroad.com.ldif << EOF
dn: dc=theitroad.com,dc=top
o: theitroad.com
dc: theitroad.com
objectClass: dcObject
objectClass: organization

dn: ou=Users,dc=theitroad.com,dc=top
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=theitroad.com,dc=top
objectClass: organizationalUnit
ou: Groups

dn: cn=sysadmins,ou=Groups,dc=theitroad.com,dc=top
gidNumber: 1000
objectClass: posixGroup
cn: sysadmins
EOF
Test to see what would be done:
# ldapadd -nx -f ./theitroad.com.ldif
!adding new entry "dc=theitroad.com,dc=top"
!adding new entry "ou=Users,dc=theitroad.com,dc=top"
!adding new entry "ou=Groups,dc=theitroad.com,dc=top"
!adding new entry "cn=sysadmins,ou=Groups,dc=theitroad.com,dc=top"
Add the new domain:
# ldapadd -x -D cn=admin,dc=top -W -f ./theitroad.com.ldif
Add a new user to the domain
Create an ldif file to add a new "alc" user account to the OpenLDAP server:
# cat > ./user.ldif << EOF
dn: uid=alc,ou=Users,dc=theitroad.com,dc=top
uid: alc
uidNumber: 1000
gidNumber: 1000
cn: Alice
sn: E
objectClass: posixAccount
objectclass: organizationalPerson
loginShell: /sbin/nologin
homeDirectory: /home/alc
EOF
Test to see what would be done:
# ldapadd -nx -f ./user.ldif
!adding new entry "uid=alc,ou=Users,dc=theitroad.com,dc=top"
Add the new user "alc" to the theitroad.com domain:
# ldapadd -x -D cn=admin,dc=top -W -f ./user.ldif
Create the user's password:
# ldappasswd -x -D cn=admin,dc=top -W -S uid=alc,ou=users,dc=theitroad.com,dc=top
New password:
Re-enter new password:
Enter LDAP Password:
Restrict access to the OpenLDAP database
The first ACL determines who can authenticate against the OpenLDAP server and change passwords (shadowLastChange).
- The admin account (rootDN) has full access.
- The guest account has read-only access.
- Anonymous users are given auth access to the userPassword attribute so that the initial bind can be made.
- All users have read access to their own password thanks to the "by self write" permission.
Create an ldif file with the following content:
# cat > ./acl.ldif << EOL
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=top" write by dn="cn=guest,dc=top" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=top" write by dn="cn=guest,dc=top" read by self write by users read by anonymous auth by * none
EOL
And modify the OpenLDAP configuration:
# ldapadd -Y EXTERNAL -H ldapi:/// -f ./acl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
Verify:
# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
> cn=config '(olcDatabase={1}hdb)' olcAccess
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=guest,dc=top" write by dn="cn=guest,dc=top" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=top" write by dn="cn=guest,dc=top" read by self write by users read by anonymous auth by * none
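The evaluation order that makes these three olcAccess rules work (the first matching "to" clause is used, then the first matching "by" clause decides; the rootDN bypasses ACLs; an unmatched requester falls to an implicit "by * none"), as an added Python model of the rules from the acl.ldif above, not code from the original article. The DNs are the page's; the shortened level list is an assumption that leaves out slapd's disclose, add, delete and manage levels.

```python
# Access levels in ascending order (a subset of slapd's): a granted level
# implies every lower one, so "write" includes "read", "read" includes "auth".
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ROOT_DN = "cn=admin,dc=top"   # the rootDN is never subject to olcAccess rules
# The page's three olcAccess directives as (what, [(who, level), ...]); "attrs:"
# matches those attributes in any entry, "dn.base:" one exact entry, "*" all.
ACL = [
    ("attrs:userPassword,shadowLastChange",
     [("dn:cn=admin,dc=top", "write"), ("dn:cn=guest,dc=top", "read"),
      ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("dn.base:", [("*", "read")]),
    ("*",
     [("dn:cn=admin,dc=top", "write"), ("dn:cn=guest,dc=top", "read"),
      ("self", "write"), ("users", "read"), ("anonymous", "auth"),
      ("*", "none")]),
]

def what_matches(what, entry_dn, attr):
    kind, _, arg = what.partition(":")
    if kind == "*":
        return True
    if kind == "attrs":                       # attribute-level access only
        return attr is not None and attr in arg.split(",")
    return kind == "dn.base" and entry_dn == arg

def who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == entry_dn
    return who.startswith("dn:") and requester == who[3:]

def access_level(requester, entry_dn, attr=None):
    """Level granted to requester (None = anonymous) on entry_dn / attr."""
    if requester == ROOT_DN:
        return "write"
    for what, clauses in ACL:                 # first matching <what> is used
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in clauses:            # first matching <who> decides
            if who_matches(who, requester, entry_dn):
                return level
        return "none"                         # implicit trailing "by * none"
    return "none"

def allows(requester, entry_dn, attr, needed):
    return LEVELS.index(access_level(requester, entry_dn, attr)) >= LEVELS.index(needed)
```

Swapping the order of the {0} and {2} rules in ACL shows why the attribute rule has to come first: the catch-all would then hand every authenticated user read access to userPassword.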
Search for an LDAP user
$ ldapsearch -D "cn=guest,dc=top" -x -W -b "uid=alc,ou=Users,dc=theitroad.com,dc=top" -P 3 -h localhost
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# alc, Users, theitroad.com.top
dn: uid=alc,ou=Users,dc=theitroad.com,dc=top
uid: alc
uidNumber: 1000
gidNumber: 1000
cn: Alice
sn: E
objectClass: posixAccount
objectClass: organizationalPerson
loginShell: /sbin/nologin
homeDirectory: /home/alc
userPassword:: e1NTSEF9NDg0NFhiVGZuOG[...]=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
LDAP client: JXplorer
JXplorer is an open source LDAP browser.
It should run on any operating system that supports Java.
# apt-cache depends jxplorer
jxplorer
 |Depends: openjdk-6-jre
  Depends: sun-java6-jre
  Depends: javahelp2
  Depends: junit
  Depends: java-wrappers
Install JXplorer:
# apt-get install jxplorer
Connect to the OpenLDAP server over the SSL protocol:
We should now be able to see the LDAP tree:
Configure the Simple LDAP plugin for WordPress
Install the php5-ldap package:
# apt-get install php5-ldap
Plugin settings:
- BaseDN: ou=Users,dc=theitroad.com,dc=top
- Domain controller: localhost
- LDAP login attribute: uid
- LDAP port: 389
- LDAP version: 3
Squid OpenLDAP authentication
The following lines in /etc/squid3/squid.conf do the job:
# the below is one long line
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "ou=Users,dc=theitroad.com,dc=top" -D "cn=guest,dc=top" -w passwd localhost
acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth
http_access deny all