Securing an OpenLDAP server with SSL/TLS on Ubuntu 20.04 | 18.04 | 16.04

Date: 2020-02-23 14:40:25  Source: igfitidea

In our previous articles we discussed installing an OpenLDAP server on Ubuntu and setting up an OpenLDAP client on Ubuntu.
This short tutorial covers securing the LDAP server with an SSL/TLS certificate and key, so that binds (including the password sent in a simple bind) and queries between client and server are encrypted on the wire.
There are two ways to obtain an SSL certificate for the LDAP server:
 - a self-signed SSL certificate
 - an SSL certificate signed by a trusted CA

This tutorial uses a self-signed certificate.
Let's get started.

Step 1: Generate a self-signed SSL certificate

Log in to the LDAP server and generate the SSL certificate it will present to clients.

# cd /etc/ssl/private 
# openssl genrsa -aes128 -out ldap_server.key 4096 
Generating RSA private key, 4096 bit long modulus
 …………………………………………………………………………………..++
 ………………………………….++
 e is 65537 (0x010001)
 Enter pass phrase for ldap_server.key: <Set passphrase>
 Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>

Remove the passphrase from the generated private key. slapd cannot prompt for a passphrase when it starts, so the key it loads has to be unencrypted; protect it with file permissions instead, so that only the openldap user can read it:

# openssl rsa -in ldap_server.key -out ldap_server.key
Enter pass phrase for ldap_server.key: <Enter passphrase>
writing RSA key

Generate a CSR. The Common Name must be the FQDN that clients will use to reach the server (here ldap.example.com): with the default TLS_REQCERT demand, libldap rejects a certificate whose name does not match the host it connected to. The -days option is ignored by openssl req unless -x509 is also given, so it is omitted here; the validity period is set when the certificate is signed below.

# openssl req -new -key ldap_server.key -out ldap_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:theitroad
Organizational Unit Name (eg, section) []:theitroad
Common Name (e.g. server FQDN or YOUR name) []:ldap.example.com
Email Address []:Hyman@theitroad
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Then sign the CSR with the same private key, producing a self-signed certificate valid for 10 years:

# openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650
Signature ok
subject=C = KE, ST = Nairobi, L = Nairobi, O = theitroad, OU = theitroad, CN = ldap.example.com, emailAddress = Hyman@theitroad
Getting Private key

Step 2: Configure SSL on the LDAP server

Copy the certificate and key to the /etc/ldap/sasl2/ directory (any directory the openldap user can read would do). The system CA bundle copied alongside is only needed if the certificate was issued by a public CA; it does no harm for the self-signed case.

sudo cp /etc/ssl/private/{ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/

Make the openldap user the owner of the copied files. The copied key inherits the default umask and is therefore readable by every local user; tighten it to mode 0600 (owner read/write only) as well.

sudo chown -R openldap. /etc/ldap/sasl2

Configure the LDAP server to use the certificate. The TLS settings live in the cn=config database, so create an LDIF file describing the change. Each modification in the record must be terminated by a line containing a single "-": without the separators, ldapmodify reads the next "replace:" as an attribute name and rejects the file. replace is used for all three attributes so the file applies cleanly whether or not they already exist. For a self-signed certificate the CA file is the certificate itself.

# vim ldap_ssl.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key
-

Apply the configuration over the local ldapi:/// socket, authenticating as root with SASL EXTERNAL. If slapd cannot read the files, or the key does not belong to the certificate, the modify fails with "Other (e.g., implementation specific) error (80)" and the previous settings stay in place.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
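The server side of Step 1 and Step 2 as one script, added here as an example and not taken from the original article. It generates the certificate with a subjectAltName (libldap matches the host name against the SAN and only falls back to the CN), installs it with the key readable by the openldap user alone, writes the cn=config LDIF with the separator lines ldapmodify requires, and finishes with an end-to-end STARTTLS check. The host name ldap.example.com, the directory /etc/ldap/sasl2, the service user openldap and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Server side of
# Step 1 and Step 2 in one script. Host name, directories and the
# "openldap" service user are this example's assumptions.
set -eu

# Unencrypted key plus self-signed certificate whose SAN is the FQDN that
# clients will connect to. slapd cannot prompt for a passphrase, so the
# key is written unencrypted from the start and protected by mode 0600
# instead of the encrypt-then-strip round trip.
# Usage: gen_self_signed <fqdn> <outdir> [days] [bits]
gen_self_signed() {
    fqdn=$1; outdir=$2; days=${3:-3650}; bits=${4:-4096}
    mkdir -p "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $fqdn
[v3_server]
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    # subshell: the restrictive umask must not leak into the caller
    ( umask 077
      openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days "$days" \
          -config "$outdir/openssl.cnf" \
          -keyout "$outdir/ldap_server.key" -out "$outdir/ldap_server.crt" \
          2>/dev/null )
    chmod 0600 "$outdir/ldap_server.key"
    chmod 0644 "$outdir/ldap_server.crt"
}

# True if the certificate is self-signed, not a CA, and lists <fqdn>
# as a DNS subjectAltName.  Usage: cert_matches_host <crt> <fqdn>
cert_matches_host() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -qE "DNS:$2(,|\$)" || return 1
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE'
}

# True if the key belongs to the certificate (same RSA modulus); slapd
# rejects the cn=config change otherwise.  Usage: key_matches_cert <key> <crt>
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Install for slapd; the key gets mode 0600 (a plain cp inherits the
# default umask and leaves it world-readable).
# Usage: install_server_cert <srcdir> [dstdir]
install_server_cert() {
    dst=${2:-/etc/ldap/sasl2}
    install -o openldap -g openldap -m 0644 "$1/ldap_server.crt" "$dst/ldap_server.crt"
    install -o openldap -g openldap -m 0600 "$1/ldap_server.key" "$dst/ldap_server.key"
}

# cn=config change. Every mod-spec ends with a "-" line, replace applies
# whether or not the attribute exists, and for a self-signed certificate
# the CA file is the certificate itself.  Usage: write_tls_ldif <certdir> <outfile>
write_tls_ldif() {
    cat > "$2" <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1/ldap_server.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $1/ldap_server.key
-
EOF
}

# Apply as root over the ldapi socket, restart slapd so the new TLS context
# is certainly in use, then prove STARTTLS works: -ZZ makes ldapwhoami fail
# unless STARTTLS and certificate verification both succeed. LDAPTLS_CACERT
# overrides TLS_CACERT from /etc/ldap/ldap.conf for this one call.
# Usage: apply_and_verify <ldif> <fqdn> <certfile>
apply_and_verify() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
    systemctl restart slapd
    LDAPTLS_CACERT=$3 ldapwhoami -x -ZZ -H "ldap://$2"
}

# Run as root on the server:  sh tls_setup.sh install ldap.example.com
if [ "${1:-}" = "install" ]; then
    work=$(mktemp -d); certdir=/etc/ldap/sasl2
    gen_self_signed "$2" "$work"
    cert_matches_host "$work/ldap_server.crt" "$2"
    key_matches_cert "$work/ldap_server.key" "$work/ldap_server.crt"
    install_server_cert "$work" "$certdir"
    write_tls_ldif "$certdir" "$work/ldap_ssl.ldif"
    apply_and_verify "$work/ldap_ssl.ldif" "$2" "$certdir/ldap_server.crt"
    rm -rf "$work"
fi
```

The certificate is built from a config file rather than with -addext so the same script works with the OpenSSL 1.0.2 shipped in Ubuntu 16.04. The two check functions are cheap to run before touching cn=config and catch the two mistakes that otherwise surface only as error 80 from ldapmodify: a certificate that does not name the host, and a key that does not match the certificate.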

Step 3: Configure the LDAP client

Configure the LDAP client so that its connections to the server are encrypted.
Add a TLS_REQCERT line to /etc/ldap/ldap.conf (the libldap configuration used by ldapsearch, ldapwhoami and friends). The value allow tells libldap to proceed even when the server certificate cannot be verified, which is what makes an undistributed self-signed certificate work, but it also means the client cannot tell the real server from a man-in-the-middle that terminates TLS itself. For anything beyond a test, copy ldap_server.crt to the client, point TLS_CACERT at it and keep TLS_REQCERT at its default demand, so the certificate is actually verified. Note the -a: tee without it replaces the whole file, discarding BASE, URI and every other setting in it.

echo "TLS_REQCERT allow" | sudo tee -a /etc/ldap/ldap.conf

/etc/ldap.conf is a separate file, read by libnss-ldap and libpam-ldap rather than by libldap, and it needs TLS enabled as well. Uncomment the ssl line and set it to start_tls, which negotiates TLS on the normal port 389 and is what the server configuration above supports. ssl on would instead connect with ldaps:// on port 636, which slapd only serves if ldaps:/// is added to SLAPD_SERVICES in /etc/default/slapd, so set one of the two, not both:

$ sudo vim /etc/ldap.conf
ssl start_tls

Connections between the LDAP client and server are now encrypted with TLS.
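The client side of Step 3 done safely, as an added example rather than the article's own commands: the server certificate is trusted explicitly and verification is demanded instead of switched off, both client files are edited in place without clobbering them, and the STARTTLS session is checked from the client. The server name ldap.example.com, the path /etc/ldap/ldap_server.crt for the copied certificate and the function names are assumptions; TLS_CACERT and TLS_REQCERT are the libldap option names, ssl, tls_checkpeer and tls_cacertfile the libnss-ldap/libpam-ldap ones.

```shell
#!/bin/sh
# Added example, not code from the original article. Client side of
# Step 3 with certificate verification left on. Server name and the
# certificate path on the client are this example's assumptions.
set -eu

# Set one option in a "key value" configuration file idempotently: the
# first existing line for the key (case-insensitive) is replaced, later
# duplicates are dropped, and the key is appended if absent. Comment lines
# are untouched. Both /etc/ldap/ldap.conf and /etc/ldap.conf use this
# format; "echo ... | tee FILE" without -a would overwrite them entirely.
# Usage: ldap_conf_set <file> <key> <value>
ldap_conf_set() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        tolower($1) == tolower(k) { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # keeps the file's mode and owner
    rm -f "$tmp"
}

# Read the effective value back (first matching line, case-insensitive).
# Usage: ldap_conf_get <file> <key>
ldap_conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# libldap client: trust the server's self-signed certificate explicitly
# and demand verification. TLS_REQCERT allow accepts any certificate, so
# a man-in-the-middle could terminate TLS and read every bind password.
# Usage: configure_libldap </etc/ldap/ldap.conf> <ca-cert-path>
configure_libldap() {
    ldap_conf_set "$1" TLS_CACERT "$2"
    ldap_conf_set "$1" TLS_REQCERT demand
}

# libnss-ldap/libpam-ldap client: STARTTLS on port 389 to match the server
# (ssl on would need ldaps:// on 636) and peer verification against the
# same certificate. Usage: configure_nss_ldap </etc/ldap.conf> <ca-cert-path>
configure_nss_ldap() {
    ldap_conf_set "$1" ssl start_tls
    ldap_conf_set "$1" tls_checkpeer yes
    ldap_conf_set "$1" tls_cacertfile "$2"
}

# Prove it from the client. -ZZ fails the bind unless STARTTLS and
# certificate verification both succeed, so a wrong TLS_CACERT shows up
# here instead of as a silently unverified session. s_client (-starttls
# ldap needs OpenSSL 1.1.1, i.e. Ubuntu 18.04 or later) reports the
# negotiated protocol and the verify result independently of libldap.
# Usage: verify_starttls <fqdn> <ca-cert-path>
verify_starttls() {
    ldapwhoami -x -ZZ -H "ldap://$1"
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" \
        </dev/null 2>/dev/null | grep -E 'Protocol  :|Verify return code'
}

# On the client, after copying ldap_server.crt over from the server:
#   sh client_tls.sh setup ldap.example.com /path/to/ldap_server.crt
if [ "${1:-}" = "setup" ]; then
    ca=/etc/ldap/ldap_server.crt
    install -m 0644 "$3" "$ca"
    configure_libldap /etc/ldap/ldap.conf "$ca"
    if [ -f /etc/ldap.conf ]; then
        configure_nss_ldap /etc/ldap.conf "$ca"
    fi
    verify_starttls "$2" "$ca"
fi
```

ldap_conf_set is deliberately case-insensitive on the key because libldap accepts TLS_REQCERT and tls_reqcert alike; a naive append would leave two conflicting lines and whichever the library reads last would win. Running verify_starttls with a deliberately wrong -CAfile is a quick way to confirm that verification is really enforced: the ldapwhoami call must fail, not fall back to plaintext.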