openldap加密傳輸 nslcd

http://www.openldap.org/faq/data/cache/185.html
https://www.ibm.com/developerworks/cn/linux/1312_zhangchao_opensslldap/
http://blog.sina.com.cn/s/blog_88cdde9f01019vdt.html
http://phorum.study-area.org/index.php?topic=68194.0
http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_設定

startTLS & LDAPS

Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). The terms (unless qualified with specific version numbers) are generally interchangable.

StartTLS is the name of the standard LDAP operation for initiating TLS/SSL. TLS/SSL is initiated upon successful completion of this LDAP operation. No alternative port is necessary. It is sometimes referred to as the TLS upgrade operation, as it upgrades a normal LDAP connection to one protected by TLS/SSL.

ldaps:// and LDAPS refers to "LDAP over TLS/SSL" or "LDAP Secured". TLS/SSL is initated upon connection to an alternative port (normally 636). Though the LDAPS port (636) is registered for this use, the particulars of the TLS/SSL initiation mechanism are not standardized.

Once initiated, there is no difference between ldaps:// and StartTLS. They share the same configuration options (excepting ldaps:// requires configuration of a separate listener, see slapd(8)'s -h option) and result in like security services being established. 

服務端

復制證書

cp /etc/pki/CA/{openldap.key,openldap.crt,ca.crt} /etc/openldap/certs/

配置slapd.conf

TLSVerifyClient never # 設置是否驗證 client 的身份，其值可以是 never/allow/try/demand，
#never  不需要驗證 client 端的身份，Client 端只需要有 CA 證書就可以了
#allow  Server會要求 client 提供證書，如果 client 端沒有提供證書，會話會正常進行
#try    Client端提供了證書，但是 Server 端有可能不能校驗這個證書，這個證書會被忽略，會話正常進行
#demand Server端需要認證 client 端的身份，Client 端需要有自己的證書和私鑰

vim /etc/openldap/slapd.conf
添加以下項目 
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/openldap.crt
TLSCertificateKeyFile /etc/openldap/certs/openldap.key
TLSVerifyClient never #

啟用LDAPS

vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:///" -> SLAPD_URLS="ldapi:/// ldaps:///"

# 如果使用StartTLS，這個步驟不用執行

配置生效

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd

服務端口

#StartTLS 繼續使用389端口
netstat -nlp -t |grep :389
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name            
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1981/slapd                      
tcp6       0      0 :::389                  :::*                    LISTEN      1981/slapd 

#LDAPS 啟用636端口
netstat -nlp -t |grep :636
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name            
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1981/slapd          
tcp6       0      0 :::636                  :::*                    LISTEN      1981/slapd          

測試StartTLS

ldap服務器/etc/openldap/ldap.conf
添加以下內容
TLS_REQCERT  never

執行ldapsearch -x -ZZ后，查看日志，內容有　TLS established tls_ssf=256 ssf=256, 服務端配置正常
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 ACCEPT from IP=[::1]:39720 (IP=[::]:389)
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 STARTTLS
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=0 RESULT oid= err=0 text=
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 TLS established tls_ssf=256 ssf=256
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 BIND dn="" method=128
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=1 RESULT tag=97 err=0 text=
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=2 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 op=3 UNBIND
Sep 22 15:23:23 openldap-01 slapd[1981]: conn=1003 fd=22 closed

測試LDAPS

# openssl verify -CAfile /etc/openldap/certs/ca.crt /etc/openldap/certs/openldap.crt 
/etc/openldap/certs/openldap.crt: OK

# openssl s_client -connect slave.local:636 -showcerts -state -CAfile /etc/openldap/certs/ca.crt
---
Server certificate
subject=/C=CN/ST=Beijing/O=TVM/OU=Tech Dept/CN=OPENLDAP
issuer=/C=CN/ST=Beijing/L=Beijing/O=TVM/OU=Tech Dept/CN=CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2354 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 022E6922974AD42984230001FC3CD5923A44B73FFE94CE324BA12A58B120DDBF
    Session-ID-ctx: 
    Master-Key: CCFF58FFF333BA758C31123C9DC469F4BA752B2464B6CE5C4B998012C329D319898F873617CD98F6970AEA7CE5F413D8
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1474511415
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

客戶端

使用nslcd(Naming services LDAP client daemon)

yum -y install openldap-clients nss-pam-ldapd

配置客戶端

# StartTLS
authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldap://master.local,ldap://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update

# LDAPS
authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldaps://master.local,ldaps://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update
# 注意　--ldapserver=ldaps://master.local,ldaps://slave.local

下載服務器的ca證書

wget http://master.local/ca.crt -O /etc/openldap/cacerts/ca.crt

# ls -lh /etc/openldap/cacerts
total 4.0K
lrwxrwxrwx 1 root root    6 Sep 22 12:31 100934e9.0 -> ca.crt
-rw------- 1 root root 1.3K Sep 22 12:30 ca.crt

配置/etc/openldap/ldap.conf

TLS_REQCERT [never、allow、try、demand | hard] # 設置是否在TLS會話中檢查server證書。
Never：不檢查任何證書。
Allow：檢查server證書，沒有證書或證書錯誤，都允許連接。
Try：檢查server證書，沒有證書（允許連接），證書錯誤（終止連接）。
demand | hard：檢查server證書，沒有證書或證書錯誤都將立即終止連接。

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/ca.crt
TLS_REQCERT never 

配置/etc/nslcd.conf

ssl start_tls　# StartTLS
或ssl on　# LDAPS
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/ca.crt
tls_reqcert never

重啟nslcd服務

systemctl restart nslcd
systemctl enable nslcd

配置/etc/nsswitch.conf

變更為
passwd:     files ldap
shadow:     files ldap
group:      files ldap

測試

# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
ldap_start_tls: Operations error (1)
	additional info: TLS already started
anonymous
Result: Success (0)

# ldapsearch -x -Z -H ldaps://slave.local -b 'ou=group,dc=suntv,dc=tv'
ldap_start_tls: Operations error (1)
	additional info: TLS already started
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=suntv,dc=tv> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Group, suntv.tv
dn: ou=Group,dc=suntv,dc=tv
ou: Group
objectClass: top
objectClass: organizationalUnit

# g01, Group, suntv.tv
dn: cn=g01,ou=Group,dc=suntv,dc=tv
objectClass: posixGroup
objectClass: top
cn: g01
gidNumber: 2001

# g02, Group, suntv.tv
dn: cn=g02,ou=Group,dc=suntv,dc=tv
objectClass: posixGroup
objectClass: top
cn: g02
gidNumber: 2002

# search result
search: 3
result: 0 Success

# numResponses: 4
# numEntries: 3

帳號登錄測試

ssh u01@10.0.1.53

passwd