
Setup the LDAP Server with TLS/SASL under the CentOS 6.x


Uh, it's rambling-post time again. Since I skipped last week, this week I'm writing up how I set up an LDAPS server a while back. I posted an article on LDAP with CentOS 6.2 before, but it did not go any further into TLS/SASL, so here the focus is on the encryption part. How is it done? Read on and you'll see, as follows:

1) Basic configuration and signing of the CA and LDAP server certificates (Root CA: 20 years / LDAP server: 10 years)
#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
#cd /etc/pki/tls
#cp openssl.cnf openssl.cnf.org
#mkdir crl newcerts
#echo "01" > serial
#touch index.txt
#openssl rand 1024 > ./private/.rand
#ls -al ./private/.rand
-rw-r--r-- 1 root root 1024 Apr 18 20:53 ./private/.rand
#chmod 600 ./private/.rand
#vi openssl.cnf
dir = /etc/pki/tls # Where everything is kept
default_days = 3650 # how long to certify for
#openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7305 -config openssl.cnf
Generating a 2048 bit RSA private key
.............................................................+++
.....................................................................................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taoyuan
Organization Name (eg, company) [Default Company Ltd]:Labs Corp.
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:ldaps.labs.com
Email Address []:iori200098@iori.tw
#openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 3650 -config openssl.cnf
Generating a 2048 bit RSA private key
........................................+++
.................................................................................................................................................................................................................+++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taoyuan
Organization Name (eg, company) [Default Company Ltd]:Labs Corp.
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:ldaps.labs.com
Email Address []:iori200098@iori.tw
#openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem
Getting request Private Key
Generating certificate request
#openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/pki/tls/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 18 13:31:14 2015 GMT
Not After : Apr 15 13:31:14 2025 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
localityName = Taoyuan
organizationName = Labs Corp.
organizationalUnitName = MIS
commonName = ldaps.labs.com
emailAddress = iori200098@iori.tw
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FF:AE:42:BC:18:44:2B:1E:51:BD:6A:10:75:D3:DE:E1:2A:B9:58:C6
X509v3 Authority Key Identifier:
keyid:07:0C:64:18:BB:E8:BE:8B:AE:CA:E6:5A:53:CB:72:22:CA:F0:F0:D1
Certificate is to be certified until Apr 15 13:31:14 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note on the openssl subcommands used above:
req: PKCS#10 X.509 Certificate Signing Request (CSR) management.
x509: X.509 certificate data management.
ca: Certificate Authority (CA) management.

2) Move the related keys and crts into the LDAP directory
#cd /etc/pki/tls
#mv cacert.pem ./certs/ca.crt
#mv mycert.pem ./certs/server.crt
#mv mykey.pem ./private/server.key
#mv ./private/cakey.pem ./private/ca.key
#rm myreq.pem tmp.pem
rm: remove regular file `myreq.pem'? y
rm: remove regular file `tmp.pem'? y
#chmod -R 400 private/
Move the relevant files into the OpenLDAP directory
#cd /etc/openldap/certs/
#cp /etc/pki/tls/certs/*.crt .
#cp /etc/pki/tls/private/server.key .
#chmod 444 server.key

3) Set up the slapd.conf configuration file
#vi /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSVerifyClient never
#rm -rf /etc/openldap/slapd.d/*
#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
#chown -R ldap. /etc/openldap/slapd.d/
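As an added check that is not part of the original post: the key copied in step 2 ends up world-readable (chmod 444), and nothing in step 3 verifies that the three TLS paths in slapd.conf actually point at existing files. The script below audits that layout. It assumes slapd runs as the ldap user, as the chown in step 3 implies, so the private key should be owned by ldap and readable by that user alone (mode 400); the directive names and file layout are the ones from steps 2 and 3, and the slapd.conf to inspect is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TLS files that the
# slapd.conf from step 3 points at. Assumes slapd runs as the "ldap" user
# (the chown in step 3 implies this), so the private key should be readable
# by that user alone: owned by ldap with mode 400, not the 444 set in step 2.

# perm_bits FILE: print the nine rwx characters of FILE's mode, e.g. "r--r--r--".
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# key_is_private FILE: succeed only if group and others have no access at all.
key_is_private() {
    [ "$(perm_bits "$1" | cut -c4-9)" = "------" ]
}

# conf_path CONF DIRECTIVE: print the path given for DIRECTIVE in CONF.
conf_path() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# audit_slapd_tls CONF: verify the three TLS* files exist and that the key is
# not readable by anyone but its owner. Prints one line per finding and
# returns 1 if there was any finding, 0 otherwise.
audit_slapd_tls() {
    conf=$1
    rc=0
    for directive in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        path=$(conf_path "$conf" "$directive")
        if [ -z "$path" ]; then
            echo "missing directive: $directive"
            rc=1
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "missing file: $directive $path"
            rc=1
            continue
        fi
        if [ "$directive" = TLSCertificateKeyFile ] && ! key_is_private "$path"; then
            echo "private key readable by group/others: $path (mode $(perm_bits "$path"))"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok: TLS files in $conf look sane"
    return "$rc"
}

# Usage on the server from step 3:
#   audit_slapd_tls /etc/openldap/slapd.conf
```

Running it against the layout from steps 2 and 3 reports server.key as readable by group and others; `chown ldap. /etc/openldap/certs/server.key` followed by `chmod 400` on it makes the audit pass while slapd (running as ldap) can still load the key.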

4) Restart the service and check that the related ports are listening
#service slapd restart
#netstat -tunpl | grep -i slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 18386/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 18386/slapd
tcp 0 0 :::636 :::* LISTEN 18386/slapd
tcp 0 0 :::389 :::* LISTEN 18386/slapd

5) Set up the ldap.conf configuration file on the client side
#vi /etc/openldap/ldap.conf
TLS_REQCERT allow

6) Check the connection to the LDAPS server over TLS/SASL
#ldapsearch -x -ZZ -h 192.168.1.11 -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn='Huang')(title='engineer'))'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(sn=Huang)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan
(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
sn: Huang
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
#ldapsearch -ZZ -b "ou=unit,ou=company,dc=labs,dc=com" -s sub -D "cn=Manager,dc=labs,dc=com" -h 192.168.1.11 -w "111111" -x '(&(sn='Huang')(title='engineer'))'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(sn=Huang)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan
(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
sn: Huang
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
#ldapsearch -x -ZZ -H ldaps://192.168.1.11 -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn='Huang')(title='engineer'))'
ldap_start_tls: Operations error (1)
additional info: TLS already started
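An added example for steps 5 and 6, not part of the original post: TLS_REQCERT allow makes the client accept any server certificate, including one that fails verification, so the session is encrypted but the server is never authenticated. The functions below write a client ldap.conf that trusts only the CA from step 1 and requires verification, check an existing ldap.conf for that weakness, and pick the right ldapsearch options for a URI. The last command in step 6 fails with "TLS already started" because -ZZ issues a StartTLS operation on a connection that ldaps:// has already encrypted; the earlier -h/-ZZ searches were StartTLS on port 389, not LDAPS on port 636. With verification on, the host must be given as the name in the certificate (ldaps.labs.com, assumed here to resolve to 192.168.1.11) rather than the bare IP, or the hostname check fails. The CA path is assumed to be /etc/openldap/certs/ca.crt as laid out in step 2.

```shell
#!/bin/sh
# Added example, not from the original post: client-side settings for step 5
# and the StartTLS/LDAPS choice behind the "TLS already started" error in
# step 6. Assumes the CA certificate lives at /etc/openldap/certs/ca.crt on
# the client (copied as in step 2) and that ldaps.labs.com, the CN from step 1,
# resolves to the server at 192.168.1.11.

# write_client_ldap_conf FILE CACERT: write an ldap.conf that trusts only our
# CA and refuses sessions whose server certificate does not verify.
write_client_ldap_conf() {
    cat > "$1" <<EOF
# Trust only the CA that signed server.crt.
TLS_CACERT $2
# demand (OpenLDAP's default) aborts on a missing or bad server certificate;
# "allow" would encrypt the session but skip authenticating the server.
TLS_REQCERT demand
EOF
}

# check_client_ldap_conf FILE: return 1 if FILE would let an unverified
# server certificate through (TLS_REQCERT never/allow/try) or names no CA.
check_client_ldap_conf() {
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) } END { print v }' "$1")
    cacert=$(awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { v = $2 } END { print v }' "$1")
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *)
            echo "weak: TLS_REQCERT $reqcert accepts an unverifiable server certificate"
            return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "weak: no TLS_CACERT/TLS_CACERTDIR, so the private CA from step 1 is not trusted"
        return 1
    fi
    echo "ok: server certificate will be verified against $cacert"
}

# ldap_tls_args URI: print the ldapsearch options that give an encrypted
# session for URI. ldaps:// negotiates TLS at connect time, so adding -ZZ
# (StartTLS) there yields "TLS already started"; a plain ldap:// on port 389
# needs -ZZ to upgrade the connection before any directory data is sent.
ldap_tls_args() {
    case "$1" in
        ldaps://*) printf '%s\n' "-H $1" ;;
        ldap://*)  printf '%s\n' "-ZZ -H $1" ;;
        *) echo "ldap_tls_args: expected ldap:// or ldaps:// URI, got $1" >&2; return 1 ;;
    esac
}

# Usage (hostname rather than the bare IP, so it matches the certificate's CN):
#   write_client_ldap_conf /etc/openldap/ldap.conf /etc/openldap/certs/ca.crt
#   ldapsearch -x $(ldap_tls_args ldaps://ldaps.labs.com) \
#       -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Huang)(title=engineer))'
```

Either form gives an encrypted session; the difference is which port carries it and whether the client first talks LDAP in the clear and then upgrades. The check function treats a missing TLS_REQCERT as demand because that is OpenLDAP's default, so only an explicit downgrade like the one in step 5 is reported.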

◎ That is the quick walkthrough of setting up the LDAP server with TLS/SASL under CentOS 6.x. The content above is based on an article from 有為青年生活札記, and Weithenn's article is another good reference. If you are interested in doing the setup on CentOS 7.x, go play with it yourself. That's it for now, signing off!

  1. What does LDAP have to do with Jane Smith who lives in Zhonghe?
