- Configure the certificate settings
$ cat /usr/share/openldap-servers/slapd.ldif
...
#
# TLS settings
#
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSCACertificateFile: /path/to/cacert.pem
olcTLSCertificateFile: /path/to/server.pem
olcTLSCertificateKeyFile: /path/to/server.key
...
Apply the settings with an LDIF over the local ldapi socket:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /path/to/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /path/to/server.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /path/to/server.pem
EOF
Things to note:
- Whether to use add or replace: use add if the attribute was not set before, and replace if it already exists.
- All of the files (/path/to/server.pem and the others) must be readable by the user slapd runs as; otherwise you get a cryptic error when applying the change:
ldap_modify: Other (e.g., implementation specific) error (80)
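To make the add-versus-replace choice and the file-readability check mechanical, here is an added shell example (my own, not from the original post or from OpenLDAP); it assumes you first dump the current values with ldapsearch over ldapi:///, and the sample dump embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build the cn=config modify LDIF
# for the three TLS attributes, choosing "add" when the attribute is absent from
# the current config and "replace" when it is already set, and check that the
# files are readable before applying. Function names are hypothetical.

# Constructed sample of what
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
#       olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
# might return on a server where the CA file has not been set yet.
SAMPLE_CURRENT='dn: cn=config
olcTLSCertificateFile: /etc/openldap/certs/old.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/old.key'

# Emit one LDIF stanza for ATTR=VALUE: "replace" if ATTR already appears in
# CURRENT (the ldapsearch output), otherwise "add".
tls_ldif_stanza() {
    attr="$1"; value="$2"; current="$3"
    if printf '%s\n' "$current" | grep -qi "^$attr:"; then
        op=replace
    else
        op=add
    fi
    printf '%s: %s\n%s: %s\n' "$op" "$attr" "$attr" "$value"
}

# Full modify record for cn=config; stanzas are separated by a lone "-".
build_tls_ldif() {
    current="$1"; cacert="$2"; cert="$3"; key="$4"
    printf 'dn: cn=config\nchangetype: modify\n'
    tls_ldif_stanza olcTLSCACertificateFile "$cacert" "$current"
    printf '%s\n' '-'
    tls_ldif_stanza olcTLSCertificateFile "$cert" "$current"
    printf '%s\n' '-'
    tls_ldif_stanza olcTLSCertificateKeyFile "$key" "$current"
}

# slapd runs as an unprivileged user, and a file it cannot read is the usual
# cause of "Other (e.g., implementation specific) error (80)". Run this as that
# user (for example via sudo -u ldap) so the check reflects slapd's own access.
check_tls_files() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "not readable: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: pipe the output into ldapmodify -Y EXTERNAL -H ldapi:///
build_tls_ldif "$SAMPLE_CURRENT" /path/to/cacert.pem /path/to/server.pem /path/to/server.key
```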
- Configure the listening ports
$ cat /etc/sysconfig/slapd
...
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
# (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
...
The default values are:
ldapi=/var/run/ldapi, ldap=389, ldaps=636
- Restart slapd
$ sudo systemctl stop slapd
$ sudo systemctl start slapd
Verify the certificate the server presents:
$ openssl s_client -connect <hostname>:636
$ openssl s_client -showcerts -CAfile /path/to/ca.pem -connect <hostname>:636
- Client configuration
The client's default configuration file:
$ cat /etc/openldap/ldap.conf
...
TLS_CACERT /path/to/certificate/cacert.pem
...
Run a query (assuming the SSL port is 636):
$ ldapsearch -x -b "dc=mydomain,dc=com" -H ldaps://:636
If there is no CA certificate, verification can also be skipped (TLS_REQCERT never means the client does not check the server certificate at all):
$ cat /etc/openldap/ldap.conf
...
TLS_REQCERT never
...