LDAP Linux LDAP TLS


LDAP Шифрование

ТУТ я просто дублирую статью со своими комментариями.



0010_prepere_CA.sh
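#!/usr/bin/env bash
# 0010_prepere_CA.sh — bootstrap a minimal "openssl ca" directory layout under
# /root/CA (certs/, crl/, newcerts/, private/, index.txt, serial) and create
# the passphrase-protected root CA key.
#
# Runs as root. /root/CA is u=rwx only, private/ is 0700, and the key ends up
# mode 0400 plus immutable (chattr +i) so it cannot be overwritten by accident.
# openssl genrsa -aes256 asks for the passphrase on the terminal; that same
# passphrase is needed again by every later "openssl ca" signing step, so
# keep it out of this file and out of shell history.
set -euo pipefail

ca_dir=/root/CA

mkdir "$ca_dir"
chmod u=rwx,g=,o= "$ca_dir"
pushd "$ca_dir" >/dev/null
# 066: everything created from here on is unreadable by group/other by default.
umask 066

# Standard CA layout; the openssl.cnf [ CA_default ] section is expected to
# point "dir" at this directory (the config file is not shown on this page).
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

# Root CA private key, 4096-bit RSA, AES-256 encrypted (interactive passphrase).
openssl genrsa -aes256 -out private/rootca.key 4096
chmod 400 private/rootca.key
chattr +i private/rootca.key

popd >/dev/null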


0011_rootCa_crt.sh
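#!/usr/bin/env bash
# 0011_rootCa_crt.sh — self-sign the root CA certificate with the key created
# by 0010_prepere_CA.sh. Every path below is relative to /root/CA, so the
# script enters that directory first (it already ended with popd, but had no
# matching pushd, so it only worked when run from /root/CA by hand).
set -euo pipefail

pushd /root/CA >/dev/null

# -x509: emit a self-signed certificate instead of a CSR.
# -extensions v3_ca: CA extensions come from the openssl.cnf [ v3_ca ] section
#   (config file not shown on this page).
# -days 3650: the root is valid for roughly ten years.
# Prompts for the passphrase of private/rootca.key.
openssl req \
  -sha256 \
  -new \
  -x509 \
  -days 3650 \
  -extensions v3_ca \
  -key private/rootca.key \
  -out certs/rootca.crt \
  -subj /C=UA/ST=Kharkov/L=Kharkov/O=MirantisInc/OU=ServicesDepartment/CN=ca-server/emailAddress=mmaxur@mirantis.com

# The public certificate is distributed, never edited: world-readable, immutable.
chmod 444 certs/rootca.crt
chattr +i certs/rootca.crt

# Dump the result for a manual check of subject, validity and CA:TRUE.
openssl x509 -in certs/rootca.crt -noout -text

popd >/dev/null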


0012_private_key_for_ldap1.sh
#!/usr/bin/env bash
# 0012_private_key_for_ldap1.sh — generate the 4096-bit RSA key for the ldap1
# server certificate inside the CA's private/ directory.
# No cipher option is given, so the key is written unencrypted (slapd has to
# load it unattended); file mode 0400 under private/ is its only protection.
key_file=private/ldap1.key
key_bits=4096

pushd /root/CA
openssl genrsa -out "$key_file" "$key_bits"
chmod 400 "$key_file"
popd


0013_create_cert_request_for_ldap1.sh
#!/usr/bin/env bash
# 0013_create_cert_request_for_ldap1.sh — build a SHA-256 signed CSR for the
# ldap1 key with CN=ldap1.
# No subjectAltName is requested here; whether the signed certificate carries
# one depends on the signing config, which this page does not show — clients
# that require SAN matching should be tested against the final certificate.
subject='/C=UA/ST=Kharkov/L=Kharkov/O=MirantisInc/OU=ServicesDepartment/CN=ldap1/emailAddress=mmaxur@mirantis.com'

pushd /root/CA
openssl req -sha256 -new \
  -key private/ldap1.key \
  -out certs/ldap1.csr \
  -subj "$subject"
popd


0014_create_and_sign_cert_for_ldap1.sh
#!/usr/bin/env bash
# 0014_create_and_sign_cert_for_ldap1.sh — have the root CA sign the ldap1 CSR.
# openssl ca takes dir/policy/serial/index from openssl.cnf (not on this page)
# and, without -batch, prompts for the rootca.key passphrase and a y/n
# confirmation.
# -extensions usr_cert: end-entity extension section from the config.
# -notext: write only the PEM block into certs/ldap1.crt, no text dump.
pushd /root/CA

sign_args=(
  -extensions usr_cert
  -notext
  -md sha256
  -keyfile private/rootca.key
  -cert certs/rootca.crt
  -in certs/ldap1.csr
  -out certs/ldap1.crt
)
openssl ca "${sign_args[@]}"

# The signed certificate is public: readable by all, writable by none.
chmod 444 certs/ldap1.crt

popd


0015_move_certs_to_ldap_config_dir.sh
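#!/usr/bin/env bash
# 0015_move_certs_to_ldap_config_dir.sh — publish the ldap1 certificate and key
# to slapd's config directory and the root CA certificate to /etc/ssl/certs.
#
# Ownership/mode: /etc/ldap/ssl is 0500 openldap:openldap and the two files are
# 0400 openldap:openldap, so only slapd (and root) can read the private key.
# install(1) creates each file with its final owner/group/mode in one step, so
# the key never exists with a wider mode, and re-running the script is safe
# (the original mkdir failed on a second run).
set -euo pipefail

ssl_dir=/etc/ldap/ssl
ldap_owner=openldap

pushd /root/CA >/dev/null

# -d: create the directory (idempotent) with the final ownership and mode.
install -d -o "$ldap_owner" -g "$ldap_owner" -m 0500 "$ssl_dir"
install -o "$ldap_owner" -g "$ldap_owner" -m 0400 certs/ldap1.crt "$ssl_dir/ldap1.crt"
install -o "$ldap_owner" -g "$ldap_owner" -m 0400 private/ldap1.key "$ssl_dir/ldap1.key"

# The CA certificate is public. Later steps reference this path explicitly
# (olcTLSCACertificateFile, gnutls-cli --x509cafile); dropping a file here
# does not by itself add the CA to the distribution's trust bundle — verify
# if other system clients are expected to trust it.
install -o root -g root -m 0644 certs/rootca.crt /etc/ssl/certs/rootca.crt

popd >/dev/null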


0016_check_cert.sh
openssl verify -verbose -CAfile /etc/ssl/certs/rootca.crt  /etc/ldap/ssl/ldap1.crt


0201_install_tls_certs.ldif
# 0201_install_tls_certs.ldif — enable TLS on slapd by adding the certificate
# paths to the cn=config entry (applied with ldapmodify over ldapi:///).
# All four changes form one LDIF record ("-" separators), so slapd validates
# and applies them together as a single modify.
dn: cn=config
# never: slapd does not ask the client for a certificate; TLS is used for
# server authentication and transport encryption only.
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
# Server certificate and its unencrypted key as deployed by 0015
# (0400 openldap:openldap under /etc/ldap/ssl).
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap1.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap1.key
-
# Root CA that signed ldap1.crt; the same file clients use to verify the server.
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/rootca.crt


0202_configure_ldap_to_use_tls.sh
ldapmodify -Y EXTERNAL -H ldapi:/// <0201_install_tls_certs.ldif


0203_check_config.sh
ldapsearch -QLLLY EXTERNAL -H ldapi:/// -b cn=config -s base | grep -i tls


0204_check_tls_connection.sh
#!/usr/bin/env bash
# 0204_check_tls_connection.sh — open a raw TLS session to ldap1 on port 636
# (ldaps) with gnutls-cli, print the server certificate and verify it against
# the root CA; -d 1 adds a little handshake debugging output.
# This tests the ldaps port, so slapd must actually be listening there
# (ldaps:/// in its listener URLs) — that configuration is not on this page.
host=ldap1
port=636
ca_file=/etc/ssl/certs/rootca.crt

gnutls-cli -p "$port" "$host" -d 1 --print-cert --x509cafile "$ca_file"


1012_private_key_for_ldap2.sh
#!/usr/bin/env bash
# 1012_private_key_for_ldap2.sh — unencrypted 4096-bit RSA key for the second
# LDAP server (ldap2), kept under the CA's private/ directory with mode 0400.
pushd /root/CA

key=private/ldap2.key
openssl genrsa -out "$key" 4096
chmod 400 "$key"

popd


1013_create_cert_request_for_ldap2.sh
#!/usr/bin/env bash
# 1013_create_cert_request_for_ldap2.sh — SHA-256 CSR for ldap2; same subject
# as the ldap1 request except CN=ldap2. No subjectAltName is requested.
pushd /root/CA

req_args=(
  -sha256 -new
  -key private/ldap2.key
  -out certs/ldap2.csr
  -subj /C=UA/ST=Kharkov/L=Kharkov/O=MirantisInc/OU=ServicesDepartment/CN=ldap2/emailAddress=mmaxur@mirantis.com
)
openssl req "${req_args[@]}"

popd


1014_create_and_sign_cert_for_ldap2.sh
#!/usr/bin/env bash
# 1014_create_and_sign_cert_for_ldap2.sh — sign the ldap2 CSR with the root CA.
# Interactive: asks for the rootca.key passphrase and a y/n confirmation.
# The CA's dir/serial/index layout comes from openssl.cnf (not shown here).
csr=certs/ldap2.csr
crt=certs/ldap2.crt

pushd /root/CA
openssl ca -extensions usr_cert -notext -md sha256 \
  -keyfile private/rootca.key -cert certs/rootca.crt \
  -in "$csr" -out "$crt"
# Public certificate: world-readable, not writable.
chmod 444 "$crt"
popd


2012_private_key_for_ldap.sh
#!/usr/bin/env bash
# 2012_private_key_for_ldap.sh — unencrypted 4096-bit RSA key for the shared
# cluster name "ldap" (used by 3201/3202 so every node presents one name
# instead of per-host ldap1/ldap2 certificates).
pushd /root/CA

openssl genrsa -out private/ldap.key 4096
chmod 400 private/ldap.key

popd


2013_create_cert_request_for_ldap.sh
#!/usr/bin/env bash
# 2013_create_cert_request_for_ldap.sh — CSR whose CN is the shared cluster
# name "ldap" rather than a specific host; same O/OU/email as the per-host CSRs.
# No subjectAltName is requested here; whether the signed certificate gets one
# depends on the signing config, which this page does not show.
pushd /root/CA

openssl req -sha256 -new \
  -key private/ldap.key \
  -out certs/ldap.csr \
  -subj '/C=UA/ST=Kharkov/L=Kharkov/O=MirantisInc/OU=ServicesDepartment/CN=ldap/emailAddress=mmaxur@mirantis.com'

popd


2014_create_and_sign_cert_for_ldap.sh
#!/usr/bin/env bash
# 2014_create_and_sign_cert_for_ldap.sh — root CA signs the CSR for the shared
# "ldap" name. Interactive: asks for the rootca.key passphrase and a y/n
# confirmation; dir/serial/index come from openssl.cnf (not shown on this page).

# Sign one CSR ($1) into a certificate ($2) with the usr_cert extensions.
sign_csr() {
  local csr=$1 out=$2
  openssl ca \
    -extensions usr_cert \
    -notext \
    -md sha256 \
    -keyfile private/rootca.key \
    -cert certs/rootca.crt \
    -in "$csr" \
    -out "$out"
}

pushd /root/CA

sign_csr certs/ldap.csr certs/ldap.crt
# Public certificate: world-readable, not writable.
chmod 444 certs/ldap.crt

popd


3201_install_tls_certs.ldif
# 3201_install_tls_certs.ldif — switch slapd from the per-host ldap1
# certificate (set by 0201) to the shared "ldap" certificate so every node
# in the cluster presents the same name. Uses "replace" because the attributes
# already exist in cn=config (replace would also add them if they did not).
dn: cn=config
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
-
# New server cert/key. Note that 0015 only deployed the ldap1 files to
# /etc/ldap/ssl; this page shows no step copying ldap.crt and ldap.key there,
# so they must be installed first (same 0400 openldap:openldap as ldap1) or
# slapd will reject this modify.
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
-
# Same root CA as before; it also signed ldap.crt (2014).
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/rootca.crt
3202_configure_ldap_to_use_one_name_on_cluster.sh
ldapmodify -Y EXTERNAL -H ldapi:/// <3201_install_tls_certs.ldif