This tutorial continues the previous post 【Linux】Installing LDAP Server 2.4 on CentOS. Since the plan is to have two LDAP servers synchronise their data later on,

and that synchronisation has to take security into account, the transfer has to be encrypted, so I looked into how to set that up.

First, edit the file /etc/sysconfig/ldap

# vi /etc/sysconfig/ldap

Around line 16 of that file, change the setting to this

SLAPD_LDAPS=yes

Next come the certificates. In principle you can follow my earlier post 【FreeBSD】Apache + SSL certificate creation and make them the same way, but the paths on FreeBSD and CentOS differ a little,

so I am writing a fresh version for CentOS.

1. Act as your own CA

2. Then create a server certificate and have that CA sign it

The preparation is as follows

# cd /etc/pki/tls
# cp openssl.cnf openssl.cnf.org
# mkdir crl newcerts
# echo "01" > serial
# touch index.txt
# openssl rand 1024 > ./private/.rand
# chmod 600 ./private/.rand

Set these two lines in openssl.cnf

# vi openssl.cnf
dir = /etc/pki/tls   # Where everything is kept
default_days = 3650   # how long to certify for

Now issue the Root CA; its validity is set to 20 years

# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7305 -config openssl.cnf
Generating a 2048 bit RSA private key
...................................................................+++
.....................................................................................................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: (enter the CA passphrase)
Verifying - Enter PEM pass phrase: (enter the CA passphrase)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taipei
Organization Name (eg, company) [Default Company Ltd]:(organisation name)
Organizational Unit Name (eg, section) []:(department name)
Common Name (eg, your name or your server's hostname) []:(enter the full domain name)
Email Address []:(enter an e-mail address)
#

Once the CA is done, the next step is the server's own certificate

# openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 3650 -config openssl.cnf
Generating a 2048 bit RSA private key
........+++
.+++
writing new private key to 'mykey.pem'
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taipei
Organization Name (eg, company) [Default Company Ltd]:(organisation name)
Organizational Unit Name (eg, section) []:(department name)
Common Name (eg, your name or your server's hostname) []:(enter the full domain name)
Email Address []:(enter an e-mail address)
# openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem
Getting request Private Key
Generating certificate request
# openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/pki/tls/private/cakey.pem:(enter the CA passphrase)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  8 08:34:34 2013 GMT
            Not After : May  6 08:34:34 2023 GMT
        Subject:
            countryName               = TW
            stateOrProvinceName       = Taiwan
            localityName              = Taipei
            organizationName          = (organisation name)
            organizationalUnitName    = (department name)
            commonName                = (full domain name of the machine)
            emailAddress              = bojackhcchien@iii.org.tw
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5D:A2:3A:E3:FE:FD:61:B8:4E:AF:4B:F4:5B:CB:A7:12:46:2A:00:BA
            X509v3 Authority Key Identifier:
                keyid:7E:2D:5B:4B:0C:7B:4E:09:62:02:8B:77:20:C1:3B:04:CB:F6:D0:70

Certificate is to be certified until May  6 08:34:34 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#

With that, the certificate has been signed by the CA (which really just means being player and referee at the same time :p)
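The same two-step procedure as an added, non-interactive shell example (not code from the original post): it builds the CA and the CA-signed server certificate in a temporary directory using a minimal openssl.cnf, then checks with openssl verify that server.crt really chains to ca.crt. It assumes openssl is on PATH, reads the CA passphrase from an environment variable named LDAP_CA_PASS (a name chosen for this example), uses placeholder subject values, and creates the server CSR directly with openssl req -new instead of the post's self-signed-then-x509toreq route.

```shell
#!/bin/sh
# Added example, not code from the original post: the same two-step PKI
# (own CA, then a CA-signed server certificate) built non-interactively in
# a scratch directory, so nothing under /etc/pki is touched.
# Assumptions: openssl is on PATH; the CA passphrase is read from the
# environment variable LDAP_CA_PASS (a name chosen for this example).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# write_ca_config DIR : minimal openssl.cnf with the parts "openssl ca" needs
# (dir / serial / index.txt / newcerts mirror the post's preparation steps)
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 3650
default_md      = sha256
policy          = policy_anything
x509_extensions = server_cert

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 2048
distinguished_name  = req_dn
x509_extensions     = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca DIR CN : prepare the CA directory and self-sign a root certificate
# valid for 7305 days (20 years) as in the post; the CA key stays encrypted
make_ca() {
    mkdir -p "$1/private" "$1/newcerts" "$1/certs"
    chmod 700 "$1/private"
    echo 01 > "$1/serial"
    : > "$1/index.txt"
    write_ca_config "$1"
    openssl req -new -x509 -days 7305 -config "$1/openssl.cnf" \
        -subj "/C=TW/ST=Taiwan/L=Taipei/O=Example Org/CN=$2" \
        -passout env:LDAP_CA_PASS \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# issue_server_cert DIR FQDN : unencrypted server key (slapd must open it
# unattended), a CSR straight from "openssl req -new" instead of the post's
# self-signed-then-x509toreq detour, then the CA's signature on that CSR
issue_server_cert() {
    openssl req -new -nodes -config "$1/openssl.cnf" \
        -subj "/C=TW/ST=Taiwan/L=Taipei/O=Example Org/CN=$2" \
        -keyout "$1/private/server.key" -out "$1/server.csr" 2>/dev/null
    openssl ca -batch -config "$1/openssl.cnf" -policy policy_anything \
        -passin env:LDAP_CA_PASS -in "$1/server.csr" \
        -out "$1/certs/server.crt" 2>/dev/null
    cp "$1/cacert.pem" "$1/certs/ca.crt"
    chmod 400 "$1/private/server.key"   # same effect as the post's chmod -R 400 private
}

# verify_chain DIR : succeeds only if server.crt was issued by ca.crt
verify_chain() {
    openssl verify -CAfile "$1/certs/ca.crt" "$1/certs/server.crt" >/dev/null 2>&1
}

# Usage: everything goes into a constructed temporary directory
: "${LDAP_CA_PASS:=example-only-passphrase}"; export LDAP_CA_PASS
WORK=$(mktemp -d)
make_ca "$WORK" "Example Root CA"
issue_server_cert "$WORK" "ldap1.example.com"
verify_chain "$WORK" && echo "server.crt chains to ca.crt in $WORK/certs"
```

The Example Org subject values stand in for whatever you type at the prompts above. The CA key keeps its passphrase, while server.key is written with -nodes because slapd has to read it at start-up with nobody there to type one; that is why its file mode matters so much later on.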

Finally, move the files into place and rename them

# cd /etc/pki/tls
# mv cacert.pem ./certs/ca.crt
# mv mycert.pem ./certs/server.crt
# mv mykey.pem ./private/server.key
# mv ./private/cakey.pem ./private/ca.key
# rm myreq.pem tmp.pem
rm: remove regular file `myreq.pem'? y
rm: remove regular file `tmp.pem'? y
#

Set the permissions on the generated keys

# chmod -R 400 private

Copy the relevant files into the openldap directory

# cd /etc/openldap/certs/
# cp /etc/pki/tls/certs/*.crt .
# cp /etc/pki/tls/private/server.key .
# chmod 444 server.key

Next, add the encryption-related settings to slapd.conf

# vi /etc/openldap/slapd.conf

TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/server.crt
TLSCertificateKeyFile   /etc/openldap/certs/server.key
TLSVerifyClient         never

Finally, we just need to rebuild the configuration from slapd.conf

# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
# chown -R ldap:ldap /etc/openldap/slapd.d/
# service slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
#

As for the second LDAP Server, just copy ca.crt, server.crt and server.key into its /etc/openldap/certs directory,

put the same settings into its slapd.conf, and repeat the final steps done on ldap1. Done!

[ Supplement ]

If you get a TLS negotiation failure error from the second LDAP Server, it may be a permission problem on the key; remember to make it readable and it will be fine

May 13 12:18:37 ldap1 slapd[2220]: conn=1003 fd=15 ACCEPT from IP=192.168.1.10:47757 (IP=0.0.0.0:389)
May 13 12:18:37 ldap1 slapd[2220]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
May 13 12:18:37 ldap1 slapd[2220]: conn=1003 op=0 STARTTLS
May 13 12:18:37 ldap1 slapd[2220]: conn=1003 op=0 RESULT oid= err=0 text=
May 13 12:18:37 ldap1 slapd[2220]: conn=1003 fd=15 closed (TLS negotiation failure)
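A pre-flight check for the TLS* directives, as an added example that is not from the original post. It covers both the slapd.conf settings above and the supplement's failure: it reads TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile from a slapd.conf, confirms that each file exists and has its owner read bit set, and checks that the key really belongs to the certificate, which is the other common reason for a handshake to fail right after STARTTLS. It assumes openssl is on PATH; the directory layout it builds for the demonstration is constructed, and on a real server you would pass /etc/openldap/slapd.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the three
# TLS* file directives in slapd.conf, so a "TLS negotiation failure" like the
# one in the supplement is caught before slapd is restarted. Every path is
# read from the config, so it works on the real /etc/openldap/slapd.conf as
# well as on the constructed layout below. Assumption: openssl is on PATH.
set -eu

# tls_path CONF DIRECTIVE : value of a slapd.conf directive (first match)
tls_path() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# owner_readable FILE : owner read bit set? (column 2 of ls -l). The mode
# bits are checked rather than test -r, which is always true when run as root
# even though slapd itself runs as the ldap user
owner_readable() {
    [ "$(ls -ld -- "$1" | cut -c2)" = r ]
}

# key_matches_cert KEY CERT : compare the public key contained in both files
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_tls_files CONF : one line per finding; exit status 0 only if all pass
check_tls_files() {
    rc=0
    for d in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        f=$(tls_path "$1" "$d")
        if [ -z "$f" ]; then echo "UNSET    $d"; rc=1
        elif [ ! -f "$f" ]; then echo "MISSING  $d -> $f"; rc=1
        elif ! owner_readable "$f"; then
            echo "NOREAD   $f (mode $(ls -ld -- "$f" | cut -c1-10))"; rc=1
        else echo "ok       $f"
        fi
    done
    key=$(tls_path "$1" TLSCertificateKeyFile)
    crt=$(tls_path "$1" TLSCertificateFile)
    if [ -f "$key" ] && [ -f "$crt" ]; then
        if key_matches_cert "$key" "$crt"; then echo "ok       key matches certificate"
        else echo "MISMATCH $key is not the private key of $crt"; rc=1
        fi
    fi
    return $rc
}

# demo_layout : constructed stand-in for /etc/openldap/certs, with one
# self-signed certificate playing both ca.crt and server.crt; prints the dir
demo_layout() {
    d=$(mktemp -d); mkdir "$d/certs"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=ldap1.example.com" \
        -keyout "$d/certs/server.key" -out "$d/certs/server.crt" 2>/dev/null
    cp "$d/certs/server.crt" "$d/certs/ca.crt"
    printf 'TLSCACertificateFile    %s\nTLSCertificateFile      %s\nTLSCertificateKeyFile   %s\nTLSVerifyClient         never\n' \
        "$d/certs/ca.crt" "$d/certs/server.crt" "$d/certs/server.key" > "$d/slapd.conf"
    echo "$d"
}

# Usage: a healthy layout passes, then an unreadable key is reported
D=$(demo_layout)
check_tls_files "$D/slapd.conf"
chmod 000 "$D/certs/server.key"          # reproduce the supplement's problem
check_tls_files "$D/slapd.conf" || echo "-> chmod 400 $D/certs/server.key and retry"
```

Run it against the real config with check_tls_files /etc/openldap/slapd.conf before the service slapd restart step; a NOREAD line is exactly the situation the supplement describes, and a MISMATCH line means the server.crt and server.key that were copied to the second machine do not come from the same openssl run.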
