==== Enabling TLS ====
To enable TLS support we need to create a certificate authority (CA), generate a key pair for the server, and have the CA sign the server's certificate. Everything is kept under /etc/ldap/tls.
# apt-get install openssl
# mkdir /etc/ldap/tls
# cd /etc/ldap/tls/
Creating the certificate authority (CA.sh is the helper script shipped with the openssl package; it creates the demoCA/ directory and asks for a passphrase that protects the CA private key):
# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
...............................................................+++
.....+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:**senha123**
Verifying - Enter PEM pass phrase:**senha123**
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BR
State or Province Name (full name) [Some-State]:Para
Locality Name (eg, city) []:Belem
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Laboratorio Ltda.
Organizational Unit Name (eg, section) []:TI
Common Name (e.g. server FQDN or YOUR name) []:ca.laboratorio.com.br
Email Address []:ca@laboratorio.com.br
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:**senha123**
An optional company name []:Signatures Co.
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:**senha123**
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
f8:02:63:e0:f2:d1:52:5b
Validity
Not Before: Dec 16 13:31:12 2015 GMT
Not After : Dec 15 13:31:12 2018 GMT
Subject:
countryName = BR
stateOrProvinceName = Para
organizationName = Laboratorio Ltda.
organizationalUnitName = TI
commonName = ca.laboratorio.com.br
emailAddress = ca@laboratorio.com.br
X509v3 extensions:
X509v3 Subject Key Identifier:
3D:49:61:F7:A2:7A:AB:99:5C:A5:3E:DE:3A:EE:86:EF:C8:57:37:A0
X509v3 Authority Key Identifier:
keyid:3D:49:61:F7:A2:7A:AB:99:5C:A5:3E:DE:3A:EE:86:EF:C8:57:37:A0
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Dec 15 13:31:12 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Creating the server certificate:
* In this step the only question that must be answered precisely is the server name (Common Name), which must be the FQDN of the server machine: the client compares it with the host name in the URI it connects to. libldap checks subjectAltName first and falls back to the Common Name, so a CN-only certificate works with ldap-utils; newer clients (browsers, Go, recent TLS libraries) ignore the CN, so add a subjectAltName with the same FQDN at signing time if anything other than ldap-utils will connect. The -nodes option leaves the private key unencrypted, which is required because slapd starts unattended and cannot enter a passphrase; protect the key with file permissions instead.
# openssl req -new -nodes -keyout srvkey.key -out newreq.pem
Generating a 2048 bit RSA private key
...............................................+++
....+++
writing new private key to 'srvkey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BR
State or Province Name (full name) [Some-State]:Para
Locality Name (eg, city) []:Belem
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Laboratorio Ltda
Organizational Unit Name (eg, section) []:TI
Common Name (e.g. server FQDN or YOUR name) []:ldapmaster01.laboratorio.com.br
Email Address []:webmaster@laboratorio.com.br
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:**senha123**
An optional company name []:Signatures Co.
Signing the server certificate with the certificate authority (without -days, openssl x509 -req issues a certificate valid for only 30 days, so set the validity explicitly):
# openssl x509 -req -in newreq.pem -CAkey demoCA/private/cakey.pem -CA demoCA/cacert.pem -out srvcert.pem -CAserial demoCA/serial -days 365
Signature ok
subject=/C=BR/ST=Para/L=Belem/O=Laboratorio Ltda/OU=TI/CN=ldapmaster01.laboratorio.com.br/emailAddress=webmaster@laboratorio.com.br
Getting CA Private Key
Enter pass phrase for demoCA/private/cakey.pem:**senha123**
Put the CA certificate in the same directory as the server key and certificate. On Debian slapd runs as the openldap user, so srvkey.key must be readable by that user and by nobody else (owner root, group openldap, mode 0640); the two certificates can stay world-readable.
# cp demoCA/cacert.pem .
==== Adding the TLS settings to the cn=config database ====
# cat tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/cacert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/srvkey.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/srvcert.pem
# ldapmodify -x -D cn=admin,cn=config -w senha -f tls.ldif
modifying entry "cn=config"
* The three attributes go in a single ldapmodify operation: slapd rebuilds its TLS context when the change is committed and rejects it (error 80, "Other") if the certificate and key do not match or if a file is unreadable by the openldap user, so fix ownership and permissions before running ldapmodify. The explicit changetype: modify is what ldapmodify assumes without -a, but stating it keeps the LDIF unambiguous if it is reused with other tools.
==== Enabling support on the clients ====
# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE dc=laboratorio,dc=com,dc=br
URI ldap://ldapmaster01.laboratorio.com.br
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ldap/tls/cacert.pem
* The URI must reference the server's name (FQDN), not its IP address: the certificate was issued for the FQDN, and the client compares that name with the host it connected to (subjectAltName first, then Common Name). With a mismatch, or with TLS_CACERT pointing at a CA that did not sign the server certificate, the handshake is refused, because TLS_REQCERT in ldap.conf defaults to demand.
To test that TLS is working, add -ZZ to the ldapsearch command and keep -x: -x selects simple bind (the authentication method), while -Z requests StartTLS on the ldap:// connection and -ZZ makes the command fail if StartTLS cannot be negotiated, so the test cannot silently fall back to cleartext (use -W instead of -w senha if the password should not appear in the process list and shell history):
# ldapsearch -x -ZZ -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha -b dc=laboratorio,dc=com,dc=br -LLL
dn: dc=laboratorio,dc=com,dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
o: laboratorio.com.br
dc: laboratorio

dn: cn=admin,dc=laboratorio,dc=com,dc=br
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9TG5kZFpxWjl2NmpmNnRiQTFBL2NkT1dwU1VEWC9HeDU=

dn: o=matriz,dc=laboratorio,dc=com,dc=br
o: matriz
objectClass: organization
objectClass: top

dn: o=filial,dc=laboratorio,dc=com,dc=br
o: filial
objectClass: organization
objectClass: top

dn: ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top

dn: ou=Usuarios,o=filial,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top

dn: cn=Tim Berners-Lee,ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
uid: timb
cn: Tim Berners-Lee
sn: timb
objectClass: inetOrgPerson
objectClass: posixAccount
loginShell: /bin/bash
uidNumber: 1021
gidNumber: 1021
homeDirectory: /home/timb
userPassword:: e1NTSEF9dzZzazM2OTBSR2JDelRXbW1yMUpwa2NZMkhRcHlzQzc=

dn: ou=Grupos,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Grupos
objectClass: organizationalUnit
objectClass: top

dn: ou=Computadores,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Computadores
objectClass: organizationalUnit
objectClass: top

dn: ou=Agendas,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Agendas
objectClass: organizationalUnit
objectClass: top

dn: ou=Grupos,o=filial,dc=laboratorio,dc=com,dc=br
ou: Grupos
objectClass: organizationalUnit
objectClass: top

dn: ou=Computadores,o=filial,dc=laboratorio,dc=com,dc=br
ou: Computadores
objectClass: organizationalUnit
objectClass: top

dn: ou=Agendas,o=filial,dc=laboratorio,dc=com,dc=br
ou: Agendas
objectClass: organizationalUnit
objectClass: top

dn: ou=restrito,ou=Agendas,o=filial,dc=laboratorio,dc=com,dc=br
ou: restrito
objectClass: organizationalUnit
objectClass: top

dn: cn=Linus Torvalds da Silva,ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
uid: linust
sn: linust
objectClass: inetOrgPerson
objectClass: posixAccount
homeDirectory: /home/linust
loginShell: /bin/bash
uidNumber: 1020
gidNumber: 1020
userPassword:: MTIzbXVkYXI=
cn: Linus Torvalds da Silva
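One thing worth checking in the search result above: the admin and timb entries carry {SSHA} hashes, but the last entry's userPassword, once its base64 is decoded, has no {SCHEME} prefix, so the directory holds it in clear. The "::" in LDIF only means the value is base64-encoded for transport; it is not protection, and a bound client sees the value as is. The following is an added example, not part of the original page, that unfolds LDIF output and lists the DNs whose password is not stored as a {SCHEME}hash; the sample input is constructed from the two password-bearing entries shown above.

```shell
#!/bin/sh
# Added example, not part of the original page: scan ldapsearch LDIF output
# for userPassword values stored without a {SCHEME} prefix. '::' marks a
# base64-encoded value (transport encoding, not protection), and lines that
# start with a space continue the previous line and must be unfolded first.
set -eu

# Unfold LDIF on stdin and print "dn<TAB>userPassword" for every entry that has one.
ldif_passwords() {
    awk '
        /^ / { buf = buf substr($0, 2); next }      # continuation line
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
        function emit(line,   val, cmd) {
            if (line ~ /^dn: /) {
                dn = substr(line, 5)
            } else if (line ~ /^userPassword:: /) {  # base64-encoded value
                cmd = "printf %s " substr(line, 16) " | base64 -d"
                cmd | getline val
                close(cmd)
                print dn "\t" val
            } else if (line ~ /^userPassword: /) {   # value stored as-is
                print dn "\t" substr(line, 15)
            }
        }
    '
}

# DNs whose password is not a {SCHEME}hash, i.e. stored in clear.
cleartext_passwords() {
    ldif_passwords | awk -F'\t' '$2 !~ /^[{][A-Za-z0-9-]+[}]/ { print $1 }'
}

# Constructed sample: the two password-bearing entries from the search result,
# including the folded DN line as ldapsearch prints it.
SAMPLE_LDIF='dn: cn=admin,dc=laboratorio,dc=com,dc=br
objectClass: simpleSecurityObject
userPassword:: e1NTSEF9TG5kZFpxWjl2NmpmNnRiQTFBL2NkT1dwU1VEWC9HeDU=

dn: cn=Linus Torvalds da Silva,ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=b
 r
uid: linust
userPassword:: MTIzbXVkYXI=
'

# Stand-alone run: prints the DN of the entry with the cleartext password.
printf '%s' "$SAMPLE_LDIF" | cleartext_passwords
```

Against a live server, pipe the output of the ldapsearch command above into cleartext_passwords; the admin bind used in this section is enough to read userPassword, which is also why that bind should only ever travel over TLS.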