====== OpenLDAP with TLS ======
==== Installing the required packages ====
# yum install openldap-clients openldap-servers openldap pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-devel pwgen
==== Generating a self-signed CA and the server certificate ====
**Back up the existing certificate database directory:**
# mv /etc/openldap/certs{,.dist}
**Create a new directory for the certificate database:**
# mkdir /etc/openldap/certs
**Security password for the database:**
# pwgen -sy 32 1 > /etc/openldap/certs/password
**Creating the new database:**
# certutil -d /etc/openldap/certs -N -f /etc/openldap/certs/password
**Random seed data for key generation (used by the -z option below):**
# head -c 1024 /dev/urandom > /tmp/noise.txt
**Creating a self-signed CA valid for 10 years:**
# certutil -S -n LDAP-CA -t "C,C,C" -x \
-f /etc/openldap/certs/password \
-d /etc/openldap/certs \
-z /tmp/noise.txt \
-s "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR" \
-v 120 \
-Z SHA256 \
-g 4096
**Server certificate valid for 3 years, signed by the CA above:**
# certutil -S -n 'OpenLDAP Master 01' -t ",," \
-c LDAP-CA \
-f /etc/openldap/certs/password \
-d /etc/openldap/certs \
-z /tmp/noise.txt \
-s "CN=OpenLDAP Master 01,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR" \
-8 "ldap-master-01.exemplo.org" \
-v 36 \
-Z SHA256 \
-g 4096
**Setting the trust attributes of the CA (certutil -M modifies trust, it does not sign):**
# certutil -M -n "LDAP-CA" -t TCu,Cu,Cu -d /etc/openldap/certs
**Adjusting permissions:**
# chmod 440 /etc/openldap/certs/password
# chown ldap. /etc/openldap/certs/*
==== Verifying the certificates ====
**Listing all certificates:**
# certutil -L -d /etc/openldap/certs/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LDAP-CA                                                      CTu,Cu,Cu
OpenLDAP Master 01                                           u,u,u
**Listing the keys:**
# certutil -K -d /etc/openldap/certs/ -f /etc/openldap/certs/password
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 5fecfa573c86f416efc63fb4fe81121b7589d072 NSS Certificate DB:LDAP-CA
< 1> rsa c5dbfa435d66b8f1563106b05f3bd7c5ca727b63 NSS Certificate DB:OpenLDAP Master 01
**Viewing the CA certificate:**
# certutil -L -d /etc/openldap/certs/ -n LDAP-CA
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:a6:d0:6c:55
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR"
Validity:
Not Before: Thu Jun 30 18:53:40 2016
Not After : Tue Jun 30 18:53:40 2026
Subject: "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c3:d4:a4:1c:0f:60:b7:2c:c8:c2:b3:92:f7:98:71:a2:
12:2a:c8:a4:e8:c6:b1:e5:66:f1:31:bf:e4:d2:99:a1:
89:b8:39:5d:4a:b8:93:0a:f6:f4:04:23:78:d3:25:56:
36:39:1e:8f:7d:fb:21:b7:96:f3:83:8f:a0:68:3c:8e:
b5:de:6c:58:5a:54:07:5a:46:09:a6:97:95:af:3c:ec:
01:80:e7:2f:4e:63:df:a1:8f:67:c6:da:95:37:c3:32:
3e:62:f6:a4:bf:f7:57:b6:7d:29:92:5e:b1:8c:d9:ba:
19:57:2e:56:a7:e2:d0:aa:19:e1:bb:d4:7c:c6:5e:93:
cb:7f:05:1e:4f:a2:7b:63:23:fd:51:e3:b0:18:c8:02:
c2:99:2a:8d:e8:0e:ea:77:9c:d0:72:92:75:08:ad:d3:
8f:45:d1:0f:02:60:0b:09:93:8a:ee:bf:c7:78:21:36:
c9:3a:dd:2b:d3:c2:02:7d:6e:94:18:41:8d:2b:34:00:
f8:5f:55:4e:32:02:5c:73:3d:e7:4b:2c:3a:d4:28:8e:
ad:b9:b3:6b:93:74:b7:db:6c:74:c5:73:0f:20:27:ff:
29:57:c1:5b:7b:73:0b:37:56:5f:47:c6:13:1b:f2:ee:
06:a1:e1:7f:42:28:a7:af:a2:0a:6c:c2:28:ef:ad:6b:
29:fa:d9:f3:7d:51:dc:18:37:44:a2:93:a8:41:d4:d8:
5b:f6:4b:84:56:21:a6:ec:9a:22:c3:d8:10:32:4b:e6:
98:85:2c:39:b3:d8:85:12:80:80:dc:2b:8d:99:d1:6c:
51:89:d1:38:7d:35:0b:64:cc:13:b5:e0:10:da:d2:7a:
0e:a6:dd:86:26:73:6d:7c:cc:73:22:19:68:63:d5:c7:
9f:d0:48:e3:5e:7b:a4:90:30:5f:b7:3c:be:10:36:e7:
1d:55:2d:aa:03:2e:69:81:98:f1:18:1d:a9:ff:02:88:
a0:1a:1c:fa:76:4e:46:71:6c:1f:04:42:db:ec:38:e4:
e9:86:97:e1:3c:a9:20:3c:15:78:91:5e:39:c5:cb:16:
26:8e:a0:77:78:16:09:4d:26:fe:57:fc:ac:ed:76:33:
30:3b:e2:c7:a9:3d:a0:7d:f4:a2:cc:7a:ca:88:73:2c:
77:b9:35:94:f2:d6:83:f3:e7:b2:e3:b9:21:52:ca:a1:
a0:a1:89:f7:62:97:25:06:6d:f1:df:81:ac:8e:7a:04:
eb:b7:24:e4:c8:a9:03:27:cf:4b:50:20:a0:bd:f6:3d:
e5:37:5e:2d:10:f5:c8:4e:82:f5:d3:34:7c:f8:f4:6b:
2a:d5:22:d4:f5:1e:06:64:a4:6c:b5:5f:84:12:02:c9
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
98:04:c3:44:68:7c:6c:fd:72:77:d0:17:45:ea:58:14:
5f:33:14:1d:4c:61:bf:52:a2:66:41:3f:b7:fd:66:8d:
df:8e:f1:86:cc:59:bb:cd:ea:19:0a:37:59:e3:15:f2:
80:d2:24:92:08:f0:8f:f4:5e:70:71:38:96:97:98:3c:
41:86:68:09:3e:9e:7b:6a:07:08:4e:be:64:ca:45:f2:
a7:1a:ac:fd:2f:cd:7d:3c:7c:fd:e5:4d:c3:f0:35:23:
b7:47:cd:1b:6b:d5:7b:3a:ff:73:c2:1e:8f:2d:2d:07:
96:52:20:90:06:22:10:12:a0:3f:8d:b5:1b:71:86:32:
95:cf:fb:7f:a1:33:5a:fc:f3:ad:17:47:ac:fb:4e:c2:
3a:24:0b:69:62:49:f0:2f:26:31:65:bc:73:91:aa:0c:
52:f3:a3:79:dc:85:20:d2:52:91:04:b3:40:23:12:c7:
ea:3a:5d:34:ac:0a:79:59:d3:b9:51:8d:5d:37:43:c0:
fa:4a:cb:1b:ad:3d:f3:90:4f:a1:92:63:4b:30:ee:5a:
89:70:bd:1e:ee:8e:4b:45:3b:16:f6:2e:29:4a:31:16:
07:3a:15:72:48:4c:96:c7:ed:02:c2:e5:19:46:32:76:
eb:e0:27:b3:8f:af:2f:44:94:71:ec:73:0f:3c:c6:18:
bb:34:6a:24:2d:51:e0:91:fb:13:14:6d:e9:7c:bd:0b:
a5:3a:83:24:6e:0f:6f:b5:c9:be:63:fd:0c:ba:db:78:
8c:1a:b8:37:40:15:c3:20:20:66:1f:d2:e4:78:7a:4a:
68:a2:63:8a:67:42:dd:ff:a2:67:59:7a:a2:21:b5:57:
d9:15:99:13:55:10:0e:c5:33:76:7e:bb:ba:27:94:69:
83:34:25:0f:e3:bd:60:ad:4d:43:07:b4:c5:a4:61:26:
08:15:a4:2f:f1:cc:57:01:51:2d:c9:39:58:3e:1a:8e:
04:6f:42:a8:ef:ca:57:0e:48:a8:0d:6d:9a:4a:aa:a9:
33:24:59:25:32:18:ab:04:13:f6:cd:d4:6e:96:dd:0d:
00:d5:e8:0a:f9:e6:d9:f6:17:47:de:46:43:c7:58:3a:
e7:0d:7a:2e:e6:81:7f:24:63:d4:17:8f:63:31:ff:cc:
06:bc:d1:44:d7:34:5e:fb:74:69:c5:ba:7b:d5:ef:8c:
d5:5b:fc:10:39:8c:b3:bf:8c:40:80:3a:15:71:90:b5:
86:2b:49:36:97:f6:42:63:15:da:8b:12:92:b4:c9:69:
88:51:93:1b:24:7c:26:ff:67:45:fa:af:6e:02:b8:e4:
4b:e9:17:70:16:4d:3a:f1:f0:a1:82:fb:c5:e1:cb:8f
Fingerprint (SHA-256):
ED:A3:41:08:82:44:56:C3:E9:6F:3E:2C:6E:96:23:C0:FA:83:D9:98:30:86:45:8A:50:DD:73:E8:B2:78:D0:FA
Fingerprint (SHA1):
B4:C1:B1:82:CA:6D:18:24:8E:70:CC:7C:8F:35:3A:D1:9B:93:CD:00
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
**Verifying the server certificate (as an SSL server certificate, -u C, against the CA in the same database):**
# certutil -V -d /etc/openldap/certs -n "OpenLDAP Master 01" -u C
certutil: certificate is valid
==== Configuring OpenLDAP ====
**Enabling TLS (listen on the local socket and on ldaps:// only):**
# vim /etc/sysconfig/slapd
[...]
SLAPD_URLS="ldapi:/// ldaps:///"
[...]
# Any custom options
SLAPD_OPTIONS="-g ldap"
[...]
**Editing /etc/openldap/ldap.conf (TLS_REQCERT demand makes clients refuse a server certificate that does not validate):**
# vim /etc/openldap/ldap.conf
[...]
BASE dc=exemplo,dc=org
URI ldaps://ldap-master-01.exemplo.org
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
[...]
**Using the example DB configuration:**
# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
**Starting OpenLDAP:**
# slaptest -u
config file testing succeeded
# systemctl start slapd
# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
**Adding schemas:**
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
adding new entry "cn=nis,cn=schema,cn=config"
**Generating the password hash for the OpenLDAP administrator:**
# slappasswd
New password:
Re-enter new password:
{SSHA}+BvO5qw9xKRPFTgC0FYOyTyVhrwrKAnU
Exporting the variables used in the next steps:
# export MYHASH="{SSHA}+BvO5qw9xKRPFTgC0FYOyTyVhrwrKAnU"
# export MYDOMAIN=exemplo
# export MYTLD=org
# export FQDN="ldap-master-01.exemplo.org"
**Modifying olcDatabase={0}config:**
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <
**Modifying olcDatabase={1}monitor:**
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
**Modifying olcDatabase={2}hdb:**
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
Modifying the indexes:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
Modifying the ACLs:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
**Modifying the TLS settings:**
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
**Modifying olcDatabase={-1}frontend:**
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
**To accept only TLS-protected connections:**
# ldapmodify -H ldaps://${FQDN} -x -D "cn=config" -W <
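The LDIF bodies of the ldapmodify heredocs above did not survive extraction. The script below is an added example, not the page's own LDIF: it builds, from the variables exported earlier, the modifications these steps usually apply on a CentOS 7 slapd linked against Mozilla NSS (where olcTLSCertificateFile holds the certificate nickname and olcTLSCertificateKeyFile the NSS password file). The monitor ACL, the index list, the ACL set, the SSF value of 128 and all function names are assumptions to adapt; the frontend step is not covered. Enforcing TLS through olcLocalSSF plus olcSecurity ssf=128 keeps the ldapi:/// socket usable, whereas olcSecurity tls=1 would also reject it.

```shell
#!/bin/sh
# Added example, not the page's own LDIF. Attribute values below are assumptions
# following the usual CentOS 7 layout for an NSS-linked slapd.
: "${MYDOMAIN:=exemplo}"
: "${MYTLD:=org}"
: "${FQDN:=ldap-master-01.${MYDOMAIN}.${MYTLD}}"
SUFFIX="dc=${MYDOMAIN},dc=${MYTLD}"
ROOTDN="cn=Manager,${SUFFIX}"

# {0}config: root password so that cn=config accepts "-D cn=config -W".
config_ldif() {
  : "${MYHASH:?export MYHASH (the slappasswd output) first}"
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
EOF
}

# {1}monitor: the shipped ACL names cn=Manager,dc=my-domain,dc=com; use ours.
monitor_ldif() { cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="${ROOTDN}" read by * none
EOF
}

# {2}hdb: suffix, directory manager DN and its password hash.
hdb_ldif() {
  : "${MYHASH:?export MYHASH (the slappasswd output) first}"
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${SUFFIX}
-
replace: olcRootDN
olcRootDN: ${ROOTDN}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF
}

# Indexes on the attributes NSS/SSSD lookups filter on most often.
index_ldif() { cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq,pres,sub
olcDbIndex: cn eq,pres,sub
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
EOF
}

# ACLs: password attributes are never readable, only compared ("auth") or
# changed by the owner; everything else is readable, writable by the manager.
acl_ldif() { cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="${ROOTDN}" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="${ROOTDN}" write by self write by * read
EOF
}

# TLS: NSS database directory, certificate nickname and NSS password file.
tls_ldif() { cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/certs
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: OpenLDAP Master 01
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/password
EOF
}

# Require a 128-bit security strength factor; ldapi:/// is rated 128 locally.
tls_only_ldif() { cat <<EOF
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSecurity
olcSecurity: ssf=128
EOF
}

# Apply in the page's order: the first step over the ldapi socket with SASL
# EXTERNAL, the rest with the cn=config password just set.
apply_all() {
  config_ldif   | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  monitor_ldif  | ldapmodify -H ldapi:/// -x -D cn=config -W
  hdb_ldif      | ldapmodify -H ldapi:/// -x -D cn=config -W
  index_ldif    | ldapmodify -H ldapi:/// -x -D cn=config -W
  acl_ldif      | ldapmodify -H ldapi:/// -x -D cn=config -W
  tls_ldif      | ldapmodify -H ldapi:/// -x -D cn=config -W
  tls_only_ldif | ldapmodify -H "ldaps://${FQDN}" -x -D cn=config -W
}
```

Preview a step before sending it, for example with `hdb_ldif`, and run `apply_all` only once: the `add:` changes fail on a second run because the attributes then already exist.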
==== Testing connectivity to the server ====
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
# openssl s_client -connect localhost:636 -showcerts -CAfile /tmp/ca.crt
CONNECTED(00000003)
depth=1 C = BR, ST = Para, L = Maraba, O = Exemplo, OU = TI, CN = LDAP-CA
verify return:1
depth=0 C = BR, ST = Para, L = Maraba, O = Exemplo, OU = TI, CN = OpenLDAP Master 01
verify return:1
---
Certificate chain
0 s:/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=OpenLDAP Master 01
i:/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=LDAP-CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=LDAP-CA
i:/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=LDAP-CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=OpenLDAP Master 01
issuer=/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=LDAP-CA
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 3517 bytes and written 405 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 35A18BED4696EB468B8FADB63A761FF5113769E68A7A006191D397ED0B4370EB
Session-ID-ctx:
Master-Key: 4DE009DE034EB56B0046423543FF322A32D5E12DCD8E50D7B32E23647CA2FD1324D83AB720DB978A3329452D26169AC3
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1467315758
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
# ldapwhoami -H ldaps://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W
Enter LDAP Password:
dn:cn=Manager,dc=exemplo,dc=org
# openssl s_client -connect localhost:636 < /dev/null 2>&1 | openssl x509 -text | grep DNS
DNS:ldap-master-01.exemplo.org
==== Structure ====
# ldapadd -H ldaps://${FQDN} -x -W -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" <
# ldapsearch -H ldaps://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W -LLL
Enter LDAP Password:
dn: dc=exemplo,dc=org
dc: exemplo
objectClass: top
objectClass: domain
dn: ou=Usuarios,dc=exemplo,dc=org
ou: people
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
dn: ou=Grupos,dc=exemplo,dc=org
ou: groups
ou: Grupos
objectClass: top
objectClass: organizationalUnit
**Cipher suite test:**
# nmap --script ssl-enum-ciphers -p 636 ldap-master-01.exemplo.org
Starting Nmap 6.40 ( http://nmap.org ) at 2016-06-30 16:52 BRT
Nmap scan report for ldap-master-01.exemplo.org (192.0.2.210)
Host is up (5.7s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
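Nmap 6.40 rates every suite above as "strong", including the 3DES suites and the TLS_RSA_* suites that use static RSA key exchange without forward secrecy, which later guidance no longer accepts. As an added example that is not part of the original page, the following shell snippet runs a simple policy over a constructed copy of that scan output and separates the suites to keep from the ones to drop; the policy rules and function names are this example's own. The resulting allow-list is what one would then enforce on the server through the olcTLSCipherSuite attribute, whose value syntax depends on the TLS library slapd was built against.

```shell
#!/bin/sh
# Added example, not from the original page: audit the output of nmap's
# ssl-enum-ciphers script against a simple policy. SAMPLE_SCAN is a
# constructed copy of the page's scan; the rules below are assumptions.
SAMPLE_SCAN='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong'

# Verdict for one IANA suite name. The 3DES rule comes first so a 3DES suite
# is reported for its worst problem (64-bit block, Sweet32), then suites with
# static RSA key exchange (no forward secrecy), then CBC-mode suites.
classify_suite() {
  case "$1" in
    *3DES*)    echo "weak:3des-sweet32" ;;
    TLS_RSA_*) echo "weak:no-forward-secrecy" ;;
    *_CBC_*)   echo "legacy:cbc-mode" ;;
    *)         echo "ok" ;;
  esac
}

# Read scan output on stdin; print "<suite> <verdict>" for each suite that fails.
audit_scan() {
  grep -o 'TLS_[A-Z0-9_]*' | while read -r suite; do
    verdict=$(classify_suite "$suite")
    if [ "$verdict" != ok ]; then printf '%s %s\n' "$suite" "$verdict"; fi
  done
}

# Read scan output on stdin; print the suites that pass (the allow-list).
allowed_suites() {
  grep -o 'TLS_[A-Z0-9_]*' | while read -r suite; do
    if [ "$(classify_suite "$suite")" = ok ]; then printf '%s\n' "$suite"; fi
  done
}

flagged_count() { printf '%s\n' "$SAMPLE_SCAN" | audit_scan | wc -l | tr -d ' '; }
allowed_count() { printf '%s\n' "$SAMPLE_SCAN" | allowed_suites | wc -l | tr -d ' '; }

# Stand-alone run: list what the policy would drop, then what it keeps.
printf '%s\n' "$SAMPLE_SCAN" | audit_scan
echo "--- allowed:"
printf '%s\n' "$SAMPLE_SCAN" | allowed_suites
```

Against the page's scan the policy keeps only the four ECDHE/DHE AES-GCM suites and flags the other 21; a rescan with the same nmap script after restricting olcTLSCipherSuite is the check that the server actually stopped offering them.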