==== Slave - TLS ====
==== TLS certificate ====
**On the master - [[ldap-tls-c|OpenLDAP with TLS]]**

Generating the slave's certificate in the master's NSS database: signed by the LDAP-CA certificate (''-c''), 4096-bit RSA key, SHA-256 signature, valid for 36 months, and with a Subject Alt Name (''-8'') set to the host name that clients will put in their ldaps:// URI.
<code>
# certutil -S -n 'OpenLDAP Slave' -t ",," \
  -c LDAP-CA \
  -f /etc/openldap/certs/password \
  -d /etc/openldap/certs \
  -z /tmp/noise.txt \
  -s "CN=OpenLDAP Slave,OU=TI,O=Exemplo,L=Maraba,ST=Mara,C=BR" \
  -8 "ldap-slave.exemplo.org" \
  -v 36 \
  -Z SHA256 \
  -g 4096
</code>
**Exporting the signed certificate and its private key (PKCS#12, protected by the password you type here):**
<code>
# pk12util -d /etc/openldap/certs -o /root/slave.p12 -n "OpenLDAP Slave" -k /etc/openldap/certs/password
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
</code>
**Exporting the CA certificate (PEM, public part only):**
<code>
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
</code>
==== On the slave ====
**Installing the required packages:**
<code>
# yum install openldap-clients openldap-servers openldap pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-devel pwgen
</code>
**Backing up the existing certificate database directory:**
<code>
# mv /etc/openldap/certs{,.dist}
</code>
**Creating a new directory for the database:**
<code>
# mkdir /etc/openldap/certs
</code>
**Database password (random, stored in a file that only the ldap user will be able to read):**
<code>
# pwgen -sy 32 1 > /etc/openldap/certs/password
</code>
**Creating the new NSS database:**
<code>
# certutil -d /etc/openldap/certs -N -f /etc/openldap/certs/password
</code>
**Copying the CA certificate and the slave's PKCS#12 bundle from the master:**
<code>
# scp ldap-master-01.exemplo.org:/tmp/ca.crt /tmp/
# scp ldap-master-01.exemplo.org:/root/slave.p12 /tmp/
</code>
**Importing the certificates (the server certificate with its key, then the CA as a trusted issuer of server certificates):**
<code>
# pk12util -d /etc/openldap/certs -i /tmp/slave.p12 -k /etc/openldap/certs/password
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -A -n "LDAP-CA" -t "TCu,Cu,Cu" -i /tmp/ca.crt -d /etc/openldap/certs
Notice: Trust flag u is set automatically if the private key is present.
</code>
**Fixing permissions:**
<code>
# chmod 440 /etc/openldap/certs/password
# chown ldap. /etc/openldap/certs/*
</code>
==== Verifying the certificate ====
Listing the database: the CA must show the C (trusted CA) flag and the server certificate the u (private key present) flag.
<code>
# certutil -L -d /etc/openldap/certs/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LDAP-CA                                                      CT,C,C
OpenLDAP Slave                                               u,u,u
# certutil -K -d /etc/openldap/certs/ -f /etc/openldap/certs/password
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      71a1af1e337005f8f5d4c636e2181d1a70630f1c   OpenLDAP Slave
</code>
Dumping the server certificate: check the issuer, the validity dates and, above all, the Subject Alt Name, which is what clients compare against the host in their ldaps:// URI.
<code>
# certutil -L -d /etc/openldap/certs/ -n "OpenLDAP Slave"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:a6:d0:89:63
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR"
        Validity:
            Not Before: Thu Jun 30 19:58:30 2016
            Not After : Sun Jun 30 19:58:30 2019
        Subject: "CN=OpenLDAP Slave,OU=TI,O=Exemplo,L=Maraba,ST=Mara,C=BR"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    cd:68:ef:a4:bd:1e:a9:67:57:7f:e1:56:69:a8:3c:98:
                    64:c3:4a:3d:10:a4:cc:b9:d8:50:d5:8f:98:6c:6c:5a:
                    a2:a6:24:c8:49:14:a3:0a:d4:9b:97:52:10:bb:6c:6d:
                    6b:bc:d5:0b:ad:6e:7b:76:0d:4a:1f:58:65:77:a9:5f:
                    ad:78:3b:55:68:ba:86:cc:ef:5a:63:77:3b:ae:e2:f9:
                    77:fc:da:ba:44:0e:17:df:87:d1:d8:15:05:0c:34:3c:
                    46:b3:ef:87:c9:0f:aa:de:5d:4a:9f:eb:86:e5:81:7b:
                    10:3b:37:24:7e:d0:38:49:43:7a:ef:60:f6:36:05:23:
                    d1:29:7d:96:27:d5:61:8c:f5:52:03:2e:bb:e8:0f:1e:
                    2d:2d:d4:b7:43:e9:c0:23:c3:e8:21:b1:b8:27:bc:a7:
                    13:35:7a:5b:2f:2f:3b:c7:05:eb:ca:84:bc:02:52:3e:
                    d9:a5:84:3f:3c:25:9a:40:ee:56:ca:b6:d4:c5:47:e2:
                    0a:5b:db:2a:cf:16:e4:e9:73:c2:09:93:69:fe:91:58:
                    c6:2c:e9:37:f9:a8:b5:20:f3:4e:9a:89:be:df:e2:ff:
                    52:1a:5d:0f:d7:bd:7b:9b:17:29:d6:b5:22:1d:90:a7:
                    68:c9:6f:3e:a1:f1:43:3e:41:39:62:1a:5d:e1:2a:3a:
                    2f:11:22:3f:40:9f:6f:b9:56:5c:49:1a:33:4c:fe:70:
                    8b:1d:e4:8a:3f:31:55:c8:16:62:3e:7f:5a:c4:50:bf:
                    94:ac:a7:e8:4d:79:47:9f:2d:e1:73:ee:fa:39:01:46:
                    52:c1:f4:c2:00:d3:2a:9f:9d:c2:2f:27:c4:f4:45:6c:
                    96:d4:a5:46:36:5c:19:00:19:b0:cf:78:c5:75:28:dc:
                    0a:c2:82:3b:61:6e:fb:c8:43:e0:d8:80:5f:3b:10:3a:
                    07:1e:aa:88:6c:29:a9:a1:e9:8b:3a:59:b5:0e:c0:8c:
                    d6:6c:9b:f1:d5:f8:c6:19:29:9a:5e:b2:b8:bc:97:52:
                    07:38:9f:13:c7:e5:1e:dd:44:b7:44:24:f6:01:f2:00:
                    e7:97:9b:66:06:57:da:dd:a1:34:84:4d:d8:6b:54:7b:
                    83:4e:13:89:0b:cc:d8:8a:2b:61:3c:3b:2a:f1:4c:72:
                    a9:6e:6a:60:f2:fb:96:2b:09:89:7b:cb:3b:e6:98:0c:
                    f3:36:f5:20:15:c8:61:ba:94:a1:1d:80:6d:f5:2f:34:
                    2b:da:56:a9:8a:eb:5e:a3:8e:30:f4:34:42:7b:4d:77:
                    0c:3d:97:60:13:01:22:ec:ef:d5:17:13:d2:85:56:06:
                    36:20:b4:aa:58:68:4d:92:32:06:73:ed:64:c1:68:33
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "ldap-slave.exemplo.org"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        68:9c:ad:95:6b:6a:51:59:4e:15:61:ca:1a:4c:0a:df:
        d6:f2:a7:cc:10:b3:6f:65:e2:84:a6:a0:b6:3d:9e:04:
        17:7b:74:f3:1c:55:9b:96:b0:ff:6f:72:51:94:ca:79:
        d8:df:38:7e:57:44:7b:32:8d:42:ba:1e:3b:73:8a:d2:
        72:a6:1e:99:08:30:96:83:55:43:0f:e2:c3:ee:9c:e7:
        80:0f:be:2a:22:a6:ba:41:f3:0c:bf:eb:10:ca:72:e3:
        d5:fe:0b:56:53:97:0c:f2:26:ca:54:d7:3b:96:f3:aa:
        11:68:be:b9:ae:f9:49:6a:f6:67:28:b4:1f:d4:11:0d:
        3d:20:fa:4e:01:13:bc:ca:f3:a8:f0:9f:05:ed:5e:df:
        1a:b9:fd:6e:fd:f8:fe:12:51:73:15:ec:7a:40:20:32:
        b9:85:a4:7b:52:97:17:5c:15:73:6e:50:d1:84:c8:29:
        33:d5:cc:bb:0b:6f:0d:06:b9:58:ac:cb:40:45:cb:05:
        89:c3:31:0d:46:f1:ed:e4:0f:e7:42:da:db:f1:a1:c2:
        29:d3:65:a7:61:79:49:67:2c:0c:49:bc:6a:18:8f:30:
        eb:3e:69:1a:f7:26:cd:57:79:2d:18:f4:4e:37:c5:76:
        29:31:d2:f8:6d:bc:60:61:b0:bf:76:ec:8f:44:c2:bf:
        d3:7f:73:85:55:9b:14:be:01:eb:26:c3:58:10:3f:ca:
        39:56:62:be:57:5b:3d:11:ad:69:0a:02:e6:ed:9e:32:
        fb:45:41:67:01:49:ed:14:15:93:ea:43:31:6f:86:3d:
        7a:76:7f:6b:19:7e:b7:30:ab:7b:b5:6d:bf:6d:69:57:
        4a:fc:d1:84:81:30:bf:dc:6f:e9:8f:d8:68:72:0b:84:
        dd:ed:96:e4:dc:68:4e:e0:86:cd:fd:44:bc:7f:de:b4:
        31:d1:a1:fb:4e:77:52:74:09:b8:ae:71:d6:08:2f:e3:
        04:07:5b:18:ea:83:07:05:0a:66:8a:dc:22:2e:27:52:
        2e:3c:4e:70:ae:65:9f:4b:9b:c5:bf:ae:a9:b6:5b:6c:
        62:63:59:6d:aa:f7:19:a7:ec:1c:4e:9d:36:d0:e5:3e:
        1f:ef:32:c4:5a:bc:98:4f:23:f5:cb:37:1a:4e:14:c9:
        d3:93:3e:f0:b4:b0:9d:27:f9:af:79:1c:78:a7:11:06:
        23:2b:dc:d4:61:00:94:bc:7e:cd:f1:0b:06:ae:e1:a5:
        d7:61:65:d0:02:07:79:d5:b3:84:15:bd:4c:14:43:4e:
        3f:80:ad:e9:6a:f1:84:70:8a:ab:22:16:28:31:5e:7a:
        6e:68:e7:a4:53:39:6a:7f:8f:82:58:08:d6:0f:ec:52
    Fingerprint (SHA-256):
        06:12:43:3F:D7:2D:26:AA:BE:71:6C:63:7D:B9:B2:D0:78:B2:62:C2:A0:4D:49:E6:79:09:B0:1D:54:2E:86:8B
    Fingerprint (SHA1):
        35:6C:A7:1D:E9:CF:03:6E:A8:36:45:4B:A4:C0:E6:1C:5B:6A:AC:EA

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
</code>
Validating the chain against the imported CA:
<code>
# certutil -V -d /etc/openldap/certs -n "OpenLDAP Slave" -u C
certutil: certificate is valid
</code>
''-u C'' validates the certificate for SSL client usage; since the slave presents it as a server, it is worth running the same command with ''-u V'' (SSL server usage) as well.
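As an added example (not part of the original page, nor of OpenLDAP or NSS), two shell functions that turn the listing and the dump above into a pass/fail check suitable for a post-install script or a monitoring job. They assume the nicknames (LDAP-CA, OpenLDAP Slave) and the host name used on this page, and read certutil's text output on stdin, so they work on live output (''certutil -L -d /etc/openldap/certs | nss_trust_ok ...'') as well as on the constructed copies embedded below.

```shell
#!/bin/sh
# Added example, not part of the original page: checks over the certutil
# output shown above. Both helpers read certutil's text output on stdin.

# nss_trust_ok CA_NICKNAME SERVER_NICKNAME
# Reads the "certutil -L -d <dir>" listing. Succeeds only if the CA entry
# carries the C (trusted to issue server certificates) flag in the SSL column
# and the server entry carries u (private key present) in the SSL column.
# Header lines and the blank separator are skipped by only looking at lines
# whose last field is a three-part trust string such as "CT,C,C" or ",,".
nss_trust_ok() {
    awk -v ca="$1" -v srv="$2" '
        $NF ~ /^[CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*$/ {
            flags = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
            sub(/^[ \t]+/, "", nick)                 # and any leading indent
            split(flags, f, ",")                     # f[1] is the SSL column
            if (nick == ca  && f[1] ~ /C/) ca_ok = 1
            if (nick == srv && f[1] ~ /u/) srv_ok = 1
        }
        END { if (ca_ok && srv_ok) exit 0; exit 1 }'
}

# cert_issued_for FQDN CA_CN
# Reads the "certutil -L -d <dir> -n <nick>" dump. Succeeds only if the
# Subject Alt Name lists FQDN (clients compare the host of their ldaps://
# URI against the SAN, not against the subject CN) and the issuer CN is CA_CN.
cert_issued_for() {
    awk -v fqdn="$1" -v cacn="$2" '
        /^[ \t]*Issuer:/   && index($0, "CN=" cacn ",") { issuer_ok = 1 }
        /^[ \t]*DNS name:/ && index($0, "\"" fqdn "\"")  { san_ok = 1 }
        END { if (issuer_ok && san_ok) exit 0; exit 1 }'
}

# Constructed sample input, copied from the listing above.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LDAP-CA                                                      CT,C,C
OpenLDAP Slave                                               u,u,u'

# Constructed sample input: the relevant lines of the certificate dump above.
SAMPLE_DUMP='Certificate:
    Data:
        Issuer: "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR"
        Subject: "CN=OpenLDAP Slave,OU=TI,O=Exemplo,L=Maraba,ST=Mara,C=BR"
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "ldap-slave.exemplo.org"'

if printf '%s\n' "$SAMPLE_LISTING" | nss_trust_ok LDAP-CA "OpenLDAP Slave"; then
    echo "trust flags: ok"
else
    echo "trust flags: CA not trusted for SSL or server key missing"
fi
if printf '%s\n' "$SAMPLE_DUMP" | cert_issued_for ldap-slave.exemplo.org LDAP-CA; then
    echo "certificate: SAN and issuer match"
else
    echo "certificate: SAN or issuer mismatch"
fi
```

A CA entry imported without the C flag (trust string '',,''), or a server certificate whose SAN names a different host, both fail the check; those are exactly the two states in which slapd starts cleanly but clients configured with ''TLS_REQCERT demand'' refuse to connect.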
==== Configuring OpenLDAP ====
**Enabling TLS (only the local socket and the ldaps:// listener; no plaintext ldap:// port is opened):**
<code>
# vim /etc/sysconfig/slapd
[...]
SLAPD_URLS="ldapi:/// ldaps:///"
[...]
# Any custom options
SLAPD_OPTIONS="-g ldap"
[...]
</code>
**Modifying /etc/openldap/ldap.conf (''TLS_REQCERT demand'' makes clients refuse a server certificate they cannot verify against the CA in the certificate directory):**
<code>
# vim /etc/openldap/ldap.conf
[...]
BASE dc=exemplo,dc=org
URI ldaps://ldap-slave.exemplo.org
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
[...]
</code>
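As an added example (not part of the original page or of the OpenLDAP project), a small audit of the two files edited above. The file paths are arguments, so it can run against the live ''/etc/sysconfig/slapd'' and ''/etc/openldap/ldap.conf'' or against copies; the sample files it creates at the bottom are constructed from the values on this page plus a deliberately weakened pair.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the TLS-relevant
# settings of an ldap.conf-style file and a /etc/sysconfig/slapd-style file.

# tls_reqcert_level FILE
# Prints the effective TLS_REQCERT value of an ldap.conf-style file: comment
# lines are ignored and the last occurrence wins. "demand" (alias "hard") is
# the only level at which the client refuses a server whose certificate it
# cannot verify; "never", "allow" and "try" keep talking to an unverified
# server. Unset means the library default, which is "demand".
tls_reqcert_level() {
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { if (v == "") v = "demand"; print v }' "$1"
}

# slapd_listens_plaintext FILE
# Succeeds if SLAPD_URLS in a /etc/sysconfig/slapd-style file contains an
# unencrypted ldap:// listener. ldaps:// and ldapi:// do not match the pattern.
# A missing SLAPD_URLS is treated as plaintext: slapd's built-in default
# listener is ldap:///.
slapd_listens_plaintext() {
    urls=$(grep -E '^[[:space:]]*SLAPD_URLS=' "$1" | tail -n 1)
    [ -z "$urls" ] && return 0
    printf '%s\n' "$urls" | tr -d '"' | tr ' ' '\n' | grep -q '^ldap://'
}

# tls_posture LDAP_CONF SYSCONFIG_SLAPD
# Combines both checks; returns 0 only when the client demands a verified
# certificate and the server opens no plaintext port.
tls_posture() {
    ok=0
    level=$(tls_reqcert_level "$1")
    if [ "$level" = demand ] || [ "$level" = hard ]; then
        echo "client: TLS_REQCERT $level (verifies the server certificate)"
    else
        echo "client: TLS_REQCERT $level (accepts unverified servers)"; ok=1
    fi
    if slapd_listens_plaintext "$2"; then
        echo "server: SLAPD_URLS opens a plaintext ldap:// listener"; ok=1
    else
        echo "server: only ldapi:// and ldaps:// listeners"
    fi
    return $ok
}

# Constructed sample files: the values from this page, then a weakened pair.
tmp=$(mktemp -d)
printf 'BASE dc=exemplo,dc=org\nURI ldaps://ldap-slave.exemplo.org\nTLS_CACERTDIR /etc/openldap/certs\nTLS_REQCERT demand\n' > "$tmp/ldap.conf"
printf '# Any custom options\nSLAPD_URLS="ldapi:/// ldaps:///"\nSLAPD_OPTIONS="-g ldap"\n' > "$tmp/slapd"
printf 'URI ldap://ldap-slave.exemplo.org\nTLS_REQCERT allow\n' > "$tmp/ldap-weak.conf"
printf 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"\n' > "$tmp/slapd-weak"

echo "== as configured on this page =="
tls_posture "$tmp/ldap.conf" "$tmp/slapd"
echo "== weakened copy =="
tls_posture "$tmp/ldap-weak.conf" "$tmp/slapd-weak" || true
rm -rf "$tmp"
```

''TLS_REQCERT allow'' or ''never'' paired with a plaintext ''ldap:///'' listener is the combination to watch for after someone "fixes" a connection problem: the directory keeps working, but the CA distributed in the previous section no longer protects anything.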
**Using the example DB configuration:**
<code>
# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
</code>
**Starting OpenLDAP (after checking that the configuration parses):**
<code>
# slaptest -u
config file testing succeeded
# systemctl start slapd
# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
</code>
**Adding schemas (over the local socket, authenticated as root via SASL EXTERNAL):**
<code>
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
adding new entry "cn=nis,cn=schema,cn=config"
</code>
**Generating the OpenLDAP management password (the hash, not the clear text, is what goes into the configuration):**
<code>
# slappasswd
New password:
Re-enter new password:
{SSHA}4h9hUAdtsh8nfUFPHQTL9hSoK83pxkTP
</code>
**Exporting the variables used in the next steps:**
<code>
# export MYHASH="{SSHA}4h9hUAdtsh8nfUFPHQTL9hSoK83pxkTP"
# export MYDOMAIN=exemplo
# export MYTLD=org
# export FQDN="ldap-slave.exemplo.org"
</code>
**Modifying olcDatabase={0}config:**
<code>
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <
</code>
**Modifying olcDatabase={1}monitor:**
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
**Modifying olcDatabase={2}hdb:**
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
**Modifying the indexes:**
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
**Modifying the ACLs:**
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
**Modifying the TLS settings:**
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
**Modifying olcDatabase={-1}frontend:**
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
**To accept TLS only (this last change is applied over ldaps:// itself, which also confirms the new listener works):**
<code>
# ldapmodify -H ldaps://${FQDN} -x -D "cn=config" -W <
</code>