
Enabling TLS

To enable TLS support we need to generate a cryptographic key pair and have it signed.

# apt-get install openssl
# mkdir /etc/ldap/tls
# cd /etc/ldap/tls/

Creating the certificate authority:

# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
 
Making CA certificate ...
Generating a 2048 bit RSA private key
...............................................................+++
.....+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:**senha123**
Verifying - Enter PEM pass phrase:**senha123**
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BR
State or Province Name (full name) [Some-State]:Para 
Locality Name (eg, city) []:Belem
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Laboratorio Ltda.
Organizational Unit Name (eg, section) []:TI
Common Name (e.g. server FQDN or YOUR name) []:ca.laboratorio.com.br
Email Address []:ca@laboratorio.com.br
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:**senha123**
An optional company name []:Signatures Co.
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:**senha123**
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f8:02:63:e0:f2:d1:52:5b
        Validity
            Not Before: Dec 16 13:31:12 2015 GMT
            Not After : Dec 15 13:31:12 2018 GMT
        Subject:
            countryName               = BR
            stateOrProvinceName       = Para
            organizationName          = Laboratorio Ltda.
            organizationalUnitName    = TI
            commonName                = ca.laboratorio.com.br
            emailAddress              = ca@laboratorio.com.br
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3D:49:61:F7:A2:7A:AB:99:5C:A5:3E:DE:3A:EE:86:EF:C8:57:37:A0
            X509v3 Authority Key Identifier: 
                keyid:3D:49:61:F7:A2:7A:AB:99:5C:A5:3E:DE:3A:EE:86:EF:C8:57:37:A0
 
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Dec 15 13:31:12 2018 GMT (1095 days)
 
Write out database with 1 new entries
Data Base Updated

Creating the server certificate:

# openssl req -new -nodes -keyout srvkey.key -out newreq.pem
Generating a 2048 bit RSA private key
...............................................+++
....+++
writing new private key to 'srvkey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BR
State or Province Name (full name) [Some-State]:Para
Locality Name (eg, city) []:Belem
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Laboratorio Ltda
Organizational Unit Name (eg, section) []:TI
Common Name (e.g. server FQDN or YOUR name) []:ldapmaster01.laboratorio.com.br
Email Address []:webmaster@laboratorio.com.br
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:**senha123**
An optional company name []:Signatures Co.

Signing the server certificate with the certificate authority:

# openssl x509 -req -in newreq.pem -CAkey demoCA/private/cakey.pem -CA demoCA/cacert.pem -out srvcert.pem -CAserial demoCA/serial 
Signature ok
subject=/C=BR/ST=Para/L=Belem/O=Laboratorio Ltda/OU=TI/CN=ldapmaster01.laboratorio.com.br/emailAddress=webmaster@laboratorio.com.br
Getting CA Private Key
Enter pass phrase for demoCA/private/cakey.pem:**senha123**

Place the CA certificate in the same directory:

# cp demoCA/cacert.pem .

Adding the TLS settings to the cn=config database:

# cat tls.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/cacert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/srvkey.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/srvcert.pem
# ldapmodify -x -D cn=admin,cn=config -w senha -f tls.ldif 
modifying entry "cn=config"

Enabling support on the clients

# cat /etc/ldap/ldap.conf 
#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
 
BASE	dc=laboratorio,dc=com,dc=br
URI	ldap://ldapmaster01.laboratorio.com.br
 
#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never
 
# TLS certificates (needed for GnuTLS)
#TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
TLS_CACERT	/etc/ldap/tls/cacert.pem

To test whether TLS is working, just replace the -x parameter with -ZZ in the ldapsearch command:

# ldapsearch -ZZ -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha -b dc=laboratorio,dc=com,dc=br -LLL
dn: dc=laboratorio,dc=com,dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
o: laboratorio.com.br
dc: laboratorio
 
dn: cn=admin,dc=laboratorio,dc=com,dc=br
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9TG5kZFpxWjl2NmpmNnRiQTFBL2NkT1dwU1VEWC9HeDU=
 
dn: o=matriz,dc=laboratorio,dc=com,dc=br
o: matriz
objectClass: organization
objectClass: top
 
dn: o=filial,dc=laboratorio,dc=com,dc=br
o: filial
objectClass: organization
objectClass: top
 
dn: ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top
 
dn: ou=Usuarios,o=filial,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top
 
dn: cn=Tim Berners-Lee,ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
uid: timb
cn: Tim Berners-Lee
sn: timb
objectClass: inetOrgPerson
objectClass: posixAccount
loginShell: /bin/bash
uidNumber: 1021
gidNumber: 1021
homeDirectory: /home/timb
userPassword:: e1NTSEF9dzZzazM2OTBSR2JDelRXbW1yMUpwa2NZMkhRcHlzQzc=
 
dn: ou=Grupos,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Grupos
objectClass: organizationalUnit
objectClass: top
 
dn: ou=Computadores,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Computadores
objectClass: organizationalUnit
objectClass: top
 
dn: ou=Agendas,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Agendas
objectClass: organizationalUnit
objectClass: top
 
dn: ou=Grupos,o=filial,dc=laboratorio,dc=com,dc=br
ou: Grupos
objectClass: organizationalUnit
objectClass: top
 
dn: ou=Computadores,o=filial,dc=laboratorio,dc=com,dc=br
ou: Computadores
objectClass: organizationalUnit
objectClass: top
 
dn: ou=Agendas,o=filial,dc=laboratorio,dc=com,dc=br
ou: Agendas
objectClass: organizationalUnit
objectClass: top
 
dn: ou=restrito,ou=Agendas,o=filial,dc=laboratorio,dc=com,dc=br
ou: restrito
objectClass: organizationalUnit
objectClass: top
 
dn: cn=Linus Torvalds da Silva,ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=b
 r
uid: linust
sn: linust
objectClass: inetOrgPerson
objectClass: posixAccount
homeDirectory: /home/linust
loginShell: /bin/bash
uidNumber: 1020
gidNumber: 1020
userPassword:: MTIzbXVkYXI=
cn: Linus Torvalds da Silva
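As an added example (not from the original page or from OpenLDAP), the exchange that -ZZ drives, written in Python with the BER framing spelled out: an ExtendedRequest for StartTLS goes out, the reply must carry resultCode success, and only then is the socket upgraded, verifying the server against the same CA file that TLS_CACERT points to. The host, port and CA path are the ones this page uses; a live slapd is assumed only by the final function, the encoder and decoder run stand-alone.

```python
# Added example, not OpenLDAP code: the StartTLS exchange behind `ldapsearch -ZZ`,
# hand-encoded in BER (RFC 4511) so each step of the upgrade is visible.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # requestName of the StartTLS extended operation

def ber_len(n):
    # DER definite length: one byte below 128, otherwise 0x80|count followed by the bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos=0):
    # Decode one TLV starting at buf[pos]; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def starttls_request(msg_id=1):
    # LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] } }
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, 0x80 = context tag [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)   # msg_id kept below 128

def parse_extended_response(buf):
    # Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse.
    _, msg, _ = read_tlv(buf)                  # outer SEQUENCE
    _, mid, pos = read_tlv(msg)                # messageID
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:                            # APPLICATION 24 = ExtendedResponse
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(body)              # resultCode ENUMERATED (0 = success)
    _, _, pos = read_tlv(body, pos)            # matchedDN
    _, diag, _ = read_tlv(body, pos)           # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def starttls(host="ldapmaster01.laboratorio.com.br", cafile="/etc/ldap/tls/cacert.pem", port=389):
    # -Z would carry on in clear text when StartTLS fails; -ZZ aborts, which is what this does.
    sock = socket.create_connection((host, port), timeout=5)
    sock.sendall(starttls_request())
    _, code, diag = parse_extended_response(sock.recv(4096))  # one read suffices for this small reply
    if code != 0:
        sock.close()
        raise RuntimeError("StartTLS refused, resultCode %d: %s" % (code, diag))
    ctx = ssl.create_default_context(cafile=cafile)     # equivalent of TLS_CACERT with TLS_REQCERT demand
    return ctx.wrap_socket(sock, server_hostname=host)  # certificate must chain to cafile and match host
```

The returned socket is ready for an LDAP bind; a certificate that does not chain to cacert.pem or whose name does not match the URI host fails in wrap_socket, exactly the condition under which ldapsearch -ZZ refuses to proceed.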