# yum install openldap-clients openldap-servers openldap pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-devel pwgen
Back up the existing certificate database directory:
# mv /etc/openldap/certs{,.dist}
Create a new directory for the NSS database:
# mkdir /etc/openldap/certs
Password that protects the NSS key database (slapd reads it from the file named "password" in the certificate directory):
# pwgen -sy 32 1 > /etc/openldap/certs/password
Create the new database:
# certutil -d /etc/openldap/certs -N -f /etc/openldap/certs/password
Noise file used to seed key generation (entropy for certutil, not a password):
# head -c 1024 /dev/urandom > /tmp/noise.txt
Create a self-signed CA valid for 10 years (-v counts months):
# certutil -S -n LDAP-CA -t "C,C,C" -x \
    -f /etc/openldap/certs/password \
    -d /etc/openldap/certs \
    -z /tmp/noise.txt \
    -s "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR" \
    -v 120 \
    -Z SHA256 \
    -g 4096
Server certificate valid for 3 years, issued by LDAP-CA (-c) and carrying the server's FQDN as a DNS subjectAltName (-8), which is what clients match against the URI they connect to:
# certutil -S -n 'OpenLDAP Master 01' -t ",," \
    -c LDAP-CA \
    -f /etc/openldap/certs/password \
    -d /etc/openldap/certs \
    -z /tmp/noise.txt \
    -s "CN=OpenLDAP Master 01,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR" \
    -8 "ldap-master-01.exemplo.org" \
    -v 36 \
    -Z SHA256 \
    -g 4096
Set the trust attributes on the CA (the server certificate was already signed in the previous step; this marks LDAP-CA as a trusted issuer for server and client certificates, C and T, and as a certificate with its own private key, u):
# certutil -M -n "LDAP-CA" -t TCu,Cu,Cu -d /etc/openldap/certs
Fix the permissions so only the ldap user can read the database and its password file:
# chmod 440 /etc/openldap/certs/password
# chown ldap. /etc/openldap/certs/*
List all certificates:
# certutil -L -d /etc/openldap/certs/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LDAP-CA                                                      CTu,Cu,Cu
OpenLDAP Master 01                                           u,u,u
List the private keys:
# certutil -K -d /etc/openldap/certs/ -f /etc/openldap/certs/password
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      5fecfa573c86f416efc63fb4fe81121b7589d072   NSS Certificate DB:LDAP-CA
< 1> rsa      c5dbfa435d66b8f1563106b05f3bd7c5ca727b63   NSS Certificate DB:OpenLDAP Master 01
View the CA certificate:
# certutil -L -d /etc/openldap/certs/ -n LDAP-CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 00:a6:d0:6c:55
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR"
        Validity:
            Not Before: Thu Jun 30 18:53:40 2016
            Not After : Tue Jun 30 18:53:40 2026
        Subject: "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c3:d4:a4:1c:0f:60:b7:2c:c8:c2:b3:92:f7:98:71:a2:
                    12:2a:c8:a4:e8:c6:b1:e5:66:f1:31:bf:e4:d2:99:a1:
                    89:b8:39:5d:4a:b8:93:0a:f6:f4:04:23:78:d3:25:56:
                    36:39:1e:8f:7d:fb:21:b7:96:f3:83:8f:a0:68:3c:8e:
                    b5:de:6c:58:5a:54:07:5a:46:09:a6:97:95:af:3c:ec:
                    01:80:e7:2f:4e:63:df:a1:8f:67:c6:da:95:37:c3:32:
                    3e:62:f6:a4:bf:f7:57:b6:7d:29:92:5e:b1:8c:d9:ba:
                    19:57:2e:56:a7:e2:d0:aa:19:e1:bb:d4:7c:c6:5e:93:
                    cb:7f:05:1e:4f:a2:7b:63:23:fd:51:e3:b0:18:c8:02:
                    c2:99:2a:8d:e8:0e:ea:77:9c:d0:72:92:75:08:ad:d3:
                    8f:45:d1:0f:02:60:0b:09:93:8a:ee:bf:c7:78:21:36:
                    c9:3a:dd:2b:d3:c2:02:7d:6e:94:18:41:8d:2b:34:00:
                    f8:5f:55:4e:32:02:5c:73:3d:e7:4b:2c:3a:d4:28:8e:
                    ad:b9:b3:6b:93:74:b7:db:6c:74:c5:73:0f:20:27:ff:
                    29:57:c1:5b:7b:73:0b:37:56:5f:47:c6:13:1b:f2:ee:
                    06:a1:e1:7f:42:28:a7:af:a2:0a:6c:c2:28:ef:ad:6b:
                    29:fa:d9:f3:7d:51:dc:18:37:44:a2:93:a8:41:d4:d8:
                    5b:f6:4b:84:56:21:a6:ec:9a:22:c3:d8:10:32:4b:e6:
                    98:85:2c:39:b3:d8:85:12:80:80:dc:2b:8d:99:d1:6c:
                    51:89:d1:38:7d:35:0b:64:cc:13:b5:e0:10:da:d2:7a:
                    0e:a6:dd:86:26:73:6d:7c:cc:73:22:19:68:63:d5:c7:
                    9f:d0:48:e3:5e:7b:a4:90:30:5f:b7:3c:be:10:36:e7:
                    1d:55:2d:aa:03:2e:69:81:98:f1:18:1d:a9:ff:02:88:
                    a0:1a:1c:fa:76:4e:46:71:6c:1f:04:42:db:ec:38:e4:
                    e9:86:97:e1:3c:a9:20:3c:15:78:91:5e:39:c5:cb:16:
                    26:8e:a0:77:78:16:09:4d:26:fe:57:fc:ac:ed:76:33:
                    30:3b:e2:c7:a9:3d:a0:7d:f4:a2:cc:7a:ca:88:73:2c:
                    77:b9:35:94:f2:d6:83:f3:e7:b2:e3:b9:21:52:ca:a1:
                    a0:a1:89:f7:62:97:25:06:6d:f1:df:81:ac:8e:7a:04:
                    eb:b7:24:e4:c8:a9:03:27:cf:4b:50:20:a0:bd:f6:3d:
                    e5:37:5e:2d:10:f5:c8:4e:82:f5:d3:34:7c:f8:f4:6b:
                    2a:d5:22:d4:f5:1e:06:64:a4:6c:b5:5f:84:12:02:c9
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        98:04:c3:44:68:7c:6c:fd:72:77:d0:17:45:ea:58:14:
        5f:33:14:1d:4c:61:bf:52:a2:66:41:3f:b7:fd:66:8d:
        df:8e:f1:86:cc:59:bb:cd:ea:19:0a:37:59:e3:15:f2:
        80:d2:24:92:08:f0:8f:f4:5e:70:71:38:96:97:98:3c:
        41:86:68:09:3e:9e:7b:6a:07:08:4e:be:64:ca:45:f2:
        a7:1a:ac:fd:2f:cd:7d:3c:7c:fd:e5:4d:c3:f0:35:23:
        b7:47:cd:1b:6b:d5:7b:3a:ff:73:c2:1e:8f:2d:2d:07:
        96:52:20:90:06:22:10:12:a0:3f:8d:b5:1b:71:86:32:
        95:cf:fb:7f:a1:33:5a:fc:f3:ad:17:47:ac:fb:4e:c2:
        3a:24:0b:69:62:49:f0:2f:26:31:65:bc:73:91:aa:0c:
        52:f3:a3:79:dc:85:20:d2:52:91:04:b3:40:23:12:c7:
        ea:3a:5d:34:ac:0a:79:59:d3:b9:51:8d:5d:37:43:c0:
        fa:4a:cb:1b:ad:3d:f3:90:4f:a1:92:63:4b:30:ee:5a:
        89:70:bd:1e:ee:8e:4b:45:3b:16:f6:2e:29:4a:31:16:
        07:3a:15:72:48:4c:96:c7:ed:02:c2:e5:19:46:32:76:
        eb:e0:27:b3:8f:af:2f:44:94:71:ec:73:0f:3c:c6:18:
        bb:34:6a:24:2d:51:e0:91:fb:13:14:6d:e9:7c:bd:0b:
        a5:3a:83:24:6e:0f:6f:b5:c9:be:63:fd:0c:ba:db:78:
        8c:1a:b8:37:40:15:c3:20:20:66:1f:d2:e4:78:7a:4a:
        68:a2:63:8a:67:42:dd:ff:a2:67:59:7a:a2:21:b5:57:
        d9:15:99:13:55:10:0e:c5:33:76:7e:bb:ba:27:94:69:
        83:34:25:0f:e3:bd:60:ad:4d:43:07:b4:c5:a4:61:26:
        08:15:a4:2f:f1:cc:57:01:51:2d:c9:39:58:3e:1a:8e:
        04:6f:42:a8:ef:ca:57:0e:48:a8:0d:6d:9a:4a:aa:a9:
        33:24:59:25:32:18:ab:04:13:f6:cd:d4:6e:96:dd:0d:
        00:d5:e8:0a:f9:e6:d9:f6:17:47:de:46:43:c7:58:3a:
        e7:0d:7a:2e:e6:81:7f:24:63:d4:17:8f:63:31:ff:cc:
        06:bc:d1:44:d7:34:5e:fb:74:69:c5:ba:7b:d5:ef:8c:
        d5:5b:fc:10:39:8c:b3:bf:8c:40:80:3a:15:71:90:b5:
        86:2b:49:36:97:f6:42:63:15:da:8b:12:92:b4:c9:69:
        88:51:93:1b:24:7c:26:ff:67:45:fa:af:6e:02:b8:e4:
        4b:e9:17:70:16:4d:3a:f1:f0:a1:82:fb:c5:e1:cb:8f
    Fingerprint (SHA-256):
        ED:A3:41:08:82:44:56:C3:E9:6F:3E:2C:6E:96:23:C0:FA:83:D9:98:30:86:45:8A:50:DD:73:E8:B2:78:D0:FA
    Fingerprint (SHA1):
        B4:C1:B1:82:CA:6D:18:24:8E:70:CC:7C:8F:35:3A:D1:9B:93:CD:00

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User
Verify the server certificate chains to the CA and is usable for SSL server authentication (-u C):
# certutil -V -d /etc/openldap/certs -n "OpenLDAP Master 01" -u C
certutil: certificate is valid
Enable TLS. Only the local socket and ldaps:// are listed, so slapd never opens port 389 (no plaintext LDAP and no StartTLS), just 636 and ldapi:
# vim /etc/sysconfig/slapd
[...]
SLAPD_URLS="ldapi:/// ldaps:///"
[...]
# Any custom options
SLAPD_OPTIONS="-g ldap"
[...]
Edit /etc/openldap/ldap.conf. The client libraries on CentOS 7 are linked against NSS as well, so TLS_CACERTDIR can point straight at the NSS database; TLS_REQCERT demand makes the client refuse any server certificate that does not validate:
# vim /etc/openldap/ldap.conf
[...]
BASE dc=exemplo,dc=org
URI ldaps://ldap-master-01.exemplo.org
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
[...]
Use the example DB_CONFIG for the hdb backend:
# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Check the configuration, then start and enable OpenLDAP:
# slaptest -u
config file testing succeeded
# systemctl start slapd
# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
Add the schemas, as root over the local socket (SASL EXTERNAL, peer credentials):
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
adding new entry "cn=nis,cn=schema,cn=config"
Generate the password hash for the OpenLDAP manager account ({SSHA} is salted SHA-1, the slappasswd default):
# slappasswd
New password:
Re-enter new password:
{SSHA}+BvO5qw9xKRPFTgC0FYOyTyVhrwrKAnU
Export the variables used in the following steps (the heredocs below are unquoted so the shell expands them):
# export MYHASH="{SSHA}+BvO5qw9xKRPFTgC0FYOyTyVhrwrKAnU"
# export MYDOMAIN=exemplo
# export MYTLD=org
# export FQDN="ldap-master-01.exemplo.org"
Modify olcDatabase={0}config: set a root password on the config database and replace its ACL. This drops the stock rule that let the local root user (SASL EXTERNAL over ldapi:///) manage cn=config, which is why the schema imports above had to be done first; from here on cn=config is administered with a password bind as its rootdn (cn=config, the CentOS default olcRootDN of {0}config) or as cn=Manager:
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
-
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage by * none
EOF
Modify olcDatabase={1}monitor so only local root and the manager can read it:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read by * none
EOF
Modify olcDatabase={2}hdb: suffix, rootdn and root password of the data database:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=${MYDOMAIN},dc=${MYTLD}
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF
Set the indexes (the attributes nss-pam-ldapd and sssd search on):
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
EOF
Set the ACLs. "by self =xw" grants a user exactly auth and write on its own password, never read, so a bound user can change its hash but not retrieve it; "by anonymous auth" is what allows a simple bind to compare userPassword before the session is authenticated. The rootdn (cn=Manager) bypasses ACLs entirely, so its clauses here document intent rather than enforce anything:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by self =xw by anonymous auth by * none
olcAccess: {1}to * by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by self read by users read by * none
EOF
Modify the TLS settings. With the NSS-linked slapd on CentOS 7, olcTLSCertificateFile is the certificate nickname inside the NSS database that the stock configuration already points at through olcTLSCACertificatePath: /etc/openldap/certs. olcTLSProtocolMin 3.1 means TLS 1.0 (3.3 would require TLS 1.2), and bind_anon rejects anonymous binds:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: "OpenLDAP Master 01"
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
-
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcIdleTimeout
olcIdleTimeout: 120
EOF
Modify olcDatabase={-1}frontend. olcPasswordHash takes a hash scheme, not a hash value: it tells slapd how to hash cleartext passwords received through the Password Modify extended operation (ldappasswd); the value slappasswd printed belongs only in olcRootPW. "authc" makes every operation other than bind require an authenticated session:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA}
-
add: olcRequires
olcRequires: LDAPv3 authc
EOF
To accept only TLS-protected operations. tls=1 is satisfied only by a real TLS session, not by the local ldapi:/// socket (which only carries olcLocalSSF), so this and the remaining commands go through ldaps://${FQDN}:
# ldapmodify -H ldaps://${FQDN} -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
EOF
Check the chain with openssl, using the CA exported from the NSS database. Note that s_client validates the chain here but does not check that the name in the certificate matches the host; the grep for DNS: further down does that by eye:
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
# openssl s_client -connect localhost:636 -showcerts -CAfile /tmp/ca.crt
CONNECTED(00000003)
depth=1 C = BR, ST = Para, L = Maraba, O = Exemplo, OU = TI, CN = LDAP-CA
verify return:1
depth=0 C = BR, ST = Para, L = Maraba, O = Exemplo, OU = TI, CN = OpenLDAP Master 01
verify return:1
---
Certificate chain
 0 s:/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=OpenLDAP Master 01
   i:/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=LDAP-CA
-----BEGIN CERTIFICATE-----
MIIFbzCCA1egAwIBAgIFAKbQbrowDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMC
QlIxDTALBgNVBAgTBFBhcmExDzANBgNVBAcTBk1hcmFiYTEQMA4GA1UEChMHRXhl
bXBsbzELMAkGA1UECxMCVEkxEDAOBgNVBAMTB0xEQVAtQ0EwHhcNMTYwNjMwMTg1
ODUzWhcNMTkwNjMwMTg1ODUzWjBpMQswCQYDVQQGEwJCUjENMAsGA1UECBMEUGFy
YTEPMA0GA1UEBxMGTWFyYWJhMRAwDgYDVQQKEwdFeGVtcGxvMQswCQYDVQQLEwJU
STEbMBkGA1UEAxMST3BlbkxEQVAgTWFzdGVyIDAxMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAwXQDCmaFQpLo7oGkup9rnXmZdBpxuquY7jnag8tJ1SS5
0Eql86sP0PBxILgYGXA11f0hk29vuvLbhB3uJUOLx1EP1ysIGqMHAVLCJZ/jfQVH
KkgXI99qA0sbqGRDHKTsjPJNTkjVNnxDt3p8Kffi5Ldsp7XZBOXPSGZfkt8j/ym9
C4FDZBKDr/Y/wG3D/VTgFpy3Dw98ni4KcznKRGIU3MgaH4siXWx0SA7EL1JnVJtF
dmlLgynGTQJXtvrNfVWvZihJGrh5M/s3GFXs9avQhL4GNJcPNDTTjx0dxa4xqjLk
BhWYjpYbL00XIeragjF1FTvmmJURWJs1YcNar6fQZVLP3u5pj6YoeYAlAj5mpAdi
2HbEMrecG0Bvvt3M+Iw8QvwhQeN4A9WkshIuhE+F7SDJmgxeD41pgXoruMWw1gq/
IuSKw4G5yx2LvRY9pME9aOme6xpBYfM1Bm2fF9+HBMypCwaFmnCJZ/lTmV4rucbO
en66Z+OacPS8FCTK1LmzxoYEXpUS2O6z3x/UknJQkl/E+CqOwbVbpr5TbamRENWm
h6+/A9HoUeZZC3JC0XEYxf5TWq1yAd+9/HxAq/mXUAqqmobbSU+gj4Ezhx3Ldp4k
zF+2Vwh3nBQOjLvqUyCDgH96ya0WpqbIp2KB7Tpz6SDJGJY84Pw0HQX8R+ItcU0C
AwEAAaMpMCcwJQYDVR0RBB4wHIIabGRhcC1tYXN0ZXItMDEuZXhlbXBsby5vcmcw
DQYJKoZIhvcNAQELBQADggIBADCxihV0vWrm6ElbABB6jW0WU506H6AD4cVL8YUt
TCP1D/q5qaKwEmStpi1w21BTez4K4LNhGRknuN0uFPtihDqORyv/GRBzU8X3YMkI
pJSFq9UXeT98we3C77cpDiwOAVbSYeiX4mvPTUq4PAxgleuPAvdwzOomyfstlV0b
EOwhIYQ9DSYbxT1rV3FawRZpWPUkQHBrotcC/IczvUhZO53mw2/NzzZDC89avu03
83AWWevwMct4lortlwy8D4fWn9hINW3Bq8Tp6i+FLH++xFmplaxh0LMtxJ6q507c
vaB0eOqzjVC7HhbGSNz32mjDdGL7tTRCyG+zGQwncJb9vaOeTjvwhYr5BBgsxE0P
oife18DujKwZHEAHfSlD2kvxAhdLkrDbukF2GgoODQq74kyvFRgSC1u9Q/jYL7A1
YfvRo2dgRKWlxm/w+Sx4VuN77u0Yq/QSQxX9AbCJdmKF0o6ghiV4Qq3cDpahbIoO
7A3hnrTxtO0tEifR7TTYgsCdIRdfbQoRLPeMzSVTdqYI77YR47dUnQDuy93MJ4yE
nTUsIFdqYgP2c6r0P56hOri5BwnaZY+HLKkTGBuJB66aqBn+8iElrmsnK45hl8rB
1ymoFsfFr0E4vdjloEIeYqUOTSOVvcBE5SXtZ0MfPfUIhjZHdbjSoxdtL1yu/4o5
ZIxk
-----END CERTIFICATE-----
 1 s:/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=LDAP-CA
   i:/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=LDAP-CA
-----BEGIN CERTIFICATE-----
MIIFOTCCAyGgAwIBAgIFAKbQbFUwDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMC
QlIxDTALBgNVBAgTBFBhcmExDzANBgNVBAcTBk1hcmFiYTEQMA4GA1UEChMHRXhl
bXBsbzELMAkGA1UECxMCVEkxEDAOBgNVBAMTB0xEQVAtQ0EwHhcNMTYwNjMwMTg1
MzQwWhcNMjYwNjMwMTg1MzQwWjBeMQswCQYDVQQGEwJCUjENMAsGA1UECBMEUGFy
YTEPMA0GA1UEBxMGTWFyYWJhMRAwDgYDVQQKEwdFeGVtcGxvMQswCQYDVQQLEwJU
STEQMA4GA1UEAxMHTERBUC1DQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAMPUpBwPYLcsyMKzkveYcaISKsik6Max5WbxMb/k0pmhibg5XUq4kwr29AQj
eNMlVjY5Ho99+yG3lvODj6BoPI613mxYWlQHWkYJppeVrzzsAYDnL05j36GPZ8ba
lTfDMj5i9qS/91e2fSmSXrGM2boZVy5Wp+LQqhnhu9R8xl6Ty38FHk+ie2Mj/VHj
sBjIAsKZKo3oDup3nNByknUIrdOPRdEPAmALCZOK7r/HeCE2yTrdK9PCAn1ulBhB
jSs0APhfVU4yAlxzPedLLDrUKI6tubNrk3S322x0xXMPICf/KVfBW3tzCzdWX0fG
Exvy7gah4X9CKKevogpswijvrWsp+tnzfVHcGDdEopOoQdTYW/ZLhFYhpuyaIsPY
EDJL5piFLDmz2IUSgIDcK42Z0WxRidE4fTULZMwTteAQ2tJ6DqbdhiZzbXzMcyIZ
aGPVx5/QSONee6SQMF+3PL4QNucdVS2qAy5pgZjxGB2p/wKIoBoc+nZORnFsHwRC
2+w45OmGl+E8qSA8FXiRXjnFyxYmjqB3eBYJTSb+V/ys7XYzMDvix6k9oH30osx6
yohzLHe5NZTy1oPz57LjuSFSyqGgoYn3YpclBm3x34GsjnoE67ck5MipAyfPS1Ag
oL32PeU3Xi0Q9chOgvXTNHz49Gsq1SLU9R4GZKRstV+EEgLJAgMBAAEwDQYJKoZI
hvcNAQELBQADggIBAJgEw0RofGz9cnfQF0XqWBRfMxQdTGG/UqJmQT+3/WaN347x
hsxZu83qGQo3WeMV8oDSJJII8I/0XnBxOJaXmDxBhmgJPp57agcITr5kykXypxqs
/S/NfTx8/eVNw/A1I7dHzRtr1Xs6/3PCHo8tLQeWUiCQBiIQEqA/jbUbcYYylc/7
f6EzWvzzrRdHrPtOwjokC2liSfAvJjFlvHORqgxS86N53IUg0lKRBLNAIxLH6jpd
NKwKeVnTuVGNXTdDwPpKyxutPfOQT6GSY0sw7lqJcL0e7o5LRTsW9i4pSjEWBzoV
ckhMlsftAsLlGUYyduvgJ7OPry9ElHHscw88xhi7NGokLVHgkfsTFG3pfL0LpTqD
JG4Pb7XJvmP9DLrbeIwauDdAFcMgIGYf0uR4ekpoomOKZ0Ld/6JnWXqiIbVX2RWZ
E1UQDsUzdn67uieUaYM0JQ/jvWCtTUMHtMWkYSYIFaQv8cxXAVEtyTlYPhqOBG9C
qO/KVw5IqA1tmkqqqTMkWSUyGKsEE/bN1G6W3Q0A1egK+ebZ9hdH3kZDx1g65w16
LuaBfyRj1BePYzH/zAa80UTXNF77dGnFunvV74zVW/wQOYyzv4xAgDoVcZC1hitJ
Npf2QmMV2osSkrTJaYhRkxskfCb/Z0X6r24CuORL6RdwFk068fChgvvF4cuP
-----END CERTIFICATE-----
---
Server certificate
subject=/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=OpenLDAP Master 01
issuer=/C=BR/ST=Para/L=Maraba/O=Exemplo/OU=TI/CN=LDAP-CA
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 3517 bytes and written 405 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 35A18BED4696EB468B8FADB63A761FF5113769E68A7A006191D397ED0B4370EB
    Session-ID-ctx:
    Master-Key: 4DE009DE034EB56B0046423543FF322A32D5E12DCD8E50D7B32E23647CA2FD1324D83AB720DB978A3329452D26169AC3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1467315758
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Bind as the manager over ldaps:
# ldapwhoami -H ldaps://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W
Enter LDAP Password:
dn:cn=Manager,dc=exemplo,dc=org
Confirm the subjectAltName the server presents matches the URI in ldap.conf (stdin is redirected so s_client exits instead of waiting for input):
# openssl s_client -connect localhost:636 < /dev/null 2>&1 | openssl x509 -text | grep DNS
DNS:ldap-master-01.exemplo.org
Create the base entry and the two organizational units:
# ldapadd -H ldaps://${FQDN} -x -W -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" <<EOF
dn: dc=${MYDOMAIN},dc=${MYTLD}
dc: ${MYDOMAIN}
objectClass: top
objectClass: domain

dn: ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
ou: groups
objectClass: top
objectClass: organizationalUnit
EOF
Read them back. slapd adds the RDN value to the entry, which is why each OU shows two ou values (the one from the LDIF and the one from its DN):
# ldapsearch -H ldaps://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W -LLL
Enter LDAP Password:
dn: dc=exemplo,dc=org
dc: exemplo
objectClass: top
objectClass: domain

dn: ou=Usuarios,dc=exemplo,dc=org
ou: people
ou: Usuarios
objectClass: top
objectClass: organizationalUnit

dn: ou=Grupos,dc=exemplo,dc=org
ou: groups
ou: Grupos
objectClass: top
objectClass: organizationalUnit
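The slappasswd and ldapadd steps above both rely on strings pasted by hand: a {SSHA} value copied into a shell variable, and DNs and attribute values interpolated into a heredoc. The following is an added example, not code from the original page, showing what is behind both: how the {SSHA} value is built (so it can be verified or generated offline) and how to emit LDIF from data with RFC 4514 DN escaping and RFC 2849 base64 rules instead of trusting interpolation. PAGE_HASH is the page's own slappasswd output; the user "joao" and all other sample values are constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example, not part of the original page.
#   {SSHA}: "{SSHA}" + base64( SHA-1(password || salt) || salt ), 4-byte random salt
#   LDIF:   RFC 2849 encoding; DN values escaped per RFC 4514 section 2.4
# Sample users and passwords below are constructed.

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20
PAGE_HASH = "{SSHA}+BvO5qw9xKRPFTgC0FYOyTyVhrwrKAnU"  # the page's slappasswd output


def ssha_split(stored):
    """Return (digest, salt) from an {SSHA} string, or None if malformed."""
    if not stored.startswith(SSHA_PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return None
    if len(raw) <= SHA1_LEN:  # a bare digest with no salt is not valid {SSHA}
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_hash(password, salt=None):
    """Produce an {SSHA} value the way slappasswd does (random 4-byte salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Constant-time check of a cleartext password against an {SSHA} value."""
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def dn_escape(value):
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def _needs_base64(value):
    """RFC 2849: values that cannot be written as 'attr: value' in cleartext."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\r\n\x00" for c in value)


def _ldif_line(name, value):
    if _needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def ldif_record(dn, attrs):
    """One LDIF entry; attrs is an ordered list of (attribute, value) pairs."""
    lines = [_ldif_line("dn", dn)] + [_ldif_line(n, v) for n, v in attrs]
    return "\n".join(lines) + "\n"


def base_entries(domain, tld):
    """The three entries the ldapadd step above creates, built from data."""
    base = f"dc={dn_escape(domain)},dc={dn_escape(tld)}"
    ou_classes = [("objectClass", "top"), ("objectClass", "organizationalUnit")]
    return "\n".join([
        ldif_record(base, [("dc", domain), ("objectClass", "top"), ("objectClass", "domain")]),
        ldif_record(f"ou=Usuarios,{base}", [("ou", "Usuarios")] + ou_classes),
        ldif_record(f"ou=Grupos,{base}", [("ou", "Grupos")] + ou_classes),
    ])


def user_entry(uid, cn, sn, password, base_dn, salt=None):
    """An inetOrgPerson under ou=Usuarios whose userPassword is already hashed."""
    return ldif_record(f"uid={dn_escape(uid)},ou=Usuarios,{base_dn}", [
        ("uid", uid), ("cn", cn), ("sn", sn),
        ("objectClass", "inetOrgPerson"),
        ("userPassword", ssha_hash(password, salt)),
    ])


if __name__ == "__main__":
    print(base_entries("exemplo", "org"))
    print(user_entry("joao", "João Silva", "Silva", "s3cret", "dc=exemplo,dc=org"))
    print("salt bytes in the page's hash:", len(ssha_split(PAGE_HASH)[1]))
```

Pipe the output into ldapadd exactly as the heredoc above is. Two things the code makes visible: the page's hash decodes to a 20-byte SHA-1 digest plus a 4-byte salt, so {SSHA} is a single unsalted-iteration SHA-1 and cheap to brute-force offline (OpenLDAP also accepts {CRYPT} with olcPasswordCryptSaltFormat set to a SHA-512 crypt salt if a slower scheme is wanted); and a value such as "João Silva" is emitted as "cn::" base64, which a heredoc would have sent as raw UTF-8 bytes on a cleartext line.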
Cipher test:
# nmap --script ssl-enum-ciphers -p 636 ldap-master-01.exemplo.org

Starting Nmap 6.40 ( http://nmap.org ) at 2016-06-30 16:52 BRT
Nmap scan report for ldap-master-01.exemplo.org (192.0.2.210)
Host is up (5.7s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

Nmap 6.40 rates every suite "strong", but HIGH still admits 3DES, CBC-mode suites and the TLS_RSA_* suites, whose static RSA key exchange gives no forward secrecy; if those are not wanted, tighten olcTLSCipherSuite and raise olcTLSProtocolMin to 3.3, then re-run the scan.