Slave - TLS
TLS certificate
On the master - OpenLDAP with TLS
# certutil -S -n 'OpenLDAP Slave' -t ",," \
    -c LDAP-CA \
    -f /etc/openldap/certs/password \
    -d /etc/openldap/certs \
    -z /tmp/noise.txt \
    -s "CN=OpenLDAP Slave,OU=TI,O=Exemplo,L=Maraba,ST=Mara,C=BR" \
    -8 "ldap-slave.exemplo.org" \
    -v 36 \
    -Z SHA256 \
    -g 4096
Exporting the signed certificate and its private key:
# pk12util -d /etc/openldap/certs -o /root/slave.p12 -n "OpenLDAP Slave" -k /etc/openldap/certs/password
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Exporting the CA certificate:
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
On the slave
Installing the required packages:
# yum install openldap-clients openldap-servers openldap pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-devel pwgen
Backing up the existing certificate database directory:
# mv /etc/openldap/certs{,.dist}
Creating a new directory for the database:
# mkdir /etc/openldap/certs
Generating the certificate database password:
# pwgen -sy 32 1 > /etc/openldap/certs/password
Creating the new database:
# certutil -d /etc/openldap/certs -N -f /etc/openldap/certs/password
Copying the CA certificate and the exported key pair from the master:
# scp ldap-master-01.exemplo.org:/tmp/ca.crt /tmp/
# scp ldap-master-01.exemplo.org:/root/slave.p12 /tmp/
Importing the certificates:
# pk12util -d /etc/openldap/certs -i /tmp/slave.p12 -k /etc/openldap/certs/password
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -A -n "LDAP-CA" -t "TCu,Cu,Cu" -i /tmp/ca.crt -d /etc/openldap/certs
Notice: Trust flag u is set automatically if the private key is present.
Changing the permissions:
# chmod 440 /etc/openldap/certs/password
# chown ldap. /etc/openldap/certs/*
Verifying the certificate
# certutil -L -d /etc/openldap/certs/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LDAP-CA                                                      CT,C,C
OpenLDAP Slave                                               u,u,u
# certutil -K -d /etc/openldap/certs/ -f /etc/openldap/certs/password
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      71a1af1e337005f8f5d4c636e2181d1a70630f1c   OpenLDAP Slave
# certutil -L -d /etc/openldap/certs/ -n "OpenLDAP Slave"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 00:a6:d0:89:63
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=LDAP-CA,OU=TI,O=Exemplo,L=Maraba,ST=Para,C=BR"
        Validity:
            Not Before: Thu Jun 30 19:58:30 2016
            Not After : Sun Jun 30 19:58:30 2019
        Subject: "CN=OpenLDAP Slave,OU=TI,O=Exemplo,L=Maraba,ST=Mara,C=BR"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "ldap-slave.exemplo.org"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        [...]
    Fingerprint (SHA-256):
        06:12:43:3F:D7:2D:26:AA:BE:71:6C:63:7D:B9:B2:D0:78:B2:62:C2:A0:4D:49:E6:79:09:B0:1D:54:2E:86:8B
    Fingerprint (SHA1):
        35:6C:A7:1D:E9:CF:03:6E:A8:36:45:4B:A4:C0:E6:1C:5B:6A:AC:EA
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
# certutil -V -d /etc/openldap/certs -n "OpenLDAP Slave" -u C
certutil: certificate is valid
Configuring OpenLDAP
Enabling TLS:
# vim /etc/sysconfig/slapd
[...]
SLAPD_URLS="ldapi:/// ldaps:///"
[...]
# Any custom options
SLAPD_OPTIONS="-g ldap"
[...]
Modifying /etc/openldap/ldap.conf:
# vim /etc/openldap/ldap.conf
[...]
BASE dc=exemplo,dc=org
URI ldaps://ldap-slave.exemplo.org
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
[...]
Using the example DB_CONFIG:
# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Starting OpenLDAP:
# slaptest -u
config file testing succeeded
# systemctl start slapd
# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
Adding schemas:
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
adding new entry "cn=nis,cn=schema,cn=config"
Generating the OpenLDAP management password:
# slappasswd
New password:
Re-enter new password:
{SSHA}4h9hUAdtsh8nfUFPHQTL9hSoK83pxkTP
Exporting the variables used in the following steps:
# export MYHASH="{SSHA}4h9hUAdtsh8nfUFPHQTL9hSoK83pxkTP"
# export MYDOMAIN=exemplo
# export MYTLD=org
# export FQDN="ldap-slave.exemplo.org"
Modifying olcDatabase={0}config:
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
-
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage by * none
EOF
Modifying olcDatabase={1}monitor:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read by * none
EOF
Modifying olcDatabase={2}hdb:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=${MYDOMAIN},dc=${MYTLD}
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF
Modifying the indexes:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
-
EOF
Modifying the ACLs:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by self =xw by anonymous auth by * none
olcAccess: {1}to * by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by self read by users read by * none
EOF
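The two ACLs above decide, per attribute, who may authenticate against, read or change what: anonymous clients get only auth on userPassword (enough to bind, not enough to read the hash), a user may change but not read its own password (=xw), and authenticated users may read everything else. The Python below is an added example, not part of the original page, that models slapd's evaluation order (first matching <to> clause, then first matching <by> clause, with "=" meaning an exact privilege set) over those two rules with the variables expanded to exemplo/org; the entries uid=alice and uid=bob are hypothetical, and dn.regex, sets, ssf and the rootdn bypass are deliberately not modelled.

```python
"""Simplified model of how slapd evaluates the two olcAccess rules above (added example)."""
import re

# Access levels in increasing order; a level grants everything below it.
ORDER = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Letters used in the exact-privilege form, e.g. "=xw" (auth + write, no read).
PRIV = {"0": "none", "d": "disclose", "x": "auth", "c": "compare",
        "s": "search", "r": "read", "w": "write", "m": "manage"}
MANAGER = "cn=Manager,dc=exemplo,dc=org"

# The olcAccess values from the olcDatabase={2}hdb step, variables expanded, {n} prefixes dropped.
ACLS = [
    'to attrs=userPassword,shadowLastChange by dn.exact="%s" write by self =xw by anonymous auth by * none' % MANAGER,
    'to * by dn.exact="%s" write by self read by users read by * none' % MANAGER,
]

def parse(acl):
    """Split one rule into (attribute set, or None for 'to *', [(who, access), ...])."""
    target, *clauses = acl.split(" by ")
    m = re.match(r"to attrs=(\S+)", target)
    attrs = {a.lower() for a in m.group(1).split(",")} if m else None
    return attrs, [tuple(c.split(None, 1)) for c in clauses]  # assumes DNs without spaces

def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith('dn.exact="'):
        return requester is not None and who[10:-1].lower() == requester.lower()
    raise ValueError("unsupported <who> clause: " + who)

def granted(access, op):
    if access.startswith("="):  # exact privilege set: nothing else is implied
        return op in {PRIV[c] for c in access[1:]}
    return ORDER.index(op) <= ORDER.index(access)

def allowed(requester, entry_dn, attr, op, acls=ACLS):
    """First <to> clause matching the attribute wins; inside it, the first matching <by> clause."""
    for acl in acls:
        attrs, clauses = parse(acl)
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, access in clauses:
            if who_matches(who, requester, entry_dn):
                return granted(access, op)
        return False  # a <to> clause matched but no <by> clause did: denied
    return False
```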
Modifying the TLS settings:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: "OpenLDAP Slave"
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
-
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcIdleTimeout
olcIdleTimeout: 120
EOF
Modifying olcDatabase={-1}frontend:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
# olcPasswordHash takes the hashing scheme to use for new passwords, not a hash value
olcPasswordHash: {SSHA}
-
add: olcRequires
olcRequires: LDAPv3 authc
EOF
To accept only TLS:
# ldapmodify -H ldaps://${FQDN} -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
EOF
