I. Preparation
1. First, issue a certificate for OpenLDAP:
https://www.cnblogs.com/eagle6688/p/16974768.html
2. Copy the CA certificate, the OpenLDAP certificate and the OpenLDAP private key into the OpenLDAP directory:
cp -v certs/openldap.crt private/openldap.key /etc/openldap/certs/
cp -v ca.cert.pem /etc/openldap/certs/
II. Configuration
1. Check the existing TLS configuration
slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile"
2. Change the values of olcTLSCertificateFile and olcTLSCertificateKeyFile
(1) Create tls.ldif
vi tls.ldif
(2) Put the following content in tls.ldif:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/openldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/openldap.key
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.cert.pem
(3) Change the owner of the certificate directories:
chown -R openldap:openldap /etc/openldap/certs
chown -R openldap:openldap /etc/openldap/cacerts
(4) Apply the TLS attributes:
ldapmodify -Y EXTERNAL -H ldapi:// -f tls.ldif
3. Verify the new values
slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile|olcTLSCACertificateFile"
4. Modify the OpenLDAP configuration
(1) Add the ldaps protocol:
sudo vi /etc/sysconfig/slapd
Update SLAPD_URLS to:
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
(2) Modify /etc/openldap/ldap.conf
sudo vi /etc/openldap/ldap.conf
Update it to:
TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/ca.cert.pem
TLS_REQCERT allow
Because we are using a self-signed certificate rather than one issued by a public CA, TLS_CACERT must point at our CA certificate; otherwise authenticating an LDAP client fails with a "TLS negotiation failure" error.
If TLS_REQCERT is set to never, the certificate is not validated at all, and configuring TLS becomes pointless.
5. Configure the firewall
firewall-cmd --permanent --zone=public --add-service=ldaps
firewall-cmd --reload
6. Restart the service
systemctl restart slapd
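Before running ldapmodify and restarting slapd, it is worth checking that tls.ldif (step 2) and ldap.conf (step 4(2)) agree with each other. The script below is an added example and is not part of the original post; it assumes a POSIX shell with awk, sed and mktemp, and the tls.ldif and ldap.conf contents it writes to a temporary directory are constructed samples that mirror the steps above. It flags two things a practitioner will want to catch before the restart: the server-side CA path (olcTLSCACertificateFile) differing from the client-side one (TLS_CACERT), which is the case in the steps above, where ca.cert.pem is copied into /etc/openldap/certs/ but the LDIF points at /etc/openldap/cacerts/, and a TLS_REQCERT value that does not enforce verification. Per ldap.conf(5), allow ignores an invalid server certificate and lets the session proceed, so in terms of verification it is no stronger than never; only demand (the default) and hard reject a missing or invalid certificate, which is why the check groups allow with never.

```shell
#!/bin/sh
# Pre-flight consistency check for the tls.ldif / ldap.conf pair used in the guide.
# Added example, not from the original post. Assumes POSIX sh with awk, sed and mktemp.

# First value of LDIF attribute $2 in file $1.
ldif_value() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# First value of ldap.conf directive $2 in file $1 (comment lines never match).
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Classify a TLS_REQCERT setting by how much verification it actually enforces.
# Only demand (the default when unset) and hard reject a missing or bad server cert.
reqcert_policy() {
    case "$1" in
        ""|demand|hard) echo verify ;;
        try)            echo partial ;;   # bad cert rejected, missing cert accepted
        allow|never)    echo none ;;      # bad cert ignored / cert not requested
        *)              echo unknown ;;
    esac
}

# Compare the server-side LDIF ($1) with the client-side ldap.conf ($2).
# Prints one finding per line; returns 0 only when there are no findings.
check_pair() {
    ldif=$1; conf=$2; findings=0
    for attr in olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCACertificateFile; do
        if [ -z "$(ldif_value "$ldif" "$attr")" ]; then
            echo "missing: $attr not set in $ldif"; findings=$((findings + 1))
        fi
    done
    server_ca=$(ldif_value "$ldif" olcTLSCACertificateFile)
    client_ca=$(conf_value "$conf" TLS_CACERT)
    if [ -n "$server_ca" ] && [ -n "$client_ca" ] && [ "$server_ca" != "$client_ca" ]; then
        echo "mismatch: olcTLSCACertificateFile=$server_ca but TLS_CACERT=$client_ca"
        findings=$((findings + 1))
    fi
    policy=$(reqcert_policy "$(conf_value "$conf" TLS_REQCERT)")
    if [ "$policy" != verify ]; then
        echo "weak: TLS_REQCERT enforces $policy verification; use demand"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Write constructed sample files mirroring the guide into a temp dir; prints the dir.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/tls.ldif" <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/openldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/openldap.key
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.cert.pem
EOF
    # ldap.conf as written in the guide: different CA path, TLS_REQCERT allow.
    cat > "$d/ldap.conf.guide" <<'EOF'
TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/ca.cert.pem
TLS_REQCERT allow
EOF
    # Corrected ldap.conf: same CA file as the server side and full verification.
    cat > "$d/ldap.conf.fixed" <<'EOF'
# client TLS settings (constructed sample)
TLS_CACERT /etc/openldap/cacerts/ca.cert.pem
TLS_REQCERT demand
EOF
    echo "$d"
}

samples=$(make_samples)
check_pair "$samples/tls.ldif" "$samples/ldap.conf.guide" || echo "guide config: fix before restarting slapd"
check_pair "$samples/tls.ldif" "$samples/ldap.conf.fixed" && echo "fixed config: consistent"
```

Run it with sh; the guide's ldap.conf produces two findings (the CA path mismatch and the weak TLS_REQCERT) while the corrected sample passes. To use it on a real host, call check_pair with the actual tls.ldif and /etc/openldap/ldap.conf before running ldapmodify.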
III. References
https://www.golinuxcloud.com/configure-openldap-with-tls-certificates/
From: https://www.cnblogs.com/eagle6688/p/16977245.html