LDAP over TLS – failed

For security reasons, LDAP can be carried over the TLS/SSL encryption protocol.
Reference page:
Linux . 無限: Installing and configuring an LDAP Server on CentOS7/RHEL7 (Part 1)

1. Install the openssl package
# yum install openssl

2. Edit /etc/pki/tls/openssl.cnf
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.$(date +%F)
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = TW
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Yilan

localityName                    = Locality Name (eg, city)
localityName_default            = TouCheng

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Elementary School

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = LDAP Server

3. Generate the certificate and private key
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 3650
Generating a 2048 bit RSA private key
.........+++
...............+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [LDAP Server]:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

4. Change the owner and group of the directory and the file permissions
# chown -R ldap:ldap /etc/openldap/certs
# chmod 600 /etc/openldap/certs/priv.pem
# ls -l /etc/openldap/certs/*
-rw-r--r-- 1 ldap ldap 65536 Mar  8 17:46 /etc/openldap/certs/cert8.db
-rw-r--r-- 1 ldap ldap  1391 Mar 10 14:14 /etc/openldap/certs/cert.pem
-rw-r--r-- 1 ldap ldap 16384 Mar  8 17:46 /etc/openldap/certs/key3.db
-r--r----- 1 ldap ldap    45 Dec  7 10:22 /etc/openldap/certs/password
-rw------- 1 ldap ldap  1704 Mar 10 14:14 /etc/openldap/certs/priv.pem
-rw-r--r-- 1 ldap ldap 16384 Dec  7 10:22 /etc/openldap/certs/secmod.db

5. Create tlsc.ldif
# cat tlsc.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

6. Import the LDIF
# /bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f tlsc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

7. Restart the LDAP Server
# systemctl restart slapd.service

It doesn't seem to have worked; let's try another method!
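The same procedure as one script, added here as an example and not taken from the original post or the referenced blog: it redoes step 3 with a Common Name supplied on the command line (the interactive run above shows none entered), checks the ownership and mode that step 4 requires, and after step 7 exercises STARTTLS so the outcome is observed rather than guessed. The hostname ldap.example.com, the LDAP_HOST variable and the setup/verify arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Redoes steps 3-4 non-interactively
# (real Common Name, ldap:ldap ownership, priv.pem mode 600) and then verifies the
# TLS listener instead of guessing. ldap.example.com and LDAP_HOST are placeholders.
set -u
CERT_DIR=/etc/openldap/certs
HOST="${LDAP_HOST:-ldap.example.com}"   # placeholder: the server's real FQDN

# Step 3 with -subj so the Common Name is never left blank: a certificate whose
# CN is empty cannot be matched against the server's hostname by any client.
make_cert() {
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/C=TW/ST=Yilan/L=TouCheng/O=Elementary School/OU=LDAP Server/CN=$HOST" \
        -keyout "$CERT_DIR/priv.pem" -out "$CERT_DIR/cert.pem"
}

# Step 4 as a check: check_file <path> <mode as ls prints it> <owner> <group>.
# Uses `ls -ld` so it needs no GNU stat; the mode is prefix-matched because ls
# appends '.' (SELinux label) or '+' (ACL) to the mode string on CentOS.
check_file() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    set -- "$1" "$2" "$3" "$4" $(ls -ld "$1")
    case "$5" in "$2"*) ;; *) echo "mode $5 on $1, want $2"; return 1 ;; esac
    [ "$7" = "$3" ] && [ "$8" = "$4" ] || { echo "owner $7:$8 on $1, want $3:$4"; return 1; }
}

check_perms() {
    check_file "$CERT_DIR/cert.pem" -rw-r--r-- ldap ldap &&
    check_file "$CERT_DIR/priv.pem" -rw------- ldap ldap
}

# After step 7: print what the certificate actually says, then force STARTTLS on
# port 389 (-ZZ fails hard if TLS cannot be negotiated). LDAPTLS_CACERT lets the
# client trust the self-signed certificate for this one test.
verify_tls() {
    openssl x509 -in "$CERT_DIR/cert.pem" -noout -subject -dates || return 1
    LDAPTLS_CACERT="$CERT_DIR/cert.pem" ldapwhoami -x -ZZ -H "ldap://$HOST"
}

case "${1:-}" in
    setup)  make_cert && chown -R ldap:ldap "$CERT_DIR" && chmod 600 "$CERT_DIR/priv.pem" ;;
    verify) check_perms && verify_tls ;;
esac
```

Run `sh script.sh setup` as root before steps 5-7 and `sh script.sh verify` after the restart; a failing `ldapwhoami -ZZ` prints the TLS error that the bare `systemctl restart` hides.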