Reference pages:
CentOS 7 : Create SSL Certificates : Server World
CentOS 7 : OpenLDAP : LDAP over TLS : Server World
1. Change to the certificates directory
# cd /etc/pki/tls/certs
2. Create server.key
# make server.key
umask 77 ;
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
................+++
......................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
3. Remove the passphrase from server.key (so slapd can read the key at startup without a prompt)
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
4. Create server.csr
# make server.csr
umask 77 ;
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [LDAP Server]:
Common Name (eg, your name or your server's hostname) []:xxxx.tces.ilc.edu.tw
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
5. Create the (self-signed) certificate
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=TW/ST=Yilan/L=TouCheng/O=Elementary School/OU=LDAP Server/CN=xxxx.tces.ilc.edu.tw
Getting Private key
6. Copy the files to the /etc/openldap/certs directory
# cp /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs
7. Change the file owner and group
# chown ldap:ldap /etc/openldap/certs/server.* /etc/openldap/certs/ca-bundle.crt
8. Create mod_ssl.ldif
# cat mod_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
9. Apply the LDIF to cn=config
# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
10. Edit /etc/sysconfig/slapd to add ldaps:///
# cp /etc/sysconfig/slapd /etc/sysconfig/slapd.$(date +%F)
# sed -i '/SLAPD_URLS/s@ldapi:/// ldap:///@ldapi:/// ldap:/// ldaps:///@' /etc/sysconfig/slapd
11. Restart the LDAP server
# systemctl restart slapd.service
12. Check that slapd is listening on both 389 and 636
# netstat -antulp | egrep '389|636'
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1933/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1933/slapd
tcp6 0 0 :::636 :::* LISTEN 1933/slapd
tcp6 0 0 :::389 :::* LISTEN 1933/slapd
13. Firewall settings
# firewall-cmd --permanent --add-service=ldap
# firewall-cmd --permanent --add-service=ldaps
# firewall-cmd --reload
or
# iptables -A INPUT -p tcp -s 192.168.1.0/24 --syn -m state --state NEW --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp -s 192.168.1.0/24 --syn -m state --state NEW --dport 636 -j ACCEPT
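The steps above leave three things worth verifying before trusting the server: that the passphrase-less server.key from step 3 is readable only by its owner (step 7 sets the owner but not the mode), that server.crt really belongs to server.key, and that step 10 actually produced a SLAPD_URLS line containing ldaps:/// (the fixed-string sed only matches if the file had exactly `ldapi:/// ldap:///`). The following script is an added example, not part of the original post or of Server World's pages. The file paths are the ones used in the steps above; `add_ldaps_url` is an idempotent replacement for the step 10 sed, and `ldaps_live_check` assumes a running slapd reachable on the host name you pass in. The `stat -c` and `sed -i` forms are GNU ones (CentOS 7).

```shell
#!/bin/sh
# Added example: post-install checks for the OpenLDAP TLS setup above.

# Add ldaps:/// to SLAPD_URLS="..." in the given sysconfig file unless it is
# already present. Works whatever order ldapi:/// and ldap:/// appear in,
# and is safe to run more than once (unlike the fixed-string sed in step 10).
add_ldaps_url() {
    file="$1"
    if grep -q '^SLAPD_URLS=.*ldaps:///' "$file"; then
        return 0
    fi
    # Insert " ldaps:///" just before the closing quote of the value.
    sed -i 's|^\(SLAPD_URLS="[^"]*\)"|\1 ldaps:///"|' "$file"
}

# Print the value inside SLAPD_URLS="..." so it can be checked.
get_slapd_urls() {
    sed -n 's|^SLAPD_URLS="\(.*\)"$|\1|p' "$1"
}

# Return 0 only if the key is unreadable by group and others. After step 3
# the key has no passphrase, so the file mode is its only protection.
key_mode_ok() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if the public key inside the certificate is the same as the
# public key derived from the private key, i.e. the pair really matches.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Live check against a running slapd (not exercised offline): StartTLS on
# 389 as configured in step 9, and a direct TLS handshake on 636 from
# step 10. The self-signed server.crt is its own trust anchor here.
ldaps_live_check() {
    host="$1"
    LDAPTLS_CACERT=/etc/openldap/certs/server.crt \
        ldapsearch -ZZ -x -H "ldap://$host" -b '' -s base namingContexts
    echo | openssl s_client -connect "$host:636" \
        -CAfile /etc/openldap/certs/server.crt 2>/dev/null | grep 'Verify return code'
}

# Usage: sh check_ldap_tls.sh check [hostname]
if [ "${1:-}" = "check" ]; then
    key_mode_ok /etc/openldap/certs/server.key && echo "server.key mode ok" \
        || echo "WARNING: server.key is readable by group/others; chmod 600 it"
    key_matches_cert /etc/openldap/certs/server.key /etc/openldap/certs/server.crt \
        && echo "server.crt matches server.key" || echo "WARNING: key/cert mismatch"
    add_ldaps_url /etc/sysconfig/slapd
    echo "SLAPD_URLS=$(get_slapd_urls /etc/sysconfig/slapd)"
    [ -n "${2:-}" ] && ldaps_live_check "$2"
fi
```

Run `sh check_ldap_tls.sh check` after step 7 to catch a world-readable key or a mismatched pair before restarting slapd, and `sh check_ldap_tls.sh check xxxx.tces.ilc.edu.tw` after step 11 to confirm both StartTLS and ldaps work; a "Verify return code: 0 (ok)" line on the 636 check means the certificate served is the one you generated.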