The task: get LDAP running with SSL.
1. Set up the slapd server.
File /etc/openldap/slapd.conf (everything works without SSL, so the other settings
are skipped)
- skip-
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap.pem
TLSCACertificateFile /etc/openldap/ldap.pem
- skip-
2. File /etc/ldap.conf
# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
host 192.168.1.254
# The distinguished name of the search base.
base dc=mydomain,dc=ru
- skip -------------------
- skip -------------------
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/lib/ssl/misc/demoCA/cacert.pem
#tls_cacertdir /usr/lib/ssl/
# SSL cipher suite
# See man ciphers for syntax
tls_ciphers TLSv1
# Client sertificate and key
# Use these, if your server requires client authentication.
tls_cert
tls_key
3. Make the SSL certificates
[root@ns misc]# ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
............++++++
................++++++
writing new private key to './CA/private/cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [My Region]:
Locality Name (eg, city) [My Town]:
Organization Name (eg, company) [My zavod]:
Organizational Unit Name (eg, section) [My CA]:
Common Name (eg, your name or your server's hostname) [192.168.1.254]:
Email Address [my@mydomain.ru]:
[root@ns misc]# ./CA.pl -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
............++++++
..++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [My Region]:
Locality Name (eg, city) [My Town]:
Organization Name (eg, company) [My zavod]:
Organizational Unit Name (eg, section) [My CA]:
Common Name (eg, your name or your server's hostname) [192.168.1.254]:
Email Address [my@mydomain.ru]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
[root@ns misc]# ./CA.pl -signreq
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'RU'
stateOrProvinceName :PRINTABLE:'My Region'
localityName :PRINTABLE:'My Town'
organizationName :PRINTABLE:'My zavod'
organizationalUnitName:PRINTABLE:'My CA'
commonName :PRINTABLE:'192.168.1.254'
emailAddress :IA5STRING:'my@mydomain.ru'
Certificate is to be certified until Aug 8 06:02:38 2003 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4. Check the certificate
[root@ns misc]# openssl x509 -text -in newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
skip
-----BEGIN CERTIFICATE-----
skip
-----END CERTIFICATE-----
5. Copy the certificate
[root@ns misc]# cat newcert.pem >/etc/openldap/ldap.pem
[root@ns openldap]# chown ldap:ldap ldap.pem
6. Start slapd
[root@ns openldap]# slapd -u ldap -h ldaps://192.168.1.254
[root@ns openldap]# netstat -a | grep LISTEN
tcp 0 0 192.168.1.254:ssl-ldap *:* LISTEN
7. Try to connect.
[root@ns openldap]# openssl s_client -connect 192.168.1.254:636 -showcerts
CONNECTED(00000004)
6042:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:455:
And it is always like this. How do I deal with it?
I tried making the certificate like this.
cd /usr/lib/ssl/certs
make ldap.pem
Same result.
[root@ns certs]# openssl s_client -connect 192.168.1.254:636 -showcerts
CONNECTED(00000004)
6154:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:455:
Regards,
tal
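An added diagnostic, not part of the post above and not from the OpenLDAP or OpenSSL projects. The post builds ldap.pem with `cat newcert.pem >/etc/openldap/ldap.pem` and then uses that one file as TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile. `CA.pl -signreq` writes only the signed certificate into newcert.pem; the private key stays in newreq.pem, where `CA.pl -newreq` stored it encrypted under the PEM pass phrase typed at step 3. A file that slapd loads as its key must contain the key, unencrypted, since a daemon cannot answer a pass-phrase prompt. The script below inspects a PEM bundle by its block headers only (standard library, nothing to install) and reports exactly those two conditions; the sample PEM data in it is constructed to mimic the shape of the CA.pl output files and contains no real key material.

```python
"""Check whether a PEM bundle is usable as slapd's certificate + key file.

Added example; reads only PEM block types and headers, so it reports a
missing private key or a pass-phrase-encrypted one, the two usual reasons a
freshly built ldap.pem gives 'handshake failure' on the first connect.
"""
import re

# One PEM block: type name, then body (optional headers + base64) up to the
# matching END line of the same type.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

PLAIN_KEY_TYPES = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}
ENCRYPTED_KEY_TYPES = {"ENCRYPTED PRIVATE KEY"}  # PKCS#8 encrypted form


def parse_pem(text):
    """Return [(block_type, is_encrypted_key), ...] for every PEM block in text.

    Legacy OpenSSL encrypted keys (what `CA.pl -newreq` writes) keep the
    'RSA PRIVATE KEY' type but carry a 'Proc-Type: 4,ENCRYPTED' header inside
    the block; PKCS#8 encrypted keys use a distinct block type instead.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        kind, body = match.group(1), match.group(2)
        encrypted = kind in ENCRYPTED_KEY_TYPES or "Proc-Type: 4,ENCRYPTED" in body
        blocks.append((kind, encrypted))
    return blocks


def check_slapd_bundle(text):
    """Return the reasons slapd could not serve TLS from this file.

    An empty list means the file holds a certificate and an unencrypted
    private key, which is what one file used as both TLSCertificateFile and
    TLSCertificateKeyFile must contain.  Key/certificate agreement is not
    checked here; see the usage note for the openssl commands that do that.
    """
    blocks = parse_pem(text)
    certs = [kind for kind, _ in blocks if kind == "CERTIFICATE"]
    keys = [enc for kind, enc in blocks if kind in PLAIN_KEY_TYPES | ENCRYPTED_KEY_TYPES]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no private key block")
    elif any(keys):
        problems.append("private key is passphrase-encrypted")
    return problems


# Constructed stand-ins (not real keys or certificates): the shape of the
# files CA.pl produces, with the base64 payload replaced by a placeholder.
NEWCERT_PEM = """Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
MIICplaceholderCERT
-----END CERTIFICATE-----
"""

NEWREQ_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIICplaceholderENCRYPTEDKEY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBplaceholderCSR
-----END CERTIFICATE REQUEST-----
"""

# What `openssl rsa -in newreq.pem -out ldap.key` would leave behind.
LDAP_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICplaceholderPLAINKEY
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, data in [("ldap.pem built with cat newcert.pem", NEWCERT_PEM),
                       ("newcert.pem + newreq.pem", NEWCERT_PEM + NEWREQ_PEM),
                       ("newcert.pem + decrypted key", NEWCERT_PEM + LDAP_KEY_PEM)]:
        print(name, "->", check_slapd_bundle(data) or "OK")
```

Run it against the real /etc/openldap/ldap.pem by passing `open(path).read()` to `check_slapd_bundle`. When it reports a missing or encrypted key, `openssl rsa -in newreq.pem -out ldap.key` strips the pass phrase (it prompts once), `cat newcert.pem ldap.key > ldap.pem` builds the bundle slapd needs, and the file should stay mode 600 and owned by the ldap user, since it now holds the key in the clear. To confirm the key and certificate belong together, compare the output of `openssl x509 -noout -modulus -in ldap.pem` with `openssl rsa -noout -modulus -in ldap.pem`. TLSCACertificateFile should point at the CA certificate (the demoCA/cacert.pem that the client side of the post already uses), not at the server certificate itself.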