Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 18 17:11:48 2004 GMT
Not After : Nov 18 17:11:48 2005 GMT
Subject:
countryName = CN
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = myth.unix.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:5A:A3:89:D0:24:7F:83:70:25:E6:A6:CA:D8:35:09:5A:65:70:E3
X509v3 Authority Key Identifier:
keyid:4E:A0:2B:E4:B2:BB:01:9B:5D:12:7D:90:79:40:22:36:8B:29:28:AC
DirName:/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.cn
serial:00
Certificate is to be certified until Nov 18 17:11:48 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CN, ST=Some-State, O=Internet Widgits Pty Ltd, CN=abc.cn
Validity
Not Before: Nov 18 17:11:48 2004 GMT
Not After : Nov 18 17:11:48 2005 GMT
Subject: C=CN, ST=Some-State, O=Internet Widgits Pty Ltd, CN=myth.unix.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b7:7a:49:0f:53:53:b2:d0:c3:38:c5:fc:ba:1b:
db:69:56:a6:e2:20:e8:f9:48:77:f1:95:c9:0b:f3:
8d:0d:d6:43:7b:de:c2:82:88:58:7c:8a:0f:59:0e:
00:46:4e:b1:ff:03:e4:49:39:1a:33:6d:94:b4:e8:
36:e6:99:63:2a:16:21:7a:21:be:4e:92:08:92:35:
d6:59:cd:39:9b:bc:0d:6e:31:7a:1b:e1:50:c3:e2:
62:e0:99:1c:25:78:22:fa:e4:26:1b:b6:0c:71:0c:
52:99:64:81:03:77:56:ec:8c:7e:3d:0a:ca:4e:9c:
82:a9:55:5d:9d:75:64:f1:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:5A:A3:89:D0:24:7F:83:70:25:E6:A6:CA:D8:35:09:5A:65:70:E3
X509v3 Authority Key Identifier:
keyid:4E:A0:2B:E4:B2:BB:01:9B:5D:12:7D:90:79:40:22:36:8B:29:28:AC
DirName:/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.cn
serial:00
Signature Algorithm: md5WithRSAEncryption
67:bf:f5:2e:6b:7e:e1:53:48:56:4e:91:30:87:38:57:ff:23:
c3:b3:71:ed:fd:d7:bd:7c:22:8b:76:9a:0e:c0:e6:4d:19:91:
86:d3:af:ce:08:b2:01:ba:df:f6:d3:8c:3a:11:f6:10:f6:09:
3d:be:61:e2:39:77:5b:d2:1b:a7:bb:fb:a4:37:bf:79:54:ad:
82:9e:dc:c8:85:a6:39:4b:b9:d1:02:16:f5:4f:6f:30:4a:02:
96:8e:0b:06:85:da:5e:3b:00:af:1a:b1:fb:31:55:69:6c:21:
e3:4a:d8:17:3d:92:69:12:d6:c7:40:58:8b:8b:ba:77:73:31:
58:41
-----BEGIN CERTIFICATE-----
MIIDBDCCAm2gAwIBAgIBATANBgkqhkiG9w0BAQQFADBWMQswCQYDVQQGEwJDTjET
.......
i4u6d3MxWEE=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
4、将这些证书移动到一个指定的地方
# cp demoCA/cacert.pem /usr/local/etc/openldap/
# cp newcert.pem /usr/local/etc/openldap/servercrt.pem
# cp newreq.pem /usr/local/etc/openldap/serverkey.pem
# chmod 400 /usr/local/etc/openldap/serverkey.pem
最后一条命令是更改serverkey.pem的访问权限,因为它是做为服务器的私有密钥出现,不允许他人访问。
5、修改OpenLDAP服务器配置
# vi /usr/local/etc/openldap/slapd.conf
增加如下内容:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSVerifyClient try
注意:对于TLSVerifyClient的各个选项是,如果这里设定为demand,则后面的连接会出现问题,而对于try、allow则没有问题。说不定是OpenLDAP或OpenSSL的bug,我使用的分别是:openssl-0.9.7d_1和openldap-server-2.2.15
# vi /etc/rc.conf
修改相关内容为:
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.
0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
6、重启OpenLDAP服务器
# /usr/local/etc/rc.d/slapd.sh restart
# sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
ldap slapd 717 8 stream /var/run/openldap/ldapi
ldap slapd 717 9 tcp4 *:389 *:*
ldap slapd 717 10 tcp4 *:636 *:*
此时服务器应该就可以使用了。下面是对客户端的配置
(二)客户端的证书
建立客户端证书与建立服务器端的证书过程方法基本一样。再次提醒关于"Common Name",应该根据客户端的情况来填入FQDN。关于客户端的CA证书应该有很多,因为它可能要连接多个LDAP服务器,而每一个服务器都会有一个CA证书。这里就要使用先前建立的那个CA证书。
1、获得LDAP服务端的CA证书。这里直接使用了LDAP的CA证书。
2、生成客户端的CSR,得到newreq.pem
提示:这里对“Common Name”的要求不是那么,即不一定是客端的名字
# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
3、使用服务端的CA证书签署刚才的CSR,得到newcrt.pem
# /usr/local/openssl/misc/CA.sh -sign
4、复制newreq.pem和newcrt.pem到一个指定的地方
# cp newcert.pem /usr/local/etc/openldap/client.cert.pem # cp newreq.pem /usr/local/etc/openldap/client.key.pem # chmod 400 /usr/local/etc/openldap/client.key.pem
client.key.pem为客户端的私钥,所以要更读取权限。 5、修改客户端的配置
# vi /usr/local/etc/openldap/ldap.conf
修改相关内容为:
HOST localhost
PORT 636
TLS_CACERT /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand
注意:ldap.conf是用于设定客户端全局变量用的。选项TLS_REQCERT默认为demand,即要求验证服务端,如果在连接LDAP服务器时出现了什么错误,很大可能就是TLS_CACERT所指定的CA证书不对。在这里它直接指向服务端所使用的CA证书。
实际上,在这个时候就已经可以进行SSL的连接了,如果服务端的TLSVerifyClient选项不是设定为demand或hard的话。如果是设定为demand,则在客户端还要进行下面的配置。
针对特定的登录用户进行设定,利用.ldaprc文件加载公钥和私钥:
# vi ~/.ldaprc
类似TLS_CERT和TLS_KEY等user-only类型的选项,只能用于此文件中。
TLS_CERT /usr/local/etc/openldap/client.cert.pem
TLS_KEY /usr/local/etc/openldap/client.key.pem
注意:.ldaprc使用户可以根据自己的需要来设定选项的值,如果设定了全局选项的值,则它会自动重载ldap.conf里的相应选项。
(三)查询测试
1、使用openssl连接测试
注意:TLSVerifyClient选项若不为demand,则使用
# openssl s_client -connect localhost:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem
若为demand,则使用
# openssl s_client -connect myserver.com:636 -state -CAfile /usr/local/etc/openldap/cacert.pem -cert /usr/local/etc/openldap/client.cert.pem -key /usr/local/etc/openldap/client.key.pem
下面的结果是第一种情况的输出。
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.cn
verify return:1
depth=0 /C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=myth.unix.cn
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=myth.unix.cn
i:/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.cn
-----BEGIN CERTIFICATE-----
MIIDBDCCAm2gAwIBAgIBATANBgkqhkiG9w0BAQQFADBWMQswCQYDVQQGEwJDTjET
......
i4u6d3MxWEE=
-----END CERTIFICATE-----
1 s:/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.cn
i:/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.cn
-----BEGIN CERTIFICATE-----
MIIC0zCCAjygAwIBAgIBADANBgkqhkiG9w0BAQQFADBWMQswCQYDVQQGEwJDTjET
.....
X9KQMC6DWw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=myth.unix.cn
issuer=/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.cn
---
Acceptable client certificate CA names
/C=CN/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.cn
---
SSL handshake has read 1767 bytes and written 352 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 74F46023120F479F44AE52D3C5E9EC45315CDB301F22A94498256862FF6BE0A1
Session-ID-ctx:
Master-Key: F419DE4C85D016B678AB535084A485B5794FF5E9E3170FD081A95167F59A4684
Key-Arg : None
Start Time: 1100800508
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
^C
许多人在粗体字那个地方出错,常见的错误我也是遇到的,主要就是TLSVerifyClient设置为了demand。
2、使用ldapsearch测试
# ldapsearch -x -b 'dc=example,dc=com' -D 'cn=zxp,dc=example,dc=com' -w secret -H ldaps://localhost/ '(objectclass=*)' -ZZ
对于OpenLDAP 2.2 来说"-ZZ"好象已不太重要。
# ldapsearch -x -b 'dc=example,dc=com' -D 'uid=abc,ou=People,dc=example,dc=com' -w abcabc -H ldaps://localhost/ '(objectclass=*)'
搜索到条目若干,成功!
总结
实际上,OpenLDAP也支持中文,甚至连象uid这样的标识的值都可以为中文,其它属性的值当然也可以为中文了。不过直接导入中文是不行的,必须将中文编码为utf-8这一类的字符集。经过实践,只认识到这么多的内容。感兴趣的朋友可以一起讨论。
发表评论 
打印本文
推荐本文
加入收藏
返回顶部
关闭窗口
