SecuringOpenLDAPConnections
Latest revision as of 20:34, 17 November 2009
Source: https://help.ubuntu.com/community/SecuringOpenLDAPConnections

References
* [http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate#secure_openldap] - the article by 'dvogels' on which this article is based
* [http://www.openldap.org/doc/admin24/] - OpenLDAP Software 2.4 Administrator's Guide
Introduction
This article documents how to secure OpenLDAP connections with SSL using a self-signed certificate. Why do LDAP connections need to be made 'secure'? With a basic LDAP connection (i.e. ldap://server), passwords and other LDAP information are sent across the network as clear text. This may not be a problem in a home network or a small one-office business, but beyond that it is good practice to encrypt the LDAP information going over the network. This article shows one of the simplest ways to encrypt OpenLDAP connections and is based on [1], although a couple of changes were required to get a working system in Hardy.
Tested Systems
This has been tested on Hardy Xubuntu 8.04 with all related software installed from the standard repositories. The server has Samba and Smbldap-tools installed in addition to OpenLDAP. Please add other tested systems in this section.
Configure OpenLDAP Server
Installation
sudo apt-get install openssh-server
Create Certificate
Create a PKCS#10 self-signed certificate. You will be asked several questions - most are unimportant. For Common Name, enter the fully-qualified domain name of your LDAP server (e.g. server.mybusiness.com) if it has one; otherwise enter the short name (e.g. server).
sudo mkdir -v /etc/ldap/ssl
pushd /etc/ldap/ssl
sudo openssl req -newkey rsa:1024 -x509 -nodes \
    -out slapd.pem -keyout slapd.pem -days 3650
# Make this readable to openldap only ..
sudo chown -v openldap:openldap /etc/ldap/ssl/slapd.pem
sudo chmod -v 400 /etc/ldap/ssl/slapd.pem
popd
Modify Config Files
Put these lines in /etc/ldap/slapd.conf in the global directives section. In Ubuntu 8.04, there is a condition that prevents the slapd service from starting if the shown 'TLSCipherSuite' line is included, so I have commented this out. See [2] for information on this condition.
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
In /etc/default/slapd, set the OpenLDAP server to offer a secure SSL connection. Do not include the server name in this line.
SLAPD_SERVICES="ldap:/// ldaps:///"
Restart the OpenLDAP server.
sudo /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
Test SSL Connection
openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 /C=AU/ST=NSW/O=Collins/CN=server.mybusiness.com
verify error:num=18:self signed certificate
:
:
:
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A0EF768030C8CDE2F1CA00A15B4A7638DA135524395731937577EEAC14329C99
:
:
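The s_client transcript above is the evidence that the ldaps listener works, but it also carries the facts a defender should read off before moving on: which certificate the server presented, why verification failed, and which protocol, cipher and key size were negotiated. The following script is an added example for this article, not code from the original page or from OpenSSL. It parses that transcript and turns it into findings; the SAMPLE_OUTPUT is constructed from the lines shown above (session ID left out), and the thresholds in assess() (2048-bit keys, TLS 1.2 or later) are the example's own, not the article's.

```python
"""Triage the output of 'openssl s_client -connect host:636 -showcerts'.

Added example for this article, not from the original page or from OpenSSL.
It pulls the facts a defender checks out of the s_client transcript (subject
CN, verify errors, negotiated protocol and cipher, server key size) and turns
them into findings.  SAMPLE_OUTPUT is constructed from the lines the article
shows, with the session ID left out.
"""
import re

SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=AU/ST=NSW/O=Collins/CN=server.mybusiness.com
verify error:num=18:self signed certificate
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

# The subject regex accepts both the old '/C=AU/CN=host' and the newer
# 'C = AU, CN = host' spellings that different OpenSSL releases print.
_DEPTH0 = re.compile(r"^depth=0\b.*?\bCN\s*=\s*([^/,]+)")
_VERIFY = re.compile(r"^verify error:num=(\d+):(.*)$")
_PROTO = re.compile(r"^Protocol\s*:\s*(\S+)")
_CIPHER = re.compile(r"^Cipher\s*:\s*(\S+)")
_KEYBITS = re.compile(r"^Server public key is (\d+) bit")


def summarize_s_client(output):
    """Return the handshake facts as a dict; anything not seen stays None/empty."""
    summary = {"cn": None, "verify_errors": [], "protocol": None,
               "cipher": None, "key_bits": None}
    for raw in output.splitlines():
        line = raw.strip()
        if m := _DEPTH0.match(line):
            summary["cn"] = m.group(1).strip()
        elif m := _VERIFY.match(line):
            summary["verify_errors"].append((int(m.group(1)), m.group(2).strip()))
        elif m := _PROTO.match(line):
            summary["protocol"] = m.group(1)
        elif m := _CIPHER.match(line):
            summary["cipher"] = m.group(1)
        elif m := _KEYBITS.match(line):
            summary["key_bits"] = int(m.group(1))
    return summary


def assess(summary, expected_cn, self_signed_expected=True):
    """Findings a defender would raise on the summarised handshake.

    With the article's setup the server certificate is its own CA and is not
    in the client's trust store, so verify error 18 (self signed certificate)
    is expected and is suppressed unless self_signed_expected is False.
    """
    findings = []
    if summary["cn"] != expected_cn:
        findings.append(f"certificate CN {summary['cn']!r} does not match "
                        f"the host name {expected_cn!r}")
    for num, msg in summary["verify_errors"]:
        if num == 18 and self_signed_expected:
            continue
        findings.append(f"verify error {num}: {msg}")
    if summary["key_bits"] is not None and summary["key_bits"] < 2048:
        findings.append(f"{summary['key_bits']}-bit server key: below the "
                        "2048-bit minimum expected today")
    if summary["protocol"] in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"{summary['protocol']} negotiated: only TLS 1.2 or "
                        "later should be enabled")
    return findings


if __name__ == "__main__":
    facts = summarize_s_client(SAMPLE_OUTPUT)
    for finding in assess(facts, "server.mybusiness.com"):
        print(finding)
```

On the article's own transcript the script accepts verify error 18 as expected and reports the 1024-bit key and the TLSv1 session. To make s_client verify the chain instead of tolerating error 18, hand it the self-signed certificate as its trust anchor with `-CAfile /etc/ldap/ssl/slapd.pem`; the verify result should then read 0 (ok).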
Configure LDAP Client
Installation
sudo apt-get install openssh-client ldap-utils
Modify Config File
In /etc/ldap.conf, set your client machine to use SSL to connect to LDAP and also allow the self-signed certificate.
URI ldaps://server.mybusiness.com/
TLS_REQCERT allow
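The server settings (the TLS* directives in slapd.conf and SLAPD_SERVICES in /etc/default/slapd) and the client settings (URI and TLS_REQCERT in ldap.conf) above are the points where this setup can silently fall back to cleartext or to an unverified server. The script below is an added example for this article, not code from the original page or from the OpenLDAP project. It parses the 'Directive value' format that slapd.conf and ldap.conf share, checks the settings the article sets, and also checks that slapd.pem (which holds the private key) is not group- or world-readable. The SAMPLE_* strings are constructed copies of the article's own settings; the findings it emits, including the note that TLS_REQCERT allow accepts a bad certificate, are the example's reading of ldap.conf(5), not text from the article.

```python
"""Audit the TLS settings this article configures on server and client.

Added example for this article, not code from the original page or from the
OpenLDAP project.  It parses the 'Directive value' format shared by slapd.conf
and ldap.conf plus the shell-style SLAPD_SERVICES line in /etc/default/slapd,
and reports what a defender would check afterwards.  The SAMPLE_* configs are
constructed to mirror the article's own settings.
"""
import os
import re
import stat

SAMPLE_SLAPD_CONF = """\
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
"""
SAMPLE_DEFAULT_SLAPD = 'SLAPD_SERVICES="ldap:/// ldaps:///"\n'
SAMPLE_LDAP_CONF = """\
URI ldaps://server.mybusiness.com/
TLS_REQCERT allow
"""


def parse_directives(text):
    """Parse 'KEY value' lines as slapd.conf and ldap.conf use them.

    '#' comment lines and blank lines are skipped.  Directive names are
    case-insensitive in both files, so they are normalised to upper case.
    A directive given several times (several URI lines, say) keeps every
    value, in order.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0].upper(), []).append(value)
    return directives


def audit_server(slapd_conf, default_slapd):
    """Findings for the global directives in slapd.conf and /etc/default/slapd."""
    findings = []
    d = parse_directives(slapd_conf)
    for key in ("TLSCACERTIFICATEFILE", "TLSCERTIFICATEFILE",
                "TLSCERTIFICATEKEYFILE"):
        if key not in d:
            findings.append(f"{key} missing: slapd cannot serve ldaps://")
    if "TLSCIPHERSUITE" not in d:
        # Commented out in the article because of the Hardy start-up bug;
        # the cipher list is then whatever the TLS library defaults to.
        findings.append("TLSCipherSuite not set: cipher list left to library defaults")
    m = re.search(r'^\s*SLAPD_SERVICES="([^"]*)"', default_slapd, re.M)
    services = m.group(1).split() if m else []
    if "ldaps:///" not in services:
        findings.append("SLAPD_SERVICES does not offer ldaps:///")
    if "ldap:///" in services:
        findings.append("SLAPD_SERVICES still offers plaintext ldap:///: a client "
                        "that is not configured for ldaps:// binds in clear")
    return findings


def audit_client(ldap_conf):
    """Findings for the client's /etc/ldap.conf."""
    findings = []
    d = parse_directives(ldap_conf)
    for uri in " ".join(d.get("URI", [])).split():
        if not uri.lower().startswith("ldaps://"):
            findings.append(f"URI {uri}: not ldaps://, so the bind password "
                            "crosses the network in clear")
    # ldap.conf(5): TLS_REQCERT defaults to 'demand'.  'allow' (as in the
    # article) and 'never' let the session proceed on a bad or unknown
    # certificate, so any host answering on port 636 is trusted.
    reqcert = d.get("TLS_REQCERT", ["demand"])[0].lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified; "
                        "point TLS_CACERT at the self-signed slapd.pem and use 'demand'")
    return findings


def audit_cert_file(path):
    """slapd.pem holds the private key, so group/other must have no access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path} mode {mode:04o}: key readable by group or others"]
    return []


if __name__ == "__main__":
    for finding in audit_server(SAMPLE_SLAPD_CONF, SAMPLE_DEFAULT_SLAPD):
        print("server:", finding)
    for finding in audit_client(SAMPLE_LDAP_CONF):
        print("client:", finding)
```

Run against the article's own settings it reports the commented-out TLSCipherSuite, the plaintext ldap:/// listener that is still offered beside ldaps:///, and the TLS_REQCERT allow line. The last one is the point to weigh: the article uses allow so that the self-signed certificate is accepted, but the same setting accepts any certificate; copying slapd.pem (the certificate part only) to the client and naming it in TLS_CACERT lets you keep TLS_REQCERT at its default of demand.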
Test SSL Connection
Test your LDAP lookup.
ldapsearch -xLLL
Test the SSL connection using the openssl command.
openssl s_client -connect server.mybusiness.com:636 -showcerts
In one terminal, start a session using su with an account that is in the LDAP database.
su fred
password:
In a second terminal, check that the connections are ldaps, not ldap:
netstat | grep "ESTAB"
tcp        0      0 dali.local:42946        server.mybusiness.com:ldaps ESTABLISHED
tcp        0      0 dali.local:42948        server.mybusiness.com:ldaps ESTABLISHED
See Also
- OpenLDAP-SambaPDC-OrgInfo-Posix - how to set up Open LDAP for multiple purposes - the article you are reading follows on from this.
- the man pages on the configuration files are often quite useful for understanding how things are set up. Although the information in them is sparse, it will ordinarily be up-to-date and accurate. Run man slapd.conf and man ldap.conf.