

CentOS 6.5 で OpenLDAP(7)OpenLDAPをSSL対応にする

Last updated at Posted at 2014-04-21

前提条件

CentOS 6.5 OpenSSLでオレオレ認証局 - Qiita
上記にて、CA認証局と署名済みのサーバー証明書を作成しておくこと

本来であれば、OpenLDAP は SSL（ldaps://）通信のみを許可すべきであるが、なぜか OpenLDAP サーバー上のクライアントからは SSL で通信できなかった（サーバー証明書の CN/SAN と URI に書いたホスト名/IP の不一致や、クライアント側に CA 証明書が入っていないことが原因である可能性が高いが、未確認）。
そのため、SSL 無しの通信（ldap://）も許可し、ローカルのみ SSL 無し、ローカル以外は SSL 通信のみ、というような iptables を設定することにする。なお、サーバー上のクライアントには Unix ドメインソケット（ldapi:///）という選択肢もあり、こちらなら平文の 389 番ポートに依存せずに済む。iptables が無効になると平文の bind を誰からでも受け付ける状態になるため、設定後に `iptables -L -n` で 389 番ポートがローカル以外から遮断されていることを必ず確認すること。

サーバー側処理

証明書のコピー

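#!/bin/sh
# Copy the CA certificate, server certificate and server private key created
# in the prerequisite article into a directory that belongs to the OpenLDAP
# configuration.  Abort on the first failure so a missing source file does not
# leave a half-populated directory that slapd then fails to start from.
set -e

mkdir -p /etc/openldap/ssl
cp -a /etc/pki/CA/cacert.pem /etc/openldap/ssl/.
cp -a /etc/pki/ssl/server.key /etc/openldap/ssl/.
cp -a /etc/pki/ssl/server.crt /etc/openldap/ssl/.

# The private key must be readable by slapd (which runs as the ldap user) and
# by nobody else: owner root, group ldap, mode 0440.  The two certificates are
# public, but check that cp -a did not carry over a mode that hides them from
# the ldap user.
chown root:ldap /etc/openldap/ssl/server.key
chmod 440 /etc/openldap/ssl/server.key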

OpenLDAP設定変更

TLSCACertificateFile、TLSCertificateFile、TLSCertificateKeyFile の設定を行う（CA 証明書は単一の PEM ファイルなので TLSCACertificateFile を使う。TLSCACertificatePath は CA 証明書を置いた「ディレクトリ」を指定するための項目で、ファイルを指定しても読み込まれない）

/etc/openldap/slapd.conf
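# slapd.conf — TLS-enabled OpenLDAP server (CentOS 6.5).
# Edits here take effect only after the file is converted into slapd.d with
# slaptest (see the restart step below).
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/openssh.schema
include /etc/openldap/schema/sudo.schema

# Protocol: also accept LDAPv2 binds.  v2 is obsolete and has no StartTLS or
# SASL negotiation; keep this only if a legacy client actually needs it.
allow bind_v2

# Runtime files
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# TLS.  cacert.pem is a single PEM file, so it goes in TLSCACertificateFile;
# TLSCACertificatePath is a *directory* option and will not load a single
# file.  server.key must stay root:ldap 0440 (set in the copy step).
TLSCACertificateFile  /etc/openldap/ssl/cacert.pem
TLSCertificateFile    /etc/openldap/ssl/server.crt
TLSCertificateKeyFile /etc/openldap/ssl/server.key

# userPassword: the owner and Manager may write it; anonymous may only use it
# to bind ("auth") and can never read it; everyone else gets nothing.
access to attrs=userPassword
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by anonymous auth
    by * none

# All other attributes: owner and Manager write, anyone (including anonymous)
# reads.  Anonymous read is what nss/sudo lookups rely on, but it also means
# the whole directory is readable by any host that can reach port 636 (or
# port 389 where the iptables rules let it through).
access to *
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by * read

# cn=monitor: readable by Manager only
database monitor
access to *
    by dn.exact="cn=Manager,dc=example,dc=com" read
    by * none

# Main database
database    bdb
suffix      "dc=example,dc=com"
checkpoint  1024 15
rootdn      "cn=Manager,dc=example,dc=com"
# This hash is the one published in the article, i.e. it is public.  Generate
# your own with `slappasswd` and paste its {SSHA} output here, and keep this
# file readable only by root and the ldap user.
rootpw      {SSHA}fCkF7qPmO1cnQsPun1fixcrhCNP+Kerd
directory   /var/lib/ldap

# Indexes for the attributes the nss/sudo clients search on
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub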

OpenLDAPのSSL有効化

SLAPD_LDAPS を yes にする（ldaps:// を 636 番ポートで待ち受けさせる）

/etc/sysconfig/ldap
# /etc/sysconfig/ldap — listener selection for slapd.  Sourced by the init
# script; see man slapd for the -h URL syntax used below.

# Extra command-line options for slapd (none needed here).
#SLAPD_OPTIONS=

# Each of the three switches below adds one listener to slapd's -h argument.
# At least one of them must be 'yes'.

# Plain ldap:/// on port 389 (default: yes).  Left on because clients on the
# server host use it; restrict it to loopback with iptables — or move those
# clients to ldapi:/// — so that no bind ever crosses the network in clear.
SLAPD_LDAP=yes

# ldapi:/// Unix-domain socket (default: yes).  This is the network-free path
# for clients running on the server itself.
SLAPD_LDAPI=yes

# ldaps:/// on port 636 (default: no).  The listener remote clients use.
SLAPD_LDAPS=yes

# Alternatively, list the URLs explicitly.  SLAPD_URLS is merged with the
# three switches above — it neither overrides them nor is overridden by them.
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""

# Seconds to wait for slapd to exit on 'service ldap stop'.
#SLAPD_SHUTDOWN_TIMEOUT=3

# ulimit arguments applied before slapd starts.
#SLAPD_ULIMIT_SETTINGS=""

OpenLDAPサーバー再起動

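#!/bin/sh
# Regenerate the cn=config directory (slapd.d) from slapd.conf and restart
# slapd.  slapd starts from slapd.d when that directory exists, so every
# slapd.conf change has to be converted; the conversion runs as the ldap user
# so the generated files end up owned by the account slapd runs under.
/etc/init.d/slapd stop

# Start from an empty slapd.d so entries from the previous conversion are not
# mixed with the new ones.
rm -rf -- /etc/openldap/slapd.d/*

# slaptest also validates the configuration and exits non-zero when it cannot
# load it (syntax errors, unreadable TLS files, ...).  Do not start slapd on a
# failed conversion: it would either not come up or come up with whatever
# partial slapd.d was written.
if ! sudo -u ldap slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/; then
    echo "slaptest failed: slapd.d not regenerated, slapd left stopped" >&2
    exit 1
fi

/etc/init.d/slapd start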

クライアント側処理

LDAP通信のSSL化

# Point the client's LDAP setup at the server over ldaps:// (port 636);
# --update applies the change to the files authconfig manages.  The per-file
# edits that follow cover what this does not set (CA directory, certificate
# checking) — NOTE(review): compare with the files authconfig wrote to confirm.
authconfig --ldapserver="ldaps://192.168.0.10/" --update

/etc/openldap/ldap.conf 編集

/etc/openldap/ldap.conf
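#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# Trust anchor for the server certificate.  cacert.pem (from the server's
# /etc/pki/CA) must be copied into this directory on the client — the article
# does not show that step.  With an OpenSSL-linked libldap the directory also
# has to be hashed (cacertdir_rehash / c_rehash); alternatively point
# TLS_CACERT at the single file instead of using a directory.
TLS_CACERTDIR /etc/openldap/cacerts

# demand (the library default) rejects the connection when the server
# certificate is missing, not signed by a trusted CA, or does not match the
# name in the URI.  allow accepts *any* certificate, which turns ldaps:// into
# encryption without authentication: any host answering on 636 can pose as
# the server.  Use allow only while debugging; if demand fails, fix the CA
# installation or make the certificate name match 192.168.0.10 (CN or IP
# SAN) rather than weakening this setting.
TLS_REQCERT demand

URI ldaps://192.168.0.10/
BASE dc=example,dc=com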

/etc/nslcd.conf 編集

/etc/nslcd.conf
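# nslcd runs as nslcd:ldap
uid nslcd
gid ldap
uri ldaps://192.168.0.10/
base dc=example,dc=com
ssl yes
# CA directory; cacert.pem has to be installed here on the client (hash the
# directory with cacertdir_rehash if libldap needs it, or use tls_cacertfile).
tls_cacertdir /etc/openldap/cacerts
# Reject a server whose certificate is missing, untrusted or does not match
# 192.168.0.10.  allow would accept any certificate and give no protection
# against a spoofed server; only relax this temporarily while debugging.
tls_reqcert demand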

/etc/ssh/ldap.conf 編集

/etc/ssh/ldap.conf
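uri ldaps://192.168.0.10/
base dc=example,dc=com
# host is the legacy way to name the server; uri above takes precedence where
# both are set.  Kept for older helpers that only read host.
host 192.168.0.10
ssl yes
# CA directory; cacert.pem has to be installed here on the client.
tls_cacertdir /etc/openldap/cacerts
# tls_checkpeer yes asks for certificate verification; tls_reqcert allow
# (where honoured) would undo that by accepting any certificate.  Keep both
# on the strict side so they agree — demand rejects missing, untrusted or
# misnamed server certificates.
tls_checkpeer yes
tls_reqcert demand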

/etc/pam_ldap.conf 編集

/etc/pam_ldap.conf
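uri ldaps://192.168.0.10/
base dc=example,dc=com
# host is the legacy server setting (uri takes precedence where both are
# set); the original read "192.168.0-.10", which is not a valid address.
host 192.168.0.10
ssl yes
# CA directory; cacert.pem has to be installed here on the client.
tls_cacertdir /etc/openldap/cacerts
# tls_checkpeer yes requests verification; a tls_reqcert of allow would
# accept any certificate and cancel that.  demand rejects missing, untrusted
# or misnamed server certificates — keep both strict so they agree.
tls_checkpeer yes
tls_reqcert demand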

/etc/sudo-ldap.conf 編集

/etc/sudo-ldap.conf
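uri ldaps://192.168.0.10/
sudoers_base ou=SUDOers,dc=example,dc=com
bind_timelimit 120
base dc=example,dc=com
# host is the legacy server setting (uri takes precedence where both are
# set); the original read "192.168.0-.10", which is not a valid address.
host 192.168.0.10
ssl yes
# CA directory; cacert.pem has to be installed here on the client.
tls_cacertdir /etc/openldap/cacerts
# sudo decides who gets root from what this lookup returns, so the server
# must be authenticated: tls_checkpeer yes requests verification, and
# tls_reqcert must not be allow (which accepts any certificate).  demand
# rejects missing, untrusted or misnamed server certificates.
tls_checkpeer yes
tls_reqcert demand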

再起動

# Reboot so nslcd, sshd and PAM all pick up the new configuration.  Restarting
# nslcd (service nslcd restart) is presumably enough for the LDAP side —
# TODO confirm before relying on it instead of a reboot.
reboot

確認

SSH確認

クライアントへと鍵認証で接続できるか、確認する
同時に、sudo にて root になれるかも確認する
あわせて、通信が実際に TLS 経由で行われ、サーバー証明書の検証も通っていることを確認する。例: クライアント上で `ldapsearch -x -H ldaps://192.168.0.10/ -b dc=example,dc=com` が成功すること（TLS_REQCERT が demand であれば、証明書検証に失敗した場合は接続エラーになる）、および `openssl s_client -connect 192.168.0.10:636 -CAfile /etc/openldap/cacerts/cacert.pem` の出力に `Verify return code: 0 (ok)` が出ること。
