Introduction to TLS and ldaps
LDAP supports two ways of securing the connection, TLS and ldaps. Each has its own characteristics, and the two cannot be used at the same time:
(1) TLS
TLS, also known as StartTLS, keeps using LDAP's default port 389. After the connection is established, the client instructs the server to switch to TLS mode for encrypted communication. This approach requires the client to place its own certificate on the server side: when the connection is set up, the client sends its certificate to the server, which verifies it. If verification fails, the connection may (depending on configuration) fall back to a plain connection. TLS is technically more flexible and can be used on any port.
(2) ldaps
ldaps is short for the secure LDAP protocol. It uses a separate port, 636. The protocol has a fatal weakness: because there is no CA, the client cannot verify the authenticity of the server, which opens the door to man-in-the-middle attacks, so TLS is recommended instead. Thanks to its simplicity and ease of use, it is still widely used in some environments.
TLS configuration
Environment and step summary
Host | Role | OS |
---|---|---|
k8s-master01 (192.168.126.21) | openldap-server | CentOS 7 |
k8s-worker01 (192.168.126.22) | CA server / openldap-clients | CentOS 7 |
Step | Command | Result / file |
---|---|---|
1. Generate the CA server private key | [root@k8s-worker01 CA]# (umask 077;openssl genrsa -out private/CA.key) | CA.key |
2. Generate the CA server public key (self-signed CA certificate) | [root@k8s-worker01 CA]# openssl req -new -x509 -key private/CA.key >CA.crt | CA.crt |
3. Generate the LDAP server private key | [root@k8s-master01 ~]# openssl genrsa -out ldapsrv02.key | ldapsrv02.key |
4. Generate the LDAP server certificate request | [root@k8s-master01 ~]# openssl req -new -key ldapsrv02.key -out ldapsrv02.csr | ldapsrv02.csr |
5. CA server signs the certificate | [root@k8s-worker01 CA]# openssl ca -in /root/ldapsrv02.csr -out /root/ldapsrv02.crt | ldapsrv02.crt |
6. Server receives the certificates | [root@k8s-worker01 CA]# scp /root/ldapsrv02.crt root@192.168.126.21:/root and [root@k8s-worker01 CA]# scp CA.crt root@192.168.126.21:/etc/openldap/certs/ | CA.crt, ldapsrv02.crt |
7. Configure TLS on the server | sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif | tls.ldif |
8. Restart the server | [root@k8s-master01 ldap]# sudo systemctl restart slapd | |
9. Configure the CA certificate on the client | [root@k8s-worker01 CA]# vim /etc/openldap/ldap.conf and add the two lines TLS_REQCERT allow and TLS_CACERT /etc/openldap/certs/CA.crt | /etc/openldap/ldap.conf |
Client CA certificate configuration
Install the required packages on the client, openldap-clients and openssl:
```
yum install -y openldap-clients
yum install -y openssl
```
Back up the openssl configuration file and edit a few settings:
```
[root@k8s-worker01 CA]# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.bak$(date +%F)
[root@k8s-worker01 CA]# vim /etc/pki/tls/openssl.cnf
```
Change the following settings:
```
certificate = $dir/CA.crt # The CA certificate
private_key = $dir/private/CA.key # The private key
countryName_default = CN
stateOrProvinceName_default = Shanghai
localityName_default = Shanghai
```
Generate the CA private key and CA certificate
```
[root@k8s-worker01 CA]# cd /etc/pki/CA/
[root@k8s-worker01 CA]# touch index.txt
[root@k8s-worker01 CA]# echo 01 >serial
[root@k8s-worker01 CA]# (umask 077;openssl genrsa -out private/CA.key)
Generating RSA private key, 2048 bit long modulus
............+++
................................+++
e is 65537 (0x10001)
[root@k8s-worker01 CA]# ls private/
CA.key
[root@k8s-worker01 CA]# openssl req -new -x509 -key private/CA.key >CA.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shanghai]:
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:192.168.126.22
Email Address []:
```
Generate the server private key and the SSL certificate signing request, and send the request to the CA server for signing
```
[root@k8s-master01 ~]# openssl genrsa -out ldapsrv02.key
[root@k8s-master01 ~]# openssl req -new -key ldapsrv02.key -out ldapsrv02.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:192.168.126.21
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@k8s-master01 ~]# scp ldapsrv02.csr root@192.168.126.22:/root
ldapsrv02.csr
```
The CA server signs the certificate
```
[root@k8s-worker01 CA]# openssl ca -in /root/ldapsrv02.csr -out /root/ldapsrv02.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 9 09:00:10 2024 GMT
Not After : Jun 9 09:00:10 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = IT
organizationalUnitName = IT
commonName = 192.168.126.21
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E5:32:68:5E:12:AB:D8:10:F1:70:FF:ED:25:D4:45:54:A1:0B:2C:25
X509v3 Authority Key Identifier:
keyid:70:2D:CD:81:CF:74:EB:A5:A6:BF:EF:EA:C4:61:64:F7:BD:FC:D6:60
Certificate is to be certified until Jun 9 09:00:10 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Note:
When the OpenLDAP server generates its certificate signing request for the CA, every field except Common Name and Email Address must match the information entered for the CA certificate; otherwise the request cannot be validated.
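The CA steps 1 to 5 above, together with the matching rule from the note, as a script that can be run and checked offline. This is an added example and not the post's own commands: it reproduces the same `openssl genrsa`, `openssl req` and `openssl ca` calls non-interactively (`-subj`, `-batch`) in a throwaway directory instead of /etc/pki/CA, and writes its own minimal ca.cnf whose policy_match section is the same as the stock openssl.cnf one, which is what makes C, ST and O of the CSR have to equal the CA's. The subjectAltName extension is an assumption of this example, not something the post sets; addresses, subject fields and file names follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): CA + server certificate steps 1-5
# run non-interactively, plus the chain check a client performs with TLS_REQCERT demand.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"   # stand-in for /etc/pki/CA

# index.txt, serial and newcerts/ are what `openssl ca` needs; policy_match enforces
# the post's note (C, ST, O must match the CA; L is not listed, so it is dropped).
setup_ca_dir() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    chmod 700 "$CADIR/private"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $CADIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/CA.crt
private_key     = \$dir/private/CA.key
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = IP:192.168.126.21
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}
# Steps 1-2: CA key (umask 077 keeps it owner-only) and self-signed CA certificate.
make_ca() {
    (umask 077; openssl genrsa -out "$CADIR/private/CA.key" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CADIR/ca.cnf" -key "$CADIR/private/CA.key" \
        -days 3650 -subj "/C=CN/ST=Shanghai/L=Shanghai/O=IT/OU=IT/CN=192.168.126.22" \
        -out "$CADIR/CA.crt"
}
# Steps 3-4: server key and CSR.  $1 = file prefix, $2 = subject DN.
make_csr() {
    openssl genrsa -out "$CADIR/$1.key" 2048 2>/dev/null
    openssl req -new -config "$CADIR/ca.cnf" -key "$CADIR/$1.key" -subj "$2" -out "$CADIR/$1.csr"
}
# Step 5: sign with `openssl ca`; exits non-zero when policy_match rejects the CSR.
sign_csr() {
    openssl ca -batch -config "$CADIR/ca.cnf" -in "$CADIR/$1.csr" -out "$CADIR/$1.crt" 2>/dev/null
}
# The check a client with TLS_REQCERT demand performs: chain the cert to CA.crt.
verify_cert() {
    openssl verify -CAfile "$CADIR/CA.crt" "$CADIR/$1.crt" >/dev/null 2>&1
}
# CN of the signed certificate; it must name the server the client connects to.
cert_cn() {
    openssl x509 -in "$CADIR/$1.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
run_demo() {
    setup_ca_dir
    make_ca
    make_csr ldapsrv02 "/C=CN/ST=Shanghai/L=Shanghai/O=IT/OU=IT/CN=192.168.126.21"
    sign_csr ldapsrv02
    verify_cert ldapsrv02 && echo "ldapsrv02.crt chains to CA.crt, CN=$(cert_cn ldapsrv02)"
    # The note in action: ST=Beijing does not match the CA's ST=Shanghai.
    make_csr mismatch "/C=CN/ST=Beijing/O=IT/CN=192.168.126.21"
    if sign_csr mismatch; then echo "BUG: mismatching CSR was signed"
    else echo "mismatching CSR rejected by policy_match"; fi
    echo "files left in $CADIR"
}
if [ "${1:-}" = "run" ]; then run_demo; fi
```

Run it as `sh make_ldap_certs.sh run`; the resulting CA.crt and ldapsrv02.key/ldapsrv02.crt are the three files the server configuration below points at. The second CSR shows why the note matters: `openssl ca` refuses it before signing, which is the error an administrator sees when the CSR fields were typed differently from the CA's.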
Send the signed certificate together with the CA root certificate to the server (the worker is also the LDAP client, so it keeps a copy of CA.crt locally as well)
```
[root@k8s-worker01 CA]# scp /root/ldapsrv02.crt root@192.168.126.21:/root
root@192.168.126.21's password:
ldapsrv02.crt
[root@k8s-worker01 CA]# scp CA.crt root@192.168.126.21:/etc/openldap/certs/
root@192.168.126.21's password:
CA.crt
[root@k8s-worker01 CA]# cp CA.crt /etc/openldap/certs/
```
Enable TLS on the server and point it at the certificate files
```
[root@k8s-master01 ~]# mv ldapsrv02.crt /etc/openldap/certs/
[root@k8s-master01 ~]# mv ldapsrv02.key /etc/openldap/certs/
[root@k8s-master01 ~]# sudo chown -R ldap:ldap /etc/openldap/certs
```
Check the current TLS configuration (still the package defaults at this point):
```
[root@k8s-master01 ~]# slapcat -b "cn=config" | egrep "olcTLSCACertificateFile|olcTLSCertificateFile|olcTLSCertificateKeyFile"
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
```
Create the tls.ldif file and apply it to enable TLS
```
cat > tls.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/CA.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapsrv02.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapsrv02.crt
EOF
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
```
Check the configuration and restart slapd
```
[root@k8s-master01 ldap]# sudo slapcat -b "cn=config" | egrep "olcTLSCACertificateFile|olcTLSCertificateFile|olcTLSCertificateKeyFile"
olcTLSCACertificateFile: /etc/openldap/certs/CA.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapsrv02.key
olcTLSCertificateFile: /etc/openldap/certs/ldapsrv02.crt
[root@k8s-master01 ldap]# sudo systemctl restart slapd
```
On the client, edit /etc/openldap/ldap.conf and add the following two lines
```
[root@k8s-worker01 CA]# vim /etc/openldap/ldap.conf
```
```
TLS_REQCERT allow
TLS_CACERT /etc/openldap/certs/CA.crt
```
Plain (unencrypted) query
```
[root@k8s-worker01 CA]# ldapsearch -x -D "cn=admin,dc=shadow,dc=com" -H ldap://192.168.126.21 -w 123456 -b "dc=shadow,dc=com"
```
Query over TLS: add -ZZ
The -ZZ option means that the query will not fall back to a plain connection after certificate verification fails; with -Z, the query falls back to a plain connection if certificate verification fails. StartTLS is requested on the ldap:// URL (port 389); combining -ZZ with an ldaps:// URL fails, because that connection is already encrypted and cannot be upgraded a second time.
```
[root@k8s-worker01 CA]# ldapsearch -ZZ -x -D "cn=admin,dc=shadow,dc=com" -H ldap://192.168.126.21 -w 123456 -b "dc=shadow,dc=com"
```
ldaps configuration
(1) Open the slapd sysconfig file
```
sudo vi /etc/sysconfig/slapd
```
(2) Add ldaps to SLAPD_URLS
```
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
```
(3) Test with ldaps://127.0.0.1
```
ldapsearch -x -H ldaps://127.0.0.1 -b "dc=shadow,dc=com" -D "cn=admin,dc=shadow,dc=com" -w 123456
```
ldaps and TLS cannot be used at the same time
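A client-side check for both setups described above, the StartTLS query on port 389 and the ldaps listener on 636, as an added example that is not part of the post. It uses `openssl s_client` to perform the handshake against the configured CA file and parses the `Verify return code` line, so the result can be scripted rather than read by eye, and then repeats the check at the LDAP level with `ldapwhoami -ZZ`. That last step sets `LDAPTLS_REQCERT=demand` in the environment (libldap reads the ldap.conf options from `LDAP`-prefixed variables), which overrides the post's `TLS_REQCERT allow`: with `allow`, a server certificate that cannot be verified is accepted silently, whereas `demand` makes the query fail, which is the behaviour you want when confirming that CA.crt actually validates ldapsrv02.crt. The host address and CA path are the post's; the probe functions need network access to the server after slapd has been restarted, while `verify_code` and `describe_probe` work on captured output and run offline on the constructed samples at the end.

```shell
#!/bin/sh
# Added example (not from the original post): probe an OpenLDAP server's TLS setup
# from the client and turn the s_client verdict into a value a script can act on.
set -u

CAFILE="${CAFILE:-/etc/openldap/certs/CA.crt}"   # TLS_CACERT from the post

# Pull the numeric "Verify return code" out of s_client output
# (0 = chain built to CAFILE, 18 = self-signed, 21 = issuer not found, 10 = expired).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Short verdict; an empty code means no TLS handshake completed at all
# (plain-text port, or StartTLS refused by the server).
describe_probe() {
    code=$(verify_code "$1")
    case "$code" in
        "") echo "no-tls" ;;
        0)  echo "verified" ;;
        *)  echo "untrusted($code)" ;;
    esac
}

# StartTLS on 389 (the post's TLS method). `-starttls ldap` needs OpenSSL 1.1.1+;
# CentOS 7's 1.0.2 lacks it, so there only the ldaps probe below applies.
probe_starttls() {
    out=$(printf '' | openssl s_client -connect "$1:389" -starttls ldap -CAfile "$CAFILE" 2>&1)
    describe_probe "$out"
}

# ldaps on 636: the same handshake without the StartTLS upgrade.
probe_ldaps() {
    out=$(printf '' | openssl s_client -connect "$1:636" -CAfile "$CAFILE" 2>&1)
    describe_probe "$out"
}

# LDAP-level check: -ZZ insists on StartTLS succeeding and LDAPTLS_REQCERT=demand
# rejects an unverifiable server certificate even though ldap.conf says "allow".
# Anonymous whoami is enough to drive the handshake; no bind password needed.
probe_ldapsearch() {
    if LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$CAFILE" \
        ldapwhoami -x -ZZ -H "ldap://$1" >/dev/null 2>&1
    then echo "verified"; else echo "failed"; fi
}

# Constructed samples of s_client output (not captured from a real server).
SAMPLE_OK='---
SSL handshake has read 1234 bytes and written 456 bytes
Verification: OK
    Verify return code: 0 (ok)
---'
SAMPLE_SELF_SIGNED='    Verify return code: 18 (self signed certificate)'
SAMPLE_NO_TLS='CONNECTED(00000003)
140123:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:'

if [ "${1:-}" = "run" ]; then
    host="${2:-192.168.126.21}"
    echo "starttls/389: $(probe_starttls "$host")"
    echo "ldaps/636:    $(probe_ldaps "$host")"
    echo "ldapwhoami:   $(probe_ldapsearch "$host")"
fi
```

Run it as `sh ldap_tls_probe.sh run 192.168.126.21`. A `verified` on 389 and `no-tls` on 636 is what the post's TLS-only configuration should produce before the ldaps listener is added; `untrusted(18)` or `untrusted(21)` on either port means the CA file the client uses does not match the issuer of ldapsrv02.crt, which `TLS_REQCERT allow` would otherwise hide.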