centos:ldap:ldaps

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Nächste Überarbeitung		 Vorhergehende Überarbeitung
centos:ldap:ldaps [10.11.2011 20:38. ] – angelegt djangocentos:ldap:ldaps [20.04.2018 10:49. ] (aktuell) – Externe Bearbeitung 127.0.0.1
Zeile 1: Zeile 1:
 +====== Absicherung des OpenLDAP-Servers - LDAPS-Konfiguration ======
 +{{:centos:ldap-logo.png?nolink&167 |OpenLDAP Logo}}
 +
 +
 +Damit unser [[http://www.openldap.org|OpenLDAP-Server]] auch via **ldaps** erreichbar ist, werden wir in diesem Kapitel die Erstellung und Integration eines Server-Zertifikates sowie die nötigen Konfigurationsschritte näher betrachten.
 +
 +===== Zertifikatserstellung =====
 +Für unseren OpenLDAP-Server werden wir ein Zertifikat von der freien Community-Zertifizierungsstelle [[http://cacert.org|CAcert]]. Selbstverständlich kann man sich auch selbst eine CA erstellen und ein selfsigned Zertifikat generieren.
 +Die grundlegende Herangehensweise ist dabei die gleiche; wir werden uns bei der weiteren Betrachtung daher auf die CAcert-Variante beziehen.
 +
 +==== privaten Schlüssel generieren ====
 +Als erstes generieren wir uns einen privaten Schlüssel. 
 +   # openssl genrsa -out /etc/pki/tls/private/private.key 2048
 +
 +   Generating RSA private key, 2048 bit long modulus
 +   ................................................................................+++
 +   ..+++
 +   e is 65537 (0x10001)
 +
 +Über die Dateiberechtigung schützen wir die Datei vor fremden Blicken. 
 +   # chmod 400 /etc/pki/tls/private/private.key
 +
 +Bei Bedarf kann man mit **openssl rsa -in <keyfile> -noout -text** die Schlüsseldatei öffnen und ausgeben lassen. 
 +   # openssl rsa -in /etc/pki/tls/private/private.key -noout -text
 +
 +
 +==== Zertifikatsregistrierungsanforderung ====
 +Damit von [[https://www.cacert.org/|CAcert]] unser digitales Zertifikat erstellt werden kann, benötigen wir ein CSR((**C**ertificate **S**igning **R**equest)), eine Textzeichenfolge, die wir mit Hilfe der SSL-Software **openssl** auf unserem zu zertifizierenden Servers erzeugen. Mit Eingabe eines Punktes **.** erzeugen wir dabei ein leeres Feld.
 +   # openssl req -new -key /etc/pki/tls/private/private.key -out /etc/pki/tls/misc/ldap.dmz.nausch.org.csr
 +<code bash>You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [XX]:DE
 +State or Province Name (full name) []:Bayern
 +Locality Name (eg, city) [Default City]:Pliening
 +Organization Name (eg, company) [Default Company Ltd]:Nausch
 +Organizational Unit Name (eg, section) []:.
 +Common Name (eg, your name or your server's hostname) []:ldap.dmz.nausch.org
 +Email Address []:michael@nausch.org
 +
 +Please enter the following 'extra' attributes
 +to be sent with your certificate request
 +A challenge password []:
 +An optional company name []:
 +</code>
 +Auch hier passen wir die Dateiberechtigung des gerade erstellten CSR((**C**ertificate **S**igning **R**equest)) an. 
 +   # chmod 400 /etc/pki/tls/misc/ldap.dmz.nausch.org.csr
 +
 +Den Inhalt unseres CSR, der gerade erstellten Datei, geben wir dann auf der Seite von [[https://www.cacert.org|CAcert]] im  im Browserfenster bei der Bestellung ein. 
 +
 +Bei Bedarf können wir uns den Inhalt unseres **CSR** in lesbarer Form ausgeben lassen.
 +   # openssl req -noout -text -in /etc/pki/tls/misc/ldap.dmz.nausch.org.csr
 +
 +==== CAcert Server-Zertifikat ====
 +Von [[https://www.cacert.org|CAcert]] erhalten wir dann unser Zertifikat, welches wir in einer einfachen Textdatei auf unserem Server ablegen. 
 +   # vim /etc/pki/tls/certs/ldap.dmz.nausch.org.crt
 +
 +Anschließend passen wir auch hier die Dateiberechtigungen an.
 +   # chmod 400 /etc/pki/tls/certs/ldap.dmz.nausch.org.crt
 +
 +Den Inhalt unseres CAcert-Zertifikates können wir mit folgenden Befehlsaufrufes lesbar ausgeben lassen.
 +   # openssl req -noout -text -in /etc/pki/tls/misc/ldap.dmz.nausch.org.csr
 +
 +==== CAcert Root-Zertifikat ====
 +Von [[https://www.cacert.org|CAcert]] laden wir uns das [[https://www.cacert.org/certs/root.crt|Class 1 Root-Zertifikat]] auf unseren Server.
 +   # wget http://www.cacert.org/certs/root.crt
 +
 +Anschließend überprüfen wir den Fingerprint des heruntergeladenen Root-Zertifikates.
 +   # openssl x509 -noout -fingerprint -in /etc/pki/tls/certs/root.crt 
 +
 +   SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
 +
 +Diesen vergleichen wir mit den Angaben auf der Webseite von [[https://www.cacert.org/index.php?id=3|CAcert]].
 +
 +===== Konfiguration =====
 +==== Schlüsseldateien ablegen ====
 +Für unsere OpenLDAP-Installation legen wir uns am besten einen eigenen Unterordner unter **/etc/pki** an.
 +   # mkdir -p /etc/pki/ldap/certs
 +
 +   # mkdir -p /etc/pki/ldap/private
 +   
 +Anschließend legen wir dort die drei benötigten Dateien ab:
 +  - unseren //Serverzertifikat// : **servercert.pem** <code># cp /etc/pki/tls/certs/ldap.dmz.nausch.org.crt /etc/pki/ldap/certs/servercert.pem</code>
 +  - unseren //Serverschlüssel// : **serverkey.pem** und <code># cp /etc/pki/tls/private/private.key /etc/pki/ldap/PRIVATE/serverkey.pem</code>
 +  - das //CA-Zertifikat// : **cacert.pem** <code># cp /etc/pki/tls/certs/root.crt /etc/pki/ldap/certs/cacert.pem</code>
 +
 +Abschließend passen wir noch die Datei- und Nutzerberechtigungen an.
 +  - <code> # chown root:ldap /etc/pki/openldap/certs/*</code><code> # chmod 640 /etc/pki/openldap/certs*</code>
 +  - <code> # chown root:ldap /etc/pki/openldap/private/*</code><code> # chmod 640 /etc/pki/openldap/private*</code>
 +
 +
 +==== Anpassen der /etc/sysconfig/ldap (Server) ====
 +Damit unser OpenLDAP-Server zukünftig LDAPS auf Port **636** unter **IPv4** zur verfügung stellen kann, bearbeiten wir nun die systemweite Konfigurationsdatei.
 +   # vim /etc/sysconfig/ldap
 +<file bash /etc/sysconfig/ldap>
 +# Options of slapd (see man slapd)
 +#SLAPD_OPTIONS=
 +# Django : 2011-11-11 LDAPs - Konfiguration
 +# default : SLAPD_OPTIONS=
 +# Nur IPv4 Unterstützung aktiviert
 +SLAPD_OPTIONS="-4"
 +
 +# options of slurpd (see man slurpd)
 +#   
 +#SLURPD_OPTIONS=
 +
 +# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
 +#
 +# Run slapd with -h "... ldap:/// ..."
 +#   yes/no, default: yes
 +#SLAPD_LDAP=yes
 +
 +# Run slapd with -h "... ldapi:/// ..."
 +#   yes/no, default: no
 +#SLAPD_LDAPI=no
 +
 +# Run slapd with -h "... ldaps:/// ..."
 +#   yes/no, default: no
 +#SLAPD_LDAPS=no
 +# Django : 2011-11-11 LDAPs - Konfiguration
 +# default : SLAPD_LDAPS=no
 +SLAPD_LDAPS=yes
 +
 +# Run slapd with -h "... $SLAPD_URLS ..."
 +# This option could be used instead of previous three ones, but:
 +# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
 +# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
 +# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
 +# default: empty
 +#SLAPD_URLS=""
 +
 +# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
 +#SLAPD_SHUTDOWN_TIMEOUT=3
 +
 +# Parameters to ulimit called right before starting slapd
 +# - use this to change system limits for slapd
 +#SLAPD_ULIMIT_SETTINGS=""
 +   
 +</file>
 +Nähere Informationen zu den möglichen Parametern entnehmen wir der zugehörigen Manpage.
 +   # man slapd
 +
 +==== LDAPS Konfiguration .LDIF ====
 +Da wir unsere Konfiguration des OpenLDAP-Servers mit Hilfe von **.LDIF**-Datreien realisiert haben, werden wir nun eine passende **.LDIF**-Datei erstellen und diese anschließend in das System importieren.
 +   # vim /etc/openldap/ldif/TLS.ldif
 +<file bash /etc/openldap/ldif/TLS.ldif>
 +dn: cn=config
 +changetype: modify
 +add: olcTLSCipherSuite
 +olcTLSCipherSuite: HIGH
 +-
 +add: olcTLSCertificateFile
 +olcTLSCertificateFile: /etc/pki/openldap/certs/servercert.pem
 +-
 +add: olcTLSCertificateKeyFile
 +olcTLSCertificateKeyFile: /etc/pki/openldap/private/serverkey.pem
 +-
 +add: olcTLSCACertificateFile
 +olcTLSCACertificateFile: /etc/pki/openldap/certs/cacert.pem
 +</file>
 +
 +Anschließend importieren wir unsere **LDIF**-Konfigurationsdatei in den laufenden OpenLDAP-Server
 +   # ldapmodify -W -x -D cn=config -f /etc/openldap/ldif/TLS.ldif
 +
 +   Enter LDAP Password: 
 +   modifying entry "cn=config"
 +
 +Mit einer LDAP-Suche im OpenLDAP-Server mit dem //CommonNAme// **config** können wir uns davon überzeugen, dass der Import entsprechend geklappt hat.
 +   # ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"
 +<code bash>
 +Enter LDAP Password: 
 +# extended LDIF
 +#
 +# LDAPv3
 +# base <cn=config> with scope subtree
 +# filter: (objectclass=olcGlobal)
 +# requesting: ALL
 +#
 +
 +# config
 +dn: cn=config
 +objectClass: olcGlobal
 +cn: config
 +olcConfigFile: /etc/openldap/slapd.conf
 +olcConfigDir: /etc/openldap/slapd.d
 +olcAllows: bind_v2
 +olcArgsFile: /var/run/openldap/slapd.args
 +olcAttributeOptions: lang-
 +olcAuthzPolicy: none
 +olcConcurrency: 0
 +olcConnMaxPending: 100
 +olcConnMaxPendingAuth: 1000
 +olcDisallows: bind_anon
 +olcGentleHUP: FALSE
 +olcIdleTimeout: 15
 +olcIndexSubstrIfMaxLen: 4
 +olcIndexSubstrIfMinLen: 2
 +olcIndexSubstrAnyLen: 4
 +olcIndexSubstrAnyStep: 2
 +olcIndexIntLen: 4
 +olcLocalSSF: 71
 +olcLogLevel: Stats
 +olcPidFile: /var/run/openldap/slapd.pid
 +olcReadOnly: FALSE
 +olcReferral: ldap://ldap.dmz.nausch.org
 +olcRequires: authc
 +olcReverseLookup: FALSE
 +olcSaslSecProps: noplain,noanonymous
 +olcSockbufMaxIncoming: 262143
 +olcSockbufMaxIncomingAuth: 16777215
 +olcThreads: 16
 +olcTLSCRLCheck: none
 +olcTLSVerifyClient: never
 +olcToolThreads: 1
 +olcWriteTimeout: 0
 +olcTLSCipherSuite: HIGH
 +olcTLSCertificateFile: /etc/pki/openldap/certs/servercert.pem
 +olcTLSCertificateKeyFile: /etc/pki/openldap/private/serverkey.pem
 +olcTLSCACertificateFile: /etc/pki/openldap/certs/cacert.pem
 +
 +# search result
 +search: 2
 +result: 0 Success
 +
 +# numResponses: 2
 +# numEntries: 1
 +</code>
 +
 +==== Aktivierung der OpenLDAP-Konfiguration ====
 +Damit nun unser OpenLDAP-server auch wirklich LDAPS sprechen kann müssen wir diesen nun einmal durchstarten.
 +   # service slapd restart
 +
 +   Stopping slapd:                                            [  OK  ]
 +   Starting slapd:                                            [  OK  ]
 +
 +Ob nun der OpenLDAP-Server auch auf den beiden Ports **389** und **636** lauscht überprüfen wir mit Hilfe des Programmes **netstat**.
 +   # netstat -tulpen | grep slapd
 +
 +   tcp        0      0 0.0.0.0:636                 0.0.0.0:                  LISTEN      0          65657      27311/slapd         
 +   tcp        0      0 0.0.0.0:389                 0.0.0.0:                  LISTEN      0          65655      27311/slapd
 +
 +Unser verwendetes [[https://www.cacert.org|CAcert Serverzertifikat]] können wir mit Hilfe von **openssl** überprüfen.
 +   # openssl s_client -connect ldap.dmz.nausch.org:636 -showcerts -state -CAfile /etc/pki/openldap/certs/cacert.pem -cert /etc/pki/openldap/certs/servercert.pem -key /etc/pki/openldap/private/serverkey.pem
 +<code bash>
 +CONNECTED(00000003)
 +SSL_connect:before/connect initialization
 +SSL_connect:SSLv2/v3 write client hello A
 +SSL_connect:SSLv3 read server hello A
 +depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
 +verify return:1
 +depth=0 CN = ldap.dmz.nausch.org
 +verify return:1
 +SSL_connect:SSLv3 read server certificate A
 +SSL_connect:SSLv3 read server done A
 +SSL_connect:SSLv3 write client key exchange A
 +SSL_connect:SSLv3 write change cipher spec A
 +SSL_connect:SSLv3 write finished A
 +SSL_connect:SSLv3 flush data
 +SSL_connect:SSLv3 read server session ticket A
 +SSL_connect:SSLv3 read finished A
 +---
 +Certificate chain
 + 0 s:/CN=ldap.dmz.nausch.org
 +   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 +-----BEGIN CERTIFICATE-----
 +MIIE4TCCAsmgAwIBAgIDCvFhMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
 +b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
 +Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
 +dEBjYWNlcnQub3JnMB4XDTExMTExMDIxMTMyMFoXDTEzMTEwOTIxMTMyMFowHjEc
 +MBoGA1UEAxMTbGRhcC5kbXoubmF1c2NoLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD
 +ggEPADCCAQoCggEBAMm8BoT246isZpY6mz+VU6WQS75NHJBSuYQcrh1O8JuheAq3
 +2XpVRqO4uIEhAcyrqMjR2Sjg4XqOlx39mAtbnvN1Era7Cb2geTNRQsagmINA2LOu
 +7zt4CsKE92KdQhgohnS/Tm6K4I5ssXMFK1UhtCD9uu2eBFNYNgWHf0B7AVRVh3yX
 +o+bUbTL0Lt2CSpA0dnNauT+rPpC3gOjaEXEtOFOIMOtIz+UkCxLsXh1baG3Hjgio
 +hq8EfN9yrlg7wpNo2b1IUWaqIYEkcl0l+f9+eCPIkMgw2PhR4e4Xlw8h2ffd/Cfw
 +TFeNYH37bJ8JvSd2PWzpcZsosMCqblOdjkz1XE8CAwEAAaOBzDCByTAMBgNVHRMB
 +Af8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJYIZIAYb4QgQB
 +BgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEFBQcBAQQnMCUwIwYIKwYB
 +BQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMEEGA1UdEQQ6MDiCE2xkYXAu
 +ZG16Lm5hdXNjaC5vcmegIQYIKwYBBQUHCAWgFQwTbGRhcC5kbXoubmF1c2NoLm9y
 +ZzANBgkqhkiG9w0BAQUFAAOCAgEAk4eKyTcz/uoK4cXvG6GaZzfBp+iohwE/KeLs
 +mLI1LN0XUfouIOhfV6vNnRoH+Odus+wy25FRbnYAYKJNPCyIY9iH5iKH988rx2oQ
 ++XtVUHuD0dOOuDi4fIhXyXjfPGYJ3hI5TYTH7eU2bv+2egNr0dnrgOZPgN9ql1yP
 +H7moM+8I7zMYrISUzjGdvJNpXIXQlvu/jLRCtJRUoDfa5CYK5XjxGrCdWFupMUYu
 +jcKNvnhOPLtcy5C7L0HfYfjNvYMDGFhBgho74mX5Z7qkQw6chQwdSoDENsHxdQOa
 +AkGjubQ6wEaI36BN4IG7zu4nSI1sn0r76JBOeeAglLJnGT7+y0CPnExuo/Pa8hzd
 +N4S6BlSKHU0vvfk3FxEQZ3osV0aIzr+8qPTK7CmsDLplZfvvUiWJ8XduutiBvmSe
 +AWX0dufY8AtlyoGTZRSGo3dvLK1rxvElxRQrFP2y7HN7NhMl2MjyHRW92nJoet4H
 +RnL+mEZW0FmLYPD/FzD1axYf5bwcgz8fQuJSD3dXPpSWhsqVODFfGhQPQwPLaKTl
 +Pj32C6BqHcWBpUWddyF3hAzLolNmgWYZnCXru0GDJ/qrm/z7NFQWTSLpeU4SW4au
 +T1CdPEwqXapAvRxcerm6xUHomoBrm5Rp+yTnbOoL4CPhuT8bNJimazTFTaNZRfP4
 +g5lnaak=
 +-----END CERTIFICATE-----
 + 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 +   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 +-----BEGIN CERTIFICATE-----
 +MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
 +IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
 +IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
 +Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
 +BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
 +MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
 +ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
 +CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
 +8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
 +zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
 +fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
 +w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
 +G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
 +epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
 +laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
 +QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
 +fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
 +YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
 +ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
 +gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
 +MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
 +IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
 +dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
 +czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
 +dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
 +aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
 +AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
 +b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
 +ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
 +nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
 +18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
 +gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
 +Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
 +sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
 +SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
 +CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
 +GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
 +zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
 +omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
 +-----END CERTIFICATE-----
 +---
 +Server certificate
 +subject=/CN=ldap.dmz.nausch.org
 +issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 +---
 +No client certificate CA names sent
 +---
 +SSL handshake has read 3445 bytes and written 439 bytes
 +---
 +New, TLSv1/SSLv3, Cipher is AES256-SHA
 +Server public key is 2048 bit
 +Secure Renegotiation IS supported
 +Compression: zlib compression
 +Expansion: zlib compression
 +SSL-Session:
 +    Protocol  : TLSv1
 +    Cipher    : AES256-SHA
 +    Session-ID: 9501557C4CDF9E555B52430A74226B9E2C8F28C4DCC81786E8BC092BB4694CD7
 +    Session-ID-ctx: 
 +    Master-Key: C17E92622EF087873AB9D3D13AAE9DB96D41491C2D97CBA0B95F0FF16A219FE51AF3A559E7AE1666FAD5B54602EE4778
 +    Key-Arg   : None
 +    Krb5 Principal: None
 +    PSK identity: None
 +    PSK identity hint: None
 +    TLS session ticket:
 +    0000 - 89 36 bc f1 45 7d 8b de-23 88 7b 01 2e ba e6 8b   .6..E}..#.{.....
 +    0010 - 38 72 be ca c8 37 cf e0-56 16 eb 8f be 54 f3 91   8r...7..V....T..
 +    0020 - 7e c6 f6 eb 1a 82 b8 87-8b 5c 10 ef 2c 4a 8b ef   ~........\..,J..
 +    0030 - cc 55 03 dd 6b 25 77 7e-81 68 c7 f2 01 fc 23 e2   .U..k%w~.h....#.
 +    0040 - 98 88 8b a7 69 e6 79 6b-ae ae 77 54 f2 7e ab 54   ....i.yk..wT.~.T
 +    0050 - 70 e1 5a 31 98 b9 dd 42-4a 64 cd 2f e6 d5 2f 77   p.Z1...BJd./../w
 +    0060 - 0d 6d 5f 44 c0 bc fa 85-9b 38 ba 53 68 06 4c fe   .m_D.....8.Sh.L.
 +    0070 - 41 93 80 28 af 56 0a ed-47 2b 89 32 b9 65 34 0c   A..(.V..G+.2.e4.
 +    0080 - d8 00 a4 86 b8 db d3 40-33 0e 3c db 97 ed 01 2b   .......@3.<....+
 +    0090 - f1 92 fe ea a0 d2 03 4d-11 b8 90 fb a7 be c6 5a   .......M.......Z
 +    00a0 - 3a aa b7 54 f8 fd 70 18-df 1e 36 40 4e 97 02 12   :..T..p...6@N...
 +
 +    Compression: 1 (zlib compression)
 +    Start Time: 1321002877
 +    Timeout   : 300 (sec)
 +    Verify return code: 0 (ok)
 +---
 +SSL3 alert read:warning:close notify
 +closed
 +SSL3 alert write:warning:close notify
 +</code>
 +==== Anpassen der /etc/openldap/ldap.conf (Client) ====
 +Für die Konfiguration des LADP-Clients auf dem Server, erweitern wir die betreffende Konfigurationsdatei im Verzeichnis //**/etc/openladp/**//.
 +   # vim /etc/openldap/ldap.conf
 +<file bash /etc/openldap/ldap.conf>
 +#
 +# LDAP Defaults
 +#
 +
 +# See ldap.conf(5) for details
 +# This file should be world readable but not world writable.
 +
 +#BASE   dc=example, dc=com
 +#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 +
 +# Django: 2011-10-26
 +BASE    dc=nausch, dc=org               # Definition des standardmäßig abgefragten Teilbaums / Searchbase
 +                                        # Anfragen werden unterhalb von dc=nausch, dc=org ausgeführt.
 +URI     ldap://ldap.dmz.nausch.org      # Definition des LDAP-Servers 
 +
 +# Django: 2011-11-11 LDAPs Konfigiuration
 +#  TLS_REQCERT allow
 +#              Specifies what checks to perform on server certificates in a TLS session, if any.
 +#              The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad
 +#              certificate is provided, it will be ignored and the session proceeds normally.
 +
 +TLS_REQCERT allow
 +
 +#SIZELIMIT      12
 +#TIMELIMIT      15
 +#DEREF          never
 +</file>
 +
 +===== Konfigurationstest =====
 +Nun ist es an der Zeit unsere erste Suchanfrage über unseren neu geschaffenen verschlüsselten Weg an unseren OpenLDAP-Server zu richten:
 +   # ldapsearch -x -LLL -H ldaps://ldap.dmz.nausch.org -b "dc=nausch,dc=org" "uid=django" -W -D "cn=Technischeruser,dc=nausch,dc=org"
 +<code bash>Enter LDAP Password: 
 +dn: uid=django,ou=People,dc=nausch,dc=org
 +uid: django
 +cn: Django
 +objectClass: account
 +objectClass: posixAccount
 +objectClass: top
 +objectClass: shadowAccount
 +userPassword:: e2NyeXB0fSQ2JENna3VQVFplJDRiT2wvR2dSMUg4OWlxQjRtaU4yYVN5VndHUWE
 + 2SVlubW40eGlGdzJkVjRsbWNKakRoYzlxd2tFYWJQdTZUL1BITWNXcWFLbW9KUnd6NlhwVTd3Vm0x
 +shadowLastChange: 15272
 +shadowMin: 0
 +shadowMax: 99999
 +shadowWarning: 7
 +loginShell: /bin/bash
 +uidNumber: 500
 +gidNumber: 500
 +homeDirectory: /home/django
 +gecos: Django
 +</code>
 +
 +Im LDAP-Log wird unsere erfolgreiche //**verschlüsselte Abfrage**// über Port **636** entsprechend dokumentiert.
 +   # tail -f /var/log/ldap.log
 +<code bash>
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 fd=16 ACCEPT from IP=10.0.0.30:60097 (IP=0.0.0.0:636)
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 fd=16 TLS established tls_ssf=256 ssf=256
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=0 BIND dn="cn=Technischeruser,dc=nausch,dc=org" method=128
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=0 BIND dn="cn=Technischeruser,dc=nausch,dc=org" mech=SIMPLE ssf=0
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=0 RESULT tag=97 err=0 text=
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=1 SRCH base="dc=nausch,dc=org" scope=2 deref=0 filter="(uid=django)"
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=2 UNBIND
 +Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 fd=16 closed
 +</code>
 +===== Clientkonfiguration (LDAPS Auth mit techn. User) =====
 +Bei der Absicherung unserer Clientabfragen mittels TLS setzen wir auf unsere bereits [[centos:ldap:tecbind|vorhanden Grundinstallation mit einem technischen User]] auf.
 +
 +Die abschließende Konfiguration nehmen wir mit Hilfe vom **system-config-authentication** vor.
 +   # system-config-authentication
 +
 +In dem folgendem Fenster aktivieren wir erst einmal die notwendige TLS-Verschlüsselung, in dem wir die **[Auswahlbox]]** bei **Use __T__LS to mencrypt connections** anwählen.
 +
 +{{ :centos:ldap:ldap_auth_tls_1.png?300 |Bildschirmhardcopy: Definition des Nutzer-Authentifizierung}}
 +
 +Als nächstes müssen wir noch das Rootzertifikat der //CA// herunterladen, damit der Client später seine Anfragen mit Hilfe dieses Zertifikates verschlüsseln und an den OpenLDAP-Server übertragen kann. Wir wählen hier zu den Menüpunkt **__D__ownload CA Certificate...** aus.
 +
 +{{ :centos:ldap:ldap_auth_tls_2.png?300 |Bildschirmhardcopy: Definition des Nutzer-Authentifizierung}}
 +
 +Dort tragen wir die URL des [[http://www.cacert.org/certs/root.crt|Class 1 PKI Keys]] **http://www.cacert.org/certs/root.crt** ein.
 +
 +{{ :centos:ldap:ldap_auth_tls_3.png?350 |Bildschirmhardcopy: Definition des Nutzer-Authentifizierung}}
 +
 +Abschließend verlassen wir das Konfigurationsfenster in dem wir die Schaltfläche **__A__pply** anwählen.
 +
 +Mit Hilfe eines geschickten Find-Befehles ermitteln wir nun, welche Konfigurationsdateien durch die vorangegangene Konfiguration in der GUI von **system-config-authentication** angetastet wurden.
 +
 +   # find -type f -printf '%TY.%Tm.%Td %p\n' | sort -nr | more
 +<code bash>
 +2011.11.11 ./pam_ldap.conf
 +2011.11.11 ./pam.d/system-auth-ac
 +2011.11.11 ./pam.d/smartcard-auth-ac
 +2011.11.11 ./pam.d/password-auth-ac
 +2011.11.11 ./pam.d/fingerprint-auth-ac
 +2011.11.11 ./openldap/ldap.conf
 +2011.11.11 ./openldap/cacerts/authconfig_downloaded.pem
 +2011.11.10 ./sysconfig/authconfig
 +2011.11.10 ./nsswitch.conf
 +</code>
 +
 +==== pam_ldap.conf ====
 +In der Konfigurationsdatei //**/etc/pam_ldap.conf**// tragen wir folgende Daten nach:
 +  * **binddn dc=nausch,dc=org**
 +  * **bindpw Klaus-ist-der-groesste!**
 +  * **uri ldap://ldap.dmz.nausch.org**
 +  * **ssl start_tls**
 +  * **tls_cacertdir /etc/openldap/cacerts**
 +  * **pam_password sha512**
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/pam_ldap.conf
 +<file bash /etc/pam_ldap.conf>
 +# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
 +#
 +# This is the configuration file for the LDAP nameservice
 +# switch library and the LDAP PAM module.
 +#
 +# The man page for this file is pam_ldap(5)
 +#
 +# PADL Software
 +# http://www.padl.com
 +#
 +
 +# Your LDAP server. Must be resolvable without using LDAP.
 +# Multiple hosts may be specified, each separated by a 
 +# space. How long nss_ldap takes to failover depends on
 +# whether your LDAP client library supports configurable
 +# network or connect timeouts (see bind_timelimit).
 +
 +# Django : 2011-10-28 LDAP Client-Authentication
 +# default : host 127.0.0.1
 +
 +# The distinguished name of the search base.
 +# Django : 2011-11-10 LDAP Client-Authentication
 +# base dc=example,dc=com
 +binddn dc=nausch,dc=org
 +
 +# Another way to specify your LDAP server is to provide an
 +# uri with the server name. This allows to use
 +# Unix Domain Sockets to connect to a local LDAP Server.
 +#uri ldap://127.0.0.1/
 +#uri ldaps://127.0.0.1/   
 +#uri ldapi://%2fvar%2frun%2fldapi_sock/
 +# Note: %2f encodes the '/' used as directory separator
 +
 +# The LDAP version to use (defaults to 3
 +# if supported by client library)
 +#ldap_version 3
 +
 +# The distinguished name to bind to the server with.
 +# Optional: default is to bind anonymously.
 +#binddn cn=proxyuser,dc=example,dc=com
 +
 +# The credentials to bind with. 
 +# Optional: default is no credential.
 +#bindpw secret
 +# Django : 2011-11-10 LDAP Client-Authentication
 +bindpw Klaus-ist-der-groesste!
 +
 +# The distinguished name to bind to the server with
 +# if the effective user ID is root. Password is
 +# stored in /etc/ldap.secret (mode 600)
 +#rootbinddn cn=manager,dc=example,dc=com
 +
 +# The port.
 +# Optional: default is 389.
 +#port 389
 +
 +# The search scope.
 +#scope sub
 +#scope one
 +#scope base
 +
 +# Search timelimit
 +#timelimit 30
 +
 +# Bind/connect timelimit
 +#bind_timelimit 30
 +
 +# Reconnect policy: hard (default) will retry connecting to
 +# the software with exponential backoff, soft will fail
 +# immediately.
 +#bind_policy hard
 +
 +# Idle timelimit; client will close connections
 +# (nss_ldap only) if the server has not been contacted
 +# for the number of seconds specified below.
 +#idle_timelimit 3600
 +
 +# Filter to AND with uid=%s
 +#pam_filter objectclass=account
 +
 +# The user ID attribute (defaults to uid)
 +#pam_login_attribute uid
 +
 +# Search the root DSE for the password policy (works
 +# with Netscape Directory Server)
 +#pam_lookup_policy yes
 +
 +# Check the 'host' attribute for access control
 +# Default is no; if set to yes, and user has no
 +# value for the host attribute, and pam_ldap is
 +# configured for account management (authorization)
 +# then the user will not be allowed to login.
 +#pam_check_host_attr yes
 +
 +# Check the 'authorizedService' attribute for access
 +# control
 +# Default is no; if set to yes, and the user has no
 +# value for the authorizedService attribute, and
 +# pam_ldap is configured for account management
 +# (authorization) then the user will not be allowed
 +# to login.
 +#pam_check_service_attr yes
 +
 +# Group to enforce membership of
 +#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
 +
 +# Group member attribute
 +#pam_member_attribute uniquemember
 +
 +# Specify a minium or maximum UID number allowed
 +#pam_min_uid 0
 +#pam_max_uid 0
 +
 +# Template login attribute, default template user
 +# (can be overriden by value of former attribute
 +# in user's entry)
 +#pam_login_attribute userPrincipalName
 +#pam_template_login_attribute uid
 +#pam_template_login nobody
 +
 +# HEADS UP: the pam_crypt, pam_nds_passwd,
 +# and pam_ad_passwd options are no
 +# longer supported.
 +#
 +# Do not hash the password at all; presume
 +# the directory server will do it, if
 +# necessary. This is the default.
 +#pam_password clear
 +
 +# Hash password locally; required for University of
 +# Michigan LDAP server, and works with Netscape
 +# Directory Server if you're using the UNIX-Crypt
 +# hash mechanism and not using the NT Synchronization
 +# service. 
 +#pam_password crypt
 +
 +# Remove old password first, then update in
 +# cleartext. Necessary for use with Novell
 +# Directory Services (NDS)
 +#pam_password clear_remove_old
 +#pam_password nds
 +
 +# RACF is an alias for the above. For use with
 +# IBM RACF
 +#pam_password racf
 +
 +# Update Active Directory password, by
 +# creating Unicode password and updating
 +# unicodePwd attribute.
 +#pam_password ad
 +
 +# Use the OpenLDAP password change
 +# extended operation to update the password.
 +#pam_password exop
 +
 +# Redirect users to a URL or somesuch on password
 +# changes.
 +#pam_password_prohibit_message Please visit http://internal to change your password.
 +
 +# RFC2307bis naming contexts
 +# Syntax:
 +# nss_base_XXX          base?scope?filter
 +# where scope is {base,one,sub}
 +# and filter is a filter to be &'d with the
 +# default filter.
 +# You can omit the suffix eg:
 +# nss_base_passwd       ou=People,
 +# to append the default base DN but this
 +# may incur a small performance impact.
 +#nss_base_passwd        ou=People,dc=example,dc=com?one
 +#nss_base_shadow        ou=People,dc=example,dc=com?one
 +#nss_base_group         ou=Group,dc=example,dc=com?one
 +#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
 +#nss_base_services      ou=Services,dc=example,dc=com?one
 +#nss_base_networks      ou=Networks,dc=example,dc=com?one
 +#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
 +#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
 +#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
 +#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
 +#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
 +#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
 +#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one
 +
 +# attribute/objectclass mapping
 +# Syntax:
 +#nss_map_attribute      rfc2307attribute        mapped_attribute
 +#nss_map_objectclass    rfc2307objectclass      mapped_objectclass
 +
 +# configure --enable-nds is no longer supported.
 +# NDS mappings
 +#nss_map_attribute uniqueMember member
 +
 +# Services for UNIX 3.5 mappings
 +#nss_map_objectclass posixAccount User
 +#nss_map_objectclass shadowAccount User
 +#nss_map_attribute uid msSFU30Name
 +#nss_map_attribute uniqueMember msSFU30PosixMember
 +#nss_map_attribute userPassword msSFU30Password
 +#nss_map_attribute homeDirectory msSFU30HomeDirectory
 +#nss_map_attribute homeDirectory msSFUHomeDirectory
 +#nss_map_objectclass posixGroup Group
 +#pam_login_attribute msSFU30Name
 +#pam_filter objectclass=User
 +#pam_password ad
 +
 +# configure --enable-mssfu-schema is no longer supported.
 +# Services for UNIX 2.0 mappings
 +#nss_map_objectclass posixAccount User
 +#nss_map_objectclass shadowAccount user
 +#nss_map_attribute uid msSFUName
 +#nss_map_attribute uniqueMember posixMember
 +#nss_map_attribute userPassword msSFUPassword
 +#nss_map_attribute homeDirectory msSFUHomeDirectory
 +#nss_map_attribute shadowLastChange pwdLastSet
 +#nss_map_objectclass posixGroup Group
 +#nss_map_attribute cn msSFUName
 +#pam_login_attribute msSFUName
 +#pam_filter objectclass=User
 +#pam_password ad
 +
 +# RFC 2307 (AD) mappings
 +#nss_map_objectclass posixAccount user
 +#nss_map_objectclass shadowAccount user
 +#nss_map_attribute uid sAMAccountName
 +#nss_map_attribute homeDirectory unixHomeDirectory
 +#nss_map_attribute shadowLastChange pwdLastSet
 +#nss_map_objectclass posixGroup group
 +#nss_map_attribute uniqueMember member
 +#pam_login_attribute sAMAccountName
 +#pam_filter objectclass=User
 +#pam_password ad
 +
 +# configure --enable-authpassword is no longer supported
 +# AuthPassword mappings
 +#nss_map_attribute userPassword authPassword
 +
 +# AIX SecureWay mappings
 +#nss_map_objectclass posixAccount aixAccount
 +#nss_base_passwd ou=aixaccount,?one
 +#nss_map_attribute uid userName
 +#nss_map_attribute gidNumber gid
 +#nss_map_attribute uidNumber uid
 +#nss_map_attribute userPassword passwordChar
 +#nss_map_objectclass posixGroup aixAccessGroup
 +#nss_base_group ou=aixgroup,?one
 +#nss_map_attribute cn groupName
 +#nss_map_attribute uniqueMember member
 +#pam_login_attribute userName
 +#pam_filter objectclass=aixAccount
 +#pam_password clear
 +
 +# Netscape SDK LDAPS
 +#ssl on
 +
 +# Netscape SDK SSL options
 +#sslpath /etc/ssl/certs
 +
 +# OpenLDAP SSL mechanism
 +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
 +#ssl start_tls
 +#ssl on
 +
 +# OpenLDAP SSL options
 +# Require and verify server certificate (yes/no)
 +# Default is to use libldap's default behavior, which can be configured in
 +# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
 +# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
 +#tls_checkpeer yes
 +
 +# CA certificates for server certificate verification
 +# At least one of these are required if tls_checkpeer is "yes"
 +#tls_cacertfile /etc/ssl/ca.cert
 +#tls_cacertdir /etc/ssl/certs
 +
 +# Seed the PRNG if /dev/urandom is not provided
 +#tls_randfile /var/run/egd-pool
 +
 +# SSL cipher suite
 +# See man ciphers for syntax
 +#tls_ciphers TLSv1
 +
 +# Client certificate and key
 +# Use these, if your server requires client authentication.
 +#tls_cert
 +#tls_key
 +
 +# Disable SASL security layers. This is needed for AD.
 +#sasl_secprops maxssf=0
 +
 +# Override the default Kerberos ticket cache location.
 +#krb5_ccname FILE:/etc/.ldapcache
 +
 +# SASL mechanism for PAM authentication - use is experimental
 +# at present and does not support password policy control
 +#pam_sasl_mech DIGEST-MD5
 +
 +# Django : 2011-10-28 LDAP Client-Authentication, automatisch eingetragen mit Hilfe von authconfig
 +uri ldap://ldap.dmz.nausch.org
 +ssl start_tls
 +tls_cacertdir /etc/openldap/cacerts
 +pam_password sha256
 +
 +</file>
 +
 +
 +==== system-auth ====
 +Es wurden auch folgenden **pam.d**-Konfigurationsdateien angepasst:
 +
 +  * **/etc/pam.d/fingerprint-auth**
 +  * **/etc/pam.d/password-auth**
 +  * **/etc/pam.d/smartcard-auth**
 +  * **/etc/pam.d/smtp**
 +  * **/etc/pam.d/system-auth**
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/pam.d/fingerprint-auth
 +<file bash /etc/pam.d/fingerprint-auth>
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_fprintd.so
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so broken_shadow
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 +account     required      pam_permit.so
 +
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     optional      pam_oddjob_mkhomedir.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     optional      pam_ldap.so
 +</file>
 +
 +   # vim /etc/pam.d/password-auth
 +<file bash /etc/pam.d/password-auth>
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_unix.so nullok try_first_pass
 +auth        requisite     pam_succeed_if.so uid >= 500 quiet
 +auth        sufficient    pam_ldap.so use_first_pass
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so broken_shadow
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 +account     required      pam_permit.so
 +
 +password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 +password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
 +password    sufficient    pam_ldap.so use_authtok
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     optional      pam_oddjob_mkhomedir.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     optional      pam_ldap.so
 +</file>
 +
 +   # vim /etc/pam.d/smartcard-auth
 +<file bash /etc/pam.d/smartcard-auth>
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so broken_shadow
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 +account     required      pam_permit.so
 +
 +password    required      pam_pkcs11.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     optional      pam_oddjob_mkhomedir.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     optional      pam_ldap.so
 +</file>
 +
 +   # vim /etc/pam.d/smtp
 +<file bash /etc/pam.d/smtp>
 +#%PAM-1.0
 +auth       include      password-auth
 +account    include      password-auth
 +</file>
 +
 +   # vim /etc/pam.d/system-auth
 +<file bash /etc/pam.d/system-auth>
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_fprintd.so
 +auth        sufficient    pam_unix.so nullok try_first_pass
 +auth        requisite     pam_succeed_if.so uid >= 500 quiet
 +auth        sufficient    pam_ldap.so use_first_pass
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so broken_shadow
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 +account     required      pam_permit.so
 +
 +password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 +password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
 +password    sufficient    pam_ldap.so use_authtok
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     optional      pam_oddjob_mkhomedir.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     optional      pam_ldap.so
 +</file>
 +
 +==== ldap.conf ====
 +In der Konfigurationsdatei //**/etc/openldap/ldap.conf**// tragen wir folgende Daten nach:
 +  * **BASE    dc=nausch, dc=org**
 +  * **URI     ldap://ldap.dmz.nausch.org**
 +  * **TLS_CACERTDIR /etc/openldap/cacerts**
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/openldap/ldap.conf
 +<file bash /etc/openldap/ldap.conf>
 +#
 +# LDAP Defaults
 +#
 +
 +# See ldap.conf(5) for details
 +# This file should be world readable but not world writable.
 +
 +#BASE   dc=example, dc=com
 +#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 +
 +#SIZELIMIT      12
 +#TIMELIMIT      15
 +#DEREF          never
 +
 +# Django : 2011-10-28 LDAP Client Authentication
 +BASE    dc=nausch, dc=org
 +URI     ldap://ldap.dmz.nausch.org
 +TLS_CACERTDIR /etc/openldap/cacerts
 +</file>
 +
 +==== authconfig ====
 +In der Konfigurationsdatei //**/etc/sysconfig/authconfig**// setzen wir die beiden folgenden Werte von **no** auf **yes**:
 +  * **USELDAP=yes** //(LDAP-Authentifizierung aktivieren.)//
 +  * **FORCELEGACY=no** //(Da wir nun TLS bei der LDAP-Authentifizierung unter CentOS 6 nutzen wollen, setzen wir diem Option **FORCELEGACY** wieder auf **no** zurück.//
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/sysconfig/authconfig
 +<file bash /etc/sysconfig/authconfig>
 +USEMKHOMEDIR=no
 +USEPAMACCESS=no
 +CACHECREDENTIALS=yes
 +USESSSDAUTH=no
 +USESHADOW=yes
 +USEWINBIND=no
 +USEDB=no
 +FORCELEGACY=no
 +USEFPRINTD=yes
 +FORCESMARTCARD=no
 +PASSWDALGORITHM=sha512
 +USELDAPAUTH=no
 +USEPASSWDQC=no
 +USELOCAUTHORIZE=yes
 +USECRACKLIB=yes
 +USEWINBINDAUTH=no
 +USESMARTCARD=no
 +USELDAP=yes
 +USENIS=no
 +USEKERBEROS=no
 +USESYSNETAUTH=no
 +USESMBAUTH=no
 +USESSSD=no
 +USEHESIOD=no
 +</file>
 +
 +==== nsswitch.conf ====
 +In der Konfigurationsdatei //**/etc/pam.d/system-auth**// tragen wir folgende Daten nach:
 +  * **passwd:     files ldap**
 +  * **shadow:     files ldap**
 +  * **group:      files ldap**
 +
 +  * **netgroup:   ldap**
 +
 +  * **automount:  files ldap**
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/nsswitch.conf
 +<file bash /etc/nsswitch.conf>
 +#
 +# /etc/nsswitch.conf
 +#
 +# An example Name Service Switch config file. This file should be
 +# sorted with the most-used services at the beginning.
 +#
 +# The entry '[NOTFOUND=return]' means that the search for an
 +# entry should stop if the search in the previous entry turned
 +# up nothing. Note that if the search failed due to some other reason
 +# (like no NIS server responding) then the search continues with the
 +# next entry.
 +#
 +# Valid entries include:
 +#
 +#       nisplus                 Use NIS+ (NIS version 3)
 +#       nis                     Use NIS (NIS version 2), also called YP
 +#       dns                     Use DNS (Domain Name Service)
 +#       files                   Use the local files
 +#       db                      Use the local database (.db) files
 +#       compat                  Use NIS on compat mode
 +#       hesiod                  Use Hesiod for user lookups
 +#       [NOTFOUND=return]       Stop searching if not found so far
 +#
 +
 +# To use db, put the "db" in front of "files" for entries you want to be
 +# looked up first in the databases
 +#
 +# Example:
 +#passwd:    db files nisplus nis
 +#shadow:    db files nisplus nis
 +#group:     db files nisplus nis
 +
 +# Django : 2011-10-28 LDAP Client Authentication
 +# default
 +# passwd:     files
 +# shadow:     files
 +# group:      files
 +passwd:     files ldap
 +shadow:     files ldap
 +group:      files ldap
 +
 +#hosts:     db files nisplus nis dns
 +hosts:      files dns
 +
 +# Example - obey only what nisplus tells us...
 +#services:   nisplus [NOTFOUND=return] files
 +#networks:   nisplus [NOTFOUND=return] files
 +#protocols:  nisplus [NOTFOUND=return] files
 +#rpc:        nisplus [NOTFOUND=return] files
 +#ethers:     nisplus [NOTFOUND=return] files
 +#netmasks:   nisplus [NOTFOUND=return] files     
 +
 +bootparams: nisplus [NOTFOUND=return] files
 +
 +ethers:     files
 +netmasks:   files
 +networks:   files
 +protocols:  files
 +rpc:        files
 +services:   files
 +
 +# Django : 2011-10-28 LDAP Client Authentication
 +# default
 +# netgroup:   nisplus
 +netgroup:   ldap
 +
 +publickey:  nisplus
 +
 +# Django : 2011-10-28 LDAP Client Authentication
 +# default
 +# automount:  files nisplus
 +automount:  files ldap
 +aliases:    files nisplus
 +</file>
 +===== Clienttest =====
 +Zum Testen unserer Konfiguration starten wir einfach unseren CentOS-6 Host und melden uns an.
 +
 +{{ :centos:ldap:gdm_ldap_auth_tls.png?650 |Bildschirmhardcopy GDM Anmeldebildschirm}}
 +
 +Bei Bedarf beobachten wir das LDAP-Logfile auf dem OpenLDAP-Server.
 +   # tail -f /var/log/ldap-log
 +====== Links ======
 +  * **[[centos:ldap:start|Zurück zum Kapitel >>OpenLDAP Server unter CentOS 6.x<<]]**
 +  * **[[wiki:start|Zurück zu >>Projekte und Themenkapitel<<]]**
 +  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
 +