Inhaltsverzeichnis

Absicherung des OpenLDAP-Servers - LDAPS-Konfiguration

OpenLDAP Logo

Damit unser OpenLDAP-Server auch via ldaps erreichbar ist, werden wir in diesem Kapitel die Erstellung und Integration eines Server-Zertifikates sowie die nötigen Konfigurationsschritte näher betrachten.

Zertifikatserstellung

Für unseren OpenLDAP-Server werden wir ein Zertifikat von der freien Community-Zertifizierungsstelle CAcert. Selbstverständlich kann man sich auch selbst eine CA erstellen und ein selfsigned Zertifikat generieren. Die grundlegende Herangehensweise ist dabei die gleiche; wir werden uns bei der weiteren Betrachtung daher auf die CAcert-Variante beziehen.

privaten Schlüssel generieren

Als erstes generieren wir uns einen privaten Schlüssel.

 # openssl genrsa -out /etc/pki/tls/private/private.key 2048
 Generating RSA private key, 2048 bit long modulus
 ................................................................................+++
 ..+++
 e is 65537 (0x10001)

Über die Dateiberechtigung schützen wir die Datei vor fremden Blicken.

 # chmod 400 /etc/pki/tls/private/private.key

Bei Bedarf kann man mit openssl rsa -in <keyfile> -noout -text die Schlüsseldatei öffnen und ausgeben lassen.

 # openssl rsa -in /etc/pki/tls/private/private.key -noout -text

Zertifikatsregistrierungsanforderung

Damit von CAcert unser digitales Zertifikat erstellt werden kann, benötigen wir ein CSR1), eine Textzeichenfolge, die wir mit Hilfe der SSL-Software openssl auf unserem zu zertifizierenden Servers erzeugen. Mit Eingabe eines Punktes . erzeugen wir dabei ein leeres Feld.

 # openssl req -new -key /etc/pki/tls/private/private.key -out /etc/pki/tls/misc/ldap.dmz.nausch.org.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:Bayern
Locality Name (eg, city) [Default City]:Pliening
Organization Name (eg, company) [Default Company Ltd]:Nausch
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:ldap.dmz.nausch.org
Email Address []:michael@nausch.org
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Auch hier passen wir die Dateiberechtigung des gerade erstellten CSR2) an.

 # chmod 400 /etc/pki/tls/misc/ldap.dmz.nausch.org.csr

Den Inhalt unseres CSR, der gerade erstellten Datei, geben wir dann auf der Seite von CAcert im im Browserfenster bei der Bestellung ein.

Bei Bedarf können wir uns den Inhalt unseres CSR in lesbarer Form ausgeben lassen.

 # openssl req -noout -text -in /etc/pki/tls/misc/ldap.dmz.nausch.org.csr

CAcert Server-Zertifikat

Von CAcert erhalten wir dann unser Zertifikat, welches wir in einer einfachen Textdatei auf unserem Server ablegen.

 # vim /etc/pki/tls/certs/ldap.dmz.nausch.org.crt

Anschließend passen wir auch hier die Dateiberechtigungen an.

 # chmod 400 /etc/pki/tls/certs/ldap.dmz.nausch.org.crt

Den Inhalt unseres CAcert-Zertifikates können wir mit folgenden Befehlsaufrufes lesbar ausgeben lassen.

 # openssl req -noout -text -in /etc/pki/tls/misc/ldap.dmz.nausch.org.csr

CAcert Root-Zertifikat

Von CAcert laden wir uns das Class 1 Root-Zertifikat auf unseren Server.

 # wget http://www.cacert.org/certs/root.crt

Anschließend überprüfen wir den Fingerprint des heruntergeladenen Root-Zertifikates.

 # openssl x509 -noout -fingerprint -in /etc/pki/tls/certs/root.crt 
 SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

Diesen vergleichen wir mit den Angaben auf der Webseite von CAcert.

Konfiguration

Schlüsseldateien ablegen

Für unsere OpenLDAP-Installation legen wir uns am besten einen eigenen Unterordner unter /etc/pki an.

 # mkdir -p /etc/pki/ldap/certs
 # mkdir -p /etc/pki/ldap/private
 

Anschließend legen wir dort die drei benötigten Dateien ab:

  1. unseren Serverzertifikat : servercert.pem
    # cp /etc/pki/tls/certs/ldap.dmz.nausch.org.crt /etc/pki/ldap/certs/servercert.pem
  2. unseren Serverschlüssel : serverkey.pem und
    # cp /etc/pki/tls/private/private.key /etc/pki/ldap/PRIVATE/serverkey.pem
  3. das CA-Zertifikat : cacert.pem
    # cp /etc/pki/tls/certs/root.crt /etc/pki/ldap/certs/cacert.pem

Abschließend passen wir noch die Datei- und Nutzerberechtigungen an.

  1.  # chown root:ldap /etc/pki/openldap/certs/*
     # chmod 640 /etc/pki/openldap/certs*
  2.  # chown root:ldap /etc/pki/openldap/private/*
     # chmod 640 /etc/pki/openldap/private*

Anpassen der /etc/sysconfig/ldap (Server)

Damit unser OpenLDAP-Server zukünftig LDAPS auf Port 636 unter IPv4 zur verfügung stellen kann, bearbeiten wir nun die systemweite Konfigurationsdatei.

 # vim /etc/sysconfig/ldap
/etc/sysconfig/ldap
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=
# Django : 2011-11-11 LDAPs - Konfiguration
# default : SLAPD_OPTIONS=
# Nur IPv4 Unterstützung aktiviert
SLAPD_OPTIONS="-4"
 
# options of slurpd (see man slurpd)
#   
#SLURPD_OPTIONS=
 
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
#   yes/no, default: yes
#SLAPD_LDAP=yes
 
# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: no
#SLAPD_LDAPI=no
 
# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no
#SLAPD_LDAPS=no
# Django : 2011-11-11 LDAPs - Konfiguration
# default : SLAPD_LDAPS=no
SLAPD_LDAPS=yes
 
# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""
 
# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3
 
# Parameters to ulimit called right before starting slapd
# - use this to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
 

Nähere Informationen zu den möglichen Parametern entnehmen wir der zugehörigen Manpage.

 # man slapd

LDAPS Konfiguration .LDIF

Da wir unsere Konfiguration des OpenLDAP-Servers mit Hilfe von .LDIF-Datreien realisiert haben, werden wir nun eine passende .LDIF-Datei erstellen und diese anschließend in das System importieren.

 # vim /etc/openldap/ldif/TLS.ldif
/etc/openldap/ldif/TLS.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/openldap/certs/servercert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/openldap/private/serverkey.pem
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/openldap/certs/cacert.pem

Anschließend importieren wir unsere LDIF-Konfigurationsdatei in den laufenden OpenLDAP-Server

 # ldapmodify -W -x -D cn=config -f /etc/openldap/ldif/TLS.ldif
 Enter LDAP Password: 
 modifying entry "cn=config"

Mit einer LDAP-Suche im OpenLDAP-Server mit dem CommonNAme config können wir uns davon überzeugen, dass der Import entsprechend geklappt hat.

 # ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=olcGlobal)
# requesting: ALL
#
 
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcDisallows: bind_anon
olcGentleHUP: FALSE
olcIdleTimeout: 15
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: Stats
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReferral: ldap://ldap.dmz.nausch.org
olcRequires: authc
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
olcTLSCipherSuite: HIGH
olcTLSCertificateFile: /etc/pki/openldap/certs/servercert.pem
olcTLSCertificateKeyFile: /etc/pki/openldap/private/serverkey.pem
olcTLSCACertificateFile: /etc/pki/openldap/certs/cacert.pem
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1

Aktivierung der OpenLDAP-Konfiguration

Damit nun unser OpenLDAP-server auch wirklich LDAPS sprechen kann müssen wir diesen nun einmal durchstarten.

 # service slapd restart
 Stopping slapd:                                            [  OK  ]
 Starting slapd:                                            [  OK  ]

Ob nun der OpenLDAP-Server auch auf den beiden Ports 389 und 636 lauscht überprüfen wir mit Hilfe des Programmes netstat.

 # netstat -tulpen | grep slapd
 tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      0          65657      27311/slapd         
 tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      0          65655      27311/slapd

Unser verwendetes CAcert Serverzertifikat können wir mit Hilfe von openssl überprüfen.

 # openssl s_client -connect ldap.dmz.nausch.org:636 -showcerts -state -CAfile /etc/pki/openldap/certs/cacert.pem -cert /etc/pki/openldap/certs/servercert.pem -key /etc/pki/openldap/private/serverkey.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify return:1
depth=0 CN = ldap.dmz.nausch.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/CN=ldap.dmz.nausch.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-----BEGIN CERTIFICATE-----
MIIE4TCCAsmgAwIBAgIDCvFhMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
dEBjYWNlcnQub3JnMB4XDTExMTExMDIxMTMyMFoXDTEzMTEwOTIxMTMyMFowHjEc
MBoGA1UEAxMTbGRhcC5kbXoubmF1c2NoLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMm8BoT246isZpY6mz+VU6WQS75NHJBSuYQcrh1O8JuheAq3
2XpVRqO4uIEhAcyrqMjR2Sjg4XqOlx39mAtbnvN1Era7Cb2geTNRQsagmINA2LOu
7zt4CsKE92KdQhgohnS/Tm6K4I5ssXMFK1UhtCD9uu2eBFNYNgWHf0B7AVRVh3yX
o+bUbTL0Lt2CSpA0dnNauT+rPpC3gOjaEXEtOFOIMOtIz+UkCxLsXh1baG3Hjgio
hq8EfN9yrlg7wpNo2b1IUWaqIYEkcl0l+f9+eCPIkMgw2PhR4e4Xlw8h2ffd/Cfw
TFeNYH37bJ8JvSd2PWzpcZsosMCqblOdjkz1XE8CAwEAAaOBzDCByTAMBgNVHRMB
Af8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJYIZIAYb4QgQB
BgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEFBQcBAQQnMCUwIwYIKwYB
BQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMEEGA1UdEQQ6MDiCE2xkYXAu
ZG16Lm5hdXNjaC5vcmegIQYIKwYBBQUHCAWgFQwTbGRhcC5kbXoubmF1c2NoLm9y
ZzANBgkqhkiG9w0BAQUFAAOCAgEAk4eKyTcz/uoK4cXvG6GaZzfBp+iohwE/KeLs
mLI1LN0XUfouIOhfV6vNnRoH+Odus+wy25FRbnYAYKJNPCyIY9iH5iKH988rx2oQ
+XtVUHuD0dOOuDi4fIhXyXjfPGYJ3hI5TYTH7eU2bv+2egNr0dnrgOZPgN9ql1yP
H7moM+8I7zMYrISUzjGdvJNpXIXQlvu/jLRCtJRUoDfa5CYK5XjxGrCdWFupMUYu
jcKNvnhOPLtcy5C7L0HfYfjNvYMDGFhBgho74mX5Z7qkQw6chQwdSoDENsHxdQOa
AkGjubQ6wEaI36BN4IG7zu4nSI1sn0r76JBOeeAglLJnGT7+y0CPnExuo/Pa8hzd
N4S6BlSKHU0vvfk3FxEQZ3osV0aIzr+8qPTK7CmsDLplZfvvUiWJ8XduutiBvmSe
AWX0dufY8AtlyoGTZRSGo3dvLK1rxvElxRQrFP2y7HN7NhMl2MjyHRW92nJoet4H
RnL+mEZW0FmLYPD/FzD1axYf5bwcgz8fQuJSD3dXPpSWhsqVODFfGhQPQwPLaKTl
Pj32C6BqHcWBpUWddyF3hAzLolNmgWYZnCXru0GDJ/qrm/z7NFQWTSLpeU4SW4au
T1CdPEwqXapAvRxcerm6xUHomoBrm5Rp+yTnbOoL4CPhuT8bNJimazTFTaNZRfP4
g5lnaak=
-----END CERTIFICATE-----
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-----BEGIN CERTIFICATE-----
MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldap.dmz.nausch.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 3445 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9501557C4CDF9E555B52430A74226B9E2C8F28C4DCC81786E8BC092BB4694CD7
    Session-ID-ctx: 
    Master-Key: C17E92622EF087873AB9D3D13AAE9DB96D41491C2D97CBA0B95F0FF16A219FE51AF3A559E7AE1666FAD5B54602EE4778
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 89 36 bc f1 45 7d 8b de-23 88 7b 01 2e ba e6 8b   .6..E}..#.{.....
    0010 - 38 72 be ca c8 37 cf e0-56 16 eb 8f be 54 f3 91   8r...7..V....T..
    0020 - 7e c6 f6 eb 1a 82 b8 87-8b 5c 10 ef 2c 4a 8b ef   ~........\..,J..
    0030 - cc 55 03 dd 6b 25 77 7e-81 68 c7 f2 01 fc 23 e2   .U..k%w~.h....#.
    0040 - 98 88 8b a7 69 e6 79 6b-ae ae 77 54 f2 7e ab 54   ....i.yk..wT.~.T
    0050 - 70 e1 5a 31 98 b9 dd 42-4a 64 cd 2f e6 d5 2f 77   p.Z1...BJd./../w
    0060 - 0d 6d 5f 44 c0 bc fa 85-9b 38 ba 53 68 06 4c fe   .m_D.....8.Sh.L.
    0070 - 41 93 80 28 af 56 0a ed-47 2b 89 32 b9 65 34 0c   A..(.V..G+.2.e4.
    0080 - d8 00 a4 86 b8 db d3 40-33 0e 3c db 97 ed 01 2b   .......@3.<....+
    0090 - f1 92 fe ea a0 d2 03 4d-11 b8 90 fb a7 be c6 5a   .......M.......Z
    00a0 - 3a aa b7 54 f8 fd 70 18-df 1e 36 40 4e 97 02 12   :..T..p...6@N...
 
    Compression: 1 (zlib compression)
    Start Time: 1321002877
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify

Anpassen der /etc/openldap/ldap.conf (Client)

Für die Konfiguration des LADP-Clients auf dem Server, erweitern wir die betreffende Konfigurationsdatei im Verzeichnis /etc/openladp/.

 # vim /etc/openldap/ldap.conf
/etc/openldap/ldap.conf
#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 
# Django: 2011-10-26
BASE    dc=nausch, dc=org               # Definition des standardmäßig abgefragten Teilbaums / Searchbase
                                        # Anfragen werden unterhalb von dc=nausch, dc=org ausgeführt.
URI     ldap://ldap.dmz.nausch.org      # Definition des LDAP-Servers 
 
# Django: 2011-11-11 LDAPs Konfigiuration
#  TLS_REQCERT allow
#              Specifies what checks to perform on server certificates in a TLS session, if any.
#              The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad
#              certificate is provided, it will be ignored and the session proceeds normally.
 
TLS_REQCERT allow
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

Konfigurationstest

Nun ist es an der Zeit unsere erste Suchanfrage über unseren neu geschaffenen verschlüsselten Weg an unseren OpenLDAP-Server zu richten:

 # ldapsearch -x -LLL -H ldaps://ldap.dmz.nausch.org -b "dc=nausch,dc=org" "uid=django" -W -D "cn=Technischeruser,dc=nausch,dc=org"
Enter LDAP Password: 
dn: uid=django,ou=People,dc=nausch,dc=org
uid: django
cn: Django
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JENna3VQVFplJDRiT2wvR2dSMUg4OWlxQjRtaU4yYVN5VndHUWE
 2SVlubW40eGlGdzJkVjRsbWNKakRoYzlxd2tFYWJQdTZUL1BITWNXcWFLbW9KUnd6NlhwVTd3Vm0x
shadowLastChange: 15272
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/django
gecos: Django

Im LDAP-Log wird unsere erfolgreiche verschlüsselte Abfrage über Port 636 entsprechend dokumentiert.

 # tail -f /var/log/ldap.log
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 fd=16 ACCEPT from IP=10.0.0.30:60097 (IP=0.0.0.0:636)
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 fd=16 TLS established tls_ssf=256 ssf=256
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=0 BIND dn="cn=Technischeruser,dc=nausch,dc=org" method=128
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=0 BIND dn="cn=Technischeruser,dc=nausch,dc=org" mech=SIMPLE ssf=0
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=0 RESULT tag=97 err=0 text=
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=1 SRCH base="dc=nausch,dc=org" scope=2 deref=0 filter="(uid=django)"
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 op=2 UNBIND
Nov 11 10:21:12 vml000030 slapd[27311]: conn=12 fd=16 closed

Clientkonfiguration (LDAPS Auth mit techn. User)

Bei der Absicherung unserer Clientabfragen mittels TLS setzen wir auf unsere bereits vorhanden Grundinstallation mit einem technischen User auf.

Die abschließende Konfiguration nehmen wir mit Hilfe vom system-config-authentication vor.

 # system-config-authentication

In dem folgendem Fenster aktivieren wir erst einmal die notwendige TLS-Verschlüsselung, in dem wir die [Auswahlbox]] bei Use TLS to mencrypt connections anwählen.

Bildschirmhardcopy: Definition des Nutzer-Authentifizierung

Als nächstes müssen wir noch das Rootzertifikat der CA herunterladen, damit der Client später seine Anfragen mit Hilfe dieses Zertifikates verschlüsseln und an den OpenLDAP-Server übertragen kann. Wir wählen hier zu den Menüpunkt Download CA Certificate… aus.

Bildschirmhardcopy: Definition des Nutzer-Authentifizierung

Dort tragen wir die URL des Class 1 PKI Keys http://www.cacert.org/certs/root.crt ein.

Bildschirmhardcopy: Definition des Nutzer-Authentifizierung

Abschließend verlassen wir das Konfigurationsfenster in dem wir die Schaltfläche Apply anwählen.

Mit Hilfe eines geschickten Find-Befehles ermitteln wir nun, welche Konfigurationsdateien durch die vorangegangene Konfiguration in der GUI von system-config-authentication angetastet wurden.

 # find -type f -printf '%TY.%Tm.%Td %p\n' | sort -nr | more
2011.11.11 ./pam_ldap.conf
2011.11.11 ./pam.d/system-auth-ac
2011.11.11 ./pam.d/smartcard-auth-ac
2011.11.11 ./pam.d/password-auth-ac
2011.11.11 ./pam.d/fingerprint-auth-ac
2011.11.11 ./openldap/ldap.conf
2011.11.11 ./openldap/cacerts/authconfig_downloaded.pem
2011.11.10 ./sysconfig/authconfig
2011.11.10 ./nsswitch.conf

pam_ldap.conf

In der Konfigurationsdatei /etc/pam_ldap.conf tragen wir folgende Daten nach:

Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl vim.

 # vim /etc/pam_ldap.conf
/etc/pam_ldap.conf
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man page for this file is pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#
 
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a 
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
 
# Django : 2011-10-28 LDAP Client-Authentication
# default : host 127.0.0.1
 
# The distinguished name of the search base.
# Django : 2011-11-10 LDAP Client-Authentication
# base dc=example,dc=com
binddn dc=nausch,dc=org
 
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
 
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
 
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
 
# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret
# Django : 2011-11-10 LDAP Client-Authentication
bindpw Klaus-ist-der-groesste!
 
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
 
# The port.
# Optional: default is 389.
#port 389
 
# The search scope.
#scope sub
#scope one
#scope base
 
# Search timelimit
#timelimit 30
 
# Bind/connect timelimit
#bind_timelimit 30
 
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
 
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
 
# Filter to AND with uid=%s
#pam_filter objectclass=account
 
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
 
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
 
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
 
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
 
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
 
# Group member attribute
#pam_member_attribute uniquemember
 
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
 
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
 
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
 
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt
 
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds
 
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
 
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
 
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
 
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
 
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=example,dc=com?one
#nss_base_shadow        ou=People,dc=example,dc=com?one
#nss_base_group         ou=Group,dc=example,dc=com?one
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
#nss_base_services      ou=Services,dc=example,dc=com?one
#nss_base_networks      ou=Networks,dc=example,dc=com?one
#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one
 
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass
 
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
 
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
 
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
 
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
 
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
 
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
 
# Netscape SDK LDAPS
#ssl on
 
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
 
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
 
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
 
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
 
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
 
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
 
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
 
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
 
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
 
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
 
# Django : 2011-10-28 LDAP Client-Authentication, automatisch eingetragen mit Hilfe von authconfig
uri ldap://ldap.dmz.nausch.org
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password sha256

system-auth

Es wurden auch folgenden pam.d-Konfigurationsdateien angepasst:

Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl vim.

 # vim /etc/pam.d/fingerprint-auth
/etc/pam.d/fingerprint-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so
 
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
 
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
 # vim /etc/pam.d/password-auth
/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
 
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
 # vim /etc/pam.d/smartcard-auth
/etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so
 
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
 
password    required      pam_pkcs11.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
 # vim /etc/pam.d/smtp
/etc/pam.d/smtp
#%PAM-1.0
auth       include      password-auth
account    include      password-auth
 # vim /etc/pam.d/system-auth
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
 
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

ldap.conf

In der Konfigurationsdatei /etc/openldap/ldap.conf tragen wir folgende Daten nach:

Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl vim.

 # vim /etc/openldap/ldap.conf
/etc/openldap/ldap.conf
#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
 
# Django : 2011-10-28 LDAP Client Authentication
BASE    dc=nausch, dc=org
URI     ldap://ldap.dmz.nausch.org
TLS_CACERTDIR /etc/openldap/cacerts

authconfig

In der Konfigurationsdatei /etc/sysconfig/authconfig setzen wir die beiden folgenden Werte von no auf yes:

Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl vim.

 # vim /etc/sysconfig/authconfig
/etc/sysconfig/authconfig
USEMKHOMEDIR=no
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=sha512
USELDAPAUTH=no
USEPASSWDQC=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESMBAUTH=no
USESSSD=no
USEHESIOD=no

nsswitch.conf

In der Konfigurationsdatei /etc/pam.d/system-auth tragen wir folgende Daten nach:

Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl vim.

 # vim /etc/nsswitch.conf
/etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
 
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis
 
# Django : 2011-10-28 LDAP Client Authentication
# default
# passwd:     files
# shadow:     files
# group:      files
passwd:     files ldap
shadow:     files ldap
group:      files ldap
 
#hosts:     db files nisplus nis dns
hosts:      files dns
 
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     
 
bootparams: nisplus [NOTFOUND=return] files
 
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
 
# Django : 2011-10-28 LDAP Client Authentication
# default
# netgroup:   nisplus
netgroup:   ldap
 
publickey:  nisplus
 
# Django : 2011-10-28 LDAP Client Authentication
# default
# automount:  files nisplus
automount:  files ldap
aliases:    files nisplus

Clienttest

Zum Testen unserer Konfiguration starten wir einfach unseren CentOS-6 Host und melden uns an.

Bildschirmhardcopy GDM Anmeldebildschirm

Bei Bedarf beobachten wir das LDAP-Logfile auf dem OpenLDAP-Server.

 # tail -f /var/log/ldap-log

Links

1) , 2)
Certificate Signing Request