Differences
This shows the differences between two versions of the page.
centos:ldap_c7:ldaps [16.07.2015 12:46. ] – [ldap.conf] django | centos:ldap_c7:ldaps [16.07.2015 14:06. ] – [ldap.conf] django | ||
---|---|---|---|
Line 1615: | Line 1615: | ||
Wollen wir von unserem Server aus, mittels **ldapsearch** muss natürlich der Client auch wissen, wie er das bzw. die Zertifikate auf das Vertrauen hin prüfen soll. | Wollen wir von unserem Server aus, mittels **ldapsearch** muss natürlich der Client auch wissen, wie er das bzw. die Zertifikate auf das Vertrauen hin prüfen soll. | ||
- | Wir werden daher in der Konfigurationsdate | + | Wir werden daher in der Konfigurationsdatei |
# vim / | # vim / | ||
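Review bot: the context sentence just before the changed line is missing the verb of its conditional clause; "Wollen wir von unserem Server aus, mittels **ldapsearch** muss natürlich der Client auch wissen, ..." should read along the lines of "Wollen wir von unserem Server aus mittels **ldapsearch** Anfragen stellen, muss natürlich der Client auch wissen, ...". The typo fix itself (Konfigurationsdate to Konfigurationsdatei) is fine.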
Line 1891: | Line 1891: | ||
# less / | # less / | ||
- | FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME | + | < |
+ | Jul 16 14:43:38 vml000037 slapd[5002]: | ||
+ | Jul 16 14:43:38 vml000037 slapd[5002]: | ||
+ | Jul 16 14:43:38 vml000037 slapd[5002]: | ||
+ | Jul 16 14:43:39 vml000037 slapd[7344]: | ||
+ | mockbuild@worker1.bsys.centos.org:/ | ||
+ | Jul 16 14:43:39 vml000037 slapd[7346]: | ||
Nun müssen wir nur noch über die Directive **olcTLSDHParamFile** unserem OpenLDAP-Server beibringen, die Parameterdatei auch zu verwenden. | Nun müssen wir nur noch über die Directive **olcTLSDHParamFile** unserem OpenLDAP-Server beibringen, die Parameterdatei auch zu verwenden. | ||
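Review bot: the log excerpt that replaces the FIXME placeholder spans two slapd generations (PID 5002 at 14:43:38, then PIDs 7344 and 7346 at 14:43:39), so it documents a restart rather than a single event; a sentence before the `# less /` line saying that slapd was restarted to load the changed TLS configuration, and what the reader should look for in these lines, would make the excerpt self-explanatory. The line beginning `mockbuild@worker1.bsys.centos.org:/` looks like the wrapped package build string from the slapd startup banner and can be trimmed without losing information.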
Line 1953: | Line 1958: | ||
# numEntries: 1 | # numEntries: 1 | ||
</ | </ | ||
+ | |||
+ | ===== LDAPs Verbindungstests ===== | ||
+ | |||
+ | ==== openssl ==== | ||
+ | Beim ersten Test bauen wir eine Verbindung mit Hilfe des Befehls **openssl** auf und prüfen, ob auch wirklich das angegebene Protokoll verwendet wurde und welcher **Cipher** zum Einsatz kam. | ||
+ | # openssl s_client -connect openldap.dmz.nausch.org: | ||
+ | |||
+ | < | ||
+ | depth=2 O = Root CA, OU = http:// | ||
+ | verify return: | ||
+ | depth=1 O = CAcert Inc., OU = http:// | ||
+ | verify return: | ||
+ | depth=0 CN = openldap.dmz.nausch.org | ||
+ | verify return: | ||
+ | --- | ||
+ | Certificate chain | ||
+ | 0 s:/ | ||
+ | | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIGBzCCA++gAwIBAgIDAm8BMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB | ||
+ | Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV | ||
+ | BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTUwNzE1MTgzOTUxWhcNMTcwNzE0 | ||
+ | MTgzOTUxWjAiMSAwHgYDVQQDExdvcGVubGRhcC5kbXoubmF1c2NoLm9yZzCCAiIw | ||
+ | DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMUdsfKPIpr3Ma0gpTJdIdKFJ9Wj | ||
+ | oc7tRO5D67WgXm4Txwd17wK51BkCsXPc7tNHHTTfEJ17UPfqge4bH5kH+Vfg4dAb | ||
+ | DG0xDtcJibQ0k4dbZEidTET41Iqd2m6xgGOAfEOpZmSUA2Awn4GBKFHjg3RzZ6YG | ||
+ | n6CTCTaCGiRsRWiGq0KBk4lXmvfAy+/ | ||
+ | yMuqMWOO+e3YcUauZVhqhKlcH2AWi8+V6j4wp2G72fuuxOpZkU2vJcNKH3sHYj9G | ||
+ | p+Z7VHmzgDlz7Y00f93M6VVnC91RhDBwgQzGDMNRTSLyEnOFw7rtHgB/ | ||
+ | 9kley/ | ||
+ | sPvsPt/ | ||
+ | GW0uJtWpNcvfx0FIPyFfDUAcCLiBnXym+4E4ekXEHH9aZxLgNhX81dw9lBzAmv1I | ||
+ | AAt2TMbwk74WedYVPN0nToGkTJu3iv1Y6sKQrbClpp4xl43bl11WFHFvJI0o7CC8 | ||
+ | 265NiAYfXztTXqxlJEOoltTaAXh9Zo8qNagrzlGOM/ | ||
+ | +Z3YzIuTtz6gCHwPAgMBAAGjggESMIIBDjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB | ||
+ | / | ||
+ | AQYKKwYBBAGCNwoDAzAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6 | ||
+ | Ly9vY3NwLmNhY2VydC5vcmcvMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwu | ||
+ | Y2FjZXJ0Lm9yZy9jbGFzczMtcmV2b2tlLmNybDBJBgNVHREEQjBAghdvcGVubGRh | ||
+ | cC5kbXoubmF1c2NoLm9yZ6AlBggrBgEFBQcIBaAZDBdvcGVubGRhcC5kbXoubmF1 | ||
+ | c2NoLm9yZzANBgkqhkiG9w0BAQ0FAAOCAgEAQpFKrP2/ | ||
+ | qoWhRMZM/ | ||
+ | dVJysG+VbCh9YD5poHRVPMC5zAHWQ13m4BhaOcSXu1Vvh7lb/ | ||
+ | eyY28nTD1fLjTMfp6PbYFTK+asxq0TPqrP9j0qSy1M+0SQnLvlLkr1/ | ||
+ | L5c7FlTQAYE0q6sTdpAPNX2icGHECtylCohlnpNoLCchboH9y9s7FtPzMbDENWvA | ||
+ | FM1gooanqbo66adN7psnw2gXJbDLShaIwgjRzM8+82I4nXVO5CcD3FWqQIPwYpec | ||
+ | Rqk/ | ||
+ | LBvmGZedITZ3+NqmJTbSp3R4bEYESmznNUdD8BnBvg3alkzjb6Cinnb30TJtehbQ | ||
+ | yBaEhzq8KsOZpzcLT7ldN3Y6dxu8qj+p67nGD+A8brrII1s4TIcnEvnPBCWuku/ | ||
+ | a5iSsSt3US1dOocFJM3CJyuaNfWIqDbutE702fREPriNPxqRSdTkH5Ub4Rb4CiRW | ||
+ | bHHSqh0QekUMpNi6n7+thG46EKJk1WgeNhhsqRKqy5MDLth7iN5gHE2CCbSIe4qW | ||
+ | g2KkrggW2eBNzv4= | ||
+ | -----END CERTIFICATE----- | ||
+ | 1 s:/O=CAcert Inc./ | ||
+ | | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv | ||
+ | b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ | ||
+ | Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y | ||
+ | dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU | ||
+ | MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 | ||
+ | Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN | ||
+ | AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a | ||
+ | iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/ | ||
+ | aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C | ||
+ | jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/ | ||
+ | pNkVGJGmhZJHsK5I6223IeyFGmhyNav/ | ||
+ | FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt | ||
+ | XapI19V91Cp7XPpGBFDkzA5CW4zt2/ | ||
+ | oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 | ||
+ | R9Wb7yQocDggL9V/ | ||
+ | rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/ | ||
+ | LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/ | ||
+ | BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/ | ||
+ | gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV | ||
+ | BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG | ||
+ | A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS | ||
+ | c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/ | ||
+ | AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr | ||
+ | BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB | ||
+ | MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y | ||
+ | Zy9pbmRleC5waHA/ | ||
+ | ZXJ0Lm9yZy9pbmRleC5waHA/ | ||
+ | b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D | ||
+ | QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/ | ||
+ | 7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH | ||
+ | Va9Y/ | ||
+ | D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 | ||
+ | VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a | ||
+ | lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW | ||
+ | Q7fDCo1y/ | ||
+ | hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/ | ||
+ | 0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn | ||
+ | ebJSoMbxhbQljPI/ | ||
+ | d+pLncdBu8fA46A/ | ||
+ | 4GGSt/ | ||
+ | -----END CERTIFICATE----- | ||
+ | 2 s:/O=Root CA/ | ||
+ | | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 | ||
+ | IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB | ||
+ | IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA | ||
+ | Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO | ||
+ | BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi | ||
+ | MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ | ||
+ | ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC | ||
+ | CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ | ||
+ | 8BLPRoZzYLdufujAWGSuzbCtRRcMY/ | ||
+ | zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y | ||
+ | fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 | ||
+ | w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc | ||
+ | G8Y0f3/ | ||
+ | epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/ | ||
+ | laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/ | ||
+ | QUxPKZgh/ | ||
+ | fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 | ||
+ | YreQQejdIOQpvGQpQsgi3Hia/ | ||
+ | ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY | ||
+ | gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe | ||
+ | MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 | ||
+ | IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy | ||
+ | dC5vcmeCAQAwDwYDVR0TAQH/ | ||
+ | czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 | ||
+ | dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl | ||
+ | aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC | ||
+ | AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg | ||
+ | b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB | ||
+ | ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc | ||
+ | nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg | ||
+ | 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/ | ||
+ | gr/ | ||
+ | Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY | ||
+ | sONvRUgzEv/ | ||
+ | SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/ | ||
+ | CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/ | ||
+ | GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk | ||
+ | zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/ | ||
+ | omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD | ||
+ | -----END CERTIFICATE----- | ||
+ | --- | ||
+ | Server certificate | ||
+ | subject=/ | ||
+ | issuer=/ | ||
+ | --- | ||
+ | No client certificate CA names sent | ||
+ | Server Temp Key: ECDH, prime256v1, 256 bits | ||
+ | --- | ||
+ | SSL handshake has read 6065 bytes and written 399 bytes | ||
+ | --- | ||
+ | New, TLSv1/ | ||
+ | Server public key is 4096 bit | ||
+ | Secure Renegotiation IS supported | ||
+ | Compression: | ||
+ | Expansion: NONE | ||
+ | SSL-Session: | ||
+ | Protocol | ||
+ | Cipher | ||
+ | Session-ID: 1CB2A6EEF8A21B2239B011CFA0FF156F76A477FE8F883550762FDB0B2DACDBEC | ||
+ | Session-ID-ctx: | ||
+ | Master-Key: FFA99DDC9829B6171367B7428647D13F6D7BFA65582810158A10CEDF8B38C2295A4E6C3F8B3212672EC1974DCD1DDAB3 | ||
+ | Key-Arg | ||
+ | Krb5 Principal: None | ||
+ | PSK identity: None | ||
+ | PSK identity hint: None | ||
+ | Start Time: 1437051157 | ||
+ | Timeout | ||
+ | Verify return code: 0 (ok) | ||
+ | ---</ | ||
+ | |||
+ | Mit der Tastenkombination **Strg + c** beenden wir die Verbindung. | ||
+ | |||
+ | Im obigen Beispiel sehen wir, dass: | ||
+ | * **Protokoll**: | ||
+ | * **Cipher** | ||
+ | und als temporärer Server-Key **ECDH, prime256v1, 256 bits** verwendet wurden. | ||
+ | |||
+ | In der Logdatei unseres OpenLDAP-Servers wird der Connect entsprechend vermerkt. | ||
+ | # less / | ||
+ | |||
+ | Jul 16 14:53:37 vml000037 slapd[7346]: | ||
+ | Jul 16 14:53:37 vml000037 slapd[7346]: | ||
+ | Jul 16 14:53:45 vml000037 slapd[7346]: | ||
+ | |||
+ | ==== ldapsearch ==== | ||
+ | Beim nächsten Test verwenden wir den Befehl **ldapsearch** und richten über eine geschützte TLS-Verbindung eine Anfrage an unseren OpenLDAP-Verzeichnisdienst. | ||
+ | # ldapsearch -W -x -D cn=config -b cn=config " | ||
+ | |||
+ | Enter LDAP Password: | ||
+ | |||
+ | < | ||
+ | objectClass: | ||
+ | cn: config | ||
+ | olcArgsFile: | ||
+ | olcIdleTimeout: | ||
+ | olcPidFile: / | ||
+ | olcReferral: | ||
+ | olcTimeLimit: | ||
+ | olcTLSCACertificateFile: | ||
+ | olcTLSCACertificatePath: | ||
+ | olcTLSCertificateFile: | ||
+ | olcTLSCertificateKeyFile: | ||
+ | olcTLSCipherSuite: | ||
+ | olcTLSDHParamFile: | ||
+ | olcTLSProtocolMin: | ||
+ | </ | ||
+ | |||
+ | Der Verbindungsauf- wie auch -abbau und natürlich auch die Abfrage an sich, wird im LDAP-Log // | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Jul 16 15:49:32 vml000037 slapd[11436]: | ||
+ | Jul 16 15:49:32 vml000037 slapd[11436]: | ||
+ | Jul 16 15:49:32 vml000037 slapd[11436]: | ||
+ | Jul 16 15:49:32 vml000037 slapd[11436]: | ||
+ | Jul 16 15:49:32 vml000037 slapd[11436]: | ||
+ | Jul 16 15:49:32 vml000037 slapd[11436]: | ||
+ | Jul 16 15:49:32 vml000037 slapd[11436]: | ||
+ | Jul 16 15:49:32 vml000037 slapd[11436]: | ||
+ | |||
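Review bot: the openssl s_client test ends with `Verify return code: 0 (ok)` for a chain that terminates at the CAcert roots (depth=2 O = Root CA, depth=1 O = CAcert Inc.), which only happens when the client is pointed at a trust store containing those roots; the section should say how that was achieved on the `# openssl s_client -connect openldap.dmz.nausch.org:` line (a -CAfile/-CApath argument, or the CAcert roots installed in the system bundle), otherwise readers whose default bundle lacks CAcert will get a verify error and wrongly conclude the server is misconfigured. Two smaller points: the SSL-Session block reproduces the Session-ID and Master-Key of the test session verbatim; they only ever allow decrypting a capture of that one session, but redacting them keeps the habit of never pasting key material into documentation. The three full PEM certificate blocks (server certificate, CAcert Class 3, CAcert Root) make up most of the excerpt and are not needed to read off protocol, cipher and the `ECDH, prime256v1, 256 bits` temp key; trimming the output to the `Server certificate` and `SSL-Session` sections (or dropping -showcerts, if that is how they were produced) would make the check easier to follow. In the ldapsearch part, "Der Verbindungsauf- wie auch -abbau und natürlich auch die Abfrage an sich, wird im LDAP-Log ..." has a plural subject and needs "werden".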