TLS configuration
The setup itself is simple, but I forget it right away, so I am writing it down.
Creating certificates for TLS
Create a CA certificate and a server certificate however you like.
$ ./publish_certiticate.rb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca.example.com
        Validity
            Not Before: Jan 30 15:00:00 2012 GMT
            Not After : Jan 30 15:00:00 2014 GMT
        Subject: CN=ca.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:de:f7:87:72:36:95:49:28:30:52:a3:9f:e4:
                    1f:36:1d:96:a7:70:62:a6:72:43:6a:05:43:1c:dd:
                    bb:93:83:6e:6e:29:a8:c0:f4:8f:fa:ad:4b:89:e7:
                    f0:80:c6:fc:6c:b8:b1:a1:03:93:8b:03:a6:d6:2b:
                    e4:16:e3:c4:29:db:8c:dc:d2:ed:e4:17:08:22:36:
                    26:39:75:06:36:1e:d1:7e:c5:db:de:7b:b0:82:9e:
                    88:38:ca:d3:18:1e:91:2a:47:4c:31:6e:43:08:78:
                    6a:27:36:67:d8:9b:cc:0f:7c:93:05:d3:8c:a2:0d:
                    e6:20:04:20:ef:0b:4d:58:22:00:12:81:97:da:22:
                    12:d2:d2:fa:64:75:7e:51:67:df:fb:40:59:76:75:
                    15:05:e1:73:1c:59:ef:02:f9:00:bf:d8:5d:92:b4:
                    f9:a5:34:1e:82:cf:d7:a0:51:4f:f8:71:90:af:e3:
                    9c:0f:53:bd:68:5d:db:dd:c5:6b:15:a4:36:f4:a1:
                    8f:38:1c:42:1d:77:b5:aa:f3:fb:db:64:e8:18:d3:
                    35:6d:2f:ad:3a:9a:d3:17:4d:e1:00:6a:bf:f6:c0:
                    34:d3:0b:d0:01:83:72:f7:84:6d:45:06:13:eb:85:
                    fc:a4:7b:52:0a:c6:07:22:99:34:0d:65:f8:a2:86:
                    1d:2b
                Exponent: 65567 (0x1001f)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
         11:fa:48:22:1a:13:64:a9:0b:a4:10:82:2e:e8:e3:f0:a4:37:
         ba:14:bd:ba:4a:6c:e3:16:ed:12:94:c0:37:f1:57:eb:1a:fe:
         ea:8f:6a:ec:ed:5c:0d:30:6f:8c:e8:85:8b:d4:be:81:70:bf:
         e2:87:b9:e8:e2:2c:59:ef:d3:87:e8:dd:77:c6:38:a9:cb:dd:
         1d:e4:cf:08:1b:df:1c:0f:a9:4a:e0:0a:fc:c9:0d:b2:a3:f8:
         46:c1:cd:7e:bc:1b:da:67:09:9a:30:7c:fa:c5:08:39:23:49:
         e6:78:b3:75:12:9f:94:ab:82:a0:2f:66:6d:d8:0f:77:f5:b8:
         6d:5f:3f:4a:f0:f8:0c:cb:dc:f5:2d:da:d5:19:80:82:7b:42:
         66:c5:01:4a:0f:41:06:3d:6b:24:79:c1:c1:66:09:89:c8:eb:
         46:e2:a1:f0:2e:4e:99:cd:17:e4:70:fe:69:eb:bc:77:be:e7:
         d0:8e:53:93:ca:04:11:63:c7:6f:55:4f:60:75:5c:e1:72:53:
         fd:24:46:0f:af:bb:5d:68:dd:fb:13:69:91:32:41:c9:f1:71:
         c9:82:48:1d:9d:dd:5b:16:7f:4a:39:f0:a2:db:0a:dd:8f:01:
         c6:ae:89:c7:b4:c9:28:5f:48:5f:b1:f4:cc:d9:0d:97:2d:3f:
         92:27:7e:6e
Certificate Request:
    Data:
        Version: 1 (0x1)
        Subject: CN=ldap.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9f:16:fc:a5:82:82:9f:5f:92:f7:66:f8:60:16:
                    d6:a2:11:ae:02:8a:27:b7:0c:58:9a:4a:1d:fb:7e:
                    8b:21:20:88:55:7a:33:57:da:24:ef:88:10:36:f8:
                    12:46:0d:26:85:be:e1:5f:ff:39:28:b7:91:24:4b:
                    f4:bf:51:ff:82:f0:5a:49:5a:3c:d1:ec:bc:ef:82:
                    00:1b:48:8a:41:93:d6:6e:00:ed:f9:c5:4d:8f:1c:
                    fe:2c:09:a7:d4:8b:8c:f6:b9:61:6d:1e:64:69:5b:
                    0c:f0:00:69:02:30:19:09:62:78:cc:62:aa:0d:ba:
                    d5:15:0f:62:01:f7:1e:12:3a:78:aa:a7:96:3a:9b:
                    3f:cc:8a:f0:49:d5:08:d7:04:ce:49:81:6d:f9:c1:
                    96:9a:0f:25:40:b2:f8:b6:61:59:a5:f1:6e:3f:6a:
                    26:82:b8:fd:e3:e0:1e:ba:3a:ab:bd:a7:56:e5:af:
                    f5:f7:ad:6b:30:aa:9c:40:b4:7a:56:b6:99:2a:0e:
                    48:b0:c5:da:42:fc:d1:e6:6d:28:a8:63:02:81:1e:
                    f3:0e:07:88:fc:6d:d6:fd:2a:14:ea:2a:3e:52:6a:
                    7a:19:e4:29:71:02:d9:12:dc:0f:d6:60:ef:00:be:
                    a1:9a:8b:3e:f7:7b:1a:eb:a8:d9:d8:81:99:ac:86:
                    bb:2b
                Exponent: 65567 (0x1001f)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         91:82:3a:8e:12:c0:b4:51:6c:85:f3:cc:73:a1:40:8b:e4:27:
         96:8b:e4:9d:73:e0:a8:e1:a8:85:25:72:90:37:43:67:13:62:
         94:ca:99:4d:ee:9e:f0:18:0e:34:b9:32:a2:93:10:15:50:62:
         3e:3a:92:52:c2:be:30:c4:50:88:2a:32:38:67:f2:90:d2:d2:
         73:fa:4c:95:16:e7:38:47:7d:ee:40:99:84:a3:df:a6:b1:8f:
         ac:5a:c7:ad:81:c3:c5:0b:86:e7:47:d5:eb:fa:cf:8b:b0:2f:
         58:fa:44:7f:e3:38:1b:7f:01:e7:f6:e2:7c:28:01:d3:50:d2:
         4a:00:4e:39:f6:7f:2f:e6:c2:e9:9c:de:87:30:b5:97:ca:80:
         b9:a3:c2:89:05:77:5e:77:1f:47:05:d3:26:90:9a:e7:df:f4:
         46:1b:78:1f:ee:d5:da:07:ce:d3:0d:0b:33:f4:70:45:9d:34:
         b8:bc:e1:95:c8:c6:19:46:eb:5f:6d:85:f6:59:fb:ef:51:ba:
         a8:ed:f6:5d:b6:94:ad:11:71:ff:ff:1e:f8:60:44:71:9b:a3:
         63:9d:e7:86:30:07:6e:10:e5:ab:0d:50:70:d1:4a:82:0e:54:
         b3:f0:4b:b4:49:2b:32:2c:ac:39:c2:8b:b1:3d:02:0f:43:be:
         d1:c6:61:f5
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca.example.com
        Validity
            Not Before: Jan 30 15:00:00 2012 GMT
            Not After : Jan 30 15:00:00 2013 GMT
        Subject: CN=ldap.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9f:16:fc:a5:82:82:9f:5f:92:f7:66:f8:60:16:
                    d6:a2:11:ae:02:8a:27:b7:0c:58:9a:4a:1d:fb:7e:
                    8b:21:20:88:55:7a:33:57:da:24:ef:88:10:36:f8:
                    12:46:0d:26:85:be:e1:5f:ff:39:28:b7:91:24:4b:
                    f4:bf:51:ff:82:f0:5a:49:5a:3c:d1:ec:bc:ef:82:
                    00:1b:48:8a:41:93:d6:6e:00:ed:f9:c5:4d:8f:1c:
                    fe:2c:09:a7:d4:8b:8c:f6:b9:61:6d:1e:64:69:5b:
                    0c:f0:00:69:02:30:19:09:62:78:cc:62:aa:0d:ba:
                    d5:15:0f:62:01:f7:1e:12:3a:78:aa:a7:96:3a:9b:
                    3f:cc:8a:f0:49:d5:08:d7:04:ce:49:81:6d:f9:c1:
                    96:9a:0f:25:40:b2:f8:b6:61:59:a5:f1:6e:3f:6a:
                    26:82:b8:fd:e3:e0:1e:ba:3a:ab:bd:a7:56:e5:af:
                    f5:f7:ad:6b:30:aa:9c:40:b4:7a:56:b6:99:2a:0e:
                    48:b0:c5:da:42:fc:d1:e6:6d:28:a8:63:02:81:1e:
                    f3:0e:07:88:fc:6d:d6:fd:2a:14:ea:2a:3e:52:6a:
                    7a:19:e4:29:71:02:d9:12:dc:0f:d6:60:ef:00:be:
                    a1:9a:8b:3e:f7:7b:1a:eb:a8:d9:d8:81:99:ac:86:
                    bb:2b
                Exponent: 65567 (0x1001f)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:5B:E8:5E:3F:23:05:33:C1:E9:9F:F4:88:8B:DD:C5:B3:83:5F:3E:29
            X509v3 Subject Key Identifier:
                B2:96:4C:07:DE:EC:12:63:2B:46:E4:69:2D:70:B2:83:DE:C5:DB:F2
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ca.example.com/crl/example.crl
    Signature Algorithm: sha1WithRSAEncryption
         30:64:a7:72:14:e8:57:db:5b:b6:77:04:03:71:cf:85:af:75:
         15:65:49:5c:6c:e8:c0:e4:1f:02:f2:3b:c4:d6:6e:de:f2:be:
         71:5e:e1:b7:12:31:21:a3:54:b2:17:f6:37:ff:1b:7b:f1:d5:
         19:e7:ff:e2:a7:61:b6:79:d9:2a:fd:29:21:45:16:d3:6e:49:
         41:17:e0:86:65:23:f0:bc:6d:22:02:58:ed:39:51:92:c1:61:
         d5:06:98:04:bf:28:a7:2a:9f:fe:e0:82:bf:73:a6:c4:50:4d:
         eb:8d:53:3c:6b:d4:a5:b5:4f:32:c2:51:38:bd:4f:ef:60:01:
         99:2a:52:85:f6:bb:0e:4c:b2:21:2d:56:cc:9b:50:56:c7:41:
         3f:db:b9:b6:54:3e:3c:8a:d1:48:42:2e:fd:8c:74:7a:c9:4c:
         6c:37:98:db:29:3f:81:3a:66:44:83:e5:8e:81:ce:b8:70:fb:
         fd:f0:3d:99:e5:3d:ec:ff:28:fa:53:ac:eb:66:80:60:b2:dd:
         4e:e9:62:bd:8c:0f:68:30:8f:65:8d:63:f5:9e:97:0a:03:b1:
         6b:f6:3a:1b:6b:34:96:3b:9d:d8:57:73:01:8d:04:fd:6f:74:
         e0:34:31:87:5b:15:46:ea:37:2f:f2:b2:fa:01:b8:2c:36:c9:
         b9:27:18:cd
I have not verified this, but I think TLS Web Server Authentication is required.
Server-side configuration
suffix, rootdn and so on use the same settings as last time.
slapd.conf
Set the following.
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/key.pem
I do not know what TLSCACertificateFile is used for …
Startup
Start slapd.
# service slapd start
Client-side configuration
/etc/openldap/ldap.conf
Add TLS_CACERT.
TLS_CACERT specifies the CA certificate used to verify the server certificate.
(Probably for verifying the server certificate, I guess.)
TLS_CACERT /etc/openldap/certs/ca.pem
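As an added example (my own code, not the page's publish_certiticate.rb and not anything shipped with OpenLDAP), the Ruby script below ties the certificate section and the two configuration sections together. It builds a CA and a server certificate with the extensions the dump above shows (CA:TRUE with Certificate Sign/CRL Sign on the CA; CA:FALSE, Authority/Subject Key Identifier, TLS Web Server Authentication plus TLS Web Client Authentication, and the CRL distribution point on the server certificate), pairs certificate and key the way TLSCertificateFile/TLSCertificateKeyFile do, and then runs an in-process TLS handshake in which the client trusts only the CA, which is what the TLS_CACERT line amounts to: the handshake succeeds for the CA-issued certificate and fails when the CA in the trust store is a different one or when the host name does not match. Assumptions: 2048-bit keys with the default exponent, SHA-256 signatures (current OpenSSL releases refuse the sha1WithRSAEncryption signatures in the dump during a TLS handshake at their default security level), 365-day validity, a loopback ephemeral port instead of 636, and a subjectAltName on the server certificate, which the page's certificate does not carry.

```ruby
require 'openssl'
require 'socket'

# Added example, not the page's publish_certiticate.rb: a CA and a server certificate
# carrying the extensions the page's dump shows, then an in-process TLS handshake
# that exercises what TLSCertificateFile/TLSCertificateKeyFile (server) and
# TLS_CACERT (client) do.  Assumptions: 2048-bit keys, SHA-256, 365-day validity,
# a loopback port instead of 636, and a subjectAltName (the page's cert has only a CN).

DAYS = 365

# Unsigned v3 certificate skeleton shared by the CA and the server certificate.
def new_cert(subject_cn, issuer_cert, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                   # X.509 v3 is encoded as 2
  cert.serial     = OpenSSL::BN.rand(127)               # random positive serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + DAYS * 86_400
  cert
end

# CA: self-signed, "CA:TRUE" and "Certificate Sign, CRL Sign" as in the page's dump.
def build_ca(cn = "ca.example.com")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(cn, nil, key)
  ef   = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Server cert issued by the CA: CA:FALSE, AKI/SKI, "TLS Web Server Authentication,
# TLS Web Client Authentication", the CRL distribution point, plus a SAN for the host.
def issue_server_cert(ca_cert, ca_key, cn = "ldap.example.com")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(cn, ca_cert, key)
  ef   = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth,clientAuth"))
  cert.add_extension(ef.create_extension("crlDistributionPoints",
                                         "URI:http://ca.example.com/crl/example.crl"))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Server side set up like slapd with TLSCertificateFile/TLSCertificateKeyFile; client
# side set up like ldap.conf with TLS_CACERT: trust only ca_cert, require a valid chain
# and a matching host name.  Returns true when the client accepts the server.
def tls_handshake_ok?(server_cert, server_key, ca_cert, hostname)
  raise "certificate and key do not match" unless server_cert.check_private_key(server_key)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.add_certificate(server_cert, server_key)
  listener = TCPServer.new("127.0.0.1", 0)              # ephemeral port stands in for 636
  acceptor = Thread.new do
    begin
      OpenSSL::SSL::SSLServer.new(listener, sctx).accept.close
    rescue StandardError
      nil                                               # client rejected the certificate
    end
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store      = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  cctx.verify_hostname = true
  sock = TCPSocket.new("127.0.0.1", listener.addr[1])
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, cctx)
  ssl.hostname = hostname                               # SNI and the name to verify
  ssl.connect
  ssl.close
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  sock&.close
  acceptor&.join(5)
  listener&.close
end

if $PROGRAM_NAME == __FILE__
  ca, ca_key   = build_ca
  srv, srv_key = issue_server_cert(ca, ca_key)
  puts srv.to_text                                      # same layout as the page's dump
  other_ca, _  = build_ca("other.example.com")
  puts "issuing CA in TLS_CACERT, right host:  #{tls_handshake_ok?(srv, srv_key, ca, 'ldap.example.com')}"
  puts "other CA in TLS_CACERT, right host:    #{tls_handshake_ok?(srv, srv_key, other_ca, 'ldap.example.com')}"
  puts "issuing CA in TLS_CACERT, wrong host:  #{tls_handshake_ok?(srv, srv_key, ca, 'other.example.com')}"
end
```

Running the script prints the server certificate in the same text layout as the dump above, followed by true, false, false. The two failures are what an ldaps:// client sees when the CA file named by TLS_CACERT does not contain the issuing CA, or when the host name in the URI does not match the certificate. On the slapd side, per slapd.conf(5), TLSCACertificateFile lists the CAs that slapd itself recognizes, which comes into play when slapd verifies client certificates (TLSVerifyClient); the setting that verifies the server is the client's TLS_CACERT.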
Running it
With the above, the configuration is complete.
Check for LISTEN with netstat.
# netstat -a | grep ldaps
tcp        0      0 *:ldaps                 *:*                     LISTEN
tcp        0      0 *:ldaps                 *:*                     LISTEN
(The ldaps port number is 636.)
It seems to be running, so try running ldapsearch.
ldapsearch
The only difference from ldap:// is that the URI scheme given on the command line changes from ldap to ldaps.
# ldapsearch -x -H ldaps://ldap.example.com -D 'cn=Manager,dc=ldap,dc=example,dc=com' -W -b 'dc=ldap,dc=example,dc=com' '(objectClass=*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# ldap.example.com
dn: dc=ldap,dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: organization
dc: ldap

# person, ldap.example.com
dn: ou=person,dc=ldap,dc=example,dc=com
objectClass: organizationalUnit
ou: person

# hexa, person, ldap.example.com
dn: cn=hexa,ou=person,dc=ldap,dc=example,dc=com
objectClass: person
cn: hexa
sn: blog
userPassword:: e1NTSEF9Tm9rQnBiYXc2MXpwRTRBUVRuQXo1cmxRM0lIT2hvbXE=

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3