
CentOS 7 OpenLDAP LDAP over TLS

식빵TV 2016.10.10 10:35

OpenLDAP LDAP over TLS

Set up LDAP over TLS so that communication between the LDAP server and its clients is better protected.


1. First, create an SSL certificate (see the separate blog post).



2. LDAP server configuration.


[root@dlp ~]# cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/openldap/certs/
[root@dlp ~]# chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \
/etc/openldap/certs/ca-bundle.crt


[root@dlp ~]# vi mod_ssl.ldif
# create a new file
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key


[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"


[root@dlp ~]# vi /etc/sysconfig/slapd
# line 9: add
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
[root@dlp ~]# systemctl restart slapd




3. LDAP client configuration.


[root@www ~]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
[root@www ~]# echo "tls_reqcert allow" >> /etc/nslcd.conf
[root@www ~]# authconfig --enableldaptls --update
getsebool: SELinux is disabled


[root@www ~]# exit
logout
CentOS Linux 7 (Core)
Kernel 3.10.0-123.20.1.el7.x86_64 on an x86_64
www login: redhat
Password:
Last login: Tue Aug 19 19:55:52 on ttyS0
[redhat@www ~]$ # logged in






License: Creative Commons Attribution-NonCommercial-NoDerivatives