======LDAP Server with TLS======
在LDAP Server與LDAP Client兩者之間通訊過程中資料通常是無加密的。需透過[[wp>TLS|TLS]]或[[wp>SSL|SSL]]方式來達成秘密通訊。
  * 可以利用tcpdump指令測試Ldap Client端抓取LDAP Server端的封包為何(本測試實作承接上一篇)?
先開啟兩個終端繫面,一個用做抓取封包資料,另外一個做與LDAP SERVER之間通訊<code 1>$tcpdump -i eth0 -nn -X 'tcp port ldap'|grep -i guest8</code><code 1>$getent passwd</code><code 1>
結果
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
	0x0040:  2375 6964 3d67 7565 7374 382c 6f75 3d50  #uid=guest8,ou=P
	0x00b0:  6775 6573 7438 300e 0402 636e 3108 0406  guest80...cn1...
	0x00c0:  6775 6573 7438 3012 0409 7569 644e 756d  guest80...uidNum
	0x0130:  0c2f 686f 6d65 2f67 7565 7374 3830 3804  ./home/guest808.
	0x0040:  2375 6964 3d67 7565 7374 382c 6f75 3d50  #uid=guest8,ou=P
	0x00b0:  6775 6573 7438 300e 0402 636e 3108 0406  guest80...cn1...
	0x00c0:  6775 6573 7438 3012 0409 7569 644e 756d  guest80...uidNum
	0x0130:  0c2f 686f 6d65 2f67 7565 7374 3830 3804  ./home/guest808.
</code>
=====LDAP Server with TLS 設定檔配置=====
  - 先建立SSL憑證。可以參考此篇[[linux:Encrypt:openssl|Openssl製作簽發憑證]]
  - 將前述所建立的SSL憑證(server.key及server.crt)複製到這個目錄**/etc/openldap/cacerts/**<code>#cp -p /etc/pki/tls/certs/{server.key,server.crt} /etc/openldap/cacerts/</code>
  - 修改主要配置檔<code 1>#vim /etc/openldap/slapd.conf
~略~
moduleload smbk5pwd.la
moduleload translucent.la
moduleload unique.la
moduleload valsort.la
~略~
#大約第54列左右,增加下面兩行
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
</code>
  - 重新啟動<code 1>#/etc/init.d/ldap restart</code>
=====Ldap Client 加入 Ldap server網域=====
本實驗Client端以Centos6.0_x86_32為版本，先安裝ldap在Client所需的套件,再利用setup、system-config-authentication(GUI介面)或自行手動修改。比較推薦setup、system-config-authentication(GUI介面)等方式
  * 安裝ldap(for client)<code 1>#yum install openldap nss-pam-ldapd openldap-clients pam_ldap</code>
  * 手動設定的話需要修改幾個設定檔(/etc/openldap/ldap.conf,/etc/nslcd.conf,/etc/pam_ldap.conf,/etc/pam.d/system-auth,/etc/nsswitch.conf)
       - **/etc/openldap/ldap.conf**<code 1>#vim /etc/openldap/ldap.conf
URI     ldap://192.168.0.53
BASE    dc=example,dc=com
TLS_CACERTDIR   /etc/openldap/cacerts
TLS_REQCERT     allow
</code>
       - **/etc/nsswitch.conf**<code 1>#vim /etc/nsswitch.conf
~略~
passwd:     files ldap
shadow:     files ldap
group:      files ldap
~略~
netgroup:   files ldap
~略~
automount:  files ldap
</code>
       - **/etc/pam_ldap.conf**<code 1>#vim /etc/pam_ldap.conf
~略~
base dc=Qoop,dc=com
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://192.168.0.53/
~略~
#在檔尾增加
tls_cacertdir /etc/openldap/cacerts
pam_password md5
ssl start_tls
tls_reqcert allow
</code>
       - **/etc/pam.d/system-auth**<code 1>#vim /etc/pam.d/system-auth
~略~
auth        required      pam_ldap.so use_first_pass
~略~
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
~略~
password    sufficient    pam_ldap.so use_authtok
~略~
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077 #加入此項的功用，當/home/中沒有使用者時，會自動建立該使用者的家目錄。
</code>
       - **/etc/nslcd.conf**<code 1>#vim /etc/nslcd.conf
~略~
uri ldap://192.168.0.53/
base dc=Qoop,dc=com
ssl  start_tls
tls_reqcert     allow
</code>
       - 重新啟動nslcd<code 1>#service nslcd restart</code>
=====驗證ldap server =====
驗證ldap client與ldap server之間的通訊是否有加密
<code 1>#getent passwd</code>
<code 1>#tcpdump -i eth0 -nn -X "tcp port ldap"|grep -i guest10

無任何訊息,即表示有加密
</code>

======參考資料======
  - [[http://www.server-world.info/en/note?os=CentOS_5&p=ldap&f=3|LDAP over TLS]]
  - [[https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s2-ldap-configuration|Red-Hat  Configuring an OpenLDAP Server]]
  - [[http://www.storageonline.com.cn/rec-posts/the-ldap-authentication-the-red-hat-an-an-enterprise-linux-centos-6-2/|CentOS (RedHat) 6.2 使用 OpenLDAP ]]