OpenLDAP server: use TLS
2024-08-02
This is the resulting TLS section of /etc/openldap/slapd.d/cn=config.ldif after the parameters below have been added:
modifiersName: cn=config
modifyTimestamp: 20240802022517Z
olcSecurity: ssf=128
olcTLSCACertificateFile: /etc/ssl/cert.pem
olcTLSCertificateFile: /etc/ssl/2024/star.my.net.pem
olcTLSCertificateKeyFile: /etc/ssl/2024/star.my.net.key
olcTLSCipherSuite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
olcTLSDHParamFile: /etc/ssl/dh.pem
1、Root certificate bundles commonly found on the system (install the package, then check the paths)
apt install ca-certificates
yum install ca-certificates
/etc/pki/tls/cert.pem
/etc/ssl/cert.pem
/etc/ssl/2024/star.my.net.key
/etc/ssl/2024/star.my.net.pem
##wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/ssl/dh.pem
ls -l /etc/ssl
2、cat << EOF > add_tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/2024/star.my.net.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/2024/star.my.net.key
-
add: olcTLSCipherSuite
olcTLSCipherSuite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-
add: olcTLSDHParamFile
olcTLSDHParamFile: /etc/ssl/dh.pem
EOF
slapmodify -n 0 -F /etc/openldap/slapd.d -l add_tls.ldif
3、cat << EOF > replace_tls.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/2024/star.my.net.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/2024/star.my.net.key
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-
replace: olcTLSDHParamFile
olcTLSDHParamFile: /etc/ssl/dh.pem
EOF
slapmodify -n 0 -F /etc/openldap/slapd.d -l replace_tls.ldif
4、cat << EOF > ssf.ldif
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: ssf=128
EOF
slapmodify -n 0 -F /etc/openldap/slapd.d -l ssf.ldif
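An added example, not code from this note: a small Python parser for one LDIF "changetype: modify" record, such as the add_tls.ldif and replace_tls.ldif files above. It unfolds LDIF continuation lines (the form slapd writes into cn=config.ldif) and rejects a record whose clauses are not separated by "-", which is what makes slapmodify refuse the file. ADD_TLS and BROKEN are constructed samples.

```python
# Added example (not the note's own code): parse one LDIF "changetype: modify"
# record into its change clauses, honouring LDIF line folding (continuation
# lines start with a space) and the "-" separator between clauses.

def unfold(text):
    """Join LDIF continuation lines (leading space) onto the line before."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif raw.strip():
            out.append(raw)
    return out

def parse_modify(text):
    """Return [(op, attr, [values]), ...]; raise ValueError if malformed."""
    lines = unfold(text)
    if len(lines) < 2 or not lines[0].startswith("dn:") or lines[1] != "changetype: modify":
        raise ValueError("not a 'changetype: modify' record")
    ops, cur = [], None
    for line in lines[2:]:
        key, _, value = line.partition(":")
        if line == "-" and cur:                    # "-" closes the open clause
            ops.append(cur)
            cur = None
        elif key in ("add", "replace", "delete") and cur is None:
            cur = (key, value.strip(), [])         # start a new clause
        elif cur and key == cur[1]:                # value for the open clause
            cur[2].append(value.strip())
        else:                                      # e.g. "add:" with no "-" before it
            raise ValueError(f"unexpected line (missing '-' separator?): {line!r}")
    return ops + [cur] if cur else ops             # slapd tolerates no trailing "-"

# Constructed sample: a shortened add_tls.ldif with the cipher-suite value
# folded the way slapd writes it out.
ADD_TLS = """dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/cert.pem
-
add: olcTLSCipherSuite
olcTLSCipherSuite: ECDHE-ECDSA-AES128-GCM-SHA256:E
 CDHE-RSA-AES128-GCM-SHA256
-
add: olcTLSDHParamFile
olcTLSDHParamFile: /etc/ssl/dh.pem
"""
# The same record with the separator before the last clause dropped.
BROKEN = ADD_TLS.replace("-\nadd: olcTLSDHParamFile", "add: olcTLSDHParamFile")
```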
5、When slapd is started without the -h argument, the default endpoint is ldap:///, i.e. it listens on the standard LDAP port 389 on all network interfaces and supports StartTLS.
slapd also supports listening on the ldaps:/// endpoint, i.e. LDAP carried inside TLS, on default port 636. This form is not defined in the LDAP standard and the port number is not registered with the Internet Engineering Steering Group (IESG), so it is not recommended.
6、test_readonly (search as the read-only bind DN, requiring StartTLS with -ZZ)
ldapsearch -x -h ldap.my.net -D 'cn=readonly,dc=my,dc=net' -W -ZZ
8、If slapmodify fails with "ldif_read_file: Permission denied for /etc/openldap/slapd.d/cn=config.ldif", fix the ownership of the config file:
chown ldap.ldap /etc/openldap/slapd.d/cn=config.ldif