Openldap Integrated windows AD Certification

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

i. The problem to solve

OpenLDAP is an open source directory service implementation, and Windows AD is Microsoft's directory service implementation. In practice some scenarios (applications, clients) integrate easily with OpenLDAP while others have to use AD, so it is almost impossible to abandon either of them. But maintaining two systems at the same time means a significant increase in maintenance work (not just double the work: account information has to be maintained and synchronized in both places) and in the probability of errors.

One of the more mature and widely used solutions is to have OpenLDAP authenticate against Windows AD, so that only one set of user passwords, the one on AD, needs to be maintained.

ii. Flow chart

As shown in the figure, the related components are divided into four parts:

1. LDAP client: the system that actually calls the LDAP service; it can also be a client program such as ldapsearch.

2. OpenLDAP server: the actual process is slapd.

3. saslauthd: the Simple Authentication and Security Layer daemon, which is installed on the OpenLDAP server.

4. Active Directory: the Windows AD domain controller; no explanation needed.

iii. Specific configuration

a. Check OpenLDAP

Check whether OpenLDAP was built with the ./configure --enable-spasswd option. Without it the userPassword: {SASL}user@domain syntax is not supported, and OpenLDAP has to be recompiled with that option.

The installation of OpenLDAP itself is not described in this article.

b. saslauthd installation and configuration

1. Install: yum install cyrus-sasl

You can list the installed files with rpm:

[root@localhost ~]# rpm -ql cyrus-sasl | grep bin
/usr/sbin/pluginviewer
/usr/sbin/saslauthd       # daemon, main program
/usr/sbin/testsaslauthd   # test program
[root@localhost ~]# rpm -ql cyrus-sasl | grep etc
/etc/rc.d/init.d/saslauthd   # startup script
/etc/sysconfig/saslauthd     # configuration file

2. [optional] Get familiar with SASL and test it on its own first

For example, run adduser blake; passwd blake to add a Linux system test account and set its password.

Configure saslauthd to use shadow authentication: edit /etc/sysconfig/saslauthd and set the MECH line to MECH=shadow (it will be changed to MECH=ldap later).

Start the saslauthd process: service saslauthd start

Test: testsaslauthd -u blake -p password

If the password is correct, authentication succeeds; if it is wrong, it fails. This confirms that SASL itself is OK. The later configuration steps are also tested and debugged with testsaslauthd. The test user can be deleted once this is verified.

3. Configure SASL to authenticate against the AD domain

[optional] First use the LDAP client to test whether the Windows AD domain is reachable and whether the user password is correct, for example:

ldapsearch -x -H ldap://192.168.0.101 -D "CN=administrator,CN=Users,DC=test,DC=com" -w password -b "DC=test,DC=com"

Here ldapsearch is the client program, the IP address is the address of Windows AD, -x selects simple authentication, the string after -D is the user DN in AD (where DC=test is the domain name of the AD domain), -w is followed by the password, and -b gives the base DN.

This command must return results; otherwise something is wrong between the LDAP client and Windows AD, and the network, user, password, DN, and so on need to be checked.

Next, configure SASL to access AD. Edit /etc/sysconfig/saslauthd again and set two lines: MECH=ldap and FLAGS="-O /etc/saslauthd2ad.conf"

Then create a new /etc/saslauthd2ad.conf with the following content:

/etc/saslauthd2ad.conf
ldap_servers: ldap://192.168.0.101
ldap_search_base: CN=Users,DC=test,DC=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=administrator,CN=Users,DC=test,DC=com
ldap_password: password
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

Another example, with two AD servers and a dedicated lookup account:

ldap_servers: ldap://192.168.0.7 ldap://192.168.0.20
ldap_search_base: DC=shuobaotang,DC=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=ldap_office,CN=Users,DC=shuobaotang,DC=com
ldap_password: *
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

The main parameters of the file:

ldap_servers: LDAP URI, the Windows AD address

ldap_bind_dn: DN used for the connection, the DN of a Windows AD user; it does not need to be an administrator

ldap_password: password of the bind DN

ldap_search_base: search base

ldap_filter: search filter; %U is the user part of the name, %u is the full user@domain

Restart the service: service saslauthd restart

Test: testsaslauthd -u administrator -p password. This now authenticates the user and password against the AD domain, and not only the administrator written into the configuration file: any AD user can be verified with testsaslauthd. You can also add users to AD or change a password to test further. Note that after a password change in AD, the old password can still be used for about 5 minutes. If verification fails, check the SASL configuration.

c. Configure OpenLDAP to use saslauthd

Add the following to the OpenLDAP configuration file /etc/openldap/slapd.conf:

sasl-host localhost
sasl-secprops none

These two lines tell OpenLDAP to use the local SASL installation.

Then modify or create the SASL configuration file for slapd, /etc/sasl2/slapd.conf:

mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

This configuration file is the front end of SASL: it means that requests from slapd are handled by saslauthd. Note that the two configuration files have the same name, but they belong to different packages. If slapd runs as a non-root OS user, add that user to the sasl group:

usermod -a -G sasl ldap

Finally, modify the user entries in OpenLDAP. For example, create a user blake in OpenLDAP and set userPassword: {SASL}blake, so that OpenLDAP forwards authentication of user blake to the SASL program, and SASL in turn forwards it to Windows AD. With that the configuration is complete.

Final test:

ldapsearch -w password1 -H ldap://192.168.0.107 -D "cn=blake,ou=users,dc=saybot,dc=com" -b "cn=blake,ou=users,dc=saybot,dc=com"

For this test command the user blake exists on both OpenLDAP and Windows AD. The IP is that of the local OpenLDAP server, and both the bind DN and the query base DN are OpenLDAP information, but the password is managed on Windows AD. If it succeeds, change the user's password on Windows AD, verify with the new password, and wait 5 minutes for the old password to expire. At this point the configuration is complete.

iv. Configure SSL/TLS support

There is a security problem with the configuration so far: the password is transmitted from OpenLDAP to Windows AD in clear text. If the link is not on an intranet, or lacks ××× protection, it can be intercepted. Moreover, two usernames/passwords actually travel between OpenLDAP and Windows AD: one is the bind user configured in saslauthd, the other is the user who is actually authenticating to OpenLDAP.

Figure: two usernames/passwords can be intercepted during one authentication, all in clear text.

There are several solutions:

· Encrypt at the network layer, outside the protocol, such as a ××× tunnel.

· Use Windows security authentication such as NTLM or Kerberos.

· Wrap the connection in SSL/TLS.

This article adopts the TLS approach.

d. Enable TLS on Windows AD

To enable TLS support in Windows AD, Active Directory Certificate Services (AD CS) must be installed first; installing the related management tools from the feature list is recommended. After installation, run certutil -dcinfo verify, then verify locally with the ldp.exe program.

Once that passes, verify remotely with ldapsearch. There are several points to pay attention to; the process is as follows:

4. Export the Windows certificate and configure it for ldapsearch

The certificate export in Windows is shown in the figure:


Transfer the exported file to the server where ldapsearch runs.

Modify the client configuration file (the LDAP client configuration file and the OpenLDAP server configuration file are different files), for example /usr/local/openldap2.4/etc/openldap/ldap.conf, adding the line:

TLS_CACERT /etc/openldap/certs/ca2.crt

5. You may need to modify /etc/hosts:

192.168.0.101 WIN-QLMQQENMPLO.test.com

The server cannot be accessed by IP address, because the client verifies that the hostname matches the name in the certificate.

Test command:

ldapsearch -x -H ldaps://WIN-QLMQQENMPLO.test.com -D "CN=blake,CN=Users,DC=test,DC=com" -w password -b "CN=administrator,CN=Users,DC=test,DC=com"

Note that the connection protocol is now ldaps, which uses port 636 by default, rather than ldap.

Continue only after this works; otherwise it is easy to run into problems later.

e. Configure TLS for SASL

Modify the configuration file /etc/saslauthd2ad.conf:

[root@localhost log]# cat /etc/saslauthd2ad.conf
ldap_servers: ldaps://WIN-QLMQQENMPLO.test.com/
ldap_search_base: CN=Users,DC=test,DC=com
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=administrator,CN=Users,DC=test,DC=com
ldap_password: password
ldap_tls_cacert_file: /etc/openldap/certs/ca-test.cer

There are two differences from the previous configuration: the protocol becomes ldaps, and the last line specifies the CA certificate. This is the certificate exported from Windows earlier. The logic is: the server uses a self-signed SSL/TLS certificate, and ldaps requires the self-signed CA certificate to be configured on the client. For the ldapsearch program that is done in ldap.conf; for SASL it is done in this file.

Verify with: testsaslauthd -u administrator -p password
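The cleartext problem described at the start of section iv and the TLS settings above can be checked mechanically. The following is an added example, not code from the article: it parses a saslauthd option file in the key: value form used above and flags an unencrypted AD link, a TLS link without a CA file, and a bind DN that uses the domain Administrator; the parser, the finding texts and the two embedded sample configurations are constructed for illustration.

```python
# Audit a saslauthd LDAP option file (the /etc/saslauthd2ad.conf above) for the
# cleartext-credential problem described in section iv. Added example, not part
# of the article; parser, messages and the two sample configs are constructed.

def parse_saslauthd_conf(text):
    """Read 'key: value' lines; keys are case-insensitive, '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def audit(conf):
    """Return (severity, message) findings for the saslauthd-to-AD link."""
    findings = []
    servers = conf.get("ldap_servers", "").split()
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    for uri in servers:
        # Both the bind-DN password and every user's password cross this link.
        if uri.lower().startswith("ldap://") and not start_tls:
            findings.append(("high", uri + ": passwords sent in clear text; "
                             "use ldaps:// or ldap_start_tls: yes"))
    uses_tls = start_tls or any(u.lower().startswith("ldaps://") for u in servers)
    if uses_tls and not conf.get("ldap_tls_cacert_file"):
        findings.append(("medium", "TLS used but no ldap_tls_cacert_file; "
                         "the self-signed AD CA cannot be trusted"))
    if conf.get("ldap_bind_dn", "").lower().startswith("cn=administrator,"):
        findings.append(("medium", "bind DN is the domain Administrator; "
                         "a low-privilege lookup account is enough"))
    return findings

# Constructed copies of the two configurations shown in the article.
CLEARTEXT_CONF = """\
ldap_servers: ldap://192.168.0.101
ldap_search_base: CN=Users,DC=test,DC=com
ldap_bind_dn: CN=administrator,CN=Users,DC=test,DC=com
ldap_password: password
"""

TLS_CONF = """\
ldap_servers: ldaps://WIN-QLMQQENMPLO.test.com/
ldap_search_base: CN=Users,DC=test,DC=com
ldap_bind_dn: CN=svc_ldap_lookup,CN=Users,DC=test,DC=com
ldap_password: password
ldap_tls_cacert_file: /etc/openldap/certs/ca-test.cer
"""
```

Running audit(parse_saslauthd_conf(open("/etc/saslauthd2ad.conf").read())) on a real file prints nothing for the TLS configuration above and one high finding for the section iii one.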

f. Configure TLS for OpenLDAP

The OpenLDAP server can also be configured with TLS; the configuration file is slapd.conf, for example /usr/local/openldap2.4/etc/openldap/slapd.conf. Add 3 lines:

TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key.pem

The first line is the CA certificate used for self-signing (it need not be local; the Windows server from before can be used to sign the certificate), the second line is the local server certificate, and the third line is the local server certificate's private key. Certificate concepts are not explained in detail here.

After that, start slapd with TLS enabled: slapd -4 -h "ldap:/// ldaps:///"

Verifying OpenLDAP TLS is particularly troublesome here.

First run openssl s_client -connect localhost:636 to see whether the certificate is correct.

Then configure ldapsearch: 1. Merge the certificates: the file named by the TLS_CACERT parameter in ldap.conf must contain both CA certificates (the Windows one from before and the one that issued the OpenLDAP certificate); simply concatenate them with cat. 2. Modify /etc/hosts: 192.168.0.107 ldap

Test command: ldapsearch -w password -H ldaps://ldap -D "cn=blake,ou=users,dc=saybot,dc=com" -b "cn=blake,ou=users,dc=saybot,dc=com"

g. Concept summary

The overall TLS configuration is troublesome. Keep the following concepts in mind:

· The LDAP protocol uses port 389 in plaintext; the TLS-encrypted protocol is ldaps, on port 636.

· To enable ldaps (TLS) on Windows AD, install the Active Directory Certificate Services (AD CS) role.

· There are two kinds of certificates: 1. the server certificate and 2. the CA certificate that issued the server certificate.

· In the self-signed case, the client additionally needs the CA certificate (the second kind) configured.
