
OpenLDAP

davinchi (davinchi@zu.org.ru boldin.pavel@gmail.com)


Anton Gorlov (gorlov@pnz.ru)
Andrey Chesnokov (aacchhee@gmail.com)
Open LDAP , :


,
Samba
Postfix (not implemented)

PAM_LDAP NSS_LDAP

openldap-server

PAM pam_ldap
ldap
nss_ldap

PAM_LDAP -> PAM_TCB

ACL
(TLS)
.
Sisyphus
slapd.conf
ldap.conf openldap
SAMBA PDC+LDAP+TLS
Squid+LDAP+TLS

, , LDAP.
: , :)

nirvana.home.

PAM_LDAP NSS_LDAP
openldap.
(, , , shell)
LDAP .

/etc/passwd /etc/shadow (, ,
), ,
openldap.


: ALM2.4 Sisyphus.
:
client1 # apt-get install pam_ldap nss_ldap
ldap
ldapserver # apt-get install openldap-servers

openldap-server
ldap-, :
1. /etc/openldap/slapd.conf database
2. suffix ,
suffix "dc=<youhostname>,dc=<youdomainname>"
( )
suffix "dc=nirvana,dc=home"
1. rootdn .
dn, .
rootpw: store it as a hash generated with slappasswd (e.g. {SSHA}...) rather than in cleartext, make sure slapd.conf is readable only by root and the slapd user, and choose a strong random value (pwgen) -- or avoid a static rootpw altogether and authenticate the administrator with SASL + Kerberos.
2. directory ldap:

directory /var/lib/ldap/bases/nirvana.home
(ACL) , .
1. slapd (# service slapd start)

LDAP c , , LDAP
public interface:
[root@huygens sysconfig]# netstat -al | grep LISTEN tcp 0 0 *:ldap *:* LISTEN
tcp

0 *:ldap

*:*

LISTEN

branch4.0 LDAP loopback- SSL.


/etc/sysconfig/ldap:
########################################
# SLAPD Proccess options
########################################
# SLAPD URL list
#SLAPDURLLIST="ldap://localhost/"
SLAPDURLLIST="'ldap://localhost/ ldaps:///'"
#SLAPDURLLIST="'ldap:/// ldaps:///'"
SLAPD_OPTIONS=""
SSL.
branch4.0 ldap tty12.
, /etc/syslog.conf :
[root@huygens ~]# cat /etc/syslog.conf | grep ldap
local4.*

-/var/log/ldap/slapd.log

syslogd.
:
newentry.ldif:
dn: dc=nirvana,dc=home
objectClass: organization
objectClass: dcObject
dc: nirvana
o: home

dn: ou=People,dc=nirvana,dc=home
objectClass: organizationalUnit
ou: People
dc=nirvana,dc=home suffix ( ).
objectClass ,
o: home.

, (
, ou=People ou=accounts).
ldap.
# ldapadd -x -f newentry.ldif -h <slapd host> -D <rootdn> -W
-W prompts for the password on the terminal. -w <rootpw> puts the directory's root password on the command line, where it is visible to every local user in `ps` output and is saved in the shell history -- use it only in scripts that read the password from a protected file. Both options belong to ldapadd from the openldap-clients package.
:
# ldapadd -x -f newentry.ldif -h localhost -D cn=admin,dc=nirvana,dc=home -w secret
:
adding new entry "dc=nirvana, dc=home"
adding new entry "ou=People,dc=nirvana,dc=home"
, gq,
shadow/tcb migration-tools
tcb ( ??).
.
tcb, tcb shadow
tcb_unconvert tcb-utils.
( )
# cd /usr/share/openldap/migration
# edit migration_common.ph
.... set $DEFAULT_BASE to you rootdn...
# ./migrate_passwd.pl /etc/passwd > ~/accounts.ldif
accounts.ldif LDIF
Open LDAP.
accounts.ldif ,
.
:
# ldapadd -f ~/accounts.ldif -h ' slapd' -p 389 -x -D < rootdn> -w < rootpw>
, :
ldapserver# service slapd stop
ldapserver# slapadd -b < suffix> -l ~/accounts.ldif
, ldap.
.


nss_ldap pam_ldap.
ALM2.4 :
/etc/ldap.conf ( /etc/openldap/ldap.conf).
sisyphus :
/etc/nss_ldap.conf /etc/pam_ldap.conf
:
#
# ( , ,
# )
base <suffix>
# Universal Resource Identifier - ldap
# , <protocol>://<hostname>/
# ldap ( ),
# ldaps ( SSL/TLS). ( )
uri <uri to ldapserver>
# , "" (bind)
# ldap , -
#
binddn <DN to bind with>
# - DN root.
# , ( ) .
# ( passwd <username> - root
rootbinddn <dn to bind as root>
# ldap , 389 ldap,
# 636 ldaps ( , ldap server)
port <port number>
# , :
# sub -
# base -
# one - ?
scope <scope for search>

#.....
# ,
#.....

# ,
# uid=%s
# ,
# ( openldap)
# :
# pam_filter allow_server_login=1
pam_filter <filter>
# , , uid
# ( )
pam_login_attribute <login attribute>
# groupname
# .
#pam_groupdn cn=<groupname>,ou=Groups,dc=nirvana,dc=home
# pam_groupdn
#pam_member_attribute

# uid
# , pam_ldap
pam_min_uid <number>
pam_max_uid <number>

# ,
# pam_ldap openldap .
# : clear crypt nds ad exop
# _clear_, ,
#
# OpenLDAP migration-tools
# tcb --

# crypt, , tls/ssl.
pam_password < >
# ,
# url,
# ( ldapv3 - kpasswd)
pam_password_prohibit_message
#............
# ,
#............
# ,
#
# nss_base_passwd - passwd
# nss_base_shadow - shadow
# nss_base_group - group
nss_base_passwd

ou=People,<suffix>

nss_base_shadow

ou=People,<suffix>

nss_base_group

ou=Group,<suffix>

# TLS/SSL
# TLS/SSL
#.....
, :
( )
base dc=nirvana,dc=home
uri ldaps://nirvana.home/
rootbinddn cn=admin,dc=nirvana,dc=home
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
nss_base_passwd

ou=People,dc=nirvana,dc=home

nss_base_shadow

ou=People,dc=nirvana,dc=home

nss_base_group

ou=Group,dc=nirvana,dc=home

# Uncomment the three lines below as soon as the CA certificate is in place:
# with uri ldaps:// but without "tls_checkpeer yes" the server certificate
# may not be verified at all, and a man-in-the-middle can present its own
# certificate and collect bind passwords (see the TLS section).
#ssl on
#tls_checkpeer yes
#tls_cacertfile /etc/openldap/ssl/cacert.pem

PAM pam_ldap
pam pam_ldap , '>'
/etc/pam.d/system-auth
#%PAM-1.0
> auth sufficient /lib/security/pam_ldap.so
auth

required

> account

pam_tcb.so shadow fork prefix=$2a$ count=8 nullok use_first_pass

sufficient /lib/security/pam_ldap.so

account required

pam_tcb.so shadow fork use_first_pass

password required
pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4
similar=deny random=42 enforce=users retry=3
> password

sufficient /lib/security/pam_ldap.so use_authtok

password required
use_first_pass
> session

pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb

optional /lib/security/pam_ldap.so

session required

pam_tcb.so

sessionrequired

/lib/security/pam_mkhomedir.so skel=/etc/skel.ru_RU.KOI8-R/ umask=0077

session required

pam_limits.so

, sshd ALT Linux Master 2.4.


( ), pam_mkhomedir
account:
> account required /lib/security/pam_mkhomedir.so skel=/etc/skel.ru_RU.KOI8-R/ umask=0077
(!), account- .

sshd (- pam_userpass)
xscreensaver (- <PAMROOT>/system-auth-user_first_pass)
/etc/pam.d/sshd
#%PAM-1.0
auth

required

pam_userpass.so

> auth

sufficient

pam_ldap.so use_first_pass

auth required
use_first_pass

pam_tcb.so shadow fork prefix=$2a$ count=8 nullok nodelay blank_nolog
(nullok lets an account whose local password hash is empty log in without any password; drop it from the sshd stack unless that is intended)

auth

pam_nologin.so

required

account include

system-auth

password include

system-auth

session include

system-auth

/etc/pam.d/system-auth-use_first_pass
#%PAM-1.0
> auth sufficient

/lib/security/pam_ldap.so

auth

pam_tcb.so shadow fork prefix=$2a$ count=8 nullok use_first_pass

required

> password

sufficient

password required

use_first_pass

/lib/security/pam_ldap.so

use_first_pass

pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb

ldap
, - ldap.
( .)
/etc/pam.d/passwd .
#%PAM-1.0
auth

sufficient

/lib/security/pam_ldap.so

account sufficient /lib/security/pam_ldap.so


password required
pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4
similar=deny random=42 enforce=users retry=3
password sufficient /lib/security/pam_ldap.so
When rootbinddn is set in /etc/ldap.conf, the password for that DN is read from /etc/ldap.secret (on Sisyphus: /etc/pam_ldap.secret), so that root can change any user's password with `passwd <username>` without knowing the old one. That file holds an LDAP administrative password in cleartext: it must be owned by root with mode 0600, because anyone who can read it can bind as rootbinddn and reset every password in the directory.
, , ldapadd gq
.
: /etc/pam.d/passwd :
#%PAM-1.0
auth

include

system-auth

account include

system-auth

password include

system-auth

session required

pam_deny.so

c ,
/etc/pam.d/system-auth.

nss_ldap
NSS , glibc,
(files, dns, nis, nisplus, ldap).
, nss_ldap, /etc/nsswitch.conf
.
passwd, shadow group .
#LDAP
passwd:

files ldap nisplus nis

shadow:

tcb ldap files nisplus nis

group:

files ldap nisplus nis

: , ldap ,
(rpm, sh, vi) segfault.

file:///usr/share/doc/nss_ldap-220/README.ALT

.
ldap ( vasya pupkin :-) ).
(, gq ldapadd).
:
( # root, $ )
0. $ ldapsearch -x -H 'ldap://<hostname>/' -d -1   (-H takes a URI; -h takes a bare hostname only)
1. # id vasya
2. # su vasya
3. # ssh vasya@localhost
4. vasya$ id vasya
5. vasya$ stat .
6. vasya$ exit
7. # su <user not in ldap>

8. user$ id vasya
9. user$ su vasya
10. user$ ssh vasya@localhost
:
0: acl uri
1: /etc/nsswitch.conf , nss_ /etc/ldap.conf
2: vasya (
pam_mkhomedir), pam.d/system-auth
3: vasya (
pam_mkhomedir), sshd, (, ?)
4: /etc/ldap.conf
/etc/openldap/ldap.conf ( , tls/ssl)
5: ( ) owner group.
6: :-).
7: :-).
8: 4.
9: /etc/nsswitch.conf /etc/ldap.conf.
10: .
-: , uri /etc/ldap.conf,
acl ldap .

PAM_LDAP -> PAM_TCB


, ldap ,
pam_tcb ( pam)
perl , (, , perl-ldap,
15 Mb ( perl -
)).
!
#!/usr/bin/perl
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

use Net::LDAP;
use strict;

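# Configuration is taken from the environment; every setting has a default so
# the script can be run by hand (e.g. TCB_ROOT=/etc/tcb PASSWD=/etc/passwd).
my $TCB_ROOT       = $ENV{TCB_ROOT};       # root of the tcb tree to (re)write
my $PASSWD         = $ENV{PASSWD};         # passwd file to rewrite
my $BASEDN         = $ENV{BASEDN};         # search base
my $FILTER         = $ENV{FILTER};         # extra filter, AND-ed with (objectClass=posixAccount)
my $BINDDN         = $ENV{BINDDN};         # DN allowed to read userPassword
my $PASSWORD       = $ENV{PASSWORD};       # its password -- from the environment, never argv
my $URI            = $ENV{URI};            # ldap:// or ldaps:// URI of the server
my $VERIFY         = $ENV{VERIFY};         # Net::LDAP TLS "verify" mode
my $CAFILE         = $ENV{CAFILE};         # CA certificate used for ldaps://
my $MIN_UID_NUMBER = $ENV{MIN_UID_NUMBER}; # uid range that belongs to LDAP
my $MAX_UID_NUMBER = $ENV{MAX_UID_NUMBER};

# Unset and empty are treated alike (the old code only tested eq "" and
# relied on undef stringifying to "").
$TCB_ROOT = "$ENV{HOME}/etc/tcb"    unless defined $TCB_ROOT && $TCB_ROOT ne "";
$PASSWD   = "$ENV{HOME}/etc/passwd" unless defined $PASSWD   && $PASSWD   ne "";
$BASEDN   = "dc=nirvana,dc=home"    unless defined $BASEDN   && $BASEDN   ne "";
$BINDDN   = "cn=tcb,$BASEDN"        unless defined $BINDDN   && $BINDDN   ne "";
# NOTE: a plain ldap:// URI sends the bind password and every password hash
# unencrypted; point URI at ldaps:// (or a loopback-only server) in production.
$URI      = "ldap://ldap.server/"   unless defined $URI      && $URI      ne "";
# SECURITY: the old default was "never", which accepted any certificate on
# an ldaps:// connection and so exposed the bind password and all hashes to
# a man-in-the-middle. Verification is now on by default; set VERIFY=never
# explicitly if the old behaviour is really wanted.
$VERIFY   = "require"               unless defined $VERIFY   && $VERIFY   ne "";
$CAFILE   = "/etc/openldap/ssl/cacert.pem"
                                    unless defined $CAFILE   && $CAFILE   ne "";
$MIN_UID_NUMBER = 500               unless defined $MIN_UID_NUMBER && $MIN_UID_NUMBER ne "";
$MAX_UID_NUMBER = 65535             unless defined $MAX_UID_NUMBER && $MAX_UID_NUMBER ne "";

# Without a password the bind is unauthenticated; with the ACL suggested in
# this document userPassword is then not readable, so no shadow entries
# would be produced. Say so instead of failing silently later.
warn "PASSWORD is not set: bind as $BINDDN will be unauthenticated "
   . "and userPassword will probably not be readable\n"
    unless defined $PASSWORD && $PASSWORD ne "";

my @passwd;   # passwd(5) lines collected by add_passwd()
my %shadow;   # login name -> tcb shadow line, collected by add_shadow()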
# Resolve a login name to its numeric uid through getpwnam(); undef if the
# name is unknown to NSS.
sub getuid
{
    my ($login) = @_;
    my @pw = getpwnam($login);
    return @pw ? $pw[2] : undef;
}
# Resolve a group name to its numeric gid through getgrnam(); undef if the
# group is unknown to NSS.
sub getgid
{
    my ($group) = @_;
    my @gr = getgrnam($group);
    return @gr ? $gr[2] : undef;
}
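# Build one passwd(5) line from an LDAP posixAccount entry and queue it in
# @passwd. The password field is always "x": the hash goes to tcb instead.
# Entries without a login name or a numeric uidNumber are skipped.
sub add_passwd
{
    my ($e) = @_;
    my @fields = map {
        my $v = $e->get_value($_);
        defined $v ? $v : "";
    } qw(uid uidNumber gidNumber gecos homeDirectory loginShell);

    unless ($fields[0] ne "" && $fields[1] =~ /^\d+$/) {
        warn "skipping " . $e->dn() . ": missing uid or uidNumber\n";
        return;
    }
    # gecos and loginShell are self-writable in the ACL suggested in this
    # document, so a user could otherwise smuggle ":" or a newline into
    # /etc/passwd on every client and forge extra fields or a whole extra
    # account (e.g. a second uid 0). Refuse such entries outright.
    for my $v (@fields) {
        if ($v =~ /[:\r\n]/) {
            warn "skipping " . $e->dn() . ": field contains ':' or a newline\n";
            return;
        }
    }
    splice @fields, 1, 0, "x";   # login:x:uid:gid:gecos:home:shell
    push @passwd, join(":", @fields);
}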
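# Build the tcb shadow line for one entry and store it in %shadow keyed by
# login name. Only {crypt} hashes can be copied: anything else ({SSHA},
# cleartext, ...) cannot be checked locally, so such users get no entry and
# a warning is printed (the old code dropped them silently).
sub add_shadow
{
    my ($e) = @_;
    my $uid  = $e->get_value('uid');
    my $hash = $e->get_value('userPassword');
    return unless defined $uid && $uid ne "";

    # The braces are escaped: an unescaped "{" in a pattern is rejected by
    # newer perls. OpenLDAP stores the scheme prefix at the start of the value.
    unless (defined $hash && $hash =~ /^\{crypt\}(.*)/is) {
        warn "no {crypt} password for $uid: user will have no shadow entry\n";
        return;
    }
    $hash = $1;
    # userPassword is self-writable in the suggested ACL; never let a field
    # or line separator from the directory reach the shadow file.
    if ($uid =~ /[:\r\n]/ || $hash =~ /[:\r\n]/) {
        warn "skipping $uid: login or hash contains ':' or a newline\n";
        return;
    }
    my @aging = map {
        my $v = $e->get_value($_);
        defined $v ? $v : "";
    } qw(shadowLastChange shadowMin shadowMax shadowWarning
         shadowInactive shadowExpire shadowFlag);
    $shadow{$uid} = join(':', $uid, $hash, @aging);
}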
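# Rewrite $PASSWD: keep the local accounts whose uid lies outside the LDAP
# range [$MIN_UID_NUMBER, $MAX_UID_NUMBER], then append the lines queued by
# add_passwd(). A backup is left in "$PASSWD-".
sub write_passwd
{
    open(PASSWD_TEMPLATE, "<", $PASSWD)
        or die "Cannot open system users file $PASSWD: $!";
    my @ldappasswd = @passwd;
    @passwd = ();
    while (<PASSWD_TEMPLATE>) {
        chomp;
        my @entry = split /:/;
        # Skip blank or malformed lines. The uid field must be tested
        # explicitly: the old "$entry[2] == undef" compared against 0 and so
        # silently dropped root (uid 0) from the rewritten file.
        next unless defined $entry[2] && $entry[2] =~ /^\d+$/;
        push @passwd, $_
            if $entry[2] < $MIN_UID_NUMBER or $entry[2] > $MAX_UID_NUMBER;
    }
    close(PASSWD_TEMPLATE);
    # No blank separator line any more: it served no purpose and pwck
    # complains about it.
    push @passwd, @ldappasswd;

    # List-form system(): $PASSWD comes from the environment and must not be
    # interpreted by a shell. Fail if the backup cannot be made.
    system('cp', '-p', '--', $PASSWD, "$PASSWD-") == 0
        or die "Cannot back up $PASSWD to $PASSWD-";

    # Write a temporary file and rename() it into place so that a crash or a
    # full disk never leaves a truncated passwd file (which locks everyone out).
    my $tmp = "$PASSWD.tmp.$$";
    open(PASSWD_FILE, ">", $tmp) or die "Cannot write $tmp: $!";
    print PASSWD_FILE "$_\n" for @passwd;
    close(PASSWD_FILE) or die "Cannot write $tmp: $!";
    if ($< == 0) {
        chown(getuid("root"), getgid("root"), $tmp) == 1
            or die "Cannot chown $tmp: $!";
    }
    # passwd(5) is world-readable by design.
    chmod(0644, $tmp) == 1 or die "Cannot chmod $tmp: $!";
    rename($tmp, $PASSWD) or die "Cannot rename $tmp to $PASSWD: $!";
}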
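# Write every queued shadow line to $TCB_ROOT/<login>/shadow using the tcb
# layout: root dir root:shadow 0710, per-user dir <login>:auth 02710, file
# <login>:auth 0640. write_passwd() must have run first so that getuid() can
# resolve the LDAP logins.
sub write_shadow
{
    # Directories and files must never be created world-readable, not even
    # briefly: the old code created them under the caller's umask and only
    # tightened the mode afterwards.
    my $old_umask = umask(077);

    if (! -d $TCB_ROOT) {
        mkdir($TCB_ROOT, 0710) or die "Cannot create $TCB_ROOT: $!";
    }
    if ($< == 0) {
        my $shadow_gid = getgid("shadow");
        die "group 'shadow' does not exist\n" unless defined $shadow_gid;
        chown(getuid("root"), $shadow_gid, $TCB_ROOT) == 1
            or die "Cannot chown $TCB_ROOT: $!";
        chmod(0710, $TCB_ROOT) == 1 or die "Cannot chmod $TCB_ROOT: $!";
    }

    foreach my $key (sort keys %shadow) {
        # The login name becomes a path component; never let it escape
        # $TCB_ROOT (e.g. a uid of "../../etc/something").
        if ($key =~ m{/} || $key =~ /^\.\.?$/) {
            warn "skipping suspicious login name '$key'\n";
            next;
        }
        my $dir  = "$TCB_ROOT/$key";
        my $file = "$dir/shadow";
        if (! -d $dir) {
            mkdir($dir, 0710) or die "Cannot create $dir: $!";
        }
        open(TCB_FILE, ">", $file) or die "Cannot write $file: $!";
        print TCB_FILE "$shadow{$key}\n";
        close(TCB_FILE) or die "Cannot write $file: $!";

        if ($< == 0) {
            my $uid = getuid($key);
            if (!defined $uid) {
                # chown() with undef would silently use uid 0; say what
                # happened and leave the entry root-owned.
                warn "$key is not resolvable via getpwnam(); "
                   . "leaving $dir owned by root\n";
                $uid = 0;
            }
            my $auth_gid = getgid("auth");
            die "group 'auth' does not exist\n" unless defined $auth_gid;
            chown($uid, $auth_gid, $dir)  == 1 or die "Cannot chown $dir: $!";
            chown($uid, $auth_gid, $file) == 1 or die "Cannot chown $file: $!";
            chmod(02710, $dir)  == 1 or die "Cannot chmod $dir: $!";
            chmod(0640, $file)  == 1 or die "Cannot chmod $file: $!";
        }
    }
    umask($old_umask);
}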
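# Main: connect, bind, fetch every posixAccount in the configured uid range,
# then rewrite the passwd file and the tcb tree.
my $ldap = Net::LDAP->new($URI, verify => $VERIFY, cafile => $CAFILE)
    or die "Cannot connect to $URI: $@";

# A failed bind used to go unnoticed: the search then ran anonymously, the
# ACL hid userPassword, and every user silently ended up without a shadow
# entry. Fail loudly instead.
my $mesg = $ldap->bind($BINDDN, password => $PASSWORD);
$mesg->code and die "LDAP bind as $BINDDN failed: " . $mesg->error;

my $extra_filter = defined $FILTER ? $FILTER : "";
$mesg = $ldap->search(
    base   => $BASEDN,
    filter => "(&(objectClass=posixAccount)$extra_filter)",
    scope  => 'sub',
);
$mesg->code and die "LDAP search failed: " . $mesg->error;

foreach my $entry ($mesg->entries) {
    my $uid = $entry->get_value('uidNumber');
    # Only accounts inside the LDAP uid range are taken; system accounts
    # stay local.
    next unless defined $uid && $uid =~ /^\d+$/;
    next if $uid < $MIN_UID_NUMBER || $uid > $MAX_UID_NUMBER;
    add_passwd($entry);
    add_shadow($entry);
}
$ldap->unbind;   # take down the session

# Order matters: write_shadow() chowns each tcb directory to its user, which
# must already be resolvable through the freshly written passwd file.
write_passwd();
write_shadow();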

ACL
ACL :
1.
2. (loginShell,gecos,cn,uid)
3. userPassword
4. userPassword, loginShell, gecos
5. TCB ( )
ACL:
<YOUR ADMIN DN> DN (
uid=davinchi,ou=People,dc=vnet1)
access to attr=cn,givenName,sn,gecos
by dn="^<YOUR ADMIN DN>$" write
by self write
by users read
access to attr=loginShell,gecos
by dn="^<YOUR ADMIN DN>$" write
by self write
by * read
access to attr=userPassword
by dn="^<YOUR ADMIN DN>$" write
by anonymous auth
by self write
by * none

# Samba keeps the LM/NT hashes in separate attributes (see the SAMBA PDC
# section). They are password equivalents, so they must not fall through to
# the "by * read" rule below. Give write access to the DN that Samba uses as
# "ldap admin dn" (the admin DN here if it is the same one) and nobody else.
access to attr=sambaLMPassword,sambaNTPassword,sambaPasswordHistory
by dn="^<YOUR ADMIN DN>$" write
by * none

# The admin dn has full write access; everything not matched above is
# readable by everyone, including anonymous binds. Use "by users read"
# instead if the server is reachable from untrusted networks.

access to *
by dn="^<YOUR ADMIN DN>$" write
by * read

(TLS)

, LDAP'
( ) - LDAP' ,
( ) (
LDAP)
ldap ( , -.) (
- )
.
.
.
ALT LINUX MASTER 2.4.
:
[stalker@ring stalker]$ rpm -qa | grep ssl
openssl-0.9.7d-alt1
libssl-0.9.7d-alt1
.
CA.pl openssl-0.9.7d-alt1.
/var/lib/ssl/misc CA.pl ,

cd /etc/openldap/
/var/lib/ssl/misc/CA.pl -newca
(CA.pl uses the default_bits from openssl.cnf, which is 1024 here; that is below today's minimum -- set default_bits = 2048 or more before running it.)

, ldap .
[stalker@fs stalker]$ nslookup ring.local
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:
Address:

192.168.1.1
192.168.1.1#53

Name: ring.local
Address: 192.168.1.111
ldap-.
Common Name ring.local
ldap- . IP 192.168.1.111
. ring.local.
CN ,

SASL/KRB5.
Generating a 1024 bit RSA private key
...........++++++
.....++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:<sobakazlaya:)>
Verifying - Enter PEM pass phrase:<sobakazlaya>
----You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----Country Name (2 letter code) [AU]:ru
State or Province Name (full name) [Some-State]:Privolzhskiy Region
Locality Name (eg, city) []:Penza
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyveryCOOLwork
Organizational Unit Name (eg, section) []:SysAdmin
Common Name (eg, your name or your server's hostname) []:ring.local
Email Address []:root@ring.local
nslookup ring.local, : Common Name
LDAP ip-, nslookup.
:
demoCA cacert.pem
openssl req -new -nodes -keyout newreq.pem -out newreq.pem

[root@ring.local openldap]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.................++++++
.....++++++
writing new private key to 'newreq.pem'

----You are about to be asked to enter information that will be incorporated


into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----Country Name (2 letter code) [AU]:ru
State or Province Name (full name) [Some-State]:Privolzhskiy Region
Locality Name (eg, city) []:Penza
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyveryCOOLwork
Organizational Unit Name (eg, section) []:SysAdmin
Common Name (eg, your name or your server's hostname) []:ring.local
Email Address []:root@ring.local
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:< enter>
An optional company name []:MyveryCOOLwork
Common Name == ring.local
:
newreq.pem
/var/lib/ssl/misc/CA.pl -sign

[root@ring.local openldap]# /var/lib/ssl/misc/CA.pl -sign
Using configuration from /var/lib/ssl/openssl.cnf
26354:error:0E06D06C:configuration file routines:NCONF_get_string:no
value:conf_lib.c:329:group=CA_default name=unique_subject
Enter pass phrase for ./demoCA/private/cakey.pem:< ,
>
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity

Not Before: Mar 15 12:33:44 2005 GMT


Not After : Mar 15 12:33:44 2006 GMT
Subject:
countryName
stateOrProvinceName
localityName
organizationName

= ru
= Privolzhskiy Region
= Penza
= MyveryCOOLwork

organizationalUnitName = SysAdmin
commonName
emailAddress

= ring.local
= root@ring.local

X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
< >
X509v3 Authority Key Identifier:
< >
DirName:/C=ru/ST=Privolzhskiy
Region/L=Penza/O=MyveryCOOLwork/OU=root/CN=ring.local/emailAddress=root@ring.local
serial:00
Certificate is to be certified until Mar 15 12:33:44 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y


Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
:
newreq.pem, demoCA, newcert.pem
cd /etc/openldap
mkdir ssl
cp demoCA/cacert.pem ssl
cp newreq.pem ssl/key.pem
cp newcert.pem ssl/crt.pem

. , ,
.
.
Sisyphus

openldap Sisyphus ( 2.2.26, ) chroot:


libgssapi , sasl.
: /var/lib/ldap/lib
: .
slapd.conf


# MEDIUM-strength and SSLv2-era ciphers are weak by today's standards;
# prefer "TLSCipherSuite HIGH:!SSLv2:!aNULL" unless an old client needs them.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ssl/crt.pem
TLSCertificateKeyFile /etc/openldap/ssl/key.pem
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSVerifyClient never
, , service slapd start, slapd
.
ldap.conf openldap

/etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/ssl/cacert.pem
ldap ldaps URI.
ldap ,
127.0.0.1
/etc/sysconfig ldap
:
########################################
# SLAPD Proccess options
########################################

# SLAPD URL list


SLAPDURLLIST="ldap://localhost/"
#SLAPDURLLIST="ldap://localhost/ ldaps:///"
#SLAPDURLLIST="ldap:/// ldaps:///"
SLAPD_OPTIONS=""
########################################
# SLURPD Proccess options
########################################
SLURPD_OPTIONS='-t /var/lib/ldap'
:
########################################
# SLAPD Proccess options
########################################
# SLAPD URL list
#SLAPDURLLIST="ldap://localhost/"
SLAPDURLLIST='"ldap://localhost/ ldaps:///"'
#SLAPDURLLIST='"ldap://localhost/ ldap:///"'
#SLAPDURLLIST="ldap:/// ldaps:///"
SLAPD_OPTIONS=""
########################################
# SLURPD Proccess options
########################################
SLURPD_OPTIONS='-t /var/lib/ldap'
:
SLAPDURLLIST='"ldap://localhost/ ldaps:///"' -- ' ( ) +" ()ldap://localhost/
ldaps:///" ()+' ( )

.
[root@ring sysconfig]# netstat -nap | grep slapd

[root@ring sysconfig]# netstat -nap | grep slapd


tcp

0 127.0.0.1:389

tcp

0 0.0.0.0:636

0.0.0.0:*
0.0.0.0:*

LISTEN

8395/slapd

LISTEN


[root@ring.local openldap]# openssl s_client -connect ring.local:636 -showcerts -state -CAfile
/etc/openldap/ssl/cacert.pem

openssl s_client -connect ring.local:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
verify return:1
depth=0 /C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
--Certificate chain
0 s:/C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
i:/C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
<>
-----BEGIN CERTIFICATE----<>
-----END CERTIFICATE------Server certificate

subject=/C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
issuer=/C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
< >
--No client certificate CA names sent
--SSL handshake has read 971 bytes and written 346 bytes
--New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher

: AES256-SHA

Session-ID: 8CB1768A5F90E71FDA7D0CBF47003E36AE9E12643BC35378132DDB111EC1C852
Session-ID-ctx:
Master-Key:
996B7555686CDA1142B83CA67BE43C46F6EDCC6567713C00E42F4ECAAD1BAC7EABDE4BB0E7D
04C5C72165AB253658498
Key-Arg : None
Start Time: 1110890913
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
Note: return code 21 means s_client could NOT validate the server certificate against the file given with -CAfile -- a correct setup ends with "Verify return code: 0 (ok)". Since the CA and the server certificate were created with identical DNs, check that crt.pem is really the CA-signed newcert.pem and that cacert.pem is the CA that signed it. Clients configured with tls_checkpeer yes will refuse to connect until this is 0.

ldap.conf nss_ldap
ldap.conf nss_ldap /etc
base dc=ring,dc=local
uri ldaps://ring.local/
ssl on
tls_cacertfile /etc/openldap/ssl/cacert.pem

tls_checkpeer yes

"ssl on" together with "tls_checkpeer yes" makes nss_ldap/pam_ldap verify the server certificate against tls_cacertfile. Without the check, anyone who can redirect traffic to the LDAP server (man-in-the-middle) can present an arbitrary certificate and read the bind passwords and password hashes that pass over the connection.

ldap.conf /etc/openldap
- openldap-server /etc
openldap.
ldap.conf.
(: , rpm -qf /etc/openldap/ldap.conf => openldap-clients)
-rw-r--r-- 1 root root 333 Apr 25 10:59 ldap.conf
:
URI

ldaps://ring.local

TLS_CACERT /etc/openldap/ssl/cacert.pem
cacert,
nss_ldap .
[root@ring.local openldap]# ls -la ./ssl
total 12
drwxr-xr-x 2 ldap ldap 51 Apr 21 11:32 .
drwxr-xr-x 6 root root 140 Apr 21 12:43 ..
-rw-r--r-- 2 ldap ldap 1265 Apr 21 11:31 cacert.pem
-rw-r----- 2 ldap ldap 3628 Apr 21 11:32 crt.pem
-rw-r----- 2 ldap ldap 1587 Apr 21 11:32 key.pem

SAMBA PDC+LDAP+TLS
LDAP+
.
: 3 , .
NSS_LDAP ( ).
/etc/openldap/ldap.conf . , (
, LDAP )
+, ()
/etc/openldap/ldap.conf CA-.
nss_ldap , ().
. :
encrypt passwords = yes
unix password sync = no

# LDAP
#
#( . , IP- -
LDAP # )
passdb backend = ldapsam:ldaps://ring.local
ldap ssl = off
ldap admin dn = "cn=admin,dc=MyveryCOOLwork"
#
ldap suffix = dc=MyveryCOOLwork
# Users listed here perform every file operation on every share as root,
# bypassing Unix permissions -- keep this list minimal (or empty).
admin users = zombie
# SAMBA .
ldap admin dn = "cn=admin,dc=MyveryCOOLwork"
# ,
ldap user suffix = ou=Users
# ,
ldap group suffix = ou=Groups
# , ,
ldap machine suffix = ou=Computers
ldap delete dn = no
# , uid. .
ldap filter = (uid=%u)
# smbpasswd LDAP ;-)
ldap passwd sync = yes
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = yes
# 6. Domain Control Options:
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations or Primary Domain Controller for WinNT and Win2k
domain logons = yes
# The add user script is used by a domain member to add local user accounts

# that have been authenticated by the domain controller, or by the domain


# controller to add local machine accounts when adding machines to the domain.
# The script must work from the command line when replacing the macros,
# or the operation will fail. Check that groups exist if forcing a group.
# Script for domain controller for adding machines:
add machine script = /usr/sbin/smbldap-useradd -w %u
# Script for domain member for adding local accounts for authenticated users:
add user script = /usr/local/sbin/smbldap-useradd -m %u
[homes]
comment = Home Directory for '%u'
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
browseable = no
path = /var/lib/samba/netlogon
guest ok = yes
# Logon scripts and policies served from netlogon execute on every
# workstation at logon, so a writable netlogon share lets any user (here
# even a guest) plant code that runs on all clients. Keep it read-only and
# grant write access to administrators only via "write list".
writable = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
path= /profiles
#

path = /var/lib/samba/profiles

path = /home/%U

browseable = yes
guest ok = no
writable = yes

smbpasswd -w <password> stores the "ldap admin dn" password in Samba's secrets.tdb so that smbd can bind to LDAP. Like /etc/ldap.secret this is an administrative credential: keep secrets.tdb readable by root only, and be aware that the password passed on the command line is visible in `ps` output and the shell history while you type it.
SAMBA lDAP':

homeDirectory
loginShell
sambaAcctFlags
sambaHomeDrive
sambaHomePath
sambaKickoffTime
sambaLMPassword
sambaLogoffTime
sambaLogonTime
sambaNTPassword
sambaPasswordHistory
sambaPrimaryGroupSID
sambaProfilePath
sambaPwdCanChange
sambaPwdLastSet
sambaSID
uid
uidNumber
userPassword
POSIX ACCOUNT!
.
homeDirectory : /home/anton
sambaHomeDrive : R:
sambaHomePath : \\ring.local\anton
sambaProfilePath : \\ring.local\profiles\anton
/profiles/username
R: () /home/anton (
sambaHomePat UNC .) NETBIOS NAME ,
.
LDAP.

Squid+LDAP+TLS
- squid openldap- .
.. -
cat /etc/squid/squid.conf |grep ldap

auth_param basic program /usr/lib/squid/squid_ldap_auth -P -b dc=nirvana,dc=home -f (uid=%s) -H


"ldaps://ring.local" -v 3 -p 636
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -P -b dc=nirvana,dc=home -f
(&(memberUid=%v)(cn=%a)) -H "ldaps://ring.local" -v 3 -p 636
acl users external ldap_group squiduser
....
#myACL
acl users external ldap_group squiduser
http_access allow users
squiduser LDAP:
dn:cn=squiduser,ou=Groups,dc=nirvana,dc=home
objectClass: posixGroup
cn: squiduser
gidNumber: 10007
memberUid: proxyuser
memberUid: proxyuser2

LDAP
OpenLDAP
LDAP *NIXP.ru
OpenLDAP
OpenLDAP backends

, : ALTLinux/Dokumentacija/OpenLDAP/TLS
ALTLinux//OpenLDAP
ALTLinux//SSH
AltLinux//OpenLDAP
AltLinux//SSH
Sysadmin
TZ/
Windows/Desktop/Utils
/
