Enable TLS on OpenLDAP
From Slacam_Wiki
Revision as of 15:50, 11 August 2012 by Machado (Talk | contribs) (Created page)
How to Enable TLS on OpenLDAP
After installing OpenLDAP without encryption, make the following changes:
1 - Edit the file:
vim slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
2 - Add the following information at the end of the file:
######################## CONFIG TLS SLAPD ##############################
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=admin,dc=des-brazil,dc=org" write by * none
olcAccess: to * by self write by dn.base="cn=admin,dc=des-brazil,dc=org" write by * read
3 - Edit /etc/sysconfig/ldap, uncomment SLAPD_LDAPS and change 'no' to 'yes'.
4 - Create the certificates with the command:
[root@as01 openldap]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 3650
See the screen output:
Generating a 2048 bit RSA private key
...........+++
.............................................................................................................+++
writing new private key to '/etc/pki/tls/certs/slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:Rio de Janeiro
Locality Name (eg, city) [Default City]:Rio de Janeiro
Organization Name (eg, company) [Default Company Ltd]:LIneA
Organizational Unit Name (eg, section) []:POPRJ
Common Name (eg, your name or your server's hostname) []:ldap.linea.gov.br
Email Address []:machado@slacam.com.br
[root@as01 openldap]#
Note - Notice that I created the certificate for 10 years ;)
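The four steps above as one non-interactive script, added here as an example; it is not part of the original wiki page. It keeps the page's certificate paths, admin DN and database entry, and assumes a host name of ldap.example.com, a slapd service user named ldap (the RHEL/CentOS default) and an ldapi:/// listener that root can reach with SASL EXTERNAL. Instead of editing olcDatabase={2}bdb.ldif by hand (OpenLDAP's admin guide warns against editing files under slapd.d while slapd runs), it pushes the same attributes with ldapmodify: slapd-config defines olcTLSCertificateFile and olcTLSCertificateKeyFile on the global cn=config entry, so they go there, and the two olcAccess rules go on the database entry. It also adds the checks a practitioner wants before restarting: the certificate and key belong together, the key is not world-readable, and an ldaps:// connection really presents the new certificate.

```shell
#!/bin/sh
# Added example (not from the wiki page): non-interactive version of the
# procedure above. Assumed values: the host name, the "ldap" service user,
# and that ldapmodify can reach slapd over ldapi:/// as root (SASL EXTERNAL).
set -e

CERT=/etc/pki/tls/certs/slapdcert.pem     # paths used on the page
KEY=/etc/pki/tls/certs/slapdkey.pem
HOST=ldap.example.com                     # assumed; use the server's FQDN
ADMIN_DN='cn=admin,dc=des-brazil,dc=org'  # admin DN from the page's ACLs
DB_DN='olcDatabase={2}bdb,cn=config'      # database entry from the page

# Step 4 without prompts: a self-signed certificate whose CN *and* SAN carry
# the host name (clients match the SAN; CN-only certificates are often
# rejected). -addext needs OpenSSL 1.1.1 or newer.
gen_cert() {  # gen_cert HOST CERT KEY DAYS
  openssl req -new -x509 -nodes -newkey rsa:2048 -days "$4" \
    -subj "/C=BR/O=Example/CN=$1" -addext "subjectAltName=DNS:$1" \
    -out "$2" -keyout "$3"
}

# Confirm the certificate and private key belong together before slapd is
# pointed at them: compare the public key embedded in each.
check_keypair() {  # check_keypair CERT KEY -> exit 0 only if they match
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$c" = "$k" ]
}

# Steps 1-2 as LDIF for ldapmodify instead of hand-editing files under
# slapd.d: the olcTLS* attributes live on the global cn=config entry.
make_tls_ldif() {  # make_tls_ldif CERT KEY
  printf 'dn: cn=config\nchangetype: modify\n'
  printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$1"
  printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$2"
}

# The two olcAccess rules from the page, on the database entry. Order
# matters: the first "to" clause matching the target wins, so the
# userPassword rule must precede the catch-all "to *". "by anonymous auth"
# lets unauthenticated clients use the hash only for a bind, never read it.
make_acl_ldif() {  # make_acl_ldif DB_DN ADMIN_DN
  printf 'dn: %s\nchangetype: modify\nreplace: olcAccess\n' "$1"
  printf 'olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="%s" write by * none\n' "$2"
  printf 'olcAccess: {1}to * by self write by dn.base="%s" write by * read\n' "$2"
}

# End-to-end check once slapd has been restarted with SLAPD_LDAPS=yes (step 3).
verify_ldaps() {  # verify_ldaps HOST
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
  # Anonymous base search over ldaps://. TLS_CACERT in ldap.conf must point
  # at the self-signed certificate or the client will reject the connection.
  ldapsearch -x -H "ldaps://$1" -b '' -s base namingContexts
}

# Only make changes when explicitly asked:  sh tls-openldap.sh apply
if [ "${1:-}" = apply ]; then
  gen_cert "$HOST" "$CERT" "$KEY" 3650
  chown root:ldap "$KEY" && chmod 640 "$KEY"   # key readable by slapd only
  check_keypair "$CERT" "$KEY"
  make_tls_ldif "$CERT" "$KEY" | ldapmodify -Y EXTERNAL -H ldapi:///
  make_acl_ldif "$DB_DN" "$ADMIN_DN" | ldapmodify -Y EXTERNAL -H ldapi:///
  verify_ldaps "$HOST"
fi
```

Run it as `sh tls-openldap.sh apply` after restarting slapd with SLAPD_LDAPS=yes; without the `apply` argument it only defines the functions, so the LDIF generators can be inspected with `make_tls_ldif ... | cat` before anything is written. Keeping the private key out of the world-readable certs directory permissions is the one point the page leaves implicit: `-nodes` writes it unencrypted, so the file mode is the only thing protecting it.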