系统 CentOS 6.4x64最小化安装
# NOTE(review): epel-release is fetched over plain HTTP on a fresh host where the
# EPEL signing key is not imported yet, so rpm can only warn (NOKEY) and installs
# the package anyway. Import the key (or fetch over https and run `rpm -K` on
# the file) before installing anything from it.
[root@vpn-ldap ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# Presumably uncomments the baseurl= lines and comments out mirrorlist= in the
# EPEL repo file so a fixed mirror is used.
[root@vpn-ldap ~]# sed -i 's@#b@b@g' /etc/yum.repos.d/epel.repo
[root@vpn-ldap ~]# sed -i 's@mirrorlist@#mirrorlist@g' /etc/yum.repos.d/epel.repo
# Clock sync matters for the certificate validity checks done later.
# Note the single '>' replaces root's whole crontab rather than appending.
[root@vpn-ldap ~]# echo "*/10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org &>/dev/null" >/var/spool/cron/root
[root@vpn-ldap ~]# crontab -l
*/10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org &>/dev/null
[root@vpn-ldap ~]# yum install openssl openssl-devel lzo openvpn easy-rsa -y
[root@vpn-ldap ~]# cd /usr/share/easy-rsa/2.0/
# Only KEY_EMAIL is edited in vars; the DN defaults shown in the prompts below
# (CN, GUANGDONG, MY COMPANY, ...) presumably come from the same file.
[root@vpn-ldap 2.0]# vim vars
export KEY_EMAIL="lyao@weyee.com"
[root@vpn-ldap 2.0]# source vars
# clean-all wipes the keys/ directory (CA key included). Never rerun it on a
# CA that has already issued certificates.
[root@vpn-ldap 2.0]# ./clean-all
# Creates ca.key/ca.crt. NOTE(review): in this walkthrough the CA private key
# lives on the VPN server itself; keeping it on a separate, offline machine
# limits what an attacker who compromises the VPN host can mint.
[root@vpn-ldap 2.0]# ./build-ca
Generating a 2048 bit RSA private key
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GUANGDONG]:
Locality Name (eg, city) [GUANGZHOU]:
Organization Name (eg, company) [MY COMPANY]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [MY COMPANY CA]:
Name [EasyRSA]:
Email Address [lyao@weyee.com]:
[root@vpn-ldap 2.0]# ./build-key-server server
Generating a 2048 bit RSA private key
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GUANGDONG]:
Locality Name (eg, city) [GUANGZHOU]:
Organization Name (eg, company) [MY COMPANY]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [lyao@weyee.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GUANGDONG'
organizationName :PRINTABLE:'MY COMPANY'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'lyao@weyee.com'
Certificate is to be certified until Jul 14 13:12:57 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpn-ldap 2.0]# ./build-key win7
Generating a 2048 bit RSA private key
writing new private key to 'win7.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GUANGDONG]:
Locality Name (eg, city) [GUANGZHOU]:
Organization Name (eg, company) [MY COMPANY]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [win7]:
Name [EasyRSA]:
Email Address [lyao@weyee.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GUANGDONG'
organizationName :PRINTABLE:'MY COMPANY'
commonName :PRINTABLE:'win7'
emailAddress :IA5STRING:'lyao@weyee.com'
Certificate is to be certified until Jul 14 13:13:51 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
生成Diffie Hellman文件
# 2048-bit DH parameters for the server (written to keys/dh2048.pem).
[root@vpn-ldap 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
# Shared HMAC key for tls-auth. NOTE(review): it is generated here and copied
# to /etc/openvpn/keys below, but the server.conf shown later never references
# it. Add `tls-auth keys/ta.key 0` on the server and `tls-auth ta.key 1` on the
# client so control-channel packets are HMAC-checked before the TLS handshake.
[root@vpn-ldap 2.0]# openvpn --genkey --secret keys/ta.key
[root@vpn-ldap 2.0]# pwd
[root@vpn-ldap 2.0]# ll keys/
total 88
-rw-r--r-- 1 root root 5604 Jul 17 21:13 01.pem
-rw-r--r-- 1 root root 5481 Jul 17 21:13 02.pem
-rw-r--r-- 1 root root 1801 Jul 17 21:12 ca.crt
-rw------- 1 root root 1704 Jul 17 21:12 ca.key
-rw-r--r-- 1 root root 424 Jul 17 21:14 dh2048.pem
-rw-r--r-- 1 root root 292 Jul 17 21:13 index.txt
-rw-r--r-- 1 root root 21 Jul 17 21:13 index.txt.attr
-rw-r--r-- 1 root root 21 Jul 17 21:13 index.txt.attr.old
-rw-r--r-- 1 root root 147 Jul 17 21:13 index.txt.old
-rw-r--r-- 1 root root 3 Jul 17 21:13 serial
-rw-r--r-- 1 root root 3 Jul 17 21:13 serial.old
-rw-r--r-- 1 root root 5604 Jul 17 21:13 server.crt
-rw-r--r-- 1 root root 1098 Jul 17 21:12 server.csr
-rw------- 1 root root 1708 Jul 17 21:12 server.key
-rw------- 1 root root 636 Jul 17 21:15 ta.key
-rw-r--r-- 1 root root 5481 Jul 17 21:13 win7.crt
-rw-r--r-- 1 root root 1094 Jul 17 21:13 win7.csr
-rw------- 1 root root 1708 Jul 17 21:13 win7.key
# Create a keys directory under the OpenVPN config directory.
[root@vpn-ldap ~]# mkdir -p /etc/openvpn/keys
# Only the server-side material is copied: CA certificate (not ca.key), the
# server cert/key, DH params and the tls-auth key.
[root@vpn-ldap ~]# cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
[root@vpn-ldap ~]# ll /etc/openvpn/keys/
total 24
-rw-r--r-- 1 root root 1801 Jul 17 21:18 ca.crt
-rw-r--r-- 1 root root 424 Jul 17 21:18 dh2048.pem
-rw-r--r-- 1 root root 5604 Jul 17 21:18 server.crt
-rw------- 1 root root 1708 Jul 17 21:18 server.key
-rw------- 1 root root 636 Jul 17 21:18 ta.key
# Start from the packaged sample config; the egrep strips comments and blank
# lines so only the effective directives are shown.
[root@vpn-ldap ~]# cp /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/server.conf /etc/openvpn/
[root@vpn-ldap ~]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
# NOTE(review): keys/ta.key was generated and copied here but is not used. Add
#   tls-auth keys/ta.key 0
# so unauthenticated peers cannot even start a TLS handshake with the server.
ifconfig-pool-persist ipp.txt
# The `server <net> <mask>` directive and the argument of push "route" appear
# to have been lost when this page was captured; as printed, push "route" has
# no network argument and is not a valid route option.
push "route"
keepalive 10 120
# NOTE(review): nothing drops privileges after startup. The sample config's
#   user nobody / group nobody / persist-key / persist-tun
# lines are worth enabling, and `crl-verify` is needed before a client
# certificate can ever be revoked.
status openvpn-status.log
verb 4
[root@vpn-ldap ~]# chkconfig openvpn on
[root@vpn-ldap ~]# service openvpn start
Starting openvpn: [ OK ]
[root@vpn-ldap ~]# netstat -anpt |grep vpn
tcp 0 0* LISTEN 1674/openvpn
openVPN 2.3.3 Windows 32位 安装文件:
OpenVPN 2.3.3 Windows 64位 安装文件:
将 openvpn 服务器上的 ca.crt、win7.crt、win7.key 下载到 C:\Program Files\OpenVPN\config 目录下(win7.csr 只是签名请求,客户端并不需要)。win7.key 是客户端私钥,必须通过 scp/sftp 等加密通道传输,传完后从服务器上删除;更稳妥的做法是在客户端本地生成私钥和 CSR,只把 CSR 送到 CA 签名。
[root@vpn-ldap keys]# cp ca.crt win7.crt win7.csr win7.key ~
dev tun
# changed to tcp to match the server's `proto tcp`
proto tcp
# The server address was dropped when this page was captured; the form is
# `remote <server-public-ip> 1194`.
remote 1194 # public IP and port of the OpenVPN server
resolv-retry infinite
ca ca.crt
cert win7.crt # win7's client certificate
key win7.key # win7's private key
# Checks the legacy nsCertType extension that easy-rsa's build-key-server
# presumably set on server.crt. OpenVPN 2.3 also accepts the non-deprecated
# `remote-cert-tls server`, which checks key usage / extended key usage.
ns-cert-type server
# uncomment the next line -- but only once the server config also carries
# `tls-auth keys/ta.key 0`; as shown above it does not, and a one-sided
# tls-auth makes the handshake fail.
#tls-auth ta.key 1
verb 3
连接vpn server
结果正常,可以正常连接到vpn server
[root@vpn-ldap keys]# cat /etc/openvpn/openvpn-status.log
Updated,Fri Jul 17 21:46:37 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
win7,,18131,6421,Fri Jul 17 21:45:08 2015
Virtual Address,Common Name,Real Address,Last Ref,win7,,Fri Jul 17 21:45:09 2015
Max bcast/mcast queue length,0
[root@vpn-ldap ~]# yum install openldap openldap-* -y
[root@vpn-ldap ~]# yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y --skip-broken
[root@vpn-ldap ~]# cd /etc/openldap/
# Start from the legacy slapd.conf template; cn=config (slapd.d) is
# regenerated from it later with slaptest -F.
[root@vpn-ldap openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@vpn-ldap openldap]# cp slapd.conf slapd.conf_`date +%Y%m%d`.bak
# NOTE(review): `slappasswd -s <pw>` puts the directory manager password on
# the command line, where `ps` and the shell history can see it. Run
# slappasswd without -s and type the password at its prompt. "weyee" is also
# far too weak for the rootdn of an authentication directory.
[root@vpn-ldap openldap]# slappasswd -s weyee
# Appends "rootpw<TAB>{SSHA}..." to slapd.conf.
[root@vpn-ldap openldap]# slappasswd -s weyee |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf # the password is weyee
[root@vpn-ldap openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}KecOLEH/+7paRfpi+hUYZDblskjDHGXI
[root@vpn-ldap openldap]# vim /etc/openldap/slapd.conf
database bdb # use the bdb backend
suffix "dc=dev,dc=com" # base DN of the tree; searches are rooted here
rootdn "cn=admin,dc=dev,dc=com" # manager DN; it binds with the rootpw hash above and bypasses all ACLs
[root@vpn-ldap openldap]# vim /etc/openldap/slapd.conf
loglevel 296 # log level bitmask (296 = stats + filter + conns), sent to syslog local4
cachesize 1000 # entry cache size (number of entries)
checkpoint 2048 10 # flush the BDB log to the data files every 2048 KB or 10 minutes
[root@vpn-ldap openldap]# vim /etc/openldap/slapd.conf
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
# NOTE(review): this is the template's default manager DN; the rootdn
# configured above is cn=admin,dc=dev,dc=com, so this line grants nothing.
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
# NOTE(review): with only this catch-all rule, every successfully bound user
# gets read access to every attribute of every entry -- including the
# userPassword crypt hashes that migrate_passwd.pl stores below. Put a
# password-specific rule in front of it:
#   access to attrs=userPassword,shadowLastChange
#       by self write
#       by anonymous auth
#       by * none
access to *
by self write
by anonymous auth
by * read
[root@vpn-ldap openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak
# slapd logs to the local4 facility; give it its own file.
[root@vpn-ldap openldap]# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
[root@vpn-ldap openldap]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@vpn-ldap openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@vpn-ldap openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
# slapd runs as the ldap user (see the ps output further down), so with 0700
# the directory itself must be ldap-owned too (presumably already so from the
# package); only DB_CONFIG's ownership is shown here.
[root@vpn-ldap openldap]# chmod 700 /var/lib/ldap/
[root@vpn-ldap openldap]# ll /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Jul 18 11:02 DB_CONFIG
[root@vpn-ldap openldap]# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
# Syntax check only (-u); this does not regenerate slapd.d.
[root@vpn-ldap openldap]# slaptest -u # check that the config file parses
[root@vpn-ldap openldap]# egrep -v "^#|^$" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# NOTE(review): LDAPv2 binds are obsolete and check_credit.py forces
# protocol version 3; drop this unless a legacy client really needs it.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Template TLS settings that point at the NSS database in certs/ (cert8.db
# plus its password file). The StartTLS failure seen further down appears to
# be what led to replacing these with a PEM certificate and key.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# NOTE(review): `by * read` lets any bound user read every attribute of every
# entry, userPassword hashes included. Add, in front of this rule,
#   access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
access to *
by self write
by anonymous auth
by * read
database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# The manager password hash lives in this file: keep slapd.conf (and the
# generated slapd.d) readable only by root and the ldap user.
rootpw {SSHA}KecOLEH/+7paRfpi+hUYZDblskjDHGXI
loglevel 296
cachesize 1000
checkpoint 2048 10
[root@vpn-ldap ~]# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@vpn-ldap ~]# netstat -tunlp |grep slapd
tcp 0 0* LISTEN 1652/slapd
tcp 0 0 :::389 :::* LISTEN 1652/slapd
[root@vpn-ldap ~]# ps aux | grep slapd
ldap 1652 0.1 1.7 494664 17632 ? Ssl 11:04 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
root 1660 0.0 0.0 103248 868 pts/0 S+ 11:05 0:00 grep slapd
[root@vpn-ldap ~]# chkconfig slapd on
[root@vpn-ldap ~]# tail /var/log/ldap.log
Jul 18 11:04:58 vpn-ldap slapd[1651]: @(#) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#011mockbuild@c6b8.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
# NOTE(review): `-w weyee` exposes the manager password in `ps` and the shell
# history; use `-W` (interactive prompt) or `-y <file>` instead. The same
# applies to every ldapsearch below.
[root@vpn-ldap ~]# ldapsearch -LLL -w weyee -x -H ldap:// -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)"
ldap_bind: Invalid credentials (49) # the bind fails here
# Apparently the running slapd was still using the packaged cn=config tree, so
# the rootdn/rootpw added to slapd.conf were not in effect. Regenerate slapd.d
# from slapd.conf (-F converts; the earlier `slaptest -u` only checked syntax).
[root@vpn-ldap ~]# rm -rf /etc/openldap/slapd.d/*
[root@vpn-ldap ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
55a9c327 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@vpn-ldap ~]# ll /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 root root 4096 Jul 18 11:08 cn=config
-rw------- 1 root root 1302 Jul 18 11:08 cn=config.ldif
[root@vpn-ldap ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: [FAILED]
55a9c34c ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
# slaptest wrote slapd.d as root while the init script presumably validates it
# as the ldap user, hence the permission error. Fix ownership only; keep the
# 0750/0600 modes, since cn=config carries the rootpw hash.
[root@vpn-ldap ~]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@vpn-ldap ~]# /etc/init.d/slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
[root@vpn-ldap ~]# netstat -tunlp | grep slapd
tcp 0 0* LISTEN 1732/slapd
tcp 0 0 :::389 :::* LISTEN 1732/slapd
# The bind now succeeds; result 32 only means the base entry does not exist yet.
[root@vpn-ldap ~]# ldapsearch -LLL -w weyee -x -H ldap:// -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)"
No such object (32) # no data in the directory yet
[root@vpn-ldap ~]# yum install migrationtools -y
[root@vpn-ldap ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
# Default base
$DEFAULT_BASE = "dc=dev,dc=com";
# The migration scripts below turn /etc/passwd (and, run as root, the
# /etc/shadow hashes) into LDIF under /tmp.
# NOTE(review): this migrates every system account, root (uidNumber 0)
# included, into ou=People, and the resulting entries carry the crypt hashes
# from /etc/shadow (see the userPassword value in the ldapsearch output
# below). Filter /etc/passwd down to the real user accounts before running
# migrate_passwd.pl, and write the LDIF somewhere that is not world-readable
# (with the default umask the /tmp file is likely 0644).
[root@vpn-ldap ~]# /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif
[root@vpn-ldap ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif
[root@vpn-ldap ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/base.ldif
Enter LDAP Password:
adding new entry "dc=dev,dc=com"
adding new entry "ou=Hosts,dc=dev,dc=com"
adding new entry "ou=Rpc,dc=dev,dc=com"
adding new entry "ou=Services,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=dev,dc=com"
adding new entry "ou=Mounts,dc=dev,dc=com"
adding new entry "ou=Networks,dc=dev,dc=com"
adding new entry "ou=People,dc=dev,dc=com"
adding new entry "ou=Group,dc=dev,dc=com"
adding new entry "ou=Netgroup,dc=dev,dc=com"
adding new entry "ou=Protocols,dc=dev,dc=com"
adding new entry "ou=Aliases,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=dev,dc=com"
[root@vpn-ldap ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=dev,dc=com"
adding new entry "uid=bin,ou=People,dc=dev,dc=com"
adding new entry "uid=daemon,ou=People,dc=dev,dc=com"
adding new entry "uid=adm,ou=People,dc=dev,dc=com"
adding new entry "uid=lp,ou=People,dc=dev,dc=com"
adding new entry "uid=sync,ou=People,dc=dev,dc=com"
adding new entry "uid=shutdown,ou=People,dc=dev,dc=com"
adding new entry "uid=halt,ou=People,dc=dev,dc=com"
adding new entry "uid=mail,ou=People,dc=dev,dc=com"
adding new entry "uid=uucp,ou=People,dc=dev,dc=com"
adding new entry "uid=operator,ou=People,dc=dev,dc=com"
adding new entry "uid=games,ou=People,dc=dev,dc=com"
adding new entry "uid=gopher,ou=People,dc=dev,dc=com"
adding new entry "uid=ftp,ou=People,dc=dev,dc=com"
adding new entry "uid=nobody,ou=People,dc=dev,dc=com"
adding new entry "uid=dbus,ou=People,dc=dev,dc=com"
adding new entry "uid=vcsa,ou=People,dc=dev,dc=com"
adding new entry "uid=abrt,ou=People,dc=dev,dc=com"
adding new entry "uid=haldaemon,ou=People,dc=dev,dc=com"
adding new entry "uid=ntp,ou=People,dc=dev,dc=com"
adding new entry "uid=saslauth,ou=People,dc=dev,dc=com"
adding new entry "uid=postfix,ou=People,dc=dev,dc=com"
adding new entry "uid=sshd,ou=People,dc=dev,dc=com"
adding new entry "uid=tcpdump,ou=People,dc=dev,dc=com"
adding new entry "uid=openvpn,ou=People,dc=dev,dc=com"
adding new entry "uid=ldap,ou=People,dc=dev,dc=com"
adding new entry "uid=nscd,ou=People,dc=dev,dc=com"
adding new entry "uid=avahi,ou=People,dc=dev,dc=com"
adding new entry "uid=nslcd,ou=People,dc=dev,dc=com"
[root@vpn-ldap ~]# ldapsearch -LLL -w weyee -x -H ldap:// -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=root)"
dn: uid=root,ou=People,dc=dev,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# Base64 of "{crypt}$1$...": the md5crypt hash copied from /etc/shadow. Under
# the `by * read` ACL above any bound user can read it for every account.
userPassword:: e2NyeXB0fSQxJGhhaGFoYSR0VWhYaXFQSHNncFJFODBsNGZpQjkw
shadowLastChange: 16633
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
# user1 exists only in the directory (it was created outside this transcript);
# the host does not resolve it because nsswitch is not pointed at LDAP here.
[root@vpn-ldap ~]# id user1
id: user1: No such user
[root@vpn-ldap ~]# ldapsearch -LLL -w weyee -x -H ldap:// -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)"
dn: uid=user1,ou=People,dc=dev,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
# NOTE(review): gidNumber 0 is the root group. Any host that resolves LDAP
# users through NSS would put user1 in group root; give VPN users their own
# primary group.
gidNumber: 0
givenName: user1
sn: user1
uid: user1
homeDirectory: /home/user1
cn: user1
uidNumber: 15546
# Authorization list read by check_credit.py: one LDAP uid per line. The
# script compares whole (stripped) lines, so the file itself must contain only
# "user1" -- the trailing text here is an annotation, not file content.
[root@vpn-ldap ~]# cat /etc/openvpn/authfile.conf # OpenVPN authorization file
user1 # this user exists in LDAP
# Sample via-file in the layout OpenVPN uses for auth-user-pass-verify:
# username on line 1, password on line 2. NOTE(review): it holds a clear-text
# password; keep it 0600 and delete it after testing.
[root@vpn-ldap ~]# cat /etc/openvpn/user.conf
user1 # the LDAP username
user1 # that user's password
[root@vpn-ldap openvpn]# cat check_credit.py
import logging
import os
import sys

import ldap
import ldap.dn
# settings for ldap
# Directory the VPN credentials are checked against. Plain ldap:// on 389; the
# flag below is what is meant to upgrade the connection with StartTLS before
# the password is sent in the bind.
ldap_uri = "ldap://dev.com:389"
ldap_starttls = True
# Bind-DN template; %s receives the username from the OpenVPN via-file. That
# value comes from the VPN client, so it must be DN-escaped before it is
# substituted here.
ldap_dn = "uid=%s,ou=People,dc=dev,dc=com"
# settings for logging
# NOTE(review): a fixed, predictable path in world-writable /tmp invites
# symlink tricks and the file is created world-readable by default; a
# root-owned file under /var/log is the safer choice.
log_filename = "/tmp/check_ldap.log"
log_format = "%(asctime)s %(levelname)s %(message)s"
log_level = logging.DEBUG
# settings for authorization
# One LDAP uid per line; lines that are blank or start with '#' are meant to
# be ignored by get_users.
auth_filename = "/etc/openvpn/authfile.conf"
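def get_users(fpath):
    """Read the OpenVPN authorization list.

    Args:
        fpath: path to a text file with one LDAP uid per line. Blank lines
            and lines whose first character is '#' are skipped; surrounding
            whitespace is stripped from the others.

    Returns:
        dict mapping each listed username to True, so callers can test
        ``username in users``.

    Raises:
        IOError/OSError if the file cannot be opened.
    """
    users = {}
    # Text mode, so the keys compare with the str username from the via-file.
    # 'with' closes the handle on every path; the original never closed it.
    with open(fpath, "r") as fp:
        for raw in fp:
            line = raw.strip()
            # Skip blanks and comments; only real names become entries. The
            # original stored exactly these lines and dropped the real ones.
            if not line or line.startswith('#'):
                continue
            users[line] = True
    return users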
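def get_credits(fpath):
    """Parse the credentials file OpenVPN hands to auth-user-pass-verify.

    OpenVPN's via-file layout is username on line 1 and password on line 2;
    both are stripped of surrounding whitespace.

    Args:
        fpath: path to the temporary credentials file.

    Returns:
        (username, password) tuple of str.

    Raises:
        ValueError if the file has fewer than two lines. A real exception is
        raised instead of ``assert`` so the check survives ``python -O``.
    """
    with open(fpath, "r") as fp:
        lines = fp.readlines()
    if len(lines) < 2:
        raise ValueError("invalid credit file")
    username = lines[0].strip()
    password = lines[1].strip()
    return (username, password)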
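def check_credits(username, password):
    """Verify a username/password pair with an LDAP simple bind.

    Args:
        username: LDAP uid supplied by the VPN client (untrusted input).
        password: the client's password (untrusted; never written to the log).

    Returns:
        True if the bind as ``ldap_dn % username`` succeeds, False if the
        directory rejects the credentials or the password is empty.

    Raises:
        ldap.LDAPError for connection/TLS failures, so an unreachable or
        mis-configured directory is reported by the caller as an error rather
        than silently treated as a wrong password.
    """
    # An LDAP simple bind with an empty password is an *anonymous* bind and
    # would "succeed" for any uid, so refuse it before touching the server.
    if not username or not password:
        return False
    ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    conn = ldap.initialize(ldap_uri)
    if ldap_starttls:
        # Upgrade to TLS before the password goes on the wire. The original
        # never issued StartTLS despite the flag.
        # NOTE(review): certificate validation follows ldap.conf
        # (TLS_CACERT/TLS_REQCERT) -- the server cert must be trusted and its
        # CN must match the host in ldap_uri; consider setting
        # ldap.OPT_X_TLS_REQUIRE_CERT explicitly here.
        conn.start_tls_s()
    # Otherwise the bind goes out in clear text; only acceptable on ldapi://
    # or a loopback-only listener.
    # Escape the client-supplied uid so a value such as "x,ou=Admins" cannot
    # rewrite the DN it is substituted into.
    bind_dn = ldap_dn % (ldap.dn.escape_dn_chars(username),)
    try:
        conn.simple_bind_s(bind_dn, password)
    except ldap.INVALID_CREDENTIALS:
        # Log the username only; the original also logged the password.
        logging.error("username '%s' failed verifying" % username)
        return False
    finally:
        conn.unbind_s()
    return True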
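def main(argv):
    """Entry point for OpenVPN's ``auth-user-pass-verify <script> via-file``.

    Args:
        argv: sys.argv; argv[1] is the via-file path with the username on
            line 1 and the password on line 2.

    Returns:
        0 to grant access (the exit status OpenVPN treats as success),
        1 to deny.
    """
    credit_fpath = argv[1]
    (username, password) = get_credits(credit_fpath)
    if len(username) <= 0 or len(password) <= 0:
        logging.error("invalid creadits for user '%s'" % username)
        return 1
    # Log the username only. The original wrote the clear-text password to
    # the log file on every attempt.
    logging.info("user '%s' request logining" % username)
    # Authenticate first, then check the local authorization list.
    if check_credits(username, password):
        users = get_users(auth_filename)
        if not username in users:
            logging.error("user '%s' not authorized to access" % username)
            return 1
        logging.info("access of user '%s' granted" % username)
        return 0
    logging.error("access of user '%s' denied" % username)
    return 1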
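if __name__ == "__main__":
    # Wire up the file logger declared in the settings above; without this
    # call the log_* settings are dead and nothing is written.
    logging.basicConfig(filename=log_filename, format=log_format, level=log_level)
    rcode = 1
    if len(sys.argv) != 2:
        logging.fatal("usage: %s <credit-file>" % sys.argv[0])
    else:
        try:
            rcode = main(sys.argv)
        except Exception as e:
            # Any failure (unreadable via-file, LDAP/TLS error) denies access.
            logging.fatal("exception happened: %s" % str(e))
            rcode = 1
    # OpenVPN grants the connection only on exit status 0; the original never
    # propagated rcode, so the script always exited 0.
    sys.exit(rcode)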
# Dry run of the verifier against the sample via-file.
[root@vpn-ldap openvpn]# python check_credit.py user.conf
[root@vpn-ldap openvpn]# cat /tmp/check_ldap.log
# NOTE(review): the clear-text password ends up in the log -- this is the
# logging.info line in main(); log the username only.
2015-07-18 13:41:29,246 INFO user 'user1',password 'user1' request logining
# StartTLS failed, presumably because slapd's TLS settings still pointed at
# the template NSS-database entries; the PEM cert/key set up next addresses it.
2015-07-18 13:41:29,830 CRITICAL exception happened: {'info': 'TLS error -5938:Encountered end of file', 'desc': 'Connect error'}
[root@vpn-ldap openvpn]# cd /etc/openldap/certs/
[root@vpn-ldap certs]# ls
cert8.db key3.db password secmod.db
# NOTE(review): 2014 is almost certainly a typo for 2048 (an odd modulus size
# is legal but pointless); use 2048 or larger. Also create the key under a
# restrictive umask or chmod 600 it afterwards -- the listing below shows it
# written 0644.
[root@vpn-ldap certs]# openssl genrsa -out ldap.key 2014
Generating RSA private key, 2014 bit long modulus
e is 65537 (0x10001)
# CSR for the self-signed LDAP server certificate. The CN must be the name
# clients connect to: check_credit.py uses ldap://dev.com, but the CN entered
# below is www.dev.com, so hostname verification would fail.
[root@www certs]# openssl req -new -key ldap.key -out ldap.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.dev.com
Email Address []:lyao@weyee.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Self-signed for three years. Every client must then trust ldap.crt
# explicitly (TLS_CACERT in ldap.conf, or OPT_X_TLS_CACERTFILE in the script);
# with the default TLS_REQCERT=demand an untrusted cert aborts StartTLS.
[root@www certs]# openssl x509 -req -days 1095 -in ldap.csr -signkey ldap.key -out ldap.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=www.dev.com/emailAddress=lyao@weyee.com
Getting Private key
[root@www certs]# ll
total 112
-rw-r--r-- 1 root root 65536 Jul 17 22:09 cert8.db
-rw-r--r-- 1 root root 16384 Jul 17 22:09 key3.db
-rw-r--r-- 1 root root 1229 Jul 18 13:46 ldap.crt
-rw-r--r-- 1 root root 1009 Jul 18 13:45 ldap.csr
-rw-r--r-- 1 root root 1639 Jul 18 13:43 ldap.key
-r-------- 1 root root 45 Jul 17 22:09 password
-rw-r--r-- 1 root root 16384 Jul 17 22:09 secmod.db
# Lock the directory down and hand it to the slapd user (slapd runs -u ldap).
[root@www openldap]# chmod 700 certs/
[root@www openldap]# chown ldap.ldap certs/ -R
# NOTE(review): ldap.key itself is still 0644 inside that directory; chmod 600
# it too so a later relaxation of the directory mode cannot expose it.
# Client-side trust: on CentOS 6 OpenLDAP is built against Mozilla NSS, so
# TLS_CACERTDIR names the NSS database, which does not contain the new
# self-signed ldap.crt. Either `TLS_CACERT /etc/openldap/certs/ldap.crt` (PEM)
# or importing the cert into the NSS db with certutil is needed, or StartTLS
# clients keep failing verification -- confirm with `ldapsearch -ZZ`.
[root@www openldap]# vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/certs
# Server side: replace the NSS-database entries with the PEM cert and key.
[root@www openldap]# vim /etc/openldap/slapd.conf
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
[root@www openldap]# slaptest -u
config file testing succeeded
# NOTE(review): slapd.d was generated from slapd.conf earlier, and the init
# script presumably prefers slapd.d when it exists. Unless the conversion
# (`slaptest -f slapd.conf -F slapd.d` plus chown) is repeated, this restart
# may still run with the old TLS settings.
[root@www openldap]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@www openldap]# netstat -tunlp |grep slapd
tcp 0 0* LISTEN 5757/slapd
tcp 0 0 :::389 :::* LISTEN 5757/slapd