Openldap配置TLS加密传输(完整版——shell脚本实现[即在客户端执行代码,即可实现TLS加密])
此腳本中只是負責實現了TLS加密配置部分,openLDAP的編譯安裝以及設置是前期已經配置好的!注意:腳本需要在客戶端與服務器兩端都以root身份執行,且原版把服務器的SSH密碼直接寫在腳本變量裡並以明文經命令行傳給expect腳本,使用前務必改成自己的值(更建議改用SSH密鑰登錄)。
具體的配置看上上篇文章openLDAP的編譯安裝以及配置。
注意slapd.conf中的配置,腳本中為【suffix "dc=mirage,dc=com"  rootdn "cn=AuthUsers,dc=mirage,dc=com"】
ldapTls.sh
代碼在此不做太多的解釋,配置文檔看Openldap配置TLS加密傳輸(完整版——手動配置)
| 代碼的下載:鏈接:https://pan.baidu.com/s/1OeYA8MptDUFqKnY3mppPYA 密碼:uqza |
ldapTls.sh |
主配置文件: sh -n ldapTls.sh  #只檢查shell腳本語法,不執行; sh -x ldapTls.sh  #跟蹤調試shell腳本,顯示執行的每條命令(注意:-x 會把密碼等變量值一併打印出來)
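#!/bin/bash
# ldapTls.sh -- drive the OpenLDAP TLS setup from the CA/client host.
#
# Steps (all driven from this host):
#   1. check that openssl is installed; build tcl + expect from the tarballs in RUN_PATH
#   2. create the CA key pair under CLICA_PATH (cakey.exp answers the prompts)
#   3. have the LDAP server generate its key, fetch it, build the CSR locally
#      (serkey.exp), fix openssl.cnf (chenOpslConf.sh) and sign it (cliLdsr02crt.exp)
#   4. upload the signed cert and CA cert to the server and reconfigure slapd
#      there (uploadFile.exp, sshCheSlaconf.exp)
#   5. point the local ldap.conf at the new CA
#
# Prerequisites: openldap already compiled and installed on the server (see the
# earlier article); the helper *.exp / *.sh files live in RUN_PATH.
# The SSH password is read from the environment variable SERVER_PASSWD -- it is
# no longer written into this file.
#
# Security notes for whoever reuses this:
#   - the password is still handed to the expect helpers on argv, so it is
#     visible in `ps` on this host while they run; SSH keys avoid that entirely
#   - the helpers answer "yes" to the unknown-host-key prompt, i.e. the first
#     contact trusts whatever host answers at SERVER_IP
#   - TLS_REQCERT defaults to "allow" (the original value), which means the
#     client does not actually verify the server certificate; set
#     LDAP_TLS_REQCERT=demand once the server cert's CN/SAN matches the host in URI
set -u

CLICA_PATH="/etc/pki/CA"
CLICATLS_PATH="/etc/pki/tls/"
CLICATLS_NAME="/etc/pki/tls/openssl.cnf"

SERVER_PATH="/root/openldap_server"
SERVEROLDLDAP_PATH="/etc/openldap"
SERVERLDAP_PATH="/usr/local/etc/openldap"
SERVERCERT_PATH="/usr/local/etc/openldap/certs/"
SERVER_IP="${SERVER_IP:-192.168.1.188}"   # LDAP server address
SERVER_PORT="${SERVER_PORT:-22}"
SERVER_UNAME="${SERVER_UNAME:-root}"      # SSH user on the server
# Never hard-code the SSH password here (the original had "asd" in this file).
: "${SERVER_PASSWD:?SERVER_PASSWD (SSH password for ${SERVER_UNAME}@${SERVER_IP}) must be set in the environment}"

RUN_PATH="/root/workspace"
EXPECTTAR_PATH="/root/workspace/expect5.45.tar.gz"
EXPECT_PATH="/root/workspace/expect5.45"
TCLTAR_PATH="/root/workspace/tcl8.4.11-src.tar.gz"
TCL_PATH="/root/workspace/tcl8.4.11"

# Client-side certificate checking.  "allow" reproduces the original behaviour
# (a bad or missing server certificate is tolerated, so there is no protection
# against a man-in-the-middle); "demand" is what a production client should use.
LDAP_TLS_REQCERT="${LDAP_TLS_REQCERT:-allow}"

die() { printf '%s\n' "$*" >&2; exit 1; }

########################################################
# Check that the openssl package is present (rpm-based host).  Nothing below
# works without it, so a missing package is fatal instead of the warning the
# original printed before carrying on.
########################################################
deterPack_openssl() {
  local packs
  packs=$(rpm -qa openssl)
  if [ -n "$packs" ]; then
    echo -e "The packet_list:$packs"
    echo -e "\033[32m-----------------------------------------------\033[0m"
  else
    die "You need to install packages openssl!"
  fi
}
deterPack_openssl

########################################################
# Build and install tcl or expect from the tarballs in RUN_PATH.
#   $1 - "tcl" or "expect"
# Install prefixes are fixed: /usr/tcl (tclsh8.4) and /usr/expect (expect).
# A package whose binary already exists is skipped, so re-running the script
# does not rebuild both packages every time (the original did).
# Each build runs in a subshell so its cd does not leak into the caller.
########################################################
testInstal_pack() {
  local pkg=$1
  echo -e "\033[32m-----------------------------------------------\033[0m"
  echo "This is going to install package $pkg!"
  case "$pkg" in
    tcl)
      if [ -x /usr/tcl/bin/tclsh8.4 ]; then
        echo "tcl already installed under /usr/tcl, skipping"
        return 0
      fi
      tar -xzf "$TCLTAR_PATH" -C "$RUN_PATH" || die "cannot unpack $TCLTAR_PATH"
      (
        cd "$TCL_PATH/unix" || exit 1
        ./configure --prefix=/usr/tcl --enable-shared && make && make install
      ) || die "tcl build failed"
      # expect's configure needs this private header next to the generic ones
      cp "$TCL_PATH/unix/tclUnixPort.h" "$TCL_PATH/generic/"
      ;;
    expect)
      if [ -x /usr/expect/bin/expect ]; then
        echo "expect already installed under /usr/expect, skipping"
        return 0
      fi
      tar -xzf "$EXPECTTAR_PATH" -C "$RUN_PATH" || die "cannot unpack $EXPECTTAR_PATH"
      (
        cd "$EXPECT_PATH" || exit 1
        ./configure --prefix=/usr/expect --with-tcl=/usr/tcl/lib \
          --with-tclinclude="$TCL_PATH/generic" && make && make install
      ) || die "expect build failed"
      # The original unconditionally linked /usr/expect/bin/expect -> /usr/tcl/bin/expect
      # (failing when make install had already created the file).  Only link
      # when the binary is missing and the link target actually exists.
      if [ ! -e /usr/expect/bin/expect ] && [ -x /usr/tcl/bin/expect ]; then
        ln -s /usr/tcl/bin/expect /usr/expect/bin/expect
      fi
      ;;
    *)
      die "unknown package: $pkg"
      ;;
  esac
}
#testInstal_pack openssl
testInstal_pack tcl
testInstal_pack expect

########################################################
# Make the helper scripts executable.  Only *.exp and *.sh: the original
# chmod +x'ed everything in RUN_PATH, including the tarballs and the server
# private key that is downloaded into it later.
########################################################
chmod +x "$RUN_PATH"/*.exp "$RUN_PATH"/*.sh

########################################################
# CA key pair.  The key is generated with umask 077 so only root can read it;
# cakey.exp answers the `openssl req` prompts.  An existing CA key/cert is
# reused -- the original regenerated both on every run, which silently
# invalidated every certificate issued before.  2048 bits is stated explicitly
# rather than relying on the openssl default, which differs between releases.
########################################################
if [ ! -f "$CLICA_PATH/private/CA.key" ]; then
  (umask 077; openssl genrsa -out "$CLICA_PATH/private/CA.key" 2048) || die "CA key generation failed"
  rm -f "$CLICA_PATH/CA.crt"   # a new key invalidates any old CA certificate
fi
if [ ! -f "$CLICA_PATH/CA.crt" ]; then
  "$RUN_PATH/cakey.exp" "$CLICA_PATH/private/CA.key" "$CLICA_PATH/CA.crt" || die "CA certificate generation failed"
fi

########################################################
# Server key and CSR.  sshLdsr02key.exp has the server generate its private
# key and copies it back here; serkey.exp builds the CSR from it locally and
# cliLdsr02crt.exp signs it with the CA (the "y" answers are scripted).
# NOTE(review): this design moves the server's private key off the server.
# Generating the CSR on the server and transferring only the CSR would avoid
# that; kept as-is because serkey.exp/cliLdsr02crt.exp expect the key here.
########################################################
"$RUN_PATH/sshLdsr02key.exp" "$SERVER_IP" "$SERVER_PORT" "$SERVER_UNAME" "$SERVER_PASSWD" || die "could not create/fetch the server key"
[ -f "$RUN_PATH/ldapsrv02.key" ] || die "server key was not downloaded to $RUN_PATH"
chmod 600 "$RUN_PATH/ldapsrv02.key"
"$RUN_PATH/serkey.exp" "$RUN_PATH/ldapsrv02.key" "$RUN_PATH/ldapsrv02.csr" || die "CSR generation failed"

# Align /etc/pki/tls/openssl.cnf with the CA (file names, DN defaults).
# Sourced in a subshell so the helper sees our variables, while its cd's and
# exits do not affect this script.  The original wrapped this in backticks,
# which ran the helper's echo output as a command.
echo "-------------------開始配置CA簽發信息--------------------------"
( . "$RUN_PATH/chenOpslConf.sh" ) || die "openssl.cnf configuration failed"
echo "-------------------結束配置CA簽發信息--------------------------"

"$RUN_PATH/cliLdsr02crt.exp" "$RUN_PATH/ldapsrv02.csr" "$RUN_PATH/ldapsrv02.crt" || die "CA signing failed"
[ -s "$RUN_PATH/ldapsrv02.crt" ] || die "signed certificate $RUN_PATH/ldapsrv02.crt is missing or empty"

########################################################
# Install on the server: upload the signed cert and the CA cert, then
# sshCheSlaconf.exp rewrites ldap.conf/slapd.conf there and restarts slapd.
########################################################
"$RUN_PATH/uploadFile.exp" "$RUN_PATH/ldapsrv02.crt" "$SERVER_UNAME" "$SERVER_IP" "$SERVER_PATH" "$SERVER_PASSWD" || die "upload of ldapsrv02.crt failed"
"$RUN_PATH/uploadFile.exp" "$CLICA_PATH/CA.crt" "$SERVER_UNAME" "$SERVER_IP" "$SERVERCERT_PATH" "$SERVER_PASSWD" || die "upload of CA.crt failed"
"$RUN_PATH/sshCheSlaconf.exp" "$SERVER_IP" "$SERVER_PORT" "$SERVER_UNAME" "$SERVER_PASSWD" || die "server configuration failed"

########################################################
# Local client configuration: trust the CA and point ldap.conf at it.
# The original also copied the CA *private* key into this certs directory;
# that is dropped -- nothing reads it there, and a CA key does not belong in
# a certificate directory that ldap clients read.
########################################################
mkdir -p "$SERVERCERT_PATH"
cp "$CLICA_PATH/CA.crt" "$SERVERCERT_PATH"
cp -f "$SERVEROLDLDAP_PATH/ldap.conf" "$SERVERLDAP_PATH"
conf="$SERVERLDAP_PATH/ldap.conf"
# TLS_CACERT names the CA file directly; TLS_CACERTDIR on its own only works
# with c_rehash-style hashed links, which nothing here creates.
echo "TLS_CACERT ${SERVERCERT_PATH}CA.crt" >> "$conf"
echo "TLS_REQCERT $LDAP_TLS_REQCERT" >> "$conf"
sed -i '/^TLS_CACERTDIR/{s/etc.*$/usr\/local\/etc\/openldap\/certs/g}' "$conf"
sed -i 's/^SASL_NOCANON/#&/' "$conf"
# Append BASE/URI only when absent.  The original's test was pasted from an
# expect script with the Tcl escapes left in, so it compared the literal
# string "${result}" with 1 and never appended either line.
grep -q '^BASE' "$conf" || sed -i '$a BASE dc=mirage,dc=com' "$conf"
grep -q '^URI'  "$conf" || sed -i '$a URI ldaps://127.0.0.1/' "$conf"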
cakey.exp |
建立CA中心:CA服務器用自己的私鑰生成自簽名證書(即"公鑰") |
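#!/usr/expect/bin/expect -f
# cakey.exp -- create the CA's self-signed certificate from its private key,
# answering the `openssl req` DN prompts non-interactively.
#
# Usage: ./cakey.exp <ca-private-key> <ca-cert-out>
#
# The answers (C/ST/L/O/OU) must match the *_default values chenOpslConf.sh
# writes into openssl.cnf: `openssl ca`'s policy_match compares them against
# every CSR.  Common Name is the CA host's address here (192.168.1.77); it is
# the CA's own name, not a server name, so anything descriptive will do.
#
# Notes:
#   - -days 365: every certificate this CA issues becomes untrusted when the
#     CA certificate itself expires a year from now; lengthen for anything
#     beyond a lab
#   - -sha256 is given explicitly so the certificate digest does not depend
#     on the default_md of whichever OpenSSL release is installed
#   - comments are kept outside the expect block on purpose: the original's
#     trailing "#" comments inside the braces were parsed as extra
#     pattern/action words
if {$argc != 2} {
    send_user "usage: ./cakey.exp \$prikeyname \$pubkeyname\n"
    exit 1
}
set prikeyname [lindex $argv 0]
set pubkeyname [lindex $argv 1]
set timeout 30

spawn openssl req -new -x509 -sha256 -key $prikeyname -out $pubkeyname -days 365
expect {
    "Country Name"             { send "CN\r";                exp_continue }
    "State or Province"        { send "ShangHai\r";          exp_continue }
    "Locality Name"            { send "ShangHai\r";          exp_continue }
    "Organization Name"        { send "IT\r";                exp_continue }
    "Organizational Unit Name" { send "IT\r";                exp_continue }
    "Common Name"              { send "192.168.1.77\r";      exp_continue }
    "Email Address"            { send "1457375505@qq.com\r"; exp_continue }
    timeout { send_user "timed out waiting for an openssl prompt\n"; exit 1 }
    eof     {}
}
# Exit with openssl's status so ldapTls.sh can stop when no certificate was written.
exit [lindex [wait] 3]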
sshLdsr02key.exp |
openldap server生成私鑰,并把其傳到本地 |
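#!/usr/expect/bin/expect -f
# sshLdsr02key.exp -- have the LDAP server generate its RSA private key, then
# copy that key back to the local workspace so serkey.exp can build the CSR.
#
# Usage: ./sshLdsr02key.exp <ipaddress> <port> <username> <passwd>
#
# Remote side: mkdir -p ~/openldap_server, `openssl genrsa` in it, and create
# /usr/local/etc/openldap/certs for the later upload.  The scp path below
# assumes the login user is root (~ == /root), as in the original.
#
# Security notes:
#   - the password travels on argv (visible in `ps`) and is typed at the ssh
#     prompt; an SSH key would remove both problems
#   - "yes" is sent to the unknown-host-key prompt, so the first contact
#     trusts whatever host answers at <ipaddress>
#   - the server's private key is copied off the server; generating the CSR
#     on the server instead would keep the key where it is used
if {$argc != 4} {
    send_user "usage: ./sshLdsr02key.exp \$ipaddress \$port \$username \$passwd\n"
    exit 1
}
set ipaddress [lindex $argv 0]
set port      [lindex $argv 1]
set username  [lindex $argv 2]
set passwd    [lindex $argv 3]
set srv02pat  /root/openldap_server/ldapsrv02.key
set cli02pat  /root/workspace/
set timeout   30

# Matches a bash prompt ending in "]# " or "]$ ".  The original regex was
# written as "\](\$|#) " in double quotes, which turns \$ into a bare $
# (end-of-input anchor), so it only ever matched the root prompt.
set prompt {\][$#] }

# Answer the host-key and password prompts; fail loudly instead of continuing
# after a timeout or a closed connection.
proc login {passwd} {
    global spawn_id timeout
    expect {
        "yes/no"    { send "yes\r"; exp_continue }
        "password:" { send "$passwd\r" }
        timeout     { send_user "timed out waiting for the ssh prompt\n"; exit 1 }
        eof         { send_user "connection closed before login\n"; exit 1 }
    }
}

spawn ssh $ipaddress -p$port -l$username
login $passwd
expect -re $prompt
# umask 077 keeps the new key owner-readable only; 2048 bits is explicit
# rather than the openssl default, which is lower on older releases.
send "mkdir -p openldap_server && cd openldap_server && (umask 077; openssl genrsa -out ldapsrv02.key 2048); mkdir -p /usr/local/etc/openldap/certs\r"
expect -re $prompt
send "exit\r"
expect eof

# Same port and user as the ssh session; the original scp used the default
# port, the local user name and a hard-coded password instead of $passwd.
spawn scp -P $port $username@$ipaddress:$srv02pat $cli02pat
login $passwd
expect eof
# Exit with scp's status so the caller notices a failed download.
exit [lindex [wait] 3]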
serkey.exp |
本地生成證書請求文件(CSR),同時完成了ldapsrv02向CA請求證書 |
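#!/usr/expect/bin/expect -f
# serkey.exp -- build the LDAP server's certificate signing request from its
# private key, answering the `openssl req` prompts non-interactively.
#
# Usage: ./serkey.exp <server-private-key> <csr-out>
#
# The DN answers (C/ST/L/O/OU) must agree with the defaults chenOpslConf.sh
# writes into openssl.cnf, otherwise `openssl ca` (policy_match) rejects the
# CSR.  Common Name is the address clients connect to.
# NOTE(review): the CN below (192.168.1.88) does not match SERVER_IP in
# ldapTls.sh (192.168.1.188); with TLS_REQCERT demand that mismatch makes
# every client connection fail.  An IP address in CN only, with no
# subjectAltName, is also rejected by stricter clients -- confirm which
# address the clients use and consider a SAN.
# The challenge password / optional company name answers are CSR attributes
# only and are kept as in the original.
if {$argc != 2} {
    send_user "usage: ./serkey.exp \$prikeyname \$csrname\n"
    exit 1
}
set prikeyname [lindex $argv 0]
set csrname    [lindex $argv 1]
set timeout    30

spawn openssl req -new -key $prikeyname -out $csrname
expect {
    "Country Name"             { send "CN\r";                exp_continue }
    "State or Province"        { send "ShangHai\r";          exp_continue }
    "Locality Name"            { send "ShangHai\r";          exp_continue }
    "Organization Name"        { send "IT\r";                exp_continue }
    "Organizational Unit Name" { send "IT\r";                exp_continue }
    "Common Name"              { send "192.168.1.88\r";      exp_continue }
    "Email Address"            { send "1457375505@qq.com\r"; exp_continue }
    "challenge password"       { send "asd\r";               exp_continue }
    "company name"             { send "heihei\r";            exp_continue }
    timeout { send_user "timed out waiting for an openssl prompt\n"; exit 1 }
    eof     {}
}
# Propagate openssl's exit status (e.g. unreadable key) to the caller.
exit [lindex [wait] 3]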
chenOpslConf.sh |
配置CA簽發信息 |
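#!/bin/bash
# chenOpslConf.sh -- prepare the CA database and openssl.cnf for `openssl ca`.
#
# Meant to be sourced (in a subshell) by ldapTls.sh, which supplies:
#   CLICA_PATH    - CA directory (index.txt, serial, CA.crt, private/CA.key)
#   CLICATLS_PATH - directory holding openssl.cnf
#   CLICATLS_NAME - full path of openssl.cnf
#
# What it does:
#   1. (re)creates the CA text database index.txt and sets serial to 01
#   2. restores openssl.cnf from openssl.cnf.bak (so the edits below are
#      applied to a clean copy each run) and keeps a dated backup
#   3. points the [ CA_default ] certificate/private_key entries at
#      CA.crt/CA.key and sets the DN defaults (C, ST, L, O, OU) that
#      cakey.exp/serkey.exp answer, so policy_match accepts the CSR
#
# Security note: resetting index.txt/serial on every run throws away the
# record of previously issued certificates and re-uses serial numbers, which
# makes revocation/CRLs impossible.  That is the original behaviour and is
# acceptable for a throw-away lab CA only; set RESET_CA_DB=0 to keep an
# existing database (then `openssl ca` refuses a duplicate subject, as it should).
#
# The script cd's around, so source it in a subshell: ( . chenOpslConf.sh )

# Refuse to run without the caller's variables.  `return` works when sourced;
# when executed directly it fails and we fall through to exit.
for v in CLICA_PATH CLICATLS_PATH CLICATLS_NAME; do
  if [ -z "${!v:-}" ]; then
    printf 'chenOpslConf.sh: %s is not set\n' "$v" >&2
    return 1 2>/dev/null || exit 1
  fi
done

# Set a "<key> = <value>" DN default in openssl.cnf, whether the stock line
# is active or commented out ("#key = ..."); append it when absent.
#   $1 - key, e.g. stateOrProvinceName_default
#   $2 - value
set_dn_default() {
  local key=$1 value=$2
  if grep -q "^#\?${key}[[:space:]]*=" "$CLICATLS_NAME"; then
    sed -i "s|^#\?${key}[[:space:]]*=.*|${key} = ${value}|" "$CLICATLS_NAME"
  else
    # The original used '\$a ...' here, which sed rejects as an unterminated
    # regex address, so the fallback never worked.
    sed -i "\$a ${key} = ${value}" "$CLICATLS_NAME"
  fi
}

configure_ca_openssl_cnf() {
  cd "$CLICA_PATH" || return 1
  if [ "${RESET_CA_DB:-1}" = 1 ]; then
    : > index.txt
    echo "01" > serial
  else
    [ -f index.txt ] || touch index.txt
    [ -f serial ]    || echo "01" > serial
  fi

  cd "$CLICATLS_PATH" || return 1
  # openssl.cnf.bak is the pristine copy: create it on the first run, restore
  # from it afterwards so the sed edits below never stack up.  (The original
  # restored before checking that the backup existed.)
  if [ -f openssl.cnf.bak ]; then
    cp openssl.cnf.bak openssl.cnf
  else
    cp openssl.cnf openssl.cnf.bak
  fi
  # Dated copy of what is about to be modified; overwritten if today's exists.
  cp -f openssl.cnf "openssl.cnf.bak$(date +%F)"

  # [ CA_default ]: use the file names ldapTls.sh creates.  No trailing space
  # after CA.key (the original replacement left one).
  sed -i '/^certificate/{s/cacert.pem/CA.crt/g}' "$CLICATLS_NAME"
  sed -i '/^private_key/{s/cakey.pem/CA.key/g}' "$CLICATLS_NAME"

  # DN defaults -- must match what cakey.exp and serkey.exp type.
  set_dn_default countryName_default             CN
  set_dn_default stateOrProvinceName_default     ShangHai
  set_dn_default localityName_default            ShangHai
  set_dn_default 0.organizationName_default      IT
  set_dn_default organizationalUnitName_default  IT
}

configure_ca_openssl_cnf || return 1 2>/dev/null || exit 1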
cliLdsr02crt.exp |
CA服務頒發證書 |
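#!/usr/expect/bin/expect -f
# cliLdsr02crt.exp -- sign a CSR with the local CA (`openssl ca`, using the
# openssl.cnf prepared by chenOpslConf.sh).
#
# Usage: ./cliLdsr02crt.exp <csr> <cert-out>
#
# `openssl ca` asks "Sign the certificate? [y/n]" and "1 out of 1 certificate
# requests certified, commit? [y/n]"; both are answered with y.  Because that
# is a blind yes, the CSR subject is printed first so the operator can see
# what is being signed.  The CA key is unencrypted (see ldapTls.sh), so no
# passphrase prompt is expected.
if {$argc != 2} {
    send_user "usage: ./cliLdsr02crt.exp \$requeFilename \$certiFilename\n"
    exit 1
}
set requeFilename [lindex $argv 0]
set certiFilename [lindex $argv 1]
set timeout 30

# Show what is about to be signed; a CSR that cannot be parsed is an error.
if {[catch {exec openssl req -noout -subject -in $requeFilename} subject]} {
    send_user "cannot read CSR $requeFilename: $subject\n"
    exit 1
}
send_user "signing CSR with $subject\n"

spawn openssl ca -in $requeFilename -out $certiFilename
expect {
    "Certificate is" { send "y\r"; exp_continue }
    "1 out of"       { send "y\r"; exp_continue }
    timeout { send_user "timed out waiting for openssl ca\n"; exit 1 }
    eof     {}
}
# openssl ca exits non-zero on e.g. a policy mismatch or a duplicate subject;
# the original ignored that and ldapTls.sh carried on without a certificate.
set status [lindex [wait] 3]
if {$status != 0} {
    send_user "openssl ca failed with status $status\n"
}
exit $status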
uploadFile.exp |
openldap server下載證書 |
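#!/usr/expect/bin/expect -f
# uploadFile.exp -- scp one local file to the LDAP server.
#
# Usage: ./uploadFile.exp <local-file> <username> <ipaddress> <remote-path> <passwd> [port]
#   port is optional and defaults to 22 (the original had no way to pass one,
#   so it ignored SERVER_PORT).
#
# Security notes: the password is on argv (visible in `ps`) and the unknown
# host-key prompt is answered "yes", exactly as before; prefer SSH keys.
if {$argc < 5 || $argc > 6} {
    send_user "usage: ./uploadFile.exp \$locaFilepath \$username \$ipaddress \$servFilepath \$passwd \[\$port\]\n"
    exit 1
}
set locaFilepath [lindex $argv 0]
set username     [lindex $argv 1]
set ipaddress    [lindex $argv 2]
set servFilepath [lindex $argv 3]
set passwd       [lindex $argv 4]
set port 22
if {$argc == 6} {
    set port [lindex $argv 5]
}
set timeout 30

if {![file readable $locaFilepath]} {
    send_user "cannot read $locaFilepath\n"
    exit 1
}

# eg: scp -P 22 ldapsrv02.csr root@192.168.1.126:/root/openldap_server
# The password prompt is answered with $passwd; the original sent a
# hard-coded "asd" and ignored the argument.
spawn scp -P $port $locaFilepath $username@$ipaddress:$servFilepath
expect {
    "yes/no"    { send "yes\r"; exp_continue }
    "password:" { send "$passwd\r" }
    timeout     { send_user "timed out waiting for scp\n"; exit 1 }
}
expect eof
# Exit with scp's status so the caller notices a failed upload.
exit [lindex [wait] 3]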
sshCheSlaconf.exp |
ldapsrv02安裝證書 |
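#!/usr/expect/bin/expect -f
# sshCheSlaconf.exp -- log in to the LDAP server and switch slapd to TLS.
#
# Usage: ./sshCheSlaconf.exp <ipaddress> <port> <username> <passwd>
#
# Remote steps (the server must already have openldap installed under
# /usr/local with slapd.conf.bak in place; ldapsrv02.crt/.key in SERVER_PATH
# and CA.crt in SERVERCERT_PATH were uploaded by ldapTls.sh):
#   1. make sure the ldap user exists
#   2. install cert + key into SERVERCERT_PATH, owned by ldap, key mode 600
#   3. rebuild ldap.conf from /etc/openldap/ldap.conf (TLS_CACERTDIR, BASE, URI)
#   4. restore slapd.conf from slapd.conf.bak and append the TLS* directives
#   5. regenerate slapd.d from slapd.conf and restart slapd on ldap:// + ldaps://
#   6. open 389/636 in iptables
#
# Security notes:
#   - the original ended with `iptables -F`, which drops every firewall rule
#     on the server; only the two LDAP ports are opened now
#   - slapd is started as root (no -u/-g) exactly as before; the ldap user
#     and the chown calls suggest `-u ldap -g ldap` was intended -- confirm
#     the database directory ownership before adding it
#   - plaintext ldap:// stays enabled next to ldaps://; once clients use TLS,
#     drop ldap:// or require it with `security tls=1` in slapd.conf
#   - no TLSProtocolMin / TLSCipherSuite is set, so slapd's defaults apply
#   - password on argv and a blind "yes" to the host-key prompt, as before
set SERVERCERT_PATH    /usr/local/etc/openldap/certs
set SERVERLDAP_PATH    /usr/local/etc/openldap
set SERVER_PATH        /root/openldap_server
set SERVEROLDLDAP_PATH /etc/openldap

if {$argc != 4} {
    send_user "usage: ./sshCheSlaconf.exp \$ipaddress \$port \$username \$passwd\n"
    exit 1
}
set ipaddress [lindex $argv 0]
set port      [lindex $argv 1]
set username  [lindex $argv 2]
set passwd    [lindex $argv 3]
set timeout   30

# bash prompt ending in "]# " or "]$ " (the original's "\](\$|#) " lost the
# backslash before $ in double quotes and only matched the root prompt).
set prompt {\][$#] }

# Send one command line to the remote shell and wait for the next prompt;
# stop instead of blindly sending the next command when the prompt never comes.
proc run {cmd} {
    global prompt spawn_id timeout
    send "$cmd\r"
    expect -re $prompt {} \
        timeout { send_user "timed out waiting for prompt after: $cmd\n"; exit 1 } \
        eof     { send_user "connection closed while running: $cmd\n"; exit 1 }
}

# Append $line to $file on the server unless a line already starts with $key.
proc ensure_line {file key line} {
    run "grep -q '^$key' $file || sed -i '\$a $line' $file"
}

spawn ssh $ipaddress -p$port -l$username
expect {
    "yes/no"    { send "yes\r"; exp_continue }
    "password:" { send "$passwd\r" }
    timeout     { send_user "timed out waiting for the ssh prompt\n"; exit 1 }
    eof         { send_user "connection closed before login\n"; exit 1 }
}
expect -re $prompt

run "id ldap >/dev/null 2>&1 || useradd ldap"

# Copy first, then fix ownership/permissions: the original chown'ed the
# directory *before* copying, so the key ended up root-owned with whatever
# the umask gave it.
run "\\cp $SERVER_PATH/ldapsrv02.crt $SERVERCERT_PATH; \\cp $SERVER_PATH/ldapsrv02.key $SERVERCERT_PATH"
run "chown -R ldap:ldap $SERVERCERT_PATH; chmod 600 $SERVERCERT_PATH/ldapsrv02.key"

# Client config on the server itself.
run "\\cp $SERVEROLDLDAP_PATH/ldap.conf $SERVERLDAP_PATH/"
run "sed -i '/^TLS_CACERTDIR/{s/etc.*\$/usr\\/local\\/etc\\/openldap\\/certs/g}' $SERVERLDAP_PATH/ldap.conf"
ensure_line $SERVERLDAP_PATH/ldap.conf BASE "BASE dc=mirage,dc=com"
ensure_line $SERVERLDAP_PATH/ldap.conf URI  "URI ldap://192.168.1.188/"
run "sed -i 's/^SASL_NOCANON/#&/' $SERVERLDAP_PATH/ldap.conf"

# slapd.conf: start from the backup taken at install time, add TLS directives.
# TLSCACertificatePath is a directory and needs c_rehash-style links for
# OpenSSL builds; it is not needed for serving our own directly-signed cert.
run "\\cp $SERVERLDAP_PATH/slapd.conf.bak $SERVERLDAP_PATH/slapd.conf"
ensure_line $SERVERLDAP_PATH/slapd.conf TLSCACertificatePath  "TLSCACertificatePath $SERVERCERT_PATH"
ensure_line $SERVERLDAP_PATH/slapd.conf TLSCertificateFile    "TLSCertificateFile $SERVERCERT_PATH/ldapsrv02.crt"
ensure_line $SERVERLDAP_PATH/slapd.conf TLSCertificateKeyFile "TLSCertificateKeyFile $SERVERCERT_PATH/ldapsrv02.key"

# Regenerate cn=config from slapd.conf and restart slapd.
run "rm -rf $SERVERLDAP_PATH/slapd.d/* ; slaptest -f $SERVERLDAP_PATH/slapd.conf -F $SERVERLDAP_PATH/slapd.d/"
run "chown -R ldap:ldap $SERVERLDAP_PATH/slapd.d"
run "killall slapd; /usr/local/libexec/slapd -h \"ldap://$ipaddress/ ldaps://$ipaddress/\"; netstat -tunlp | grep slapd"

# Open only the LDAP ports (delete-then-insert keeps this idempotent across
# runs without needing `iptables -C`).
run "iptables -D INPUT -p tcp --dport 636 -j ACCEPT 2>/dev/null; iptables -I INPUT -p tcp --dport 636 -j ACCEPT"
run "iptables -D INPUT -p tcp --dport 389 -j ACCEPT 2>/dev/null; iptables -I INPUT -p tcp --dport 389 -j ACCEPT"

send "exit\r"
expect eof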
總結