mardi 29 novembre 2011

Debian Squeeze : installer un serveur LDAPS (SSL/TLS) à partir des sources


Côté serveur :

Remarque (chaîne d'approvisionnement) : l'archive ci-dessous est récupérée en FTP clair, sans contrôle d'intégrité ni de signature. Avant de l'extraire, comparez son empreinte avec celle publiée par le projet OpenLDAP et vérifiez la signature de la release si elle est fournie. La version 2.4.23 (stable-20100719) est par ailleurs ancienne : prenez la dernière release stable disponible.

% wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-stable/openldap-stable-20100719.tgz
% tar -xzvf openldap-stable-20100719.tgz
% cd openldap-2.4.23



% ./configure --prefix=/usr --with-tls --enable-slapd --with-cyrus-sasl --enable-crypt --disable-ldbm --enable-bdb
checking openssl/ssl.h usability... no
checking openssl/ssl.h presence... no
checking for openssl/ssl.h... no
checking gnutls/gnutls.h usability... no
checking gnutls/gnutls.h presence... no
checking for gnutls/gnutls.h... no
configure: WARNING: Could not locate TLS/SSL package
configure: WARNING: TLS data protection not supported!
% aptitude install libssl-dev libgnutls-dev

% ./configure --prefix=/usr --with-tls --enable-slapd --with-cyrus-sasl --enable-crypt --disable-ldbm --enable-bdb
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... yes
checking OpenSSL library version (CRL checking capability)... yes
checking gnutls/gnutls.h usability... yes
checking gnutls/gnutls.h presence... yes
checking for gnutls/gnutls.h... yes
checking for gnutls_init in -lgnutls... yes
...
checking db.h usability... no
checking db.h presence... no
checking for db.h... no
configure: error: BDB/HDB: BerkeleyDB not available

% aptitude install libdb4.7-dev

% ./configure --prefix=/usr --with-tls --enable-slapd --with-cyrus-sasl --enable-crypt --disable-ldbm --enable-bdb
checking db.h usability... yes
checking db.h presence... yes
checking for db.h... yes
checking for Berkeley DB major version in db.h... 4
checking for Berkeley DB minor version in db.h... 7
checking if Berkeley DB version supported by BDB/HDB backends... yes
checking for Berkeley DB link (-ldb-4.7)... yes
checking for Berkeley DB library and header version match... yes
checking for Berkeley DB thread support... yes
checking for openlog... yes
checking unicode/utypes.h usability... no
checking unicode/utypes.h presence... no
checking for unicode/utypes.h... no
configure: WARNING: ICU not available
checking sasl/sasl.h usability... no
checking sasl/sasl.h presence... no
checking for sasl/sasl.h... no
checking sasl.h usability... no
checking sasl.h presence... no
checking for sasl.h... no
configure: error: Could not locate Cyrus SASL

% sudo aptitude install libsasl2-dev libsasl2-modules-ldap

% ./configure --prefix=/usr --with-tls --enable-slapd --with-cyrus-sasl --enable-crypt --disable-ldbm --enable-bdb
checking sasl/sasl.h usability... yes
checking sasl/sasl.h presence... yes
checking for sasl/sasl.h... yes
checking sasl.h usability... no
checking sasl.h presence... no
checking for sasl.h... no
checking for sasl_client_init in -lsasl2... yes
checking Cyrus SASL library version... yes
checking for sasl_version... yes
...
Please run "make depend" to build dependencies

% make depend
% make
% make test
% su root -c 'make install'
% aptitude install gnutls-bin
% mkdir /usr/etc/openldap/certs

% cd /usr/etc/openldap/certs

% certtool --generate-privkey --outfile ca-key.pem
% chmod 600 ca-key.pem
% certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem

(ca-key.pem ne sert qu'à signer des certificats : slapd n'en a pas besoin et il n'est pas référencé dans slapd.conf. Une fois cert.pem émis, retirez-le du serveur LDAP et conservez-le hors ligne.)

Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): MG
Organization name: monORGANISATION
Organizational unit name: monORGANISATION
Locality name: Madagascar
State or province name: Antananarivo
Common name: CA monORGANISATION   (choisir un CN différent de celui du certificat serveur généré plus bas : un sujet identique pour l'AC et le serveur rend la chaîne ambiguë pour les clients, l'émetteur de cert.pem étant alors égal à son propre sujet)
UID:
This field should not be used in new certificates.
E-mail: ldapadmin@mondomaine.com
Enter the certificate's serial number in decimal (default: 1321958109):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): 0
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):

(Une AC n'a besoin que de « sign other certificates » et « sign CRLs » : ne cochez pas code signing, OCSP ni time stamping. Le path length 0 interdit d'utiliser ce certificat pour créer des AC intermédiaires. Idéalement, répondez aussi N aux questions « TLS web client/server » pour l'AC ; certtool ne pose alors plus les questions dnsName et usages TLS.)
Enter the URI of the CRL distribution point:

...

Is the above information ok? (Y/N): Y

% certtool --generate-privkey --outfile key.pem
% chmod 600 key.pem
% certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): MG
Organization name: monORGANISATION
Organizational unit name: monORGANISATION
Locality name: Madagascar
State or province name: Antananarivo
Common name: ldap.mondomaine.com
UID:
This field should not be used in new certificates.
E-mail: ldapadmin@mondomaine.com
Enter the certificate's serial number in decimal (default: 1321958109):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: ldap.mondomaine.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:

(Renseignez le dnsName avec le nom utilisé dans l'URI client (ldaps://ldap.mondomaine.com) : les clients comparent le nom du serveur au subjectAltName, le CN seul ne suffit pas toujours. Un certificat serveur n'a pas besoin de l'usage « TLS web client ».)
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y

...

Is the above information ok? (Y/N): Y

% vim /usr/etc/openldap/slapd.conf

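#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it contains the rootpw hash and
# the location of the TLS private key.
#
include /usr/etc/openldap/schema/core.schema
include /usr/etc/openldap/schema/cosine.schema
include /usr/etc/openldap/schema/inetorgperson.schema
include /usr/etc/openldap/schema/misc.schema
include /usr/etc/openldap/schema/openldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/var/run/slapd.pid
argsfile /usr/var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#
# slapd is started below with -h "ldaps:///" only, so every session is
# already TLS-protected. If a cleartext ldap:/// listener is ever added,
# enable a "security" directive such as the sample above so that simple
# binds (password in clear) are refused on an unprotected session.

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#
# TLS material. The files were generated above in /usr/etc/openldap/certs
# (the directory created with mkdir/cd before running certtool); nothing
# was installed under /etc/ldap/ssl in this walkthrough, so pointing there
# would leave slapd without a certificate. Only the server key, the server
# certificate and the CA certificate are needed: ca-key.pem is deliberately
# not referenced and should not stay on this host.
TLSCertificateFile /usr/etc/openldap/certs/cert.pem
TLSCertificateKeyFile /usr/etc/openldap/certs/key.pem
TLSCACertificateFile /usr/etc/openldap/certs/ca-cert.pem
# Clients authenticate with a simple bind over TLS, not with a client
# certificate, so none is requested. Switch to "demand" only if you issue
# client certificates (e.g. for SASL EXTERNAL).
TLSVerifyClient never

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=mondomaine,dc=com"
rootdn "cn=Manager,dc=mondomaine,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The value below is a salted SHA-1 hash produced by slappasswd, never the
# password itself.
rootpw {SSHA}/mpgPlwH19ge+r45wOpV/1T08fAJImjg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/var/openldap-data
# Indices to maintain
index objectClass eq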

% scp /usr/etc/openldap/certs/ca-cert.pem user@userpc.mondomaine.com:/home/user/certs/
% /usr/libexec/slapd -h "ldaps:///" -d 2024

Seul ca-cert.pem (public) est copié vers les clients ; ca-key.pem ne doit jamais quitter le serveur. La commande slapd ci-dessus tourne au premier plan avec des traces de debug (-d 2024), en root et sur toutes les interfaces : pour la production, lancez-la sans -d, avec -u/-g pour un compte non privilégié (voir slapd(8)), et gardez uniquement le listener ldaps:/// tant qu'aucune directive « security » n'impose TLS sur ldap://.

Côté client :

% aptitude install ldap-utils
% vim /etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=mondomaine,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
# ldaps:// on 636: TLS from the first byte, matching slapd -h "ldaps:///".
# The host name must match the server certificate (CN/dnsName).
URI ldaps://ldap.mondomaine.com:636

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# CA used to verify the server certificate (the ca-cert.pem copied from
# the server). NOTE(review): this is a system-wide file trusting a path
# under one user's home directory; anyone who can write that file can
# substitute their own CA and intercept every LDAPS session from this
# machine. Prefer a root-owned location (e.g. under /etc/ldap/) and copy
# the CA certificate there.
TLS_CACERT /home/user/certs/ca-cert.pem
# "demand": the session is aborted if the server presents no certificate
# or one that does not chain to TLS_CACERT. Do not weaken this to "allow"
# or "never" to get past a failing handshake; that removes server
# authentication and with it the protection against MITM.
TLS_REQCERT demand

$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

Le code 32 (noSuchObject) signifie seulement que l'entrée de base dc=mondomaine,dc=com n'existe pas encore : aucune entrée n'a été ajoutée. La connexion TLS et la vérification du certificat serveur par l'AC ont, elles, réussi — avec TLS_REQCERT demand, ldapsearch aurait échoué avant de renvoyer un résultat dans le cas contraire. Il reste à créer l'entrée de base (ldapadd avec le rootdn) avant de peupler l'annuaire.