
Configuring TLS encryption for OpenLDAP (full version: shell-script implementation; run the code on the client to enable TLS)

Published 2025/10/17 | Programming Q&A | 43 | 豆豆

This script only implements the TLS encryption configuration; compiling, installing and setting up OpenLDAP itself is assumed to have been done beforehand.

For that setup see the earlier article on compiling, installing and configuring OpenLDAP.

Note the settings in slapd.conf: the script assumes suffix "dc=mirage,dc=com" and rootdn "cn=AuthUsers,dc=mirage,dc=com".

The code is not explained in much detail here; for the configuration walkthrough see the manual-configuration version of this article, "Configuring TLS encryption for OpenLDAP (full version: manual configuration)".

Code download: https://pan.baidu.com/s/1OeYA8MptDUFqKnY3mppPYA (extraction code: uqza)

ldapTls.sh

Main script:

      sh -n ldapTls.sh    # parse the script without executing it (syntax check)

      sh -x ldapTls.sh    # trace execution, printing each command as it runs

#!/bin/sh
#description: LDAP TLS

CLICA_PATH="/etc/pki/CA"
CLICATLS_PATH="/etc/pki/tls/"
CLICATLS_NAME="/etc/pki/tls/openssl.cnf"

SERVER_PATH="/root/openldap_server"
SERVEROLDLDAP_PATH="/etc/openldap"
SERVERLDAP_PATH="/usr/local/etc/openldap"
SERVERCERT_PATH="/usr/local/etc/openldap/certs/"
SERVER_IP="192.168.1.188"   # IP address of the LDAP server
SERVER_PORT="22"
SERVER_UNAME="root"         # user name for logging in to the remote server
SERVER_PASSWD="asd"         # password for logging in to the remote server

RUN_PATH="/root/workspace"
EXPECTTAR_PATH="/root/workspace/expect5.45.tar.gz"
EXPECT_PATH="/root/workspace/expect5.45"
TCLTAR_PATH="/root/workspace/tcl8.4.11-src.tar.gz"
TCL_PATH="/root/workspace/tcl8.4.11"

########################################################
# (1) Check whether the client and the server have the openssl package
#     installed (only the local rpm database is queried)
# (2) Note: it is assumed to be installed already; this only checks and
#     installs nothing if it is missing
########################################################
deterPack_openssl() {
    OPENPACKNAME=`rpm -qa openssl`
    if [ `rpm -qa openssl|wc -l` -ne 0 ];then
        echo -e "The packet_list:$OPENPACKNAME"
        echo -e "\033[32m-----------------------------------------------\033[0m"
    else
        echo "You need to install packages openssl!"
    fi
}
deterPack_openssl

########################################################
# (1) Install expect
# (2) expect depends on the tcl library
# (3) expect ends up in /usr/expect/bin/expect, tcl in /usr/tcl/bin/tclsh8.4
# (4) Note: this runs (and re-installs) every time the script is executed
########################################################
testInstal_pack() {
    echo -e "\033[32m-----------------------------------------------\033[0m"
    echo "This is going to install package $1!"
    if [ "$1" = "tcl" ]
    then
        echo "tcl tcl"
        tar -xzf $TCLTAR_PATH -C $RUN_PATH
        cd $TCL_PATH/unix
        ./configure --prefix=/usr/tcl --enable-shared
        make && make install
        cp $TCL_PATH/unix/tclUnixPort.h $TCL_PATH/generic/
    fi
    if [ "$1" = "expect" ]
    then
        echo "aa"
        tar -xzf $EXPECTTAR_PATH -C $RUN_PATH
        cd $EXPECT_PATH
        ./configure --prefix=/usr/expect --with-tcl=/usr/tcl/lib --with-tclinclude=$TCL_PATH/generic
        make && make install
        ln -s /usr/tcl/bin/expect /usr/expect/bin/expect
    fi
}
#testInstal_pack openssl
testInstal_pack tcl
testInstal_pack expect

########################################################
# (1) Make the files under /root/workspace executable
########################################################
chmod +x $RUN_PATH/*

########################################################
# (1) Set up the CA: the CA server generates its own private key and certificate
# (2) Note: generating the CA certificate is interactive the first time;
#     expect is used to avoid the manual input
########################################################
# the CA generates its private key, then its self-signed certificate
(umask 077;openssl genrsa -out $CLICA_PATH/private/CA.key)
$RUN_PATH/cakey.exp $CLICA_PATH/private/CA.key $CLICA_PATH/CA.crt

########################################################
# (1) The openldap server generates its private key and certificate request;
#     the CA signs a certificate for the openldap server
# (2) expect is used to ssh into the remote server, run the commands and exit
# (3) Note: invocation format ./sshLdsr02key.exp ipaddress port username passwd
#     when the CA issues the certificate, "y" has to be entered twice
########################################################
# generate the private key on the server and download it to this host
$RUN_PATH/sshLdsr02key.exp $SERVER_IP $SERVER_PORT $SERVER_UNAME $SERVER_PASSWD
# generate the certificate request locally; this is ldapsrv02's request to the CA
$RUN_PATH/serkey.exp $RUN_PATH/ldapsrv02.key $RUN_PATH/ldapsrv02.csr
# adjust /etc/pki/tls/openssl.cnf so the defaults match what was entered for the CA certificate
echo "-------------------开始配置CA签发信息--------------------------"
# sourced, not executed: it needs the CLICA_PATH/CLICATLS_* variables defined above
. $RUN_PATH/chenOpslConf.sh
echo "-------------------结束配置CA签发信息--------------------------"
# the CA issues the certificate
$RUN_PATH/cliLdsr02crt.exp $RUN_PATH/ldapsrv02.csr $RUN_PATH/ldapsrv02.crt

########################################################
# (1) The openldap server downloads and installs the certificate
# (2) expect is used to ssh into the remote server, run the commands and exit
# (3) Note: invocation format ./uploadFile.exp locaFilepath username ipaddress servFilepath passwd
#     this needs the slapd service, which was not present during this test
#     (the line is commented out for now; remember to uncomment it later)
########################################################
# ldapsrv02 downloads the certificates
$RUN_PATH/uploadFile.exp $RUN_PATH/ldapsrv02.crt $SERVER_UNAME $SERVER_IP $SERVER_PATH $SERVER_PASSWD
$RUN_PATH/uploadFile.exp $CLICA_PATH/CA.crt $SERVER_UNAME $SERVER_IP $SERVERCERT_PATH $SERVER_PASSWD
# ldapsrv02 installs the certificates
$RUN_PATH/sshCheSlaconf.exp $SERVER_IP $SERVER_PORT $SERVER_UNAME $SERVER_PASSWD

########################################################
# (1) Client test: modify the LDAP client configuration
# (2) Note:
########################################################
# download the public key
mkdir -p $SERVERCERT_PATH
cp $CLICA_PATH/CA.crt $SERVERCERT_PATH
# note: this also copies the CA private key, which the client does not need for verification
cp -n $CLICA_PATH/private/CA.key $SERVERCERT_PATH
\cp $SERVEROLDLDAP_PATH/ldap.conf $SERVERLDAP_PATH
# allow: the session proceeds even when the server certificate is missing or fails verification
sed -i '$a TLS_REQCERT allow' $SERVERLDAP_PATH/ldap.conf
sed -i '/^TLS_CACERTDIR/{s/etc.*$/usr\/local\/etc\/openldap\/certs/g}' $SERVERLDAP_PATH/ldap.conf
sed -i 's/^SASL_NOCANON/#&/' $SERVERLDAP_PATH/ldap.conf
# append BASE and URI only if they are not already set
grep -q '^BASE' $SERVERLDAP_PATH/ldap.conf || sed -i '$a BASE dc=mirage,dc=com' $SERVERLDAP_PATH/ldap.conf
grep -q '^URI' $SERVERLDAP_PATH/ldap.conf || sed -i '$a URI ldaps://127.0.0.1/' $SERVERLDAP_PATH/ldap.conf

cakey.exp

Set up the CA: the CA server generates its own certificate

#!/usr/expect/bin/expect -f
set prikeyname [lindex $argv 0]
set pubkeyname [lindex $argv 1]
set timeout 30
if {$argc != 2} {
    send_user "usage ./cakey.exp \$prikeyname \$pubkeyname\n"
    exit 1
}
# self-signed CA certificate; the answers below must match the *_default
# values that chenOpslConf.sh later writes into openssl.cnf.
# Common Name: can be the client's IP address or anything else.
# Email Address: fill in as needed.
spawn openssl req -new -x509 -key $prikeyname -out $pubkeyname -days 365
expect {
    "Country Name"             { send "CN\r";exp_continue }
    "State or Province"        { send "ShangHai\r";exp_continue }
    "Locality Name"            { send "ShangHai\r";exp_continue }
    "Organization Name"        { send "IT\r";exp_continue }
    "Organizational Unit Name" { send "IT\r";exp_continue }
    "Common Name"              { send "192.168.1.77\r";exp_continue }
    "Email Address"            { send "1457375505@qq.com\r";exp_continue }
}

sshLdsr02key.exp

The openldap server generates its private key, which is then copied to this host

#!/usr/expect/bin/expect -f
#SERVER_PATH="/root/openldap_server"
set ipaddress [lindex $argv 0]
set port [lindex $argv 1]
set username [lindex $argv 2]
set passwd [lindex $argv 3]
set srv02pat /root/openldap_server/ldapsrv02.key
set cli02pat /root/workspace/
set timeout 30
if {$argc != 4} {
    send_user "usage ./sshLdsr02key.exp \$ipaddress \$port \$username \$passwd\n"
    exit 1
}
spawn ssh $ipaddress -p$port -l$username
expect {
    "yes/no"    { send "yes\r";exp_continue }
    "password:" { send "$passwd\r" }
}
# shell prompt ends in "]$ " or "]# "; braces keep the regex free of Tcl substitution
expect -re {\](\$|#) }
send "mkdir -p openldap_server && cd openldap_server;openssl genrsa -out ldapsrv02.key;mkdir -p /usr/local/etc/openldap/certs\r"
expect -re {\](\$|#) }
send "exit\r"
# fetch the server key with the same port and credentials as the ssh session
spawn scp -P $port $username@$ipaddress:$srv02pat $cli02pat
expect {
    "yes/no"    { send "yes\r";exp_continue }
    "password:" { send "$passwd\r" }
}
expect eof

serkey.exp

Generate the certificate request locally; this is ldapsrv02's certificate request to the CA

#!/usr/expect/bin/expect -f
set prikeyname [lindex $argv 0]
set pubkeyname [lindex $argv 1]   ;# receives the certificate signing request (CSR)
set timeout 30
if {$argc != 2} {
    send_user "usage ./serkey.exp \$prikeyname \$pubkeyname\n"
    exit 1
}
#spawn openssl req -new -x509 -key $prikeyname -out $pubkeyname -days 365
# Common Name: the address clients will use to reach the server.
# The last two prompts are "A challenge password []:" and
# "An optional company name []:"; "[]" is a glob class, so it is left out of the patterns.
spawn openssl req -new -key $prikeyname -out $pubkeyname
expect {
    "Country Name"             { send "CN\r";exp_continue }
    "State or Province"        { send "ShangHai\r";exp_continue }
    "Locality Name"            { send "ShangHai\r";exp_continue }
    "Organization Name"        { send "IT\r";exp_continue }
    "Organizational Unit Name" { send "IT\r";exp_continue }
    "Common Name"              { send "192.168.1.88\r";exp_continue }
    "Email Address"            { send "1457375505@qq.com\r";exp_continue }
    "challenge password"       { send "asd\r";exp_continue }
    "company name"             { send "heihei\r";exp_continue }
}

chenOpslConf.sh

Configure the CA signing defaults

#!/bin/bash
# sourced by ldapTls.sh; uses CLICA_PATH, CLICATLS_PATH and CLICATLS_NAME from there
cd $CLICA_PATH
# fresh CA database: index.txt and serial
if [ ! -f index.txt ];then
    echo "NO ********************"
    touch index.txt
else
    echo "YES *******************"
    rm -rf index.txt
    touch index.txt
fi
#echo `touch index.txt`
echo "01" > serial
cd $CLICATLS_PATH
#for test: start from the pristine copy if one exists
[ -f openssl.cnf.bak ] && cp openssl.cnf.bak openssl.cnf
if [ ! -f $CLICATLS_PATH/openssl.cnf.bak ];then
    cp openssl.cnf openssl.cnf.bak
else
    if [ ! -f $CLICATLS_PATH/openssl.cnf.bak$(date +%F) ];then
        cp openssl.cnf openssl.cnf.bak$(date +%F)
    else
        rm -rf openssl.cnf.bak$(date +%F)
        cp openssl.cnf openssl.cnf.bak$(date +%F)
    fi
fi
# point the CA section at the files created by cakey.exp
sed -i '/^certificate/{s/cacert.pem/CA.crt/g}' $CLICATLS_NAME
sed -i '/^private_key/{s/cakey.pem/CA.key /g}' $CLICATLS_NAME
# defaults for the distinguished-name prompts, matching the CA certificate
sed -i '/^countryName_default/{s/XX/CN/g}' $CLICATLS_NAME
#sed -i '$astateOrProvinceName_default = ShangHai' $CLICATLS_NAME
line=`sed -n '/#stateOrProvinceName_default/=' $CLICATLS_NAME`
if [ $line ];then
    sed -i "$line d" $CLICATLS_NAME
    sed -i "$line istateOrProvinceName_default = ShangHai" $CLICATLS_NAME
else
    sed -i '$a stateOrProvinceName_default = ShangHai' $CLICATLS_NAME
fi
sed -i '/^localityName_default/{s/Default City/ShangHai/g}' $CLICATLS_NAME
sed -i '/^0.organizationName_default/{s/Default Company Ltd/IT/g}' $CLICATLS_NAME
line1=`sed -n '/#organizationalUnitName_default/=' $CLICATLS_NAME`
if [ $line1 ];then
    sed -i "$line1 d" $CLICATLS_NAME
    sed -i "$line1 iorganizationalUnitName_default = IT" $CLICATLS_NAME
else
    sed -i '$a organizationalUnitName_default = IT' $CLICATLS_NAME
fi
#sed -i '$a organizationalUnitName_default = IT' $CLICATLS_NAME
#sed -i '/^organizationalUnitName/{s/Organizational Unit Name (eg, section)/IT/g}' $CLICATLS_NAME

cliLdsr02crt.exp

The CA issues the certificate

#!/usr/expect/bin/expect -f
set requeFilename [lindex $argv 0]
set certiFilename [lindex $argv 1]
set timeout 30
if {$argc != 2} {
    send_user "usage ./cliLdsr02crt.exp \$requeFilename \$certiFilename\n"
    exit 1
}
# openssl ca asks "Sign the certificate?" and "... commit?"; answer y to both
spawn openssl ca -in $requeFilename -out $certiFilename
expect {
    "Certificate is" { send "y\r";exp_continue }
    "1 out of"       { send "y\r";exp_continue }
}

uploadFile.exp

The openldap server downloads the certificate

#!/usr/expect/bin/expect -f
set locaFilepath [lindex $argv 0]
set username [lindex $argv 1]
set ipaddress [lindex $argv 2]
set servFilepath [lindex $argv 3]
set passwd [lindex $argv 4]
set timeout 30
if {$argc != 5} {
    send_user "usage ./uploadFile.exp \$locaFilepath \$username \$ipaddress \$servFilepath \$passwd\n"
    exit 1
}
#eg : scp ldapsrv02.csr root@192.168.1.126:/root/openldap_server
spawn scp $locaFilepath $username@$ipaddress:$servFilepath
expect {
    "yes/no"    { send "yes\r";exp_continue }
    "password:" { send "$passwd\r" }
}
expect eof

sshCheSlaconf.exp

ldapsrv02 installs the certificate

#!/usr/expect/bin/expect -f
# Note: ldap.conf and slapd.conf must already have been backed up when the openssl package was installed
#killall slapd
# The following enables the ldaps service on the slapd server
set SERVERCERT_PATH /usr/local/etc/openldap/certs
set SERVERLDAP_PATH /usr/local/etc/openldap
set SERVER_PATH /root/openldap_server
set SERVEROLDLDAP_PATH /etc/openldap
set ipaddress [lindex $argv 0]
set port [lindex $argv 1]
set username [lindex $argv 2]
set passwd [lindex $argv 3]
set timeout 30
if {$argc != 4} {
    send_user "usage ./sshCheSlaconf.exp \$ipaddress \$port \$username \$passwd\n"
    exit 1
}
spawn ssh $ipaddress -p$port -l$username
expect {
    "yes/no"    { send "yes\r";exp_continue }
    "password:" { send "$passwd\r" }
}
# shell prompt ends in "]$ " or "]# "; braces keep the regex free of Tcl substitution
expect -re {\](\$|#) }
send "useradd ldap\r"
expect -re {\](\$|#) }
# install the server certificate and key into the certs directory
send "chown -R ldap:ldap $SERVERCERT_PATH;\\cp $SERVER_PATH/ldapsrv02.crt $SERVERCERT_PATH;\\cp $SERVER_PATH/ldapsrv02.key $SERVERCERT_PATH\r"
expect -re {\](\$|#) }
# client-side ldap.conf on the server
send "\\cp $SERVEROLDLDAP_PATH/ldap.conf $SERVERLDAP_PATH/\r"
expect -re {\](\$|#) }
send "sed -i '/^TLS_CACERTDIR/{s/etc.*$/usr\\/local\\/etc\\/openldap\\/certs/g}' $SERVERLDAP_PATH/ldap.conf\r"
expect -re {\](\$|#) }
send "cat $SERVERLDAP_PATH/ldap.conf|grep ^BASE && result=0||result=1;if \[ \"$\{result\}\" = 1 \];then sed -i '\$a BASE dc=mirage,dc=com' $SERVERLDAP_PATH/ldap.conf;fi\r"
#send "sed -i '\$a BASE dc=mirage,dc=com' $SERVERLDAP_PATH/ldap.conf\r"
expect -re {\](\$|#) }
send "cat $SERVERLDAP_PATH/ldap.conf|grep ^URI && result=0||result=1;if \[ \"$\{result\}\" = 1 \];then sed -i '\$a URI ldap://192.168.1.188/' $SERVERLDAP_PATH/ldap.conf;fi\r"
#send "sed -i '\$a URI ldap://127.0.0.1/' $SERVERLDAP_PATH/ldap.conf\r"
expect -re {\](\$|#) }
send "sed -i 's/^SASL_NOCANON/#&/' $SERVERLDAP_PATH/ldap.conf\r"
expect -re {\](\$|#) }
# slapd.conf: restore the backup, then append the TLS directives if absent
send "\\cp $SERVERLDAP_PATH/slapd.conf.bak $SERVERLDAP_PATH/slapd.conf\r"
expect -re {\](\$|#) }
send "cat $SERVERLDAP_PATH/slapd.conf|grep ^TLSCACertificatePath && result=0||result=1;if \[ \"$\{result\}\" = 1 \];then sed -i '\$a TLSCACertificatePath $SERVERCERT_PATH' $SERVERLDAP_PATH/slapd.conf;fi\r"
expect -re {\](\$|#) }
send "cat $SERVERLDAP_PATH/slapd.conf|grep ^TLSCertificateFile && result=0||result=1;if \[ \"$\{result\}\" = 1 \];then sed -i '\$a TLSCertificateFile $SERVERCERT_PATH/ldapsrv02.crt' $SERVERLDAP_PATH/slapd.conf;fi\r"
expect -re {\](\$|#) }
send "cat $SERVERLDAP_PATH/slapd.conf|grep ^TLSCertificateKeyFile && result=0||result=1;if \[ \"$\{result\}\" = 1 \];then sed -i '\$a TLSCertificateKeyFile $SERVERCERT_PATH/ldapsrv02.key' $SERVERLDAP_PATH/slapd.conf;fi\r"
expect -re {\](\$|#) }
# regenerate slapd.d from slapd.conf and restart slapd on ldap:// and ldaps://
send "rm -rf $SERVERLDAP_PATH/slapd.d/* ; slaptest -f $SERVERLDAP_PATH/slapd.conf -F $SERVERLDAP_PATH/slapd.d/\r"
expect -re {\](\$|#) }
send "chown -R ldap:ldap $SERVERLDAP_PATH/slapd.d\r"
expect -re {\](\$|#) }
send "killall slapd;/usr/local/libexec/slapd -h \"ldap://$ipaddress/ ldaps://$ipaddress/\";netstat -tunlp | grep slapd\r"
expect -re {\](\$|#) }
# flushes every iptables rule on the server so port 636 is reachable
send "iptables -F\r"
expect -re {\](\$|#) }
send "exit\r"
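Whether the chain built above is actually verified is decided by a handful of directives: on the client, ldapTls.sh leaves TLS_REQCERT allow and TLS_CACERTDIR in ldap.conf, and on the server sshCheSlaconf.exp appends the TLSCertificate* lines to slapd.conf. The following audit is an added example, not part of the original scripts; it parses the directives those scripts produce (file contents constructed inline from the script bodies) and reports settings under which a forged server certificate would still be accepted.

```python
CLIENT_CONF = """\
BASE dc=mirage,dc=com
URI ldaps://127.0.0.1/
TLS_CACERTDIR /usr/local/etc/openldap/certs
TLS_REQCERT allow
"""  # constructed: what ldapTls.sh leaves in the client ldap.conf
HARDENED_CONF = """\
BASE dc=mirage,dc=com
URI ldaps://127.0.0.1/
TLS_CACERT /usr/local/etc/openldap/certs/CA.crt
TLS_REQCERT demand
"""  # constructed: the same client with verification enforced
SERVER_CONF = """\
TLSCACertificatePath /usr/local/etc/openldap/certs
TLSCertificateFile /usr/local/etc/openldap/certs/ldapsrv02.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldapsrv02.key
"""  # constructed: what sshCheSlaconf.exp appends to slapd.conf


def parse_conf(text):
    """Map DIRECTIVE -> value for 'keyword value' files; keywords are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf


def audit_client(text):
    """Findings for ldap.conf; an empty list means the server certificate is verified."""
    conf, findings = parse_conf(text), []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # demand is OpenLDAP's default
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: an invalid or forged server certificate "
                        "is accepted, so the copied CA.crt protects nothing; use demand")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor for the server cert")
    elif "TLS_CACERT" not in conf:  # only TLS_CACERTDIR is set
        findings.append("TLS_CACERTDIR needs hash-named links (c_rehash); a bare CA.crt "
                        "copied there is not found, so point TLS_CACERT at the file")
    findings += [f"URI {u}: plaintext LDAP unless STARTTLS is forced"
                 for u in conf.get("URI", "").split() if u.startswith("ldap://")]
    return findings


def audit_server(text):
    """Findings for slapd.conf; slapd needs a certificate and key to offer ldaps://."""
    conf = parse_conf(text)
    return [f"{d} missing: slapd cannot serve ldaps://"
            for d in ("TLSCertificateFile", "TLSCertificateKeyFile") if d.upper() not in conf]
```

Running audit_client over CLIENT_CONF reports both the TLS_REQCERT allow setting and the unhashed TLS_CACERTDIR, while HARDENED_CONF comes back clean.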