Configuring LDAP SSL access

2022-07-30  CodingCode

1. Configure certificate information
$ cat /usr/share/openldap-servers/slapd.ldif
...
#
# TLS settings
#
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSCACertificateFile: /path/to/cacert.pem
olcTLSCertificateFile: /path/to/server.pem
olcTLSCertificateKeyFile: /path/to/server.key
...

Apply the same settings with an ldif:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /path/to/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /path/to/server.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /path/to/server.pem
EOF

Note the following:

2. Configure the listening ports
$ cat /etc/sysconfig/slapd
...
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
...

The default values are:
ldapi=/var/run/ldapi, ldap=389, ldaps=636

3. Restart slapd
$ sudo systemctl stop slapd
$ sudo systemctl start slapd

Verify the certificate that the server presents:
$ openssl s_client -connect <hostname>:636
$ openssl s_client -showcerts -CAfile /path/to/ca.pem -connect <hostname>:636

4. Client configuration

The client's default configuration file:

$ cat /etc/openldap/ldap.conf
...
TLS_CACERT  /path/to/certificate/cacert.pem
...

Run a search (assuming the SSL port is 636):

$ ldapsearch -x -b "dc=mydomain,dc=com" -H ldaps://:636

If no CA certificate is available, verification can also be skipped (the client then does not check the server certificate at all, so it cannot tell a spoofed server from the real one):

$ cat /etc/openldap/ldap.conf
...
TLS_REQCERT never
...
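The steps above (certificate paths in cn=config, ldaps:/// in SLAPD_URLS, restart, then TLS_CACERT / TLS_REQCERT on the client) are easy to get subtly wrong: a certificate that does not match its key keeps slapd from starting, a missing ldaps:/// means port 636 is never opened, and TLS_REQCERT never silently turns off verification. The following pre-flight script is an added example, not part of the original post and not OpenLDAP's own tooling; the function names, the file paths passed as arguments and the sample files written by the usage block are assumptions. It checks each of those three points locally, before the restart, using only openssl and the files from the steps above.

```shell
#!/bin/sh
# Added pre-flight checks for the LDAPS setup described above (example code, not from the post).
# Assumptions: paths are passed as arguments; TLS_REQCERT is "demand" when unset (the OpenLDAP default).

# 1. Certificate/key consistency. The public key embedded in server.pem must equal the
#    public key derived from server.key, and server.pem must chain to cacert.pem.
#    slapd refuses to start when olcTLSCertificateFile and olcTLSCertificateKeyFile disagree.
check_cert_chain() {
  ca="$1"; cert="$2"; key="$3"
  [ -r "$ca" ] && [ -r "$cert" ] && [ -r "$key" ] || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# 2. SLAPD_URLS (from /etc/sysconfig/slapd) must contain an ldaps:// URL,
#    otherwise the server never listens on 636 no matter what cn=config says.
check_slapd_urls() {
  urls=$(sed -n 's/^SLAPD_URLS="\(.*\)"/\1/p' "$1")
  case "$urls" in
    *ldaps://*) return 0 ;;
  esac
  return 1
}

# 3. Client side (ldap.conf). "never"/"allow"/"try" let a connection proceed without a
#    verified certificate; "demand" (the default) and "hard" require one. TLS_CACERT must
#    also be set, or verification has nothing to trust. The last occurrence in the file is used.
check_ldap_conf() {
  reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$1" | tail -n 1)
  cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$1" | tail -n 1)
  case "${reqcert:-demand}" in
    never|allow|try)
      echo "WEAK: TLS_REQCERT $reqcert, server certificate is not (reliably) verified"; return 1 ;;
    demand|hard) ;;
    *) echo "unknown TLS_REQCERT value: $reqcert"; return 1 ;;
  esac
  [ -n "$cacert" ] || { echo "TLS_CACERT not set, verification cannot succeed"; return 1; }
  echo "OK: TLS_REQCERT ${reqcert:-demand}, TLS_CACERT $cacert"
}

# Usage (assumed invocation): ./ldaps_preflight.sh /path/to/cacert.pem /path/to/server.pem /path/to/server.key
if [ "$#" -eq 3 ]; then
  if check_cert_chain "$1" "$2" "$3"; then echo "certificate chain OK"; else echo "certificate/key check FAILED"; fi
  if check_slapd_urls /etc/sysconfig/slapd; then echo "ldaps:// enabled"; else echo "ldaps:// missing from SLAPD_URLS"; fi
  check_ldap_conf /etc/openldap/ldap.conf
fi
```

Run it once with the three paths before `systemctl start slapd`; a non-zero result from any check points at the step that needs fixing. The client check deliberately reports TLS_REQCERT never as a failure, so a host that still has the "no CA" setting from the last step does not pass unnoticed.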
