Directory Service with LDAP [4]: OpenLDAP (I)

Hello friends! Let's get into the subject, and as always we recommend reading the three previous articles in this series first:

DNS, DHCP and NTP are the essential services for our simple network based on native OpenLDAP, which runs correctly on Debian 6.0 "Squeeze" or on Ubuntu 12.04 LTS "Precise Pangolin".

Network example:

LAN: 10.10.10.0/24
Domain: amigos.cu
Server: mildap.amigos.cu
Server operating system: Debian 6 "Squeeze"
Server IP address: 10.10.10.15
Client 1: debian7.amigos.cu
Client 2: raring.amigos.cu
Client 3: suse13.amigos.cu
Client 4: seven.amigos.cu

In this first part we will see:

  • Installing OpenLDAP (slapd 2.4.23-7.3)
  • Post-installation checks
  • Indexes to consider
  • Data access control rules
  • Generating TLS certificates on Squeeze

while in the second part we will continue with:

  • Local user authentication
  • Populating the database
  • Managing the database with console utilities
  • Summary so far...

Installing OpenLDAP (slapd 2.4.23-7.3)

The OpenLDAP server is installed from the slapd package. We must also install the ldap-utils package, which provides the client-side tools and the OpenLDAP utilities.

:~# aptitude install slapd ldap-utils

During installation, debconf will ask us for the password of the administrator user, «admin». The dependencies are installed as well; the openldap system user is created; and the initial server configuration is created, together with the LDAP directory.

In earlier versions of OpenLDAP, the slapd daemon was configured entirely through the file /etc/ldap/slapd.conf. In the version we are using, and in later ones, the configuration is kept inside slapd itself, in a DIT («Directory Information Tree») of its own.

This configuration method, known as RTC («Real Time Configuration») or as the cn=config method, lets us configure slapd dynamically without having to restart the service.

The configuration data consists of a collection of files written in LDIF («LDAP Data Interchange Format»), stored under the directory /etc/ldap/slapd.d.

To get a view of how the slapd.d folder is organized, we run:

:~# ls -lR /etc/ldap/slapd.d/
/etc/ldap/slapd.d/:
total 8
drwxr-x--- 3 openldap openldap 4096 Feb 16 11:08 cn=config
-rw------- 1 openldap openldap  407 Feb 16 11:08 cn=config.ldif

/etc/ldap/slapd.d/cn=config:
total 28
-rw------- 1 openldap openldap  383 Feb 16 11:08 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096 Feb 16 11:08 cn=schema
-rw------- 1 openldap openldap  325 Feb 16 11:08 cn=schema.ldif
-rw------- 1 openldap openldap  343 Feb 16 11:08 olcBackend={0}hdb.ldif
-rw------- 1 openldap openldap  472 Feb 16 11:08 olcDatabase={0}config.ldif
-rw------- 1 openldap openldap  586 Feb 16 11:08 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap 1012 Feb 16 11:08 olcDatabase={1}hdb.ldif

/etc/ldap/slapd.d/cn=config/cn=schema:
total 40
-rw------- 1 openldap openldap 15474 Feb 16 11:08 cn={0}core.ldif
-rw------- 1 openldap openldap 11308 Feb 16 11:08 cn={1}cosine.ldif
-rw------- 1 openldap openldap  6438 Feb 16 11:08 cn={2}nis.ldif
-rw------- 1 openldap openldap  2802 Feb 16 11:08 cn={3}inetorgperson.ldif

If we look at the previous output for a moment, we see that the backend used on Squeeze is the hdb database type, a variant of BDB («Berkeley Database») that is fully hierarchical and supports subtree renaming. To learn more about the backends OpenLDAP supports, see http://es.wikipedia.org/wiki/OpenLDAP.

We also see that three different databases are in use: one dedicated to the configuration, one for the frontend, and the last one the hdb database proper.

Finally, slapd is installed by default with the core, cosine, nis and inetorgperson schemas.

Post-installation checks

In a terminal we run the following commands and read the results calmly. With the second command in particular we check the configuration found in the slapd.d folder.

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | more
:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

Explanation of each result:

  • cn=config: global parameters.
  • cn=module{0},cn=config: a dynamically loaded module.
  • cn=schema,cn=config: contains the hard-coded system-level schema.
  • cn={0}core,cn=schema,cn=config: the hard-coded core schema.
  • cn={1}cosine,cn=schema,cn=config: the cosine schema.
  • cn={2}nis,cn=schema,cn=config: the nis schema.
  • cn={3}inetorgperson,cn=schema,cn=config: the inetorgperson schema.
  • olcBackend={0}hdb,cn=config: the hdb storage backend type.
  • olcDatabase={-1}frontend,cn=config: the frontend database, holding the default parameters for the other databases.
  • olcDatabase={0}config,cn=config: the slapd configuration database (cn=config).
  • olcDatabase={1}hdb,cn=config: our database instance (dc=amigos,dc=cu).

:~# ldapsearch -x -LLL -H ldap:/// -b dc=amigos,dc=cu dn
dn: dc=amigos,dc=cu
dn: cn=admin,dc=amigos,dc=cu

  • dc=amigos,dc=cu: base of the DIT (Directory Information Tree).
  • cn=admin,dc=amigos,dc=cu: administrator (rootDN) of the DIT, declared during installation.

Note: the base suffix dc=amigos,dc=cu was derived by debconf during installation from the server's FQDN, mildap.amigos.cu.

Indexes to consider

Entries are indexed to improve the performance of searches and filters on the DIT. The indexes we will consider are the minimum recommended for the attributes declared in the default schemas.

To modify the database indexes dynamically, we write a text file in LDIF format and then apply it to the database. We create the file olcDbIndex.ldif with the following content:

:~# nano olcDbIndex.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber eq
-
add: olcDbIndex
olcDbIndex: memberUid eq,pres,sub
-
add: olcDbIndex
olcDbIndex: loginShell eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: givenName,ou pres,eq,sub
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: mail eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

We add the indexes to the database and check the change:

:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcDbIndex

dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: loginShell eq
olcDbIndex: uid pres,sub,eq
olcDbIndex: cn pres,sub,eq
olcDbIndex: sn pres,sub,eq
olcDbIndex: givenName,ou pres,eq,sub
olcDbIndex: displayName pres,sub,eq
olcDbIndex: default sub
olcDbIndex: mail eq,subinitial
olcDbIndex: dc eq

Data access control rules

The rules that govern which users can read, modify, add and delete data in the directory database are called access control, while we call the set of directives that define those rules an ACL («Access Control List»).

To find out which ACLs were declared by default during the slapd installation, we run:

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={-1}frontend)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={0}config)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix

Each of the previous commands shows us the ACLs declared so far in our directory. The last command shows all of them, while the first three give us the access rules of each of the three DITs included in our slapd.

On the subject of ACLs, and so as not to make this article too long, we recommend reading the manual page man slapd.access.

To guarantee that users and administrators can update their loginShell and gecos entries, we add the following ACL:

## We create the file olcAccess.ldif and leave it with the following content
:~# nano olcAccess.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=amigos,dc=cu" write by self write by * read

## We add the ACL
:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccess.ldif

## We check the change
:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix
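The indexes and the ACL above are both applied as cn=config modify records, and ldapmodify rejects a malformed one with nothing more than "invalid format" (one reader below hit this with olcDatabase={1}hdb,dc=config). As an added example, not code from the article or from OpenLDAP, the Python below builds such a record and lints a hand-written one for the slips that produce that error; the dns and attribute names are the article's, the checks are the example's own.

```python
"""Build and lint the ldapmodify records this article applies to cn=config.

Added example for this article, not code from the original post or from
OpenLDAP. It assumes only the record shape used above: "changetype: modify"
against a dn under cn=config, "add: <attr>" followed by "<attr>: <value>"
lines, and a "-" line between changes. The linter reports the slips that
make ldapmodify answer "invalid format": a dn under dc=config, a missing
changetype, a value line naming a different attribute than its "add:", a
missing "-" separator, trailing whitespace, and non-ASCII or control
characters left behind by an editor.
"""
from typing import List, Optional

CONFIG_SUFFIX = "cn=config"
CHANGE_OPS = ("add", "replace", "delete")


def build_modify(dn: str, attr: str, values: List[str]) -> str:
    """Return one modify record that adds every value as a separate change."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, value in enumerate(values):
        if i:
            lines.append("-")             # separator between two changes
        lines.append(f"add: {attr}")
        lines.append(f"{attr}: {value}")
    return "\n".join(lines) + "\n"


def lint_modify(ldif: str) -> List[str]:
    """Return findings for one plain 'attr: value' modify record ([] = clean)."""
    findings: List[str] = []
    lines = ldif.splitlines()
    if not lines:
        return ["empty record"]
    for n, line in enumerate(lines, 1):
        if line != line.rstrip():
            findings.append(f"line {n}: trailing whitespace")
        if any(ord(c) > 126 or (ord(c) < 32 and c != "\t") for c in line):
            findings.append(f"line {n}: non-ASCII or control character")
    if not lines[0].startswith("dn:"):
        findings.append("line 1: record must start with 'dn:'")
    elif not lines[0][3:].strip().lower().endswith(CONFIG_SUFFIX):
        findings.append(f"line 1: dn '{lines[0][3:].strip()}' is not under {CONFIG_SUFFIX}")
    if len(lines) < 2 or lines[1].strip().lower() != "changetype: modify":
        findings.append("line 2: expected 'changetype: modify'")
    pending: Optional[str] = None   # attribute named by the open change
    got_value = False               # has that change received a value line?
    for n, line in enumerate(lines[2:], 3):
        if line.strip() == "-":
            if pending is None:
                findings.append(f"line {n}: '-' without a preceding change")
            elif not got_value:
                findings.append(f"line {n}: 'add: {pending}' has no value line")
            pending, got_value = None, False
            continue
        if ":" not in line:
            findings.append(f"line {n}: not an 'attribute: value' line")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if name.lower() in CHANGE_OPS:
            if pending is not None:
                findings.append(f"line {n}: missing '-' before '{name}: {value}'")
            # "replace"/"delete" may legitimately carry no value lines.
            pending, got_value = value, name.lower() != "add"
        elif pending is None:
            findings.append(f"line {n}: '{name}' value outside any change")
        elif name.lower() != pending.lower():
            findings.append(f"line {n}: '{name}' does not match 'add: {pending}'")
        else:
            got_value = True
    if pending is not None and not got_value:
        findings.append(f"end of record: 'add: {pending}' has no value line")
    return findings


if __name__ == "__main__":
    rec = build_modify("olcDatabase={1}hdb,cn=config", "olcDbIndex", ["dc eq"])
    print(rec, "findings:", lint_modify(rec) or "none")
```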

Generating TLS certificates on Squeeze

To authenticate securely against the OpenLDAP server, we must do so over an encrypted session, which we obtain with TLS («Transport Layer Security»).

The OpenLDAP server and its clients can use the TLS framework to provide integrity and confidentiality protection, and to support secure LDAP authentication through the SASL («Simple Authentication and Security Layer») EXTERNAL mechanism.

Current OpenLDAP servers prefer StartTLS (Start Transport Layer Security) over the LDAPS:/// protocol, which is deprecated. If you have any doubts, see Start TLS v. ldaps:// at http://www.openldap.org/faq/data/cache/605.html

Simply leave the file /etc/default/slapd as installed by default, with the line SLAPD_SERVICES="ldap:/// ldapi:///": ldap:/// serves the encrypted channel between clients and server, and ldapi:/// is used by the utilities themselves to manage the locally installed OpenLDAP.

The method described here, based on the gnutls-bin and ssl-cert packages, works on Debian 6 "Squeeze" and on Ubuntu Server 12.04. On Debian 7 "Wheezy" a different method, based on OpenSSL, is used.

The certificates are generated on Squeeze as follows:

1.- We install the required packages
:~# aptitude install gnutls-bin ssl-cert

2.- We create the private key for the Certificate Authority
:~# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

3.- We create a template that defines the CA (Certificate Authority)
:~# nano /etc/ssl/ca.info
cn = Amigos de Cuba
ca
cert_signing_key

4.- We create the self-signed CA certificate for the clients
:~# certtool --generate-self-signed \
  --load-privkey /etc/ssl/private/cakey.pem \
  --template /etc/ssl/ca.info \
  --outfile /etc/ssl/certs/cacert.pem

5.- We create the server's private key
:~# certtool --generate-privkey \
  --bits 1024 \
  --outfile /etc/ssl/private/mildap-key.pem

Note: replace "mildap" in the file name above with the name of your server. Naming the certificate and the key after both the server and the service they belong to helps keep things clear.

6.- We create the file /etc/ssl/mildap.info with the following content:
:~# nano /etc/ssl/mildap.info
organization = Amigos de Cuba
cn = mildap.amigos.cu
tls_www_server
encryption_key
signing_key
expiration_days = 3650

Note: in the content above we declare that the certificate is valid for 10 years. Adjust the parameter to suit your needs.

7.- We create the server certificate
:~# certtool --generate-certificate \
  --load-privkey /etc/ssl/private/mildap-key.pem \
  --load-ca-certificate /etc/ssl/certs/cacert.pem \
  --load-ca-privkey /etc/ssl/private/cakey.pem \
  --template /etc/ssl/mildap.info \
  --outfile /etc/ssl/certs/mildap-cert.pem

So far we have generated the required files. We only need to add to the configuration the location of the CA certificate, cacert.pem; of the server certificate, mildap-cert.pem; and of the server's private key, mildap-key.pem. We must also fix the permissions and the owner of the generated files.

:~# nano /etc/ssl/certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mildap-key.pem

8.- We apply it:
:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif

9.- We fix the owner and permissions
:~# adduser openldap ssl-cert
:~# chgrp ssl-cert /etc/ssl/private/mildap-key.pem
:~# chmod g+r /etc/ssl/private/mildap-key.pem
:~# chmod o-r /etc/ssl/private/mildap-key.pem

The certificate cacert.pem is the one we must copy to every client. For the server itself to use this certificate, we must declare it in the file /etc/ldap/ldap.conf. To do so, we edit the file and leave it with the following content:

:~# nano /etc/ldap/ldap.conf
BASE       dc=amigos,dc=cu
URI        ldap://mildap.amigos.cu
TLS_CACERT /etc/ssl/certs/cacert.pem

Finally, as a check, we restart the slapd service and look at the server's syslog output to confirm that the service restarted correctly using the newly declared certificate.

:~# service slapd restart
:~# tail /var/log/syslog
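The tail of syslog is what tells us whether the restart worked, and only the lines written by the new slapd process count: the "slapd stopped." of the old process is expected. As an added example, not code from the article or from OpenLDAP, the Python below scans constructed syslog lines (modelled on the failure a reader quotes in the comments) and reports whether the most recent slapd start succeeded and which known failure signature it hit.

```python
"""Tell from syslog whether slapd came back up after "service slapd restart".

Added example for this article, not code from the original post or from
OpenLDAP. Only the log written after the most recent slapd version banner
is examined, so the "slapd stopped." of the old process is not counted
against the new one. The sample lines are constructed for this example.
"""
import re
from typing import Dict, List

# slapd's syslog banner marks the start of one process; everything before
# the last banner belongs to an older process.
BANNER = re.compile(r"slapd\[\d+\]: @\(#\) \$OpenLDAP: slapd")
STARTED = re.compile(r"slapd\[\d+\]: slapd starting")
STOPPED = re.compile(r"slapd\[\d+\]: slapd stopped\.")
# Named failure signatures: the first two appear when an ldapmodify-style
# LDIF ("changetype:", "add:") was written into slapd.d as a config entry,
# the last when the certificate files named in cn=config cannot be loaded.
ERRORS = {
    "ldif-as-config": re.compile(
        r'UNKNOWN attributeDescription "(CHANGETYPE|ADD|REPLACE|DELETE)"'),
    "empty-attr": re.compile(r"slap_str2undef_ad\(-\): empty AttributeDescription"),
    "tls-init": re.compile(r"TLS init def ctx failed"),
}


def assess_restart(lines: List[str]) -> Dict[str, object]:
    """Classify the most recent slapd start attempt seen in `lines`.

    verdict is "ok" when the new process logged "slapd starting" and no stop
    or known error afterwards, "failed" when it logged a stop or a known
    error, and "no-start-seen" when no banner is present at all.
    """
    last_banner = -1
    for i, line in enumerate(lines):
        if BANNER.search(line):
            last_banner = i
    tail = lines[last_banner + 1:] if last_banner >= 0 else []
    errors = [name for name, pat in ERRORS.items()
              if any(pat.search(line) for line in tail)]
    started = any(STARTED.search(line) for line in tail)
    stopped = any(STOPPED.search(line) for line in tail)
    if last_banner < 0:
        verdict = "no-start-seen"
    elif started and not stopped and not errors:
        verdict = "ok"
    else:
        verdict = "failed"
    return {"verdict": verdict, "started": started,
            "stopped": stopped, "errors": errors}


# Constructed sample 1: the failure reported in the comments, where an LDIF
# meant for ldapmodify ended up inside /etc/ldap/slapd.d.
FAILED_RESTART = [
    "Jul 30 15:27:37 mildap slapd[1219]: @(#) $OpenLDAP: slapd 2.4.31 $",
    'Jul 30 15:27:37 mildap slapd[1219]: UNKNOWN attributeDescription "CHANGETYPE" inserted.',
    'Jul 30 15:27:37 mildap slapd[1219]: UNKNOWN attributeDescription "ADD" inserted.',
    "Jul 30 15:27:37 mildap slapd[1219]: <= str2entry: slap_str2undef_ad(-): empty AttributeDescription",
    "Jul 30 15:27:37 mildap slapd[1219]: slapd stopped.",
    "Jul 30 15:27:37 mildap slapd[1219]: connection_destroy: nothing to destroy.",
]
# Constructed sample 2: a clean restart; the old pid stops, the new one starts.
GOOD_RESTART = [
    "Feb 16 11:20:01 mildap slapd[2201]: daemon: shutdown requested and initiated.",
    "Feb 16 11:20:01 mildap slapd[2201]: slapd stopped.",
    "Feb 16 11:20:02 mildap slapd[2310]: @(#) $OpenLDAP: slapd 2.4.23 $",
    "Feb 16 11:20:02 mildap slapd[2310]: slapd starting",
]
# Constructed sample 3: the new process cannot load the files from certinfo.ldif.
TLS_FAILURE = [
    "Feb 16 11:25:02 mildap slapd[2402]: @(#) $OpenLDAP: slapd 2.4.23 $",
    "Feb 16 11:25:02 mildap slapd[2402]: main: TLS init def ctx failed: -1",
    "Feb 16 11:25:02 mildap slapd[2402]: slapd stopped.",
]

if __name__ == "__main__":
    for sample in (FAILED_RESTART, GOOD_RESTART, TLS_FAILURE):
        print(assess_restart(sample))
```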

If the service does not restart correctly, or we see serious errors in syslog, let's not get discouraged. We can try to repair the damage or start over. If we decide to start the slapd installation from scratch, there is no need to format our server.

To wipe out everything done so far, for whatever reason, we purge the slapd package and then delete the directory /var/lib/ldap. We must also restore the file /etc/ldap/ldap.conf to its original version.

It is rare for everything to work correctly on the first try. 🙂

Remember that in the next article we will see:

  • Local user authentication
  • Populating the database
  • Managing the database with console utilities
  • Summary so far...

See you later, guys!



  1.   Hugo said

    Maestro!!!
    GREAT TUTORIAL!
    excellent
    ALL THE BEST IN THE WORLD TO YOU.
    😀

    1.    Federico said

      Thank you very much, Hugo!!! Stay tuned for the next articles on the subject.

  2.   thisnameisfalse said

    Hello,

    Your series of articles is interesting.

    I was surprised to read this statement: "Modern OpenLDAP servers prefer the use of StartTLS, or Start Transport Layer Security, over the old TLS/SSL protocol, which is deprecated."

    Do you claim that, in all cases and beyond the scope of LDAP, STARTTLS is a more secure method than TLS/SSL?

    1.    Federico said

      Thanks for the comment. Note that I am referring to OpenLDAP. I won't go any further than that. At http://www.openldap.org/faq/data/cache/185.html you can read the following:

      Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). The terms (unless qualified with specific version numbers) are generally interchangeable.

      StartTLS is the name of the standard LDAP operation for initiating TLS/SSL. TLS/SSL is initiated upon successful completion of this LDAP operation. No alternative port is necessary. It is sometimes referred to as the TLS upgrade operation, as it upgrades a normal LDAP connection to one protected by TLS/SSL.

      ldaps:// and LDAPS refer to "LDAP over TLS/SSL" or "LDAP Secured". TLS/SSL is initiated upon connection to an alternative port (normally 636). Though the LDAPS port (636) is registered for this use, the particulars of the TLS/SSL initiation mechanism are not standardized.

      Once initiated, there is no difference between ldaps:// and StartTLS. They share the same configuration options (except that ldaps:// requires configuration of a separate listener, see slapd(8)'s -h option) and result in the establishment of the same security services.
      Note:
      1) ldap:// + StartTLS should be directed to a normal LDAP port (normally 389), not the ldaps:// port.
      2) ldaps:// should be directed to an LDAPS port (normally 636), not the LDAP port.

      1.    thisnameisfalse said

        Sorry, but I'm still not sure why you claim that: 1) modern servers prefer STARTTLS over SSL/TLS; 2) that STARTTLS is modern, as opposed to SSL/TLS, which is deprecated.

        I have struggled for half a month with the configuration of various mail clients that access a server over SSL (using the openssl libraries, as most software does), with the CA certificates in /etc/ssl/certs/ and other things. And what I have learned is: 1) STARTTLS only encrypts the session authentication, and everything else is sent in clear text; 2) SSL fully encrypts all of the session contents. Therefore, in no case is STARTTLS technically superior to SSL; I would rather tend to think the opposite, since your session content travels unencrypted over the network.

        Another different matter is that STARTTLS is recommended for other reasons I don't know about: compatibility with MSWindows, because the implementation is more stable or better tested... I don't know. That's why I'm asking you.

        From the excerpt of the manual you pasted in your reply, I see that the difference between ldap:// and ldaps:// is equivalent to the difference between imap:// and imaps://, or between smtp:// and smtps://: a different port is used, one more entry is added to the configuration file, but the other parameters are kept. But that says nothing about preferring STARTTLS or not.

        Regards, and sorry for the pushback. I'm just trying to learn more.

        1.    Federico said

          Look, it is rare for me to make statements of that kind in my articles without their being backed by some publication. At the end of this series I will include all the links to the documents I consider important and that I consulted in order to write the posts. I'll give you the following links:

          https://wiki.debian.org/LDAP/OpenLDAPSetup
          Ubuntu Server Guide https://code.launchpad.net/serverguide
          OpenLDAP official documentation http://www.openldap.org/doc/admin24/index.html
          LDAP over SSL/TLS and StartTLS http://tt4cs.wordpress.com/2014/01/18/ldap-over-ssltls-and-starttls/

          And also, I have consulted the accompanying documentation included with each package.

          The subject of security in general, and the differences between StartTLS and TLS/SSL, are so technical and deep that I don't consider myself to have the knowledge needed to give that kind of explanation. I think we can continue the conversation by email.

          On the other hand, nowhere do I state that LDAPS:// CANNOT be used. If you think it is more secure, go ahead!!!

          I can't help you any further, and I greatly appreciate your comments.

        2.    Federico said

          You can find a slightly more explicit explanation about OpenLDAP at:
          http://www.openldap.org/faq/data/cache/605.html

          The StartTLS extended operation [RFC 2830] is LDAPv3's standard mechanism for enabling TLS (SSL) data confidentiality protection. The mechanism uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection. While the mechanism is designed for use with TLSv1, most implementations will fall back to SSLv3 (and SSLv2) if necessary.

          ldaps:// is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires the use of a separate port, commonly 636. Though originally designed for use with LDAPv2 and SSLv2, many implementations support its use with LDAPv3 and TLSv1. Though there is no technical specification for ldaps://, it is widely used.

          ldaps:// is deprecated in favor of Start TLS [RFC2830]. OpenLDAP 2.0 supports both.
          For security reasons the server should be configured not to accept SSLv2.

  3.   mzantsaweb said

    This will be another of those articles where users won't comment because, since they only watch porn on their Linux workstations, they're simply not interested. Good article!!

    1.    Federico said

      Thanks for the comment!!! And what you say is true about the few comments on many of my articles. However, I do receive mail from interested readers, or from others who download the article to read it later and put it to use.

      Feedback through comments is always very useful, even if it is just: saved for later reading, interesting, or any other opinion.


  4.   Federico said

    Freeke!!! Thanks for the comment. I received your comment by email but I don't see it here even though I have refreshed the page several times. Friend, you can try this and the previous articles without problems on Squeeze or on Ubuntu Server 12.04. On Wheezy the certificates are generated differently, using OpenSSL. But nothing more than that. My regards, brother!!!

  5.   Federico said

    @thisnameisfalse: Even the best make mistakes. Thanks for your comments, I think the paragraph in question should read as follows:

    Modern OpenLDAP servers prefer the use of StartTLS, or Start Transport Layer Security, over the LDAPS:// protocol, which is deprecated. If you have any doubts, see Start TLS v. ldaps:// at http://www.openldap.org/faq/data/cache/605.html


  6.   jose monge said

    Perfect, now I have homework on ldap

  7.   Walter said

    Couldn't you put everything in a single file so the complete tutorial can be downloaded?

  8.   eVeR said

    I am a computer technician with extensive experience in Linux and I still got lost halfway through the article. Later I will read it again carefully. Thank you very much for the tutorial.
    Although it's true that it lets us understand a bit better why ActiveDirectory is usually preferred for these things. There is a universe of difference in ease of configuration and implementation.

  9.   Federico said

    Thanks to all of you for commenting!!!
    @jose monge, I hope it is useful to you
    @walter at the end of all the posts, I'll see whether I can make a compendium in html or pdf format
    @eVeR in a way, it is simpler - although it may not seem so - to have OpenLDAP than Active Directory. Wait for the next articles and you'll see.

  10.   Marcelo said

    A question: I did the installation step by step, but when I restart the slapd service I get the following error:

    Jul 30 15:27:37 xxxx slapd[1219]: @(#) $OpenLDAP: slapd (Ubuntu) (Mar 17 2014 21:20:08) $#012#011buildd@aatxe:/build/buildd/openldap-2.4.31/debian/build/servers/slapd
    Jul 30 15:27:37 xxxxx slapd[1219]: UNKNOWN attributeDescription "CHANGETYPE" inserted.
    Jul 30 15:27:37 xxxxx slapd[1219]: UNKNOWN attributeDescription "ADD" inserted.
    Jul 30 15:27:37 xxxxx[1219]: <= str2entry: slap_str2undef_ad(-): empty AttributeDescription
    Jul 30 15:27:37 xxxxx slapd[1219]: slapd stopped.
    Jul 30 15:27:37 xxxxx [1219]: connection_destroy: nothing to destroy.

    1.    yesikiso said

      you can ask in the forum 😀 http://foro.desdelinux.net/

  11.   isiseko said

    For anyone who sees this excellent and well-explained post and runs into this problem when doing the ACLs:
    ldapmodify: invalid format (line 5) entry: "olcDatabase={1}hdb,dc=config"

    After racking my brains on the internet, it turns out that ldapmodify is the most finicky thing on the face of the web. It chokes on missing characters and trailing spaces. Without further ado, the tip is to write it all on a single line, that is, by X write by self write by * read. If it still doesn't work, install Notepad++ > View > Show Symbol and finally kill off the invisible characters. I hope it helps someone.

  12.   isiseko said

    To generate the certificates on Debian Wheezy based on OpenSSL, this may help:
    http://blog.phenobarbital.info/2014/10/openldap-tlsssl-configuracion-basica-y-aseguramiento/