Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 7. Identity Management

7.1. Secure LDAP Communication
Copiar o link

If you have configured the Identity service (keystone) to authenticate against or to retrieve identity information from an LDAP server, you can secure LDAP communication for the Identity service using a CA certificate.

This section outlines how to obtain the CA certificate from Active Directory, how to convert the CA certificate file into Privacy Enhanced Mail (PEM) file format, and the three methods for configuring secure LDAP communication for the Identity service. The procedure in each method must be performed depending on where and how the CA trust is configured.

7.1.1. Obtaining the CA Certificate from Active Directory
Copiar o link

The following code shows an example of how to query Active Directory to obtain the CA certificate. The CA_NAME is the name of the certificate (you can see it in mmc.exe) and the rest of the parameters can be changed according to your setup: 

CA_NAME="WIN2012DOM-WIN2012-CA"
AD_SUFFIX="dc=win2012dom,dc=com" LDAPURL="ldap://win2012.win2012dom.com"
ADMIN_DN="cn=Administrator,cn=Users,$AD_SUFFIX"
ADMINPASSWORD="MyPassword"

CA_CERT_DN="cn=latexmath:[$CA_NAME,cn=certification authorities,cn=public key services,cn=services,cn=configuration,$]AD_SUFFIX"

TMP_CACERT=/tmp/cacert.`date +'%Y%m%d%H%M%S'`.$$.pem

ldapsearch -xLLL -H
latexmath:[$LDAPURL -D `echo \"$]ADMIN_DN"`-W -s base -b`echo
"$CA_CERT_DN"` objectclass=* cACertificate
Copy to Clipboard Toggle word wrap

7.1.2. Converting the CA Certificate into PEM file format
Copiar o link

Create a file called /path/cacert.pem and include the contents of the LDAP query — that obtained the CA certificate from Active Directory, within the header and footer, as shown in the example below: 

-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB... -----END
CERTIFICATE-----
Copy to Clipboard Toggle word wrap

For troubleshooting, you can execute the following query to check if LDAP is working, and to ensure the PEM certificate file was created correctly. 

LDAPTLS_CACERT=/path/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -s base -b "" "objectclass=*" currenttime
Copy to Clipboard Toggle word wrap

The query should return a result similar to: 

dn: currentTime:
20141022050611.0Z
Copy to Clipboard Toggle word wrap

You can run the following command to get a CA certificate if it was hosted by a web server.

Example

  • $HOST=redhat.com
  • $PORT=443 
# echo Q | openssl s_client -connect $HOST:$PORT | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p'
Copy to Clipboard Toggle word wrap

7.1.3. Methods for Configuring Secure LDAP Communication for the Identity Service
Copiar o link

7.1.3.1. Method 1
Copiar o link

Use this method if the CA trust is configured at the LDAP level using a PEM file. Manually specify the location of a CA certificate file. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.

  1. Copy the file containing your CA certificate chain in PEM format to the /etc/openldap/certs directory.

  2. Edit /etc/openldap/ldap.conf and add the following directive, replacing [CA_FILE] with the location and name of the CA certificate file: 

    TLS_CACERT /etc/openldap/certs/[CA_FILE]
    Copy to Clipboard Toggle word wrap

  3. Restart the httpd service: 

    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

7.1.3.2. Method 2
Copiar o link

Use this method if the CA trust is configured at the LDAP library level using a Network Security Services (NSS) database. Use the certutil command to import and trust a CA certificate into the NSS certificate database used by the OpenLDAP libraries. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.

  1. Import and trust the certificate, replacing [CA_FILE] with the location and name of the CA certificate file: 

    # certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE]
# certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE]
    Copy to Clipboard Toggle word wrap

  2. Confirm the CA certificate was imported correctly: 

    # certutil -d /etc/openldap/certs -L
    Copy to Clipboard Toggle word wrap

    Your CA certificate is listed, and the trust attributes are set to CT,,.

  3. Restart the httpd service: 

    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

7.1.3.3. Method 3
Copiar o link

Use this method if the CA trust is configured at the Keystone level using a PEM file. The final method of securing communication between the Identity service and an LDAP server is to configure TLS for the Identity service.

However, unlike the two methods above, this method only secures LDAP communication for the Identity service and does not secure LDAP communication for other applications that use the OpenLDAP libraries.

The following procedure uses the openstack-config command to edit values in the /etc/keystone/keystone.conf file.

  1. Enable TLS: 

    # openstack-config --set /etc/keystone/keystone.conf ldap use_tls True
    Copy to Clipboard Toggle word wrap

  2. Specify the location of the certificate, replacing [CA_FILE] with the name of the CA certificate: 

    # openstack-config --set /etc/keystone/keystone.conf ldap tls_cacertfile [CA_FILE]
    Copy to Clipboard Toggle word wrap

  3. Specify the client certificate checks performed on incoming TLS sessions from the LDAP server, replacing [CERT_BEHAVIOR] with one of the behaviors listed below:

    demand
    a certificate will always be requested from the LDAP server. The session will be terminated if no certificate is provided, or if the certificate provided cannot be verified against the existing certificate authorities file.
    allow
    a certificate will always be requested from the LDAP server. The session will proceed as normal even if a certificate is not provided. If a certificate is provided but it cannot be verified against the existing certificate authorities file, the certificate will be ignored and the session will proceed as normal.
    never
    a certificate will never be requested. 
    # openstack-config --set /etc/keystone/keystone.conf ldap tls_req_cert [CERT_BEHAVIOR]
    Copy to Clipboard Toggle word wrap

  4. Restart the httpd service: 

    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat