红帽全球峰会此内容没有您所选择的语言版本。
Chapter 7. Identity Management
7.1. Secure LDAP Communication
If you have configured the Identity service (keystone) to authenticate against or to retrieve identity information from an LDAP server, you can secure LDAP communication for the Identity service using a CA certificate.
This section outlines how to obtain the CA certificate from Active Directory, how to convert the CA certificate file into Privacy Enhanced Mail (PEM) file format, and the three methods for configuring secure LDAP communication for the Identity service. The procedure in each method must be performed depending on where and how the CA trust is configured.
7.1.1. Obtaining the CA Certificate from Active Directory
The following code shows an example of how to query Active Directory to obtain the CA certificate. The CA_NAME is the name of the certificate (you can see it in mmc.exe) and the rest of the parameters can be changed according to your setup:
CA_NAME="WIN2012DOM-WIN2012-CA" AD_SUFFIX="dc=win2012dom,dc=com" LDAPURL="ldap://win2012.win2012dom.com" ADMIN_DN="cn=Administrator,cn=Users,$AD_SUFFIX" ADMINPASSWORD="MyPassword" CA_CERT_DN="cn=latexmath:[$CA_NAME,cn=certification authorities,cn=public key services,cn=services,cn=configuration,$]AD_SUFFIX" TMP_CACERT=/tmp/cacert.`date +'%Y%m%d%H%M%S'`.$$.pem ldapsearch -xLLL -H latexmath:[$LDAPURL -D `echo \"$]ADMIN_DN"`-W -s base -b`echo "$CA_CERT_DN"` objectclass=* cACertificate
CA_NAME="WIN2012DOM-WIN2012-CA"
AD_SUFFIX="dc=win2012dom,dc=com" LDAPURL="ldap://win2012.win2012dom.com"
ADMIN_DN="cn=Administrator,cn=Users,$AD_SUFFIX"
ADMINPASSWORD="MyPassword"
CA_CERT_DN="cn=latexmath:[$CA_NAME,cn=certification authorities,cn=public key services,cn=services,cn=configuration,$]AD_SUFFIX"
TMP_CACERT=/tmp/cacert.`date +'%Y%m%d%H%M%S'`.$$.pem
ldapsearch -xLLL -H
latexmath:[$LDAPURL -D `echo \"$]ADMIN_DN"`-W -s base -b`echo
"$CA_CERT_DN"` objectclass=* cACertificate7.1.2. Converting the CA Certificate into PEM file format
Create a file called /path/cacert.pem and include the contents of the LDAP query — that obtained the CA certificate from Active Directory, within the header and footer, as shown in the example below:
-----BEGIN CERTIFICATE----- MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB... -----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB... -----END
CERTIFICATE-----For troubleshooting, you can execute the following query to check if LDAP is working, and to ensure the PEM certificate file was created correctly.
LDAPTLS_CACERT=/path/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -s base -b "" "objectclass=*" currenttime
LDAPTLS_CACERT=/path/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -s base -b "" "objectclass=*" currenttimeThe query should return a result similar to:
dn: currentTime: 20141022050611.0Z
dn: currentTime:
20141022050611.0ZYou can run the following command to get a CA certificate if it was hosted by a web server.
Example
- $HOST=redhat.com
- $PORT=443
echo Q | openssl s_client -connect $HOST:$PORT | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p'
# echo Q | openssl s_client -connect $HOST:$PORT | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p'7.1.3. Methods for Configuring Secure LDAP Communication for the Identity Service
7.1.3.1. Method 1
Use this method if the CA trust is configured at the LDAP level using a PEM file. Manually specify the location of a CA certificate file. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.
-
Copy the file containing your CA certificate chain in PEM format to the
/etc/openldap/certsdirectory. Edit
/etc/openldap/ldap.confand add the following directive, replacing [CA_FILE] with the location and name of the CA certificate file:TLS_CACERT /etc/openldap/certs/[CA_FILE]
Copy to clipboardCopiedTLS_CACERT /etc/openldap/certs/[CA_FILE]Restart the httpd service:
systemctl restart httpd.service
Copy to clipboardCopied# systemctl restart httpd.service
7.1.3.2. Method 2
Use this method if the CA trust is configured at the LDAP library level using a Network Security Services (NSS) database. Use the certutil command to import and trust a CA certificate into the NSS certificate database used by the OpenLDAP libraries. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.
Import and trust the certificate, replacing [CA_FILE] with the location and name of the CA certificate file:
certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE] certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE]
Copy to clipboardCopied# certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE] # certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE]Confirm the CA certificate was imported correctly:
certutil -d /etc/openldap/certs -L
Copy to clipboardCopied# certutil -d /etc/openldap/certs -LYour CA certificate is listed, and the trust attributes are set to CT,,.
Restart the httpd service:
systemctl restart httpd.service
Copy to clipboardCopied# systemctl restart httpd.service
7.1.3.3. Method 3
Use this method if the CA trust is configured at the Keystone level using a PEM file. The final method of securing communication between the Identity service and an LDAP server is to configure TLS for the Identity service.
However, unlike the two methods above, this method only secures LDAP communication for the Identity service and does not secure LDAP communication for other applications that use the OpenLDAP libraries.
The following procedure uses the openstack-config command to edit values in the /etc/keystone/keystone.conf file.
Enable TLS:
openstack-config --set /etc/keystone/keystone.conf ldap use_tls True
Copy to clipboardCopied# openstack-config --set /etc/keystone/keystone.conf ldap use_tls TrueSpecify the location of the certificate, replacing [CA_FILE] with the name of the CA certificate:
openstack-config --set /etc/keystone/keystone.conf ldap tls_cacertfile [CA_FILE]
Copy to clipboardCopied# openstack-config --set /etc/keystone/keystone.conf ldap tls_cacertfile [CA_FILE]Specify the client certificate checks performed on incoming TLS sessions from the LDAP server, replacing [CERT_BEHAVIOR] with one of the behaviors listed below:
- demand
- a certificate will always be requested from the LDAP server. The session will be terminated if no certificate is provided, or if the certificate provided cannot be verified against the existing certificate authorities file.
- allow
- a certificate will always be requested from the LDAP server. The session will proceed as normal even if a certificate is not provided. If a certificate is provided but it cannot be verified against the existing certificate authorities file, the certificate will be ignored and the session will proceed as normal.
- never
- a certificate will never be requested.
openstack-config --set /etc/keystone/keystone.conf ldap tls_req_cert [CERT_BEHAVIOR]
Copy to clipboardCopied# openstack-config --set /etc/keystone/keystone.conf ldap tls_req_cert [CERT_BEHAVIOR]Restart the httpd service:
systemctl restart httpd.service
Copy to clipboardCopied# systemctl restart httpd.service
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}