Contribution: Alexandro Silva
Publication date: 3 August 2010
With the server running correctly, I will now restrict access with ACLs and add encryption (ldaps) as a security layer.
Edit the file /etc/ldap/slapd.conf, restricting access to the database by modifying the ACLs as in the example below:
vim /etc/ldap/slapd.conf
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to * by * read
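The three ACL clauses above are evaluated first-match: the first `access to` whose `what` selector matches the attribute decides, and inside it the first matching `by` wins (slapd appends an implicit `by * none`). The script below is an added example, not part of the original post, that models that evaluation so the effect of the clauses can be checked without a running slapd: anonymous clients get only `auth` on userPassword (enough to bind, not to read the hash), an entry can write its own password, everyone else gets nothing, and all other attributes stay world-readable. The entry DNs and the ou=people branch are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed copy of the three ACL clauses the post adds to /etc/ldap/slapd.conf.
SLAPD_ACLS = """
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to * by * read
"""

# slapd access levels form a ladder: a granted level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Clause:
    what: str   # the <what> selector: 'attrs=userPassword', 'dn.base=""' or '*'
    by: list    # [(who, level), ...] in file order


def parse_acls(text):
    """Parse 'access to <what> by <who> <level> ...' directives.
    Lines that start with whitespace continue the previous line, as in slapd.conf."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    clauses = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("access to "):
            continue
        what, *bys = re.split(r"\s+by\s+", line[len("access to "):])
        clauses.append(Clause(what.strip(), [tuple(b.split()) for b in bys]))
    return clauses


def _what_matches(clause, target_dn, attr):
    if clause.what == "*":
        return True
    if clause.what.startswith("attrs="):
        return attr in clause.what[len("attrs="):].split(",")
    if clause.what == 'dn.base=""':
        return target_dn == ""          # the root DSE has the empty DN
    return False


def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return False


def access_level(clauses, bind_dn, target_dn, attr):
    """Level slapd grants: the first matching <what> decides, and inside it the first
    matching <by> wins; a matching <what> with no matching <by> yields none."""
    for clause in clauses:
        if _what_matches(clause, target_dn, attr):
            for who, level in clause.by:
                if _who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allows(clauses, bind_dn, target_dn, attr, needed):
    """True when the granted level reaches what the operation needs
    (read an attribute -> 'read', bind with it -> 'auth', modify it -> 'write')."""
    return LEVELS.index(access_level(clauses, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


ACLS = parse_acls(SLAPD_ACLS)
ALEXOS = "uid=alexos,ou=people,dc=acme,dc=local"   # constructed entry DN
BOB = "uid=bob,ou=people,dc=acme,dc=local"         # constructed entry DN

if __name__ == "__main__":
    for bind, label in ((None, "anonymous"), (ALEXOS, "alexos"), (BOB, "bob")):
        print(f"{label:>9} on alexos' userPassword:",
              access_level(ACLS, bind, ALEXOS, "userPassword"))
```

Running it shows `auth`, `write` and `none` for the three binds. Note that the order of the clauses matters: if `access to * by * read` came first, it would match userPassword too and the password rule would never be reached.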
Generating the password in SSHA
slappasswd -h {SSHA}
Enter the **ADMIN** password and confirm it.
Edit the file /etc/ldap/slapd.conf
vim /etc/ldap/slapd.conf
suffix "dc=acme,dc=local"
rootdn "cn=admin,dc=acme,dc=local"
rootpw "{SSHA}irRG0yGfiDoBbKqX5rRTBzy+23J5rt+J"
Restart slapd
invoke-rc.d slapd restart
To enable TLS/SSL on the server, carry out the following steps:
Create the ssl directory under /etc/ldap and change into it
mkdir /etc/ldap/ssl
cd /etc/ldap/ssl
If you do not have a certificate signed by a CA, create a CA with the command
/usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create) **[ press ENTER ]**
Enter PEM pass phrase: **[ enter the password ]**
Verifying - Enter PEM pass phrase: **[ repeat the previous password ]**
Country Name (2 letter code) [AU]:**BR**
State or Province Name (full name) [Some-State]:**Bahia**
Locality Name (eg, city): **Salvador**
Organization Name (eg, company) [Internet Widgits Pty Ltd]:**ACME**
Organizational Unit Name (eg, section) :**IT**
Common Name (eg, YOUR name) :**localhost**
Email Address:**admin@acme.local**
A challenge password: **[ press ENTER ]**
An optional company name: **[ press ENTER ]**
Enter pass phrase for ./demoCA/private/./cakey.pem: **[ type the password set at "Enter PEM pass phrase" ]**
Create the key:
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Country Name (2 letter code) [AU]:**BR**
State or Province Name (full name) [Some-State]:**Bahia**
Locality Name (eg, city):**Salvador**
Organization Name (eg, company) [Internet Widgits Pty Ltd]:**ACME**
Organizational Unit Name (eg, section):**IT**
Common Name (eg, YOUR name):**localhost**
Email Address:**admin@acme.local**
A challenge password: **[ press ENTER ]**
An optional company name: **[ press ENTER ]**
Sign the key you created using the CA.
/usr/lib/ssl/misc/CA.sh -sign
Enter the CA password and answer every question with "y"
Copy the file cacert.pem to the /etc/ldap/ssl directory
cp demoCA/cacert.pem /etc/ldap/ssl/
Change the owner of the .pem files
chown openldap *.pem
Change the access permissions on the .pem files
chmod 600 *.pem
Add the following lines to the file /etc/ldap/slapd.conf:
TLSCACertificateFile /etc/ldap/ssl/cacert.pem
TLSCertificateFile /etc/ldap/ssl/newcert.pem
TLSCertificateKeyFile /etc/ldap/ssl/newreq.pem
TLSVerifyClient never
Uncomment and edit the file /etc/default/slapd, enabling ldaps
vim /etc/default/slapd
SLAPD_SERVICES="ldaps:///"
Edit the file /etc/ldap/ldap.conf, adding the following line:
TLS_REQCERT never
Restart slapd
invoke-rc.d slapd restart
Test the connection over ldaps:
ldapsearch -LL -H ldaps://localhost -b "dc=acme,dc=local" -x "(uid=alexos)"
After the changes above, our /etc/ldap/slapd.conf file will look like the example below:
Example /etc/ldap/slapd.conf file
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/qmailuser.schema
pidfile /var/run/slapd/slapd.pid
TLSCACertificateFile /etc/ldap/ssl/cacert.pem
TLSCertificateFile /etc/ldap/ssl/newcert.pem
TLSCertificateKeyFile /etc/ldap/ssl/newreq.pem
TLSVerifyClient never
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
database hdb
suffix "dc=acme,dc=local"
rootdn "cn=admin,dc=acme,dc=local"
rootpw "{SSHA}/v+HeJBQferYPfYFkqqa1TwIGmW2piFv"
directory "/var/lib/ldap"
index objectClass,ou,cn,sn,uid,uidNumber,mail,mailAlternateAddress,mailForwardingAddress,memberUid eq
lastmod on
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to * by * read
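Three things in the finished setup are worth checking rather than trusting: the private key in newreq.pem must stay mode 600, rootpw must be a hash and not a cleartext value, and the userPassword ACL must end in `by * none` or the catch-all `access to * by * read` exposes the hashes. A fourth point is on the client side: `TLS_REQCERT never` in ldap.conf makes clients accept any server certificate, so the ldaps channel is encrypted but not authenticated; `TLS_CACERT` pointing at cacert.pem with `TLS_REQCERT demand` is the setting that actually verifies the server. The script below is an added audit, not code from the post, that runs those checks over a constructed copy of the slapd.conf above (schema includes trimmed) with placeholder PEM files in a scratch directory standing in for /etc/ldap/ssl. It does not inspect the key itself; note that the 1024-bit RSA key the post generates is below the 2048-bit minimum current tooling expects.

```python
import os
import re
import stat
import tempfile

# Constructed copy of the post's final slapd.conf (schema includes trimmed); {ssl} is
# filled in with a scratch directory so the file checks run anywhere (the post uses
# /etc/ldap/ssl), and {rootpw} lets the demo try a cleartext value.
SLAPD_CONF_TEMPLATE = """\
allow bind_v2
include /etc/ldap/schema/core.schema
pidfile /var/run/slapd/slapd.pid
TLSCACertificateFile {ssl}/cacert.pem
TLSCertificateFile {ssl}/newcert.pem
TLSCertificateKeyFile {ssl}/newreq.pem
TLSVerifyClient never
loglevel none
database hdb
suffix "dc=acme,dc=local"
rootdn "cn=admin,dc=acme,dc=local"
rootpw "{rootpw}"
directory "/var/lib/ldap"
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to * by * read
"""

# The client-side line the post adds to /etc/ldap/ldap.conf, and the verifying alternative.
LDAP_CONF_NEVER = "TLS_REQCERT never\n"
LDAP_CONF_DEMAND = "TLS_CACERT {ssl}/cacert.pem\nTLS_REQCERT demand\n"


def _directives(text):
    """Yield (keyword, rest) per logical line; indented lines continue the previous one."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keyword, _, rest = line.partition(" ")
            yield keyword, rest.strip()


def audit(slapd_conf, ldap_conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    userpw_acl = None
    for keyword, rest in _directives(slapd_conf):
        if keyword in ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile"):
            path = rest.strip('"')
            if not os.path.isfile(path):
                findings.append(f"{keyword}: {path} does not exist")
            elif keyword == "TLSCertificateKeyFile":
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & 0o077:                      # any group/other bit set
                    findings.append(f"{keyword}: {path} is mode {mode:o}, expected 600")
        elif keyword == "rootpw" and not rest.strip('"').startswith("{"):
            findings.append("rootpw: cleartext value, generate it with slappasswd -h {SSHA}")
        elif keyword == "access" and rest.startswith("to attrs=userPassword"):
            userpw_acl = rest
    if userpw_acl is None:
        findings.append("no 'access to attrs=userPassword' clause; 'access to * by * read' exposes the hashes")
    elif not userpw_acl.endswith("by * none"):
        findings.append("userPassword ACL does not end with 'by * none'")
    for keyword, rest in _directives(ldap_conf):
        if keyword == "TLS_REQCERT" and rest.lower() in ("never", "allow"):
            findings.append(f"ldap.conf: TLS_REQCERT {rest} means clients never verify the server certificate")
    return findings


def run_demo(key_mode=0o600, rootpw="{SSHA}irRG0yGfiDoBbKqX5rRTBzy+23J5rt+J", ldap_conf=LDAP_CONF_NEVER):
    """Lay out placeholder PEM files in a scratch directory and audit the resulting config."""
    with tempfile.TemporaryDirectory() as ssl:
        for name in ("cacert.pem", "newcert.pem", "newreq.pem"):
            path = os.path.join(ssl, name)
            with open(path, "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")   # constructed stand-in, not a real PEM
            os.chmod(path, 0o600)                             # the post's chmod 600 *.pem
        os.chmod(os.path.join(ssl, "newreq.pem"), key_mode)   # loosen the key for the demo if asked
        return audit(SLAPD_CONF_TEMPLATE.format(ssl=ssl, rootpw=rootpw),
                     ldap_conf.format(ssl=ssl))


if __name__ == "__main__":
    print("as in the post:", run_demo())
    print("loose key, cleartext rootpw:",
          run_demo(key_mode=0o644, rootpw="secret", ldap_conf=LDAP_CONF_DEMAND))
```

Against the post's own values the only finding is the `TLS_REQCERT never` line; loosening the key to 644 or pasting a cleartext rootpw adds a finding each, and switching ldap.conf to `TLS_REQCERT demand` with `TLS_CACERT` clears the client-side one. Since the certificate's Common Name is `localhost`, `demand` only succeeds for clients that connect to that name, which is what the ldapsearch test above does.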
References:
Fonte: http://blog.alexos.com.br/?p=1901&lang=en