From: W. Trevor King Date: Tue, 21 Jun 2011 12:26:01 +0000 (-0400) Subject: Add GnuTLS and secure LDAP information. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=aee87fce6536ec4d2039e04cc8149602590af08c;p=mw2txt.git Add GnuTLS and secure LDAP information. --- diff --git a/posts/GnuTLS.mdwn b/posts/GnuTLS.mdwn new file mode 100644 index 0000000..32a636b --- /dev/null +++ b/posts/GnuTLS.mdwn @@ -0,0 +1,15 @@ +[GnuTLS][] is the GNU [SSL/TLS][] implementation, because +[OpenSSL][]'s [license is incompatible with the GPL][incompatible]. +There are a number of small compatibility issues between the two, so +it's best to use the OpenSSL tools to create certs and keys for use by +OpenSSL-linked servers and the GnuTLS tools to create certs and keys +for use by GnuTLS-linked servers. See [[X.509_certificates]] for +details on creating self-signed keys with both packages. + +[GnuTLS]: http://www.gnu.org/software/gnutls/ +[SSL/TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security +[OpenSSL]: http://www.openssl.org/ +[incompatible]: http://en.wikipedia.org/wiki/OpenSSL#Licensing + +[[!tag tags/linux]] +[[!tag tags/tools]] diff --git a/posts/LDAP.mdwn b/posts/LDAP.mdwn index 87ffb19..b78ddd4 100644 --- a/posts/LDAP.mdwn +++ b/posts/LDAP.mdwn 
@@ -210,6 +210,64 @@ connection details via a config file (`~/.mutt-ldap.rc`) rather than editing the script itself. Usage details are available in the docstring. +SSL/TLS +------- + +It took me a bit of work to get [SSL/TLS][] working with my +[[GnuTLS]]-linked OpenLDAP. First, you'll probably need to generate +new SSL/TLS keys (`/etc/openldap/ssl/*`) with [certtool][] (see +[[X.509_certificates]]). Then add the following lines to +`/etc/openldap/slapd.conf`: + + TLSCipherSuite NORMAL + TLSCACertificateFile /etc/openldap/ssl/ca.crt + TLSCertificateFile /etc/openldap/ssl/ldap.crt + TLSCertificateKeyFile /etc/openldap/ssl/ldap.key + TLSVerifyClient never + +Where `ca.crt`, `ldap.crt`, and `ldap.key` are your new CA, +certificate, and private key. If you want to disable unencrypted +connections completely, remove the `ldap://` entry from your `slapd` +command line by editing (on Gentoo) `/etc/conf.d/slapd` so it has + + OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" + +Now you should be able to restart `slapd` so it will use the new +configuration. 
+ +Have clients running on your server use the local socket by editing +`/etc/openldap/ldap.conf` to set: + + URI ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock + +Test your server setup by running (on the server) + + $ ldapsearch -x -b '' -s base '(objectclass=*)' + +Copy your CA over to any client machines (I put it in +`/etc/openldap/ssl/ldapserver.crt`), and set them up with the +following two lines in `/etc/openldap/ldap.conf`: + + URI ldaps://ldapserver.example.com + TLS_CACERT /etc/openldap/ssl/ldapserver.crt + +Test your client setup by running (on the client) + + $ ldapsearch -x -b '' -s base '(objectclass=*)' + +You can configure `shelldap` with the following lines in +`~/.shelldap.rc`: + + server: ldaps://ldapserver.example.com + tls: yes + tls_cacert: /etc/openldap/ssl/ldapserver.crt + +You can configure `mutt-ldap.py` with the following lines in +`~/.mutt-ldap.rc`: + + port = 636 + ssl = yes + References ---------- @@ -229,4 +287,9 @@ the countryName attribute, ... [rfc4512]: http://tools.ietf.org/html/rfc4512 [shelldap]: http://projects.martini.nu/shelldap/ [mutts]: http://wiki.mutt.org/?QueryCommand +[SSL/TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security +[certtool]:http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool [schema]: http://www.oreillynet.com/pub/a/sysadmin/2006/11/09/demystifying-ldap-data.html + +[[!tag tags/linux]] +[[!tag tags/tools]] diff --git a/posts/LDAP/mutt-ldap.py b/posts/LDAP/mutt-ldap.py index e27a5e3..8fac78e 100755 --- a/posts/LDAP/mutt-ldap.py +++ b/posts/LDAP/mutt-ldap.py 
@@ -55,11 +55,11 @@ def connect(): protocol = 'ldap' if CONFIG.getboolean('connection', 'ssl'): protocol = 'ldaps' - connection = ldap.initialize( - '%s://%s:%s' % ( - protocol, - CONFIG.get('connection', 'server'), - CONFIG.get('connection', 'port'))) + url = '%s://%s:%s' % ( + protocol, + CONFIG.get('connection', 'server'), + CONFIG.get('connection', 'port')) + connection = ldap.initialize(url) connection.bind( CONFIG.get('connection', 'user'), CONFIG.get('connection', 'password'), diff --git a/posts/X.509_certificates.mdwn b/posts/X.509_certificates.mdwn index 02a8a4d..f683df2 100644 --- a/posts/X.509_certificates.mdwn +++ b/posts/X.509_certificates.mdwn 
@@ -1,8 +1,47 @@ If you're running your own server, your probably not shelling out $400 to get an "official" Certificate Authority to sign your key. Here's a quick not to myself about how to create and sign your own key. +Depending on your application, you can use either the [[GnuTLS]] or +[OpenSSL][] toolchain. -Use [openssl][]'s [genpkey][] to generate an *unencrypted* public key. +GnuTLS +------ + +Following the [GnuTLS manual][gnutls-manual], create a certificate +authority with [certtool][], adjusting the `cn` as you see fit: + + $ certtool --generate-privkey > x509-ca-key.pem + $ echo 'cn = GnuTLS test CA' > ca.tmpl + $ echo 'ca' >> ca.tmpl + $ echo 'cert_signing_key' >> ca.tmpl + $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \ + --template ca.tmpl --outfile x509-ca.pem + +Now generate the *unencrypted* server key. + + $ certtool --generate-privkey > x509-server-key.pem + +And sign the key with your CA, adjusting the `cn` as you see fit, and +changing `dns_name` to match your fully qualified host name. + + $ echo 'organization = GnuTLS test server' > server.tmpl + $ echo 'cn = test.gnutls.org' >> server.tmpl + $ echo 'tls_www_server' >> server.tmpl + $ echo 'encryption_key' >> server.tmpl + $ echo 'signing_key' >> server.tmpl + $ echo 'dns_name = test.gnutls.org' >> server.tmpl + $ certtool --generate-certificate --load-privkey x509-server-key.pem \ + --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ + --template server.tmpl --outfile x509-server.pem + +You can also print certificates with [certtool][]. + + $ certtool --infile x509-server.pem --certificate-info + +OpenSSL +------- + +Use [openssl][]'s [genpkey][] to generate an *unencrypted* key. $ openssl genpkey -algorithm RSA -out key.pem 
@@ -30,7 +69,9 @@ You can also print certificates with [x509][]. $ openssl x509 -in cert.pem -noout -text -[openssl]: http://www.openssl.org/docs/apps/openssl.html +[gnutls-manual]: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html +[certtool]: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool +[OpenSSL]: http://www.openssl.org/docs/apps/openssl.html [genpkey]: http://www.openssl.org/docs/apps/genpkey.html [req]: http://www.openssl.org/docs/apps/req.html [x509]: http://www.openssl.org/docs/apps/x509.html
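Review bot: in the `posts/LDAP.mdwn` hunk (`@@ -210,6 +210,64 @@`), the client-side `ldap.conf` example sets `TLS_CACERT` but says nothing about `TLS_REQCERT`; the OpenLDAP default is `demand`, which is what makes the CA copy meaningful, so state that explicitly (one line: `TLS_REQCERT demand`) so readers whose distro ships `allow` or `never` do not end up with an `ldaps://` connection that accepts any server certificate. It would also help to say that dropping `ldap://` from `OPTS` removes STARTTLS on port 389 as well as plaintext, and that `TLSVerifyClient never` only skips client certificates, not the server-side verification that clients still perform.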
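Review bot: in the second `posts/LDAP.mdwn` hunk (`@@ -229,4 +287,9 @@`), the new reference `[certtool]:http://www.gnu.org/...` has no space after the colon, unlike every other definition in the list (`[SSL/TLS]: http://...`); some Markdown implementations require that space, so write it as `[certtool]: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool` for consistency and portability.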
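Review bot: in the `posts/LDAP/mutt-ldap.py` hunk, extracting `url` before `ldap.initialize(url)` is a behaviour-neutral refactor, but the surrounding context shows the credentials going over that link via `connection.bind(user, password)` with nothing in the code selecting a CA file, so the `ssl = yes` / `port = 636` setting documented in `~/.mutt-ldap.rc` protects the password only if the system `ldap.conf` (`TLS_CACERT`, `TLS_REQCERT`) validates the server; add a comment at the `url = ...` line or a sentence in the LDAP post saying that the script relies on the system-wide client TLS configuration.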
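Review bot: in the first `posts/X.509_certificates.mdwn` hunk (`@@ -1,8 +1,47 @@`), neither `ca.tmpl` nor `server.tmpl` sets `expiration_days`, so both certificates get certtool's default validity and the post gives no hint of when the server certificate will need re-signing; add an `echo 'expiration_days = ...' >> ca.tmpl` / `server.tmpl` line (or a sentence about the default) next to the other template lines. While editing that file, the unchanged intro still reads "your probably not shelling out" and "a quick not to myself"; fix to "you're" and "note".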
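Review bot: in the second `posts/X.509_certificates.mdwn` hunk (`@@ -30,7 +69,9 @@`), the reference definition is renamed from `[openssl]` to `[OpenSSL]` while the body text added in the first hunk still uses `[openssl][]`; Markdown reference labels are case-insensitive so the link resolves, but either keep the definition as `[openssl]` or change the body to `[OpenSSL][]` so the two spellings do not drift apart in later edits.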