Setting up an OpenVPN service on CentOS (with OpenLDAP authentication)


1. Install openvpn and easy-rsa (the package used to create the CA certificate)

(1) Install the EPEL repository

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

(2) Install openvpn

yum install openvpn

(3) Download the latest easy-rsa from GitHub

Download the package from https://github.com/OpenVPN/easy-rsa
mkdir openvpn
cd openvpn
unzip easy-rsa-3.0.5.zip
mv easy-rsa-3.0.5 easy-rsa

2. Configure the /etc/openvpn/ directory

(1) Create the directory and copy the easy-rsa directory into it

cp -a easy-rsa /etc/openvpn/

(2) Configure: edit the vars file according to your own environment

cd /etc/openvpn/easy-rsa/easyrsa3
cp vars.example vars
vim vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "ZheJiang"
set_var EASYRSA_REQ_CITY "HangZhou"
set_var EASYRSA_REQ_ORG "ethnicity"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "My OpenVPN"

3. Create the server certificate and key

Enter the /etc/openvpn/easy-rsa/easyrsa3/ directory

① Initialize

cd /etc/openvpn/easy-rsa/easyrsa3/
./easyrsa init-pki

② Create the root certificate

./easyrsa build-ca

Note: this step asks for a PEM pass phrase, entered twice. You must remember this password, otherwise you will not be able to sign certificates later. It also asks for a common name; choose any value, as long as it is unique.

③ Create the server certificate

./easyrsa gen-req server nopass

This step asks for a common name; any value is fine, but it must not be the same as the root certificate's.

④ Sign the server certificate

./easyrsa sign server server

This command asks you to confirm by typing yes, and then asks for the password set when the CA was created. If you have forgotten that password, start over from the beginning.

⑤ Create the Diffie-Hellman parameters, which let the key exchange cross an untrusted network

./easyrsa gen-dh

4. Create the client certificate

① In the root directory create a client folder (any name will do), copy the easy-rsa folder extracted earlier into it, then enter the following directory

mkdir client
cp /etc/openvpn/easy-rsa client/
cd client/easy-rsa/easyrsa3/

② Initialize

./easyrsa init-pki    # type yes to confirm

③ Create the client key and generate the request (remember: the password set here is the one the client enters at login)

./easyrsa gen-req ethnicity    # choose your own name

④ Import the resulting qingliu.req and sign the certificate

a. Enter /etc/openvpn/easy-rsa/easyrsa3/

cd /etc/openvpn/easy-rsa/easyrsa3/

b. Import the req

./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/ethnicity.req ethnicity

c. Sign the certificate

./easyrsa sign client ethnicity

// A client certificate is being generated here, so the type must be client; along must match the name imported earlier

Signing the certificate is the same as for the server, so no screenshots here, but the CA password is required again.

5. Put the required server-side files into the /etc/openvpn/ directory

The CA certificate, the server certificate and the server key

cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/

6. Put the required client files into the /root/openvpn/ directory

The client certificate

cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/along.crt /root/client/
cp /root/client/easy-rsa/easyrsa3/pki/private/along.key /root/client

7. Write the server configuration file

vim /etc/openvpn/server.conf

local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.222.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
push "route 172.19.208.0 255.255.240.0"
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf %u"
client-cert-not-required
username-as-common-name
script-security 3
verb 3

LDAP configuration file

cat /etc/openvpn/auth/ldap.conf

<LDAP>
    URL ldap://172.19.220.168:389
    BindDN cn=admin,dc=ethnicity,dc=cn
    Password xxxxxxx
    Timeout 15
    TLSEnable no
    FollowReferrals no
</LDAP>
<Authorization>
    BaseDN "ou=People,dc=ethnicity,dc=cn"
    SearchFilter "uid=%u"
    RequireGroup true
    <Group>
        BaseDN "ou=Group,dc=ethnicity,dc=cn"
        SearchFilter "(objectclass=groupOfUniqueNames)"
        MemberAttribute uniqueMember
    </Group>
</Authorization>
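Several settings in the server.conf and ldap.conf above are worth a second look before the service faces users. The script below is an added example, not code from the post: it lints a server.conf and an openvpn-auth-ldap ldap.conf for those settings and prints the corrected directive next to each finding (the file paths passed as arguments are assumptions).

```shell
#!/bin/bash
# Added example, not part of the original post: lint the server.conf and the
# openvpn-auth-ldap ldap.conf from the walkthrough for settings a security
# review would flag, and print the corrected directive next to each finding.
# Prints one "FINDING: ..." line per issue; no output means the checks passed.

has_directive() {   # has_directive FILE REGEX: matches active directives, not comments
    grep -qE "^[[:space:]]*$2" "$1"
}

audit_openvpn_conf() {   # audit_openvpn_conf SERVER_CONF LDAP_CONF
    conf="$1"; ldapconf="$2"

    if has_directive "$conf" 'client-cert-not-required'; then
        echo "FINDING: client-cert-not-required is deprecated (OpenVPN 2.4+) and reduces login"
        echo "  to the LDAP password alone; use 'verify-client-cert require' to keep cert + password."
    fi
    if has_directive "$conf" 'comp-lzo'; then
        echo "FINDING: comp-lzo compresses plaintext before encryption (VORACLE-style leaks);"
        echo "  remove it from the server and client configs."
    fi
    if has_directive "$conf" 'script-security[[:space:]]+3'; then
        echo "FINDING: script-security 3 exposes user passwords to any hook script via the"
        echo "  environment; nothing here runs a script, so drop it or use 'script-security 2'."
    fi
    if ! has_directive "$conf" '(tls-auth|tls-crypt)'; then
        echo "FINDING: no tls-auth/tls-crypt, so any host can start a TLS handshake on the VPN"
        echo "  port; add 'tls-crypt /etc/openvpn/ta.key' (openvpn --genkey --secret ta.key)."
    fi
    if has_directive "$ldapconf" 'URL[[:space:]]+ldap://' \
       && has_directive "$ldapconf" 'TLSEnable[[:space:]]+no'; then
        echo "FINDING: plain ldap:// with TLSEnable no sends the BindDN password and every"
        echo "  user's password in clear; use ldaps:// or 'TLSEnable yes' (StartTLS)."
    fi
    if find "$ldapconf" -perm -004 2>/dev/null | grep -q .; then
        echo "FINDING: $ldapconf is world-readable but holds the BindDN Password;"
        echo "  chmod 600 it and make it owned by root."
    fi
}

# Usage: audit_openvpn_conf /etc/openvpn/server.conf /etc/openvpn/auth/ldap.conf
```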

8. Set up the iptables NAT rule and enable IP forwarding

iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -j MASQUERADE
iptables -vnL -t nat
vim /etc/sysctl.conf    # enable IP forwarding
net.ipv4.ip_forward = 1
sysctl -p

9. Start the openvpn service

openvpn /etc/openvpn/server.conf    # start the service
ss -nutl | grep 1194

Script for adding a user

cat add_user.sh

#!/bin/bash
user=$1
cd /root/client/easy-rsa/easyrsa3/
./easyrsa init-pki
./easyrsa gen-req $user
rm -rf /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/$user.req
cd /etc/openvpn/easy-rsa/easyrsa3/
./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/$user.req $user
./easyrsa sign client $user
cp -r /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/$user.crt /root/client/
cp /root/client/easy-rsa/easyrsa3/pki/private/$user.key /root/client
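A hardened variant of add_user.sh, added here as an example and not the post's own script: the username is validated before it is spliced into paths and into rm, init-pki runs only once (re-running it wipes every earlier client key), output files get tight modes, and a revoke step publishes a CRL so a departed user's certificate stops working. It assumes the same paths as the post and that server.conf carries crl-verify /etc/openvpn/crl.pem.

```shell
#!/bin/bash
# Added example, not the post's own add_user.sh: same enrolment flow with the
# username validated before use in paths/rm, init-pki run only once, tight file
# modes, and a revoke step that publishes a CRL (server.conf: crl-verify).
# Paths are the ones used in the post.
set -u
SERVER_PKI=/etc/openvpn/easy-rsa/easyrsa3
CLIENT_PKI=/root/client/easy-rsa/easyrsa3
OUT=/root/client

valid_username() {   # 1-32 chars of [alnum._-], no leading dot: blocks "../x", spaces, shell metachars
    case "$1" in
        ''|.*|*[![:alnum:]._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

add_user() {
    user="$1"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    (
        cd "$CLIENT_PKI" || exit 1
        [ -d pki ] || ./easyrsa init-pki        # initialise once, never wipe existing keys
        ./easyrsa gen-req "$user"               # prompts for the passphrase the user types at login
    ) || return 1
    rm -f "$SERVER_PKI/pki/reqs/$user.req"      # safe: $user has passed valid_username
    (
        cd "$SERVER_PKI" || exit 1
        ./easyrsa import-req "$CLIENT_PKI/pki/reqs/$user.req" "$user"
        ./easyrsa sign-req client "$user"       # asks for the CA passphrase
    ) || return 1
    install -m 0644 "$SERVER_PKI/pki/ca.crt" "$OUT/ca.crt"
    install -m 0644 "$SERVER_PKI/pki/issued/$user.crt" "$OUT/$user.crt"
    install -m 0600 "$CLIENT_PKI/pki/private/$user.key" "$OUT/$user.key"
}

revoke_user() {   # offboarding: revoke the cert and publish a fresh CRL for the server
    user="$1"
    valid_username "$user" || return 1
    (
        cd "$SERVER_PKI" || exit 1
        ./easyrsa revoke "$user" && ./easyrsa gen-crl      # writes pki/crl.pem
    ) || return 1
    install -m 0644 "$SERVER_PKI/pki/crl.pem" /etc/openvpn/crl.pem
}

case "${1:-}" in
    add)    add_user "$2" ;;
    revoke) revoke_user "$2" ;;
    *)      echo "usage: $0 add|revoke USERNAME" >&2 ;;
esac
```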

Finally, the client configuration is attached

cat client.ovpn

client
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
comp-lzo
remote-cert-tls server
route-delay 2
cipher AES-256-CBC
remote xxxxxx1194
ca /etc/openvpn/client/ca.crt
auth-user-pass /etc/openvpn/client/pass.txt
auth-nocache

/etc/openvpn/client/pass.txt holds the username and the password on two separate lines

Example of a client configuration for connecting with OpenLDAP authentication

client
dev tun
proto tcp
remote xx.xx.xx.xx 13330
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
;explicit-exit-notify 1
verb 3
auth-user-pass
[inline CA certificate block omitted]
key-direction 1
[inline OpenVPN Static key V1 block omitted]
