差異處
這裏顯示兩個版本的差異處。
|
java:ldap [2016/03/24 10:33] tony [OpenLDAP with SSL/TLS] |
java:ldap [2023/06/25 09:48] |
||
|---|---|---|---|
| 行 1: | 行 1: | ||
| - | ====== LDAP & AD ====== | + | |
| - | LDAP & AD都算是老東西了,會開始寫些教學是因為遇到與它的整合。內容隨著我的學習會慢慢增加,如果我有空寫的話~XD。 | + | |
| - | ===== LDAP + RestAPI + Digest Auth? ===== | + | |
| - | 目前遇到的問題是: LDAP使用者是否可以透過RestAPI進行Digest Auth? \\ | + | |
| - | 我認為有困難。\\ | + | |
| - | 由於認證行為是交給LDAP Server,RestAPI Web層只負責forwarding;而Digest Auth中的密碼會被根據Http Request種類、密碼等等內容一起MD5 encoding過。如果無法取得明文,除非LDAP Server允許接受一樣的方式。 | + | |
| - | ===== OpenLDAP with SSL/TLS ===== | + | |
| - | 我參考了[[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|此篇]]教學產生certification file與設定,結果一直無法正常連線。於是透過以下command打開debug mode: | + | |
| - | <code bash> | + | |
| - | /usr/sbin/slapd -d 1 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d | + | |
| - | </code> | + | |
| - | 出現以下錯誤訊息: | + | |
| - | <code> | + | |
| - | 56f10002 slap_listener_activate(10): | + | |
| - | 56f10002 >>> slap_listener(ldaps://) | + | |
| - | 56f10002 connection_get(19): got connid=1001 | + | |
| - | 56f10002 connection_read(19): checking for input on id=1001 | + | |
| - | TLS: can't accept: Could not negotiate a supported cipher suite.. | + | |
| - | 56f10002 connection_read(19): TLS accept failure error=-1 id=1001, closing | + | |
| - | 56f10002 connection_close: conn=1001 sd=19 | + | |
| - | </code> | + | |
| - | 最後試出在Ubuntu 14.04下的slapd,可以參考[[http://mindref.blogspot.tw/2010/12/debian-openldap-ssl-tls-encryption.html|此篇]]教學做法,將certification file設定給匯進去。 | + | |
| - | ===== SunCertPathBuilderException ===== | + | |
| - | <code bash> | + | |
| - | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | + | |
| - | </code> | + | |
| - | 參考[[http://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail|此篇]]教學,執行以下command將root ca給匯入到Java keystore中,changeit是預設密碼,如果要用記得要改: | + | |
| - | <code bash> | + | |
| - | keytool -importcert -trustcacerts -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -noprompt -alias tonytest -file /etc/ldap/ssl/rootca.crt | + | |
| - | Certificate was added to keystore | + | |
| - | </code> | + | |
| - | 列出現有的ca: | + | |
| - | <code bash> | + | |
| - | keytool -list -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit | + | |
| - | </code> | + | |
| - | 查看看測試的ca: | + | |
| - | <code bash> | + | |
| - | ./keytool -list -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit | grep tony | + | |
| - | tonytest, Mar 23, 2016, trustedCertEntry, | + | |
| - | </code> | + | |
| - | 刪除測試的ca: | + | |
| - | <code bash> | + | |
| - | ./keytool -delete -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -alias tonytest | + | |
| - | </code> | + | |
| - | ===== TLS already started ===== | + | |
| - | http://www.openldap.org/faq/data/cache/1063.html | + | |
| - | ===== Reference ===== | + | |
| - | ==== Auth & Security ==== | + | |
| - | * [[https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html|Authentication Mechanisms of JNDI]] | + | |
| - | * [[http://www.tech-faq.com/ldap-security-issues.html|LDAP security issues]] | + | |
| - | * [[http://www.openldap.org/doc/admin24/sasl.html|OpenLDAP - SASL]] | + | |
| - | ==== OpenLDAP ==== | + | |
| - | * [[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|Setup SSL/TLS on OpenLDAP server]] | + | |
