1. prereq

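yum -y install openldap-clients openssl-perl
mkdir -p /etc/openldap/cacerts
# -f: an HTTP error (404, 500) fails the download instead of silently saving the
#     error page as the trust anchor; -S: still report that failure under -s.
# The fetch is plain http, so compare the file's fingerprint out of band before
# relying on it as a CA.
curl -sSf http://ldap.d01.net/cacerts/cacert.asc -o /etc/openldap/cacerts/ldap.d01.net-cacert.asc
# TLS_CACERTDIR is looked up by subject hash: re-run after every change to the directory.
c_rehash /etc/openldap/cacerts/
# '>' replaces the whole ldap.conf; any existing URI/BASE lines are lost
# (section 3 writes a complete file).
echo "TLS_CACERTDIR /etc/openldap/cacerts/" > /etc/openldap/ldap.conf
# Both paths are placeholders: the CA is the file fetched above, the server
# certificate is the one printed by openssl s_client (section 5).
openssl verify -CAfile /path/to/ca.pem /path/to/my_ldap_srv_certificate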

2. 389

# Plain LDAP on 389 with a simple bind (-x). -w puts the bind password in argv,
# where ps and the shell history can see it; outside a lab prefer -W (prompt)
# or -y <file>.
ldapsearch -x -LLL -H ldap://ldap.d01.net -D cn=root -w Passw0rd -b ou=groups,dc=d01,dc=net dn
dn: ou=Groups,dc=d01,dc=net

dn: cn=Accounting Managers,ou=Groups,dc=d01,dc=net

dn: cn=HR Managers,ou=Groups,dc=d01,dc=net

dn: cn=QA Managers,ou=Groups,dc=d01,dc=net

dn: cn=PD Managers,ou=Groups,dc=d01,dc=net

dn: cn=usrgroup,ou=Groups,dc=d01,dc=net

dn: cn=admgroup,ou=Groups,dc=d01,dc=net

dn: cn=cidgroup,ou=Groups,dc=d01,dc=net

dn: cn=d01group,ou=Groups,dc=d01,dc=net

2.1. issue StartTLS

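# -x was missing: without it ldapsearch attempts a SASL bind and -D/-w are not a
# simple bind (section 2 has it). -ZZ issues StartTLS and makes its failure
# fatal, which is what produces the ldap_start_tls error below.
ldapsearch -ZZ -x -LLL -h ldap.d01.net -b ou=groups,dc=d01,dc=net -D cn=root -w Passw0rd dn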
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
        (self signed certificate in certificate chain)

cause: /etc/openldap/cacerts/ does not exist, or c_rehash /etc/openldap/cacerts/ was not executed

ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

3. 636

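# Complete client config (URI/BASE/TLS_CACERTDIR) written in one go.
cat > /etc/openldap/ldap.conf <<'EOF'
#
URI ldap://srv002.d01.net/
BASE dc=d01,dc=net
TLS_CACERTDIR /etc/openldap/cacerts/
EOF
mkdir -p ~/etc/openldap
# -f/-S: do not silently store an HTTP error page as the CA. Plain http
# download: compare the fingerprint out of band before trusting it.
curl -sSf http://srv002.d01.net/cacerts/cacert.asc -o ~/etc/openldap/cacert.asc
# TLS_CACERTDIR is a hashed directory (section 1 runs c_rehash for the system
# one); without this step the CA in ~/etc/openldap is not found and the
# ldaps:// connection fails verification.
c_rehash ~/etc/openldap/
# Per-user override of the CA directory.
echo "TLS_CACERTDIR $HOME/etc/openldap/" > ~/.ldaprc
# -x added: simple bind, as in section 2. -w exposes the password in argv;
# prefer -W or -y <file> outside a lab.
ldapsearch -x -LLL -H ldaps://srv002.d01.net -b ou=groups,dc=d01,dc=net -D cn=root -w Passw0rd dn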

4. nmap

# ssl-enum-ciphers lists, per protocol version, the suites the server accepts
# with a strength grade and warnings; in the output below every suite is graded
# C and the two 64-bit block ciphers are flagged (SWEET32). ssl-cert is
# requested as well but its output is not reproduced below.
sudo nmap -p 636 --script ssl-cert,ssl-enum-ciphers srv121
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-21 23:53 CEST
Nmap scan report for srv121 (10.1.1.121)
Host is up (0.00045s latency).
rDNS record for 10.1.1.121: srv121.d01.net

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher DES vulnerable to SWEET32 attack
|_  least strength: C
MAC Address: 08:00:27:00:01:21 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 30.73 seconds

5. openssl

5.1. bad

# TLS 1.2 only. "SSL alert number 40" below is handshake_failure: the server
# aborted before sending any certificate ("no peer certificate available"),
# so this is not a trust problem -- compare 5.2, which completes the handshake
# and fails only on chain verification.
openssl s_client -connect srv002:636 -tls1_2
CONNECTED(00000003)
140183987459904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 202 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1571777258
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

5.2. ok

# "verify error:num=19" below means the self-signed CA (CN = CAcert) is not in
# the store s_client uses; pass -CApath /etc/openldap/cacerts/ (hashed in
# section 1) or -CAfile <ca> to make the verification result meaningful.
# The output also shows the negotiated suite (AES256-SHA).
openssl s_client -connect srv121:636 -tls1_2
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = CAcert
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 CN = CAcert
verify return:1
depth=0 OU = 389 Directory Server, CN = srv121.d01.net
verify return:1
---
Certificate chain
 0 s:OU = 389 Directory Server, CN = srv121.d01.net
   i:CN = CAcert
 1 s:CN = CAcert
   i:CN = CAcert
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=OU = 389 Directory Server, CN = srv121.d01.net

issuer=CN = CAcert

---
Acceptable client certificate CA names
CN = CAcert
Client Certificate Types: RSA sign, ECDSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
---
SSL handshake has read 1645 bytes and written 556 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 032BDA59AEFDE1F7A317F2C39F2BD5A4186EC39573DA6776157598BC89638E94
    Session-ID-ctx:
    Master-Key: 12097C52D70611EE3A400C6898F9079E7D7614FE6AF682123C5D35D3F99F9EB19A2CB91BB1B7B40D1881BDE135CD0387
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1571777336
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---

6. openssl ciphers

# cipher-suite-spec is a placeholder for an OpenSSL cipher-list string (for
# instance the one set in the crypto-policies file named below). -v prints
# protocol, key exchange, authentication, encryption and MAC per suite. The
# TLSv1.3 suites shown are not selected by the cipher string (OpenSSL
# configures those via -ciphersuites), which is why they appear regardless.
openssl ciphers -v cipher-suite-spec
TLS_AES_256_GCM_SHA384          TLSv1.3         Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256    TLSv1.3         Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256          TLSv1.3         Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
/etc/crypto-policies/back-ends/opensslcnf.config

7. nslcd (and not sssd) using port 389

yum -y install nss-pam-ldapd oddjob-mkhomedir
# Plain ldap:// with no ssl/tls_* directives: binds (and the user passwords
# checked through PAM) cross the network in clear. Add `ssl start_tls` and
# `tls_cacertdir` (the directory prepared in section 1) before using this
# outside a lab.
cat > /etc/nslcd.conf <<'EOF'
#
uid nslcd
gid ldap
uri ldap://ldap.d01.net/
base dc=d01,dc=net
base group  ou=groups,dc=d01,dc=net
base passwd ou=users,dc=d01,dc=net
base shadow ou=users,dc=d01,dc=net
EOF
# `cube` is not a standard tool (presumably a local in-place replace helper).
# These lines edit the packaged sssd profile under /usr/share/authselect/default,
# which a package update can overwrite; a custom profile (authselect
# create-profile) would survive that.
cube /usr/share/authselect/default/sssd/password-auth "sss" with "ldap"
cube /usr/share/authselect/default/sssd/system-auth "sss" with "ldap"
cube /usr/share/authselect/default/sssd/nsswitch.conf "sss files" with "files ldap"
cube /usr/share/authselect/default/sssd/fingerprint-auth "sss" with "ldap"
cube /usr/share/authselect/default/sssd/smartcard-auth "sss" with "ldap"
systemctl enable nslcd.service oddjobd.service
systemctl stop   nslcd.service oddjobd.service
systemctl start  nslcd.service oddjobd.service
# --force lets authselect take over configuration it does not currently own;
# its output is discarded.
authselect select sssd with-mkhomedir --force >/dev/null

8. sssd

# nslcd and sssd must not both own the LDAP name service.
if rpm -q --quiet nss-pam-ldapd; then
  yum -y remove nss-pam-ldapd
fi
yum -y install authselect-compat nscd oddjob-mkhomedir openldap-clients openssl-perl sssd
mkdir -p /etc/openldap/cacerts
# Plain http download of the trust anchor: compare its fingerprint out of band
# before trusting it.
wget -nv http://ldap.d01.net/cacerts/cacert.asc -O /etc/openldap/cacerts/ldap.d01.net-cacert.asc
c_rehash /etc/openldap/cacerts/
authselect select sssd
# authconfig here is the authselect-compat wrapper. --disableldaptls is correct
# for an ldaps:// server (that flag controls StartTLS on ldap://). The error
# printed below is the same error:14094410 handshake failure seen in 5.1, i.e.
# most likely a server-side TLS problem rather than a missing CA (a missing CA
# shows up as error:14090086, see 2.1).
authconfig --enableldap --enableldapauth --enablemkhomedir \
  --enablesssd --enablesssdauth --disableldaptls \
  --ldapserver=ldaps://ldap.d01.net:636 --ldapbasedn=dc=d01,dc=net \
  --updateall --nostart
Could not start TLS encryption. error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

9. references