考完期末考了,但因為Blogger真的太難用了,我把文章改寫在CSDN上了,歡迎大家去參考那邊的,但我那邊文章是翻譯成簡體字,所以可能會辛苦一點😰
[OpenBMC] LDAP 设定(三) - LDAPS(LDAP over TLS)_yeiris的博客-CSDN博客
產生憑證(certificate)和金鑰(key)
這邊產生憑證的手把手教學在openbmc 的github上https://github.com/openbmc/docs/blob/master/security/TLS-configuration.md
但有幾個地方需要注意
server certificate 的 cn 要填LDAPS server 的 hostname,不知道LDAP server的hostname可以下已下指令
$ hostname
IRIS001
client certificate 的 cn 我這邊填admin
上傳憑證到LDAPS server上
先產生一個設定檔certinfo.ldif,填入剛剛產生的cert相對位置,$ cat certinfo.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_slapd_key.pem
將cn=config設定導入
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
最後,設定sldap 的參數
vi /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
上傳憑證到BMC上
這可以透過web 或是 redfish,如果透過redfish 就是下以下指令,因為我原本就有certificate,就用replace 而已
CA certificate 上傳 CA-cert.pem
Request URL: https: //{bmcip}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
Request Method: POST
{
"CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDnTCCAoWgAwIBAgIUEZOkf69SVwaLa9l6Tp/gQMJioD4wDQYJKoZIhvcNAQEL\nBQAwXjELMAkGA1UEBhMCVFcxDzANBgNVBAgMBlRhaXdhbjEPMA0GA1UEBwwGVGFp\ncGVpMQ4wDAYDVQQKDAVqYWJpbDEMMAoGA1UECwwDYm1jMQ8wDQYDVQQDDAZUZXN0\nQ0EwHhcNMjExMDIxMDI1NzA4WhcNMjQwNzE3MDI1NzA4WjBeMQswCQYDVQQGEwJU\nVzEPMA0GA1UECAwGVGFpd2FuMQ8wDQYDVQQHDAZUYWlwZWkxDjAMBgNVBAoMBWph\nYmlsMQwwCgYDVQQLDANibWMxDzANBgNVBAMMBlRlc3RDQTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAKK1H9nIzIPHRRfVKPTmr1uwP8c23f/Oi+t1GVP3\nKijL/9KKDGwVf93F7wd1UWoEwWF5Hdfk84IYYe6skA5rh9RMWdQPcE9SVyDWkFTt\n/aMP/Ngl6l3zaqniW9uawa1ywXrEOdwRRpZwaizCVS0OxWaZn7mW9/aloqqTqf2q\nb4KX04x2Rdrnw3FWCnEpGaiaDc76bdeba0yg0/Lq1SFeYYuOYTcTIWOKB9BJyGhw\nD5G++QmwBUNK5s/ENzJZxnywX9yfYaARUURr19fo3pTCNMzBWOewt+PykCLTw0Wt\nmRvWpFwaIUgLaClrKkXh+9GcuEJUIRItpu06n/2nYtMAlhcCAwEAAaNTMFEwHQYD\nVR0OBBYEFPdM+K8hgEdU8/4rrFD5cjAjEgGDMB8GA1UdIwQYMBaAFPdM+K8hgEdU\n8/4rrFD5cjAjEgGDMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAExEwJ1JD98pu5TW0aMi0L6mBMIayBaq68K9cJhB1xfA33buQIk54cOK7FXd9sBp\n+KY39vHNuYMp+J9tg/mqxS3d3/v5IcOvg96hRcHcPczWUmanNJuX29GZSoVkjMTF\n564EIfC6r0u9jbavlJsU5RuL7WSOgolvLa42PM44ShqfNIaKAi6hQzIVShhcG1UM\nulW1Ai6+Ih7yKeLVtkVTaDgSXODCTAPnXZI5qxWVWu/BU2CkllahdZ2Pna6mlvPv\n42po4X2MlBAGvy0ShwTxWA3QYqj1A87HpNjSqYLIwLWTE8S1+csWwgLGTMXpve0k\ncRgNpwA/3NURwmCvGs8yUyg=\n-----END CERTIFICATE-----\n",
"CertificateType": "PEM",
"CertificateUri": {
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1"
}
}
LDAPS certificate 上傳 client-cert.pem 和 client-key.pem 的合併檔案
可以手動合併或下指令
Request URL: https: //{bmcip}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
Request Method: POST
{
"CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDrTCCApWgAwIBAgIUPJjMDmZ/Kn44kdLol7NaAoDyFAYwDQYJKoZIhvcNAQEL\nBQAwXjELMAkGA1UEBhMCVFcxDzANBgNVBAgMBlRhaXdhbjEPMA0GA1UEBwwGVGFp\ncGVpMQ4wDAYDVQQKDAVqYWJpbDEMMAoGA1UECwwDYm1jMQ8wDQYDVQQDDAZUZXN0\nQ0EwHhcNMjExMDIxMDI1ODIwWhcNMjIxMDIxMDI1ODIwWjBdMQswCQYDVQQGEwJU\nVzEPMA0GA1UECAwGVGFpd2FuMQ8wDQYDVQQHDAZUYWlwZWkxDjAMBgNVBAoMBWph\nYmlsMQwwCgYDVQQLDANibWMxDjAMBgNVBAMMBWFkbWluMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAhpU78FV7loXU7uwT2fgMqVNrVac6OA80SoOxwCWO\nOR8WL3Z7R51ZIBgDe2WcC1mQGNO8ymt0YvcZInWJGPKlrSSIxGTcgPh36ZUx8WZw\nDjC05LaOoyPa/av/snkmsWHKCWd4tXALltb7fs+agaNPThBE8gqI7L6QvBExQgZf\nRaBLPZ6lizyb+ovEYOzY/wPh4VCYSCz+41eOEHxSno6hN4X8h7dGJwYRTMAt+Dys\nrCBIpTvKSJvRkVhh8SgEr4EV+izSEelbCMJZg3uv2aeabxpWYK7x4L4r8OWfQi2P\ndW5SkAUFjg6/tf16ZaOFUY4Ro3NxA1D49nxJhkLP8aBU+wIDAQABo2QwYjALBgNV\nHQ8EBAMCA4gwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU90z4ryGA\nR1Tz/iusUPlyMCMSAYMwHQYDVR0OBBYEFMlmWZNjqmmMNFfGJRXvEfxDCL5jMA0G\nCSqGSIb3DQEBCwUAA4IBAQCYBY3cY78GmOqTbKByGXBwar5Nb7O6xYeQb/f3fJAJ\nJYLI5jZnKWbixo4P6jl34+21WGxivT2GxFC4m9qdB8YBkbhvtk5dpMynoGmKrC9d\nn+OamBUuHC8yw6zrGywauD1XLnwy+eUULg51gOFvvM4XVqg44pRwzGwnzvGSmGDq\n2vAD5KWglcJ9d0nMLRlCW70bZbgG46ifRJvDxATp69HL2aS1tpwA2xJz1akkCzn8\nHzfZD02D1xIpAOTIf5pevZakhBsdZKiJeobkyoVCI1/L3mJX/4PFIyxbVr5AchO6\nQXmVeNx5LQ09afIVI/FlQcf4EWtza/E8DAl4vO31NuFA\n-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCGlTvwVXuWhdTu\n7BPZ+AypU2tVpzo4DzRKg7HAJY45HxYvdntHnVkgGAN7ZZwLWZAY07zKa3Ri9xki\ndYkY8qWtJIjEZNyA+HfplTHxZnAOMLTkto6jI9r9q/+yeSaxYcoJZ3i1cAuW1vt+\nz5qBo09OEETyCojsvpC8ETFCBl9FoEs9nqWLPJv6i8Rg7Nj/A+HhUJhILP7jV44Q\nfFKejqE3hfyHt0YnBhFMwC34PKysIEilO8pIm9GRWGHxKASvgRX6LNIR6VsIwlmD\ne6/Zp5pvGlZgrvHgvivw5Z9CLY91blKQBQWODr+1/Xplo4VRjhGjc3EDUPj2fEmG\nQs/xoFT7AgMBAAECggEACYYwkMmdCesu15TU/D5Lkxc6tWm0ux0I6Ygzpd/0zS/r\nXTnNFFxtg+Qju4Po1erJ5k2a3jLsZ21lqAki6pL9cURwjIBcOQ7lkGcpn0rfojlz\nMFnQcwvbwe/Zgc6E70MbcoftaQNk1Ef+G1NjGCX5BSUJLS+TPqZnO+I/TcvvN/S7\ncL+jP+9mTZ+U4ZsuGtW7T3yw3JpgAZ2jdNt5VB4sXilk1246btl/7kYeJqYEeK/K\nsLYJ+t4JhjBIq1Wpeblj2YHLfpSKxCdooBFiO+Pks5misk4Q1Y7ikvgMAKfKbmnm\nyrm9MN4yZ9ALKQAIBjz5YDjmvK8lbLg2xpJmoe30MQKBgQC9L9efhFTX2VWdpE+D\ngvVty3a8ZxvasG4PN9HCFlRrD+wfhAkU7DIJM6tfZoWkCo9txirBB2NTTUwIT/i8\n6Jb9ctZMdfHx0520vwxHdo3AduqE/z/RUk7YE3OWcM6AcZ7OxbqW3vkkaN15z5nG\nTORpFiKDW1Kv1lOEyxZ3HLw+sQKBgQC2HLc7u88zvah94/RyZzBtVthwpIW+Ow+6\nL/bZNbMmKh8n+kwKLXJZUjQfoY8en664LAWxxsvuOHerPmcxkwlga64ipNTZrjRL\n2aBc2wN0whY+ytaOCW7wF7MCxkGvYfFQyv2nZ6JSBM3Mss0KNZZNNbL79ZlTAGC4\nBiQLWSZxawKBgDpcXN73mpivkcq8mk7Oglmpb2p1QFF5JaqKJKoD62zPj561Q3vx\n1Qmjp9UZMlbFbzOE80FyvwA+kxrpWKkl8xYia9tQcx+PkVHlsasF9nqN9JCskQpI\nosvjTD/3cqyK4FuXAZVzGVZTByeBlEVpCPkl++WbsWlO65rGb5q1AZkxAoGAWsS7\nS2mTn+1jAsRQvYjTKVxE6vgFtUhI0XtApQjP7zDFcK6fod7/BKglVLK43AGpGyDO\nAcrdMDIy60ZiNuJbpRRmqdvQP2NFq5ygAkgjU9m9LrT49bib881MKxDYAmtl1Ogo\nP302+Xxtex6Pdgw5iug9+rlyH12r120wH/viXlsCgYBtEPGxwQuI7TSHvRi1Z6W0\nKPlEDRFidOWHRlPoqfUegCLgwIHvo6Jo5wDKRtmfDpbZovdDMvuvOM4KID5IeQas\nZkdKqtq2Ik15Tr2HRSiriktZYgO49gVHrfN59xTT1n2XIqBSvXQF3EOJ+7kXutzx\nzAFxrjvZ/QcxoBvCv/AqlA==\n-----END PRIVATE KEY-----\n",
"CertificateType": "PEM",
"CertificateUri": {
"@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1"
}
}
啟用 LDAPS
這邊要注意的是LDAP的server URI 要填hostname: "ldaps://IRIS001"
- 透過Web-vue 設定
- 透過redfish 設定
Request URL: https://{bmcip}/redfish/v1/AccountService
Request Method: PATCH
{
"LDAP": {
"ServiceEnabled": true,
"ServiceAddresses": [
"ldaps://IRIS001"
],
"Authentication": {
"Username": "cn=admin,dc=bmc,dc=com",
"Password": "admin"
},
"LDAPService": {
"SearchSettings": {
"BaseDistinguishedNames": [
"dc=bmc,dc=com"
],
"GroupsAttribute": "gidNumber",
"UsernameAttribute": "uid"
}
}
}
}
BMC端設定完後,就能用LDAPS user 登入BMC了
你有可能會遇到的Bug和解決的方法
當你登入不進去的話,可以下journalctl 來查看error log,如果log太多,可以先清除 journalctl --vacuum-time=1seconds,再測試一次
1. certificate is not yet valid
Jan 01 01:28:15 iris-obmc nslcd[582]: [7b23c6] <passwd="iris"> failed to bind to LDAP server ldaps://10.142.24.34: Can't contact LDAP server: error:1416F086:lib(20):func(367):reason(134) (certificate is not yet valid)
有可能是BMC時間不對,可以發現現在BMC時間是Thu 1970-01-01 01:30:55 UTC
root@iris-obmc:~# timedatectl status
Local time: Thu 1970-01-01 01:30:55 UTC
Universal time: Thu 1970-01-01 01:30:55 UTC
RTC time: n/a
Time zone: UTC (UTC, +0000)
System clock synchronized: no
NTP service: inactive
RTC in local TZ: no
但Server的certificate的Not Before: Oct 21 03:00:20 2021 GMT
$ openssl x509 -in server-cert.pem -text -noout
openssl req -in signingReqClieCertificate:
Data:
Version: 3 (0x2)
Serial Number:
17:31:0f:21:a7:e5:08:03:18:88:5d:6a:32:ac:1d:a8:6b:18:e0:b2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = TW, ST = Taiwan, L = Taipei, O = iris, OU = bmc, CN = TestCA
Validity
Not Before: Oct 21 03:00:20 2021 GMT
Not After : Oct 21 03:00:20 2022 GMT
Subject: C = TW, ST = Taiwan, L = Taipei, O = iris, OU = bmc, CN = TRKBC01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
把BMC時間調回正常的就能解決了
2. hostname does not match name in peer certificate or bad LDAP Server URI
Oct 21 11:31:09 iris-obmc nslcd[582]: [b141f2] <passwd="iris"> failed to bind to LDAP server ldaps://10.142.24.34: Can't contact LDAP server: TLS: hostname does not match name in peer certificate
or
Oct 21 11:31:55 iris-obmc phosphor-ldap-conf[487]: bad LDAP Server URI
Oct 21 11:31:55 iris-obmc phosphor-ldap-conf[487]: Invalid argument was given.
這個是因為BMC的hostname mapping list中沒有 IRIS001 這個item,可以手動加入
root@intel-obmc:/etc# cat hosts
127.0.0.1 localhost.localdomain localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 intel-obmc
196.142.253.189 IRIS001
沒有留言:
張貼留言
注意:只有此網誌的成員可以留言。