Thursday, October 21, 2021

OpenBMC LDAP Configuration (3) - LDAPS (LDAP over TLS)

I'm done with my finals, but because Blogger is really hard to use, I've rewritten the article on CSDN. You're welcome to read it there, but that version is translated into Simplified Chinese, so it may be a bit harder going 😰

[OpenBMC] LDAP Configuration (3) - LDAPS (LDAP over TLS) - yeiris's blog - CSDN Blog


Generating the certificates and keys

The step-by-step guide for generating the certificates is in OpenBMC's GitHub docs: https://github.com/openbmc/docs/blob/master/security/TLS-configuration.md

There are a few points to watch out for, though.

The CN of the server certificate must be the LDAPS server's hostname. If you don't know the LDAP server's hostname, run the following command on it:

$ hostname
IRIS001

For the client certificate's CN I used admin.


Uploading the certificates to the LDAPS server

First create a configuration file, certinfo.ldif, containing the paths of the certs you just generated:

$ cat certinfo.ldif


dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_slapd_key.pem

Import the cn=config changes:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif

Finally, set the slapd service parameters so that it also listens on ldaps:///:

vi /etc/default/slapd

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///" 


Uploading the certificates to the BMC

This can be done through the web UI or through Redfish. Via Redfish, the requests are as follows; since I already had certificates in place, I only used ReplaceCertificate.

CA certificate: upload CA-cert.pem

Request URL: https://{bmcip}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
Request Method: POST
{
    "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDnTCCAoWgAwIBAgIUEZOkf69SVwaLa9l6Tp/gQMJioD4wDQYJKoZIhvcNAQEL\nBQAwXjELMAkGA1UEBhMCVFcxDzANBgNVBAgMBlRhaXdhbjEPMA0GA1UEBwwGVGFp\ncGVpMQ4wDAYDVQQKDAVqYWJpbDEMMAoGA1UECwwDYm1jMQ8wDQYDVQQDDAZUZXN0\nQ0EwHhcNMjExMDIxMDI1NzA4WhcNMjQwNzE3MDI1NzA4WjBeMQswCQYDVQQGEwJU\nVzEPMA0GA1UECAwGVGFpd2FuMQ8wDQYDVQQHDAZUYWlwZWkxDjAMBgNVBAoMBWph\nYmlsMQwwCgYDVQQLDANibWMxDzANBgNVBAMMBlRlc3RDQTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAKK1H9nIzIPHRRfVKPTmr1uwP8c23f/Oi+t1GVP3\nKijL/9KKDGwVf93F7wd1UWoEwWF5Hdfk84IYYe6skA5rh9RMWdQPcE9SVyDWkFTt\n/aMP/Ngl6l3zaqniW9uawa1ywXrEOdwRRpZwaizCVS0OxWaZn7mW9/aloqqTqf2q\nb4KX04x2Rdrnw3FWCnEpGaiaDc76bdeba0yg0/Lq1SFeYYuOYTcTIWOKB9BJyGhw\nD5G++QmwBUNK5s/ENzJZxnywX9yfYaARUURr19fo3pTCNMzBWOewt+PykCLTw0Wt\nmRvWpFwaIUgLaClrKkXh+9GcuEJUIRItpu06n/2nYtMAlhcCAwEAAaNTMFEwHQYD\nVR0OBBYEFPdM+K8hgEdU8/4rrFD5cjAjEgGDMB8GA1UdIwQYMBaAFPdM+K8hgEdU\n8/4rrFD5cjAjEgGDMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAExEwJ1JD98pu5TW0aMi0L6mBMIayBaq68K9cJhB1xfA33buQIk54cOK7FXd9sBp\n+KY39vHNuYMp+J9tg/mqxS3d3/v5IcOvg96hRcHcPczWUmanNJuX29GZSoVkjMTF\n564EIfC6r0u9jbavlJsU5RuL7WSOgolvLa42PM44ShqfNIaKAi6hQzIVShhcG1UM\nulW1Ai6+Ih7yKeLVtkVTaDgSXODCTAPnXZI5qxWVWu/BU2CkllahdZ2Pna6mlvPv\n42po4X2MlBAGvy0ShwTxWA3QYqj1A87HpNjSqYLIwLWTE8S1+csWwgLGTMXpve0k\ncRgNpwA/3NURwmCvGs8yUyg=\n-----END CERTIFICATE-----\n",
    "CertificateType": "PEM",
    "CertificateUri": {
        "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1"
    }
}

LDAPS certificate: upload a single file that is client-cert.pem followed by client-key.pem

You can concatenate them by hand or with a command:

Request URL: https://{bmcip}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
Request Method: POST
{
    "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDrTCCApWgAwIBAgIUPJjMDmZ/Kn44kdLol7NaAoDyFAYwDQYJKoZIhvcNAQEL\nBQAwXjELMAkGA1UEBhMCVFcxDzANBgNVBAgMBlRhaXdhbjEPMA0GA1UEBwwGVGFp\ncGVpMQ4wDAYDVQQKDAVqYWJpbDEMMAoGA1UECwwDYm1jMQ8wDQYDVQQDDAZUZXN0\nQ0EwHhcNMjExMDIxMDI1ODIwWhcNMjIxMDIxMDI1ODIwWjBdMQswCQYDVQQGEwJU\nVzEPMA0GA1UECAwGVGFpd2FuMQ8wDQYDVQQHDAZUYWlwZWkxDjAMBgNVBAoMBWph\nYmlsMQwwCgYDVQQLDANibWMxDjAMBgNVBAMMBWFkbWluMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAhpU78FV7loXU7uwT2fgMqVNrVac6OA80SoOxwCWO\nOR8WL3Z7R51ZIBgDe2WcC1mQGNO8ymt0YvcZInWJGPKlrSSIxGTcgPh36ZUx8WZw\nDjC05LaOoyPa/av/snkmsWHKCWd4tXALltb7fs+agaNPThBE8gqI7L6QvBExQgZf\nRaBLPZ6lizyb+ovEYOzY/wPh4VCYSCz+41eOEHxSno6hN4X8h7dGJwYRTMAt+Dys\nrCBIpTvKSJvRkVhh8SgEr4EV+izSEelbCMJZg3uv2aeabxpWYK7x4L4r8OWfQi2P\ndW5SkAUFjg6/tf16ZaOFUY4Ro3NxA1D49nxJhkLP8aBU+wIDAQABo2QwYjALBgNV\nHQ8EBAMCA4gwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU90z4ryGA\nR1Tz/iusUPlyMCMSAYMwHQYDVR0OBBYEFMlmWZNjqmmMNFfGJRXvEfxDCL5jMA0G\nCSqGSIb3DQEBCwUAA4IBAQCYBY3cY78GmOqTbKByGXBwar5Nb7O6xYeQb/f3fJAJ\nJYLI5jZnKWbixo4P6jl34+21WGxivT2GxFC4m9qdB8YBkbhvtk5dpMynoGmKrC9d\nn+OamBUuHC8yw6zrGywauD1XLnwy+eUULg51gOFvvM4XVqg44pRwzGwnzvGSmGDq\n2vAD5KWglcJ9d0nMLRlCW70bZbgG46ifRJvDxATp69HL2aS1tpwA2xJz1akkCzn8\nHzfZD02D1xIpAOTIf5pevZakhBsdZKiJeobkyoVCI1/L3mJX/4PFIyxbVr5AchO6\nQXmVeNx5LQ09afIVI/FlQcf4EWtza/E8DAl4vO31NuFA\n-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCGlTvwVXuWhdTu\n7BPZ+AypU2tVpzo4DzRKg7HAJY45HxYvdntHnVkgGAN7ZZwLWZAY07zKa3Ri9xki\ndYkY8qWtJIjEZNyA+HfplTHxZnAOMLTkto6jI9r9q/+yeSaxYcoJZ3i1cAuW1vt+\nz5qBo09OEETyCojsvpC8ETFCBl9FoEs9nqWLPJv6i8Rg7Nj/A+HhUJhILP7jV44Q\nfFKejqE3hfyHt0YnBhFMwC34PKysIEilO8pIm9GRWGHxKASvgRX6LNIR6VsIwlmD\ne6/Zp5pvGlZgrvHgvivw5Z9CLY91blKQBQWODr+1/Xplo4VRjhGjc3EDUPj2fEmG\nQs/xoFT7AgMBAAECggEACYYwkMmdCesu15TU/D5Lkxc6tWm0ux0I6Ygzpd/0zS/r\nXTnNFFxtg+Qju4Po1erJ5k2a3jLsZ21lqAki6pL9cURwjIBcOQ7lkGcpn0rfojlz\nMFnQcwvbwe/Zgc6E70MbcoftaQNk1Ef+G1NjGCX5BSUJLS+TPqZnO+I/TcvvN/S7\ncL+jP+9mTZ+U4ZsuGtW7T3yw3JpgAZ2jdNt5VB4sXilk1246btl/7kYeJqYEeK/K\nsLYJ+t4JhjBIq1Wpeblj2YHLfpSKxCdooBFiO+Pks5misk4Q1Y7ikvgMAKfKbmnm\nyrm9MN4yZ9ALKQAIBjz5YDjmvK8lbLg2xpJmoe30MQKBgQC9L9efhFTX2VWdpE+D\ngvVty3a8ZxvasG4PN9HCFlRrD+wfhAkU7DIJM6tfZoWkCo9txirBB2NTTUwIT/i8\n6Jb9ctZMdfHx0520vwxHdo3AduqE/z/RUk7YE3OWcM6AcZ7OxbqW3vkkaN15z5nG\nTORpFiKDW1Kv1lOEyxZ3HLw+sQKBgQC2HLc7u88zvah94/RyZzBtVthwpIW+Ow+6\nL/bZNbMmKh8n+kwKLXJZUjQfoY8en664LAWxxsvuOHerPmcxkwlga64ipNTZrjRL\n2aBc2wN0whY+ytaOCW7wF7MCxkGvYfFQyv2nZ6JSBM3Mss0KNZZNNbL79ZlTAGC4\nBiQLWSZxawKBgDpcXN73mpivkcq8mk7Oglmpb2p1QFF5JaqKJKoD62zPj561Q3vx\n1Qmjp9UZMlbFbzOE80FyvwA+kxrpWKkl8xYia9tQcx+PkVHlsasF9nqN9JCskQpI\nosvjTD/3cqyK4FuXAZVzGVZTByeBlEVpCPkl++WbsWlO65rGb5q1AZkxAoGAWsS7\nS2mTn+1jAsRQvYjTKVxE6vgFtUhI0XtApQjP7zDFcK6fod7/BKglVLK43AGpGyDO\nAcrdMDIy60ZiNuJbpRRmqdvQP2NFq5ygAkgjU9m9LrT49bib881MKxDYAmtl1Ogo\nP302+Xxtex6Pdgw5iug9+rlyH12r120wH/viXlsCgYBtEPGxwQuI7TSHvRi1Z6W0\nKPlEDRFidOWHRlPoqfUegCLgwIHvo6Jo5wDKRtmfDpbZovdDMvuvOM4KID5IeQas\nZkdKqtq2Ik15Tr2HRSiriktZYgO49gVHrfN59xTT1n2XIqBSvXQF3EOJ+7kXutzx\nzAFxrjvZ/QcxoBvCv/AqlA==\n-----END PRIVATE KEY-----\n",
    "CertificateType": "PEM",
    "CertificateUri": {
        "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1"
    }
}
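The two request bodies above are easy to get wrong by hand, because every newline inside the PEM text has to become a literal \n in the JSON string. The following script is an added example (not code from this post or from OpenBMC) that builds the ReplaceCertificate body from the PEM files produced in the certificate step, refuses a file that is not a clean sequence of PEM blocks, and checks that the CA truststore gets only a certificate while the LDAP client slot gets a certificate followed by its private key. The BMC address and credentials in post_replace_certificate() are placeholders, and the SAMPLE_* PEM texts are constructed stand-ins, not real certificates or keys.

```python
"""Build the Redfish CertificateService.ReplaceCertificate body from PEM files.

Added example, not code from the post or from OpenBMC. Assumes the PEM files
from the certificate step (CA-cert.pem, client-cert.pem, client-key.pem) and
uses the two CertificateUri values from the post; BMC address and credentials
in post_replace_certificate() are placeholders.
"""
import base64
import json
import re
import ssl
import urllib.request

# One PEM block; the BEGIN and END labels must agree (CERTIFICATE, PRIVATE KEY, ...)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----\n", re.S)

# CertificateUri values used in the post
CA_TRUSTSTORE_URI = "/redfish/v1/Managers/bmc/Truststore/Certificates/1"
LDAP_CLIENT_CERT_URI = "/redfish/v1/AccountService/LDAP/Certificates/1"

# Constructed placeholder PEM texts (not real certificates or keys)
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBsampleCERT\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEsampleKEY\n-----END PRIVATE KEY-----\n"


def pem_blocks(text):
    """Split a PEM file's text into (label, block) pairs.

    CRLF line endings are normalised and blank lines dropped, so the result is
    exactly what goes into CertificateString. Anything that is not part of a
    complete PEM block (stray text, a truncated block) raises ValueError."""
    lines = [ln.rstrip() for ln in text.replace("\r\n", "\n").splitlines() if ln.strip()]
    clean = "\n".join(lines) + "\n"
    found = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(clean)]
    if not found or "".join(block for _, block in found) != clean:
        raise ValueError("input is not a clean sequence of PEM blocks")
    return found


def replace_certificate_body(certificate_uri, *pem_texts, expect):
    """Return the dict for CertificateService.ReplaceCertificate.

    pem_texts are concatenated in order (certificate first, then key, like
    `cat client-cert.pem client-key.pem`). `expect` lists the block labels that
    must appear; any "... PRIVATE KEY" label (RSA, EC, PKCS#8) counts as PRIVATE KEY."""
    blocks = [b for text in pem_texts for b in pem_blocks(text)]
    labels = ["PRIVATE KEY" if lbl.endswith("PRIVATE KEY") else lbl for lbl, _ in blocks]
    if labels != list(expect):
        raise ValueError(f"expected PEM blocks {list(expect)}, got {labels}")
    return {
        "CertificateString": "".join(block for _, block in blocks),
        "CertificateType": "PEM",
        "CertificateUri": {"@odata.id": certificate_uri},
    }


def replace_certificate_json(certificate_uri, *pem_texts, expect):
    """Serialise the body; json.dumps produces the escaped newlines seen in the post."""
    body = replace_certificate_body(certificate_uri, *pem_texts, expect=expect)
    return json.dumps(body, indent=4)


def post_replace_certificate(bmc_ip, user, password, body_json, cafile=None):
    """POST the body to the BMC with HTTP Basic auth (placeholders; not run here).

    The TLS context verifies the BMC's own HTTPS certificate; pass cafile when
    the BMC serves a certificate issued by your private CA."""
    url = (f"https://{bmc_ip}/redfish/v1/CertificateService/Actions/"
           "CertificateService.ReplaceCertificate")
    req = urllib.request.Request(url, data=body_json.encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # With the real files: open("client-cert.pem").read(), open("client-key.pem").read()
    print(replace_certificate_json(LDAP_CLIENT_CERT_URI, SAMPLE_CERT, SAMPLE_KEY,
                                   expect=("CERTIFICATE", "PRIVATE KEY")))
```

For the CA upload call replace_certificate_json(CA_TRUSTSTORE_URI, ca_text, expect=("CERTIFICATE",)); the label check is what stops a private key from being pasted into the truststore by mistake.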


Enabling LDAPS

Note that the LDAP server URI must use the hostname: "ldaps://IRIS001"

  1. Configure through the web UI (Web-vue)





  2. Configure through Redfish
    Request URL: https://{bmcip}/redfish/v1/AccountService
    Request Method: PATCH
    {
        "LDAP": {
            "ServiceEnabled": true,
            "ServiceAddresses": [
                "ldaps://IRIS001"
            ],
            "Authentication": {
                "Username": "cn=admin,dc=bmc,dc=com",
                "Password": "admin"
            },
            "LDAPService": {
                "SearchSettings": {
                    "BaseDistinguishedNames": [
                        "dc=bmc,dc=com"
                    ],
                    "GroupsAttribute": "gidNumber",
                    "UsernameAttribute": "uid"
                }
            }
        }
    }

Once the BMC side is configured, you can log in to the BMC as an LDAPS user.




Bugs you may run into and how to fix them

If you cannot log in, run journalctl to look at the error log. If there are too many log entries, clear them first with journalctl --vacuum-time=1seconds and test again.

1. certificate is not yet valid

Jan 01 01:28:15 iris-obmc nslcd[582]: [7b23c6] <passwd="iris"> failed to bind to LDAP server ldaps://10.142.24.34: Can't contact LDAP server: error:1416F086:lib(20):func(367):reason(134) (certificate is not yet valid)

This may be because the BMC's time is wrong; here you can see that the BMC's current time is Thu 1970-01-01 01:30:55 UTC:

root@iris-obmc:~# timedatectl status
               Local time: Thu 1970-01-01 01:30:55 UTC
           Universal time: Thu 1970-01-01 01:30:55 UTC
                 RTC time: n/a
                Time zone: UTC (UTC, +0000)
System clock synchronized: no
              NTP service: inactive
          RTC in local TZ: no

But the server certificate's Not Before is Oct 21 03:00:20 2021 GMT:

$ openssl x509 -in server-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:31:0f:21:a7:e5:08:03:18:88:5d:6a:32:ac:1d:a8:6b:18:e0:b2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = TW, ST = Taiwan, L = Taipei, O = iris, OU = bmc, CN = TestCA
        Validity
            Not Before: Oct 21 03:00:20 2021 GMT
            Not After : Oct 21 03:00:20 2022 GMT
        Subject: C = TW, ST = Taiwan, L = Taipei, O = iris, OU = bmc, CN = TRKBC01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

Setting the BMC time back to the correct time resolves it.
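The quickest way to confirm this case is to compare the BMC clock with the certificate's validity window rather than reading the dates by eye. The script below is an added example (not code from this post or from OpenBMC) that parses the `timedatectl status` and `openssl x509 -text -noout` output exactly as shown above, reports whether the BMC clock is before, inside or after the window and by how much, and also flags that the clock is not NTP-synchronised. The sample texts are constructed from the values in the post; TIMEDATECTL_FIXED is an assumed output after the clock was corrected.

```python
"""Compare the BMC clock with the LDAP server certificate's validity window.

Added example, not code from the post or from OpenBMC. Parses the text of
`timedatectl status` and `openssl x509 -text -noout`; the sample texts are
constructed from the post's values, TIMEDATECTL_FIXED is an assumed corrected clock.
"""
import re
from datetime import datetime, timezone

# Constructed from the post's output (BMC clock still at the 1970 epoch)
TIMEDATECTL_BAD = """\
               Local time: Thu 1970-01-01 01:30:55 UTC
           Universal time: Thu 1970-01-01 01:30:55 UTC
                 RTC time: n/a
                Time zone: UTC (UTC, +0000)
System clock synchronized: no
              NTP service: inactive
          RTC in local TZ: no
"""
# Assumed output after the clock was corrected (not from the post)
TIMEDATECTL_FIXED = TIMEDATECTL_BAD.replace("1970-01-01 01:30:55", "2021-10-21 11:00:00")

# Validity section of the server certificate as printed in the post
OPENSSL_TEXT = """\
        Validity
            Not Before: Oct 21 03:00:20 2021 GMT
            Not After : Oct 21 03:00:20 2022 GMT
        Subject: C = TW, ST = Taiwan, L = Taipei, O = iris, OU = bmc, CN = TRKBC01
"""

# The nslcd line from the post's journal
JOURNAL_LINE = ('Jan 01 01:28:15 iris-obmc nslcd[582]: [7b23c6] <passwd="iris"> failed to bind '
                "to LDAP server ldaps://10.142.24.34: Can't contact LDAP server: "
                'error:1416F086:lib(20):func(367):reason(134) (certificate is not yet valid)')


def parse_openssl_date(text):
    """'Oct 21 03:00:20 2021 GMT' -> timezone-aware UTC datetime (openssl prints GMT)."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def cert_validity(openssl_text):
    """Return (not_before, not_after) from `openssl x509 -text` output."""
    not_before = re.search(r"Not Before\s*:\s*(.+)", openssl_text).group(1)
    not_after = re.search(r"Not After\s*:\s*(.+)", openssl_text).group(1)
    return parse_openssl_date(not_before), parse_openssl_date(not_after)


def bmc_clock(timedatectl_text):
    """Read the 'Universal time' line, which timedatectl always prints in UTC."""
    m = re.search(r"Universal time:\s*\w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC",
                  timedatectl_text)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def clock_synced(timedatectl_text):
    """True when systemd reports the clock as NTP-synchronised."""
    return re.search(r"System clock synchronized:\s*yes", timedatectl_text) is not None


def diagnose(timedatectl_text, openssl_text):
    """Return (status, delta): status is 'not yet valid', 'expired' or 'valid';
    delta is how far the BMC clock is outside the window (or the time left in it)."""
    now = bmc_clock(timedatectl_text)
    not_before, not_after = cert_validity(openssl_text)
    if now < not_before:
        return "not yet valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "valid", not_after - now


def nslcd_reports_not_yet_valid(journal_text):
    """True if nslcd logged OpenSSL's 'certificate is not yet valid' reason."""
    return "(certificate is not yet valid)" in journal_text


if __name__ == "__main__":
    status, delta = diagnose(TIMEDATECTL_BAD, OPENSSL_TEXT)
    print(f"BMC clock vs server certificate: {status} (off by {delta.days} days)")
    if status != "valid" and not clock_synced(TIMEDATECTL_BAD):
        print("clock is not NTP-synchronised: set the BMC time (or enable NTP) and retry")
```

The same check catches the mirror-image failure, an expired certificate, which is what the post's one-year client certificate will turn into after Oct 21 2022.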


2. hostname does not match name in peer certificate, or bad LDAP Server URI

Oct 21 11:31:09 iris-obmc nslcd[582]: [b141f2] <passwd="iris"> failed to bind to LDAP server ldaps://10.142.24.34: Can't contact LDAP server: TLS: hostname does not match name in peer certificate

or

Oct 21 11:31:55 iris-obmc phosphor-ldap-conf[487]: bad LDAP Server URI
Oct 21 11:31:55 iris-obmc phosphor-ldap-conf[487]: Invalid argument was given.

This is because the BMC's hostname mapping list (/etc/hosts) has no entry for IRIS001; you can add one manually:

root@intel-obmc:/etc# cat hosts
127.0.0.1       localhost.localdomain           localhost
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 intel-obmc
196.142.253.189 IRIS001
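Both failures in this section, and the "use the hostname in the URI" note in the LDAPS-enabling step, come down to the same two conditions on the ServiceAddresses value: it must be an ldaps:// URI whose host is the name in the server certificate's CN rather than an IP, and the BMC must be able to resolve that name. The script below is an added example (not code from this post or from OpenBMC) that runs those checks against the contents of /etc/hosts before building the AccountService PATCH body from the earlier step. The hosts text is constructed from the post; the bind DN, base DN and attribute names are the post's values.

```python
"""Pre-flight checks for the LDAP ServiceAddresses value before the PATCH to
/redfish/v1/AccountService.

Added example, not code from the post or from OpenBMC. The URI must be
ldaps:// with the hostname from the server certificate's CN (not an IP), and
that hostname must resolve on the BMC, here via an /etc/hosts entry. Hosts
text constructed from the post; bind DN and base DN are the post's values.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed /etc/hosts text including the mapping the post adds
HOSTS_OK = """\
127.0.0.1       localhost.localdomain           localhost
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
127.0.1.1 intel-obmc
196.142.253.189 IRIS001
"""
# The same file before the IRIS001 line was added
HOSTS_MISSING = HOSTS_OK.replace("196.142.253.189 IRIS001\n", "")

SERVER_CERT_CN = "IRIS001"   # CN of the LDAPS server certificate in the post


def parse_hosts(text):
    """Map each hostname in an /etc/hosts text to its address.
    Names are lower-cased because the resolver matches them case-insensitively."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hostnames = line.split()
        for name in hostnames:
            names.setdefault(name.lower(), addr)   # first entry wins, as in the resolver
    return names


def check_ldap_uri(uri, cert_cn, hosts_text):
    """Return a list of problems with the LDAP server URI; an empty list means it passes."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "ldaps":
        problems.append(f"scheme {parts.scheme!r}: use ldaps:// for LDAP over TLS")
    host = parts.hostname          # urlsplit lower-cases the host and strips any :port
    if not host:
        problems.append("no host in URI")
        return problems
    try:
        ipaddress.ip_address(host)
        problems.append(f"{host} is an IP literal; TLS checks the peer name against CN {cert_cn}")
    except ValueError:
        pass                       # not an IP literal, which is what we want
    if host != cert_cn.lower():
        problems.append(f"host {host} does not match certificate CN {cert_cn}")
    if host not in parse_hosts(hosts_text):
        problems.append(f"{host} has no /etc/hosts entry; add '<ldap-server-ip> {cert_cn}'")
    return problems


def ldap_patch_body(uri, bind_dn, bind_password, base_dn, cert_cn, hosts_text):
    """Build the AccountService PATCH body shown in the post, refusing a URI
    that fails the checks above."""
    problems = check_ldap_uri(uri, cert_cn, hosts_text)
    if problems:
        raise ValueError("; ".join(problems))
    return {"LDAP": {
        "ServiceEnabled": True,
        "ServiceAddresses": [uri],
        "Authentication": {"Username": bind_dn, "Password": bind_password},
        "LDAPService": {"SearchSettings": {
            "BaseDistinguishedNames": [base_dn],
            "GroupsAttribute": "gidNumber",
            "UsernameAttribute": "uid",
        }},
    }}


if __name__ == "__main__":
    for candidate in ("ldaps://IRIS001", "ldaps://10.142.24.34", "ldap://IRIS001"):
        print(candidate, "->", check_ldap_uri(candidate, SERVER_CERT_CN, HOSTS_OK) or "ok")
```

On a real BMC, feed it open("/etc/hosts").read() (or the output of `cat /etc/hosts` from the post) and the CN printed by `openssl x509 -noout -subject`; if the name is served by DNS rather than /etc/hosts, replace the parse_hosts lookup with a socket.getaddrinfo call on the BMC itself.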


