[OpenDJ] Setup 02: Enabling LDAPS

OpenDJ

Introduction

This post continues the earlier setup notes in this series.

There was little information to go on, and I could not find a write-up on enabling LDAPS, so I got there by trial and error. I hope this helps anyone who wants OpenDJ to talk over LDAPS as well.

The certificate problem

For a test environment the usual advice is "just use a self-signed certificate". But ldapsearch would not succeed, and I got stuck for a while. I found advice saying that making the OS trust the self-signed certificate would fix it, but that did not work for me. In the end I burned time on something unrelated to the actual setup. (In a browser you can simply ignore the warning and proceed.)

If you can get a certificate from Let's Encrypt, nothing beats that. If you own a domain you control, I recommend using it. No matter how many times I ran the commands to trust the self-signed certificate on Linux, ldapsearch kept failing, so installing a publicly trusted certificate was faster than getting stuck on something unrelated to building the LDAP server.

Note: I plan to write up how to issue a certificate with Let's Encrypt if I get the chance.

Setup

Storing and preparing the certificate

So the steps below start from the point where the certificate has been created on another server and the files have been placed under /tmp on the OpenDJ host.

We use the private key (privkey.pem) and certificate chain (fullchain.pem) shown below. They were issued on another server, stored in /tmp/, and copied under /opt/opendj/.

[root@opendj01 config]# cp /tmp/privkey.pem /tmp/fullchain.pem /opt/opendj/config/.

Check the contents under /opt/opendj.

[root@opendj01 config]# ll  /opt/opendj/config/
total 4448
drwxr-xr-x 2 root root     168 Feb 21 00:28 MakeLDIF
-rw------- 1 root root    2212 Feb 21 00:28 admin-backend.ldif
-rw-r--r-- 1 root root     999 Feb 21 00:28 admin-backend.ldif.old
-rw-r--r-- 1 root root    2160 Feb 21 00:29 admin-keystore
-rw------- 1 root root      51 Feb 21 00:29 admin-keystore.pin
-rw-r--r-- 1 root root     871 Feb 21 00:29 admin-truststore
-rw-r--r-- 1 root root    2905 Feb 21 00:28 ads-truststore
-rw------- 1 root root      51 Feb 21 00:28 ads-truststore.pin
drwxr-xr-x 2 root root    4096 Feb 21 00:28 archived-configs
drwxr-xr-x 2 root root    4096 Feb 21 00:28 audit-handlers
-rw-r--r-- 1 root root      47 Feb 21 00:28 buildinfo
-rw------- 1 root root   70281 Feb 21 00:28 config.ldif
-rw-r--r-- 1 root root   70281 Feb 21 00:29 config.ldif.startok
-rw-r--r-- 1 root root    2884 Feb 21 00:46 fullchain.pem
-rw-r--r-- 1 root root    4290 Feb 21 00:28 java.properties
drwxr-xr-x 2 root root    4096 Feb 21 00:28 messages
-rw-r--r-- 1 root root     241 Feb 21 00:46 privkey.pem
drwxr-xr-x 3 root root      23 Feb 21 00:28 rest2ldap
drwxr-xr-x 2 root root    4096 Feb 21 00:28 schema
drwxr-xr-x 3 root root      22 Feb 21 00:28 snmp
-rw------- 1 root root     572 Feb 21 00:29 tasks.ldif
-rw-r--r-- 1 root root    1712 Feb 21 00:28 tools.properties
drwxr-xr-x 2 root root      66 Feb 21 00:28 upgrade
-rw-r--r-- 1 root root 4330722 Feb 21 00:28 wordlist.txt

Convert the key and certificate into PKCS#12 format with the following command.

openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out opendj.p12 -name "opendj" -passout pass:changeit

Next, create a file named "keystore".

keytool -importkeystore -srckeystore opendj.p12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype JKS -srcstorepass changeit -deststorepass changeit

The output is shown below. Using changeit as the password is not recommended, but since this is a test setup, please forgive it.

[root@opendj01 config]# keytool -importkeystore -srckeystore opendj.p12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype JKS -srcstorepass changeit -deststorepass changeit
Importing keystore opendj.p12 to keystore...
Entry for alias opendj successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12".

Checking the contents

The part to check is the "Alias name: opendj" line. We will need it later, because the ssl-cert-nickname value must match it.

keytool -list -v -keystore keystore -storetype PKCS12 -storepass "changeit"

The result is as follows.

[root@opendj01 config]# keytool -list -v -keystore keystore -storetype PKCS12 -storepass "changeit"
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: opendj
...(omitted)
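Before moving on, here is an added example that is not part of the original post: a script that does the PEM-to-keystore preparation above and checks two things that matter before the dsconfig steps. First, that privkey.pem is readable by its owner only (the ll listing above shows it as -rw-r--r--, so any local user could read the key). Second, that the alias stored in the PKCS#12 file is exactly the value ssl-cert-nickname will be set to later. It generates a throwaway self-signed key and certificate in place of privkey.pem/fullchain.pem, so it runs anywhere openssl is installed; the keytool step runs only when keytool is on the PATH, and there it also builds the truststore from the certificate alone instead of copying the keystore. The CN opendj01.example.test and the temporary directory are constructed; opendj and changeit are the article's alias and password.

```shell
#!/bin/sh
# Added example, not from the article: prepare the keystore material and
# check it before touching dsconfig. Needs openssl; keytool is optional.
# "opendj" and "changeit" are the article's alias and password; the CN and
# the generated key pair are constructed stand-ins for the real files.

# Create a constructed self-signed key and certificate in directory $1,
# standing in for the privkey.pem / fullchain.pem issued on another host.
make_test_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=opendj01.example.test" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Return 0 only if file $1 is readable by its owner alone (mode 600 or 400).
# The article's listing shows privkey.pem as -rw-r--r--, i.e. world-readable.
key_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Bundle key and chain from directory $1 into $1/opendj.p12 under alias $2
# with password $3. The -name value is what ssl-cert-nickname must equal.
to_pkcs12() {
  openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
    -out "$1/opendj.p12" -name "$2" -passout "pass:$3"
}

# Print the alias (friendlyName) stored in PKCS#12 file $1 (password $2)
# without writing the private key anywhere (-nokeys).
pkcs12_alias() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Optional keytool step, as in the article, plus a truststore that holds only
# the certificate rather than a copy of the keystore (which carries the
# private key). Prints the keystore aliases; skipped if keytool is absent.
import_with_keytool() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipped"; return 0; }
  keytool -importkeystore -noprompt -srckeystore "$1/opendj.p12" -srcstoretype PKCS12 \
    -destkeystore "$1/keystore" -deststoretype JKS \
    -srcstorepass "$2" -deststorepass "$2" >/dev/null 2>&1 || true
  keytool -importcert -noprompt -alias opendj-ca -file "$1/fullchain.pem" \
    -keystore "$1/truststore" -storepass "$2" >/dev/null 2>&1 || true
  keytool -list -keystore "$1/keystore" -storepass "$2" 2>/dev/null | sed -n 's/,.*//p'
}

# Run the whole preparation in a temporary directory; prints the alias
# found in the PKCS#12 file, which is what ssl-cert-nickname will be set to.
prepare_demo() {
  dir=$(mktemp -d)
  make_test_pem "$dir"
  chmod 600 "$dir/privkey.pem"
  key_is_private "$dir/privkey.pem" || { echo "privkey.pem is readable by others" >&2; return 1; }
  to_pkcs12 "$dir" opendj changeit
  pkcs12_alias "$dir/opendj.p12" changeit
  import_with_keytool "$dir" changeit >/dev/null
  rm -rf "$dir"
}
prepare_demo
```

With real files, copy them into the directory instead of calling make_test_pem and keep the same checks; if key_is_private fails, chmod 600 privkey.pem before converting, and use the printed alias for ssl-cert-nickname.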

Preparing for LDAPS

Enabling JKS

Some groundwork is needed before enabling LDAPS. Run the command below, replacing the password and other values with what you specified at installation.

/opt/opendj/bin/dsconfig set-key-manager-provider-prop \
  --provider-name "JKS" \
  --hostname opendj01.lab.ricecake24book.com \
  --bindDN "cn=Directory Manager" \
  --bindPassword "orange1234!" \
  --port 4444

Here is the output. Once the command connects, you are first asked whether to trust the server certificate; choose 2.

[root@opendj01 config]# /opt/opendj/bin/dsconfig set-key-manager-provider-prop \
  --provider-name "JKS" \
  --hostname opendj01.lab.ricecake24book.com \
  --bindDN "cn=Directory Manager" \
  --bindPassword "orange1234!" \
  --port 4444

Server Certificate:

User DN  : CN=opendj01, O=Administration Connector RSA Self-Signed Certificate
Validity : From 'Fri Feb 21 00:29:43 JST 2025'
             To 'Thu Feb 16 00:29:43 JST 2045'
Issuer   : CN=opendj01, O=Administration Connector RSA Self-Signed Certificate



Do you trust this server certificate?

  1) No
  2) Yes, for this session only
  3) Yes, also add it to a truststore
  4) View certificate details

Enter choice: [2]: 2

As shown below, the current settings are listed and you are asked what to change.
Item 2) already points at config/keystore. No PIN is set, and since keystore.pin was not created, we set one here.
We want to change 3) key-store-pin, so enter 3 and press Enter.

>>>> Configure the properties of the JKS

        Property                            Value(s)
        -------------------------------------------------------
    1)  enabled                             false
    2)  key-store-file                      config/keystore
    3)  key-store-pin                       -
    4)  key-store-pin-environment-variable  -
    5)  key-store-pin-file                  config/keystore.pin
    6)  key-store-pin-property              -
    7)  key-store-type                      JKS

    ?)  help
    f)  finish - apply any changes to the JKS
    q)  quit

Enter choice [f]: 3

A description is shown first; since we want to change the value, choose 2.

>>>> Configuring the "key-store-pin" property

    Specifies the clear-text PIN needed to access the File Based Key Manager
    Provider .

    Syntax:  STRING

Do you want to modify the "key-store-pin" property?

    1)  Leave undefined
    2)  Change the value

    ?)  help
    q)  quit

Enter choice [1]: 2

Set it to changeit.

Enter a value for the "key-store-pin" property [continue]: changeit

Press RETURN to continue changeit

Finish editing by choosing f.

>>>> Configure the properties of the JKS

        Property                            Value(s)
        ---------------------------------------------------------------
    1)  enabled                             true
    2)  key-store-file                      /opt/opendj/config/keystore
    3)  key-store-pin                       changeit
    4)  key-store-pin-environment-variable  -
    5)  key-store-pin-file                  config/keystore.pin
    6)  key-store-pin-property              -
    7)  key-store-type                      JKS

    ?)  help
    f)  finish - apply any changes to the JKS
    q)  quit

Enter choice [f]: f

The File Based Key Manager Provider was modified successfully

Thinking "right, now let's enable LDAPS!", I tried the LDAPS-enabling steps described later and got the following message.

The referenced Trust Manager Provider called "JKS" must be enabled so that it
can be used with this LDAP Connection Handler. Do you want to enable it? (yes
/ no) [yes]: 

It seems the trust-manager-provider needs to be configured as well.
Since it is required for OpenDJ's first TLS connection, for now I simply copied the keystore to a file named "truststore" and reused it.

What does OpenDJ's trust-manager-provider do?

I asked ChatGPT. Its answer:
"OpenDJ's trust-manager-provider is the setting responsible for verifying TLS/SSL certificates (managing trust).
When OpenDJ communicates over SSL/TLS with external LDAP servers or clients, it verifies the peer's certificate and decides whether it can be trusted."
So that is what it is for.

Enabling the trust-manager-provider

Run the following command.

/opt/opendj/bin/dsconfig set-trust-manager-provider-prop \
  --provider-name "JKS" \
  --set enabled:true \
  --set trust-store-file:/opt/opendj/config/truststore \
  --hostname opendj01.lab.ricecake24book.com \
  --bindDN "cn=Directory Manager" \
  --bindPassword "orange1234!" \
  --port 4444 

The output follows. It is the same flow as before, so I will skip the detailed explanation.

[root@opendj01 config]# /opt/opendj/bin/dsconfig set-trust-manager-provider-prop \
  --provider-name "JKS" \
  --set enabled:true \
  --set trust-store-file:/opt/opendj/config/truststore \
  --hostname opendj01.lab.ricecake24book.com \
  --bindDN "cn=Directory Manager" \
  --bindPassword "orange1234!" \
  --port 4444

Server Certificate:

User DN  : CN=opendj01, O=Administration Connector RSA Self-Signed Certificate
Validity : From 'Fri Feb 21 00:29:43 JST 2025'
             To 'Thu Feb 16 00:29:43 JST 2045'
Issuer   : CN=opendj01, O=Administration Connector RSA Self-Signed Certificate



Do you trust this server certificate?

  1) No
  2) Yes, for this session only
  3) Yes, also add it to a truststore
  4) View certificate details

Enter choice: [2]: 2



>>>> Configure the properties of the JKS

        Property                              Value(s)
        -------------------------------------------------------------------
    1)  enabled                               true
    2)  trust-store-file                      /opt/opendj/config/truststore
    3)  trust-store-pin                       -
    4)  trust-store-pin-environment-variable  -
    5)  trust-store-pin-file                  -
    6)  trust-store-pin-property              -
    7)  trust-store-type                      JKS

    ?)  help
    f)  finish - apply any changes to the JKS
    q)  quit

Enter choice [f]: 3


>>>> Configuring the "trust-store-pin" property

    Specifies the clear-text PIN needed to access the File Based Trust Manager
    Provider .

    Syntax:  STRING

Do you want to modify the "trust-store-pin" property?

    1)  Leave undefined
    2)  Change the value

    ?)  help
    q)  quit

Enter choice [1]: 2


Enter a value for the "trust-store-pin" property [continue]: changeit

Press RETURN to continue changeit


>>>> Configure the properties of the JKS

        Property                              Value(s)
        -------------------------------------------------------------------
    1)  enabled                               true
    2)  trust-store-file                      /opt/opendj/config/truststore
    3)  trust-store-pin                       changeit
    4)  trust-store-pin-environment-variable  -
    5)  trust-store-pin-file                  -
    6)  trust-store-pin-property              -
    7)  trust-store-type                      JKS

    ?)  help
    f)  finish - apply any changes to the JKS
    q)  quit

Enter choice [f]: f

The File Based Trust Manager Provider was modified successfully

Enabling LDAPS

It took a while, but now we finally enable LDAPS.

/opt/opendj/bin/dsconfig set-connection-handler-prop \
  --handler-name "LDAPS Connection Handler" \
  --set enabled:true \
  --set use-ssl:true \
  --hostname opendj01.lab.ricecake24book.com \
  --bindDN "cn=Directory Manager" \
  --bindPassword "orange1234!" \
  --port 4444

The output is below; the flow is the same as before. We change item 10).

[root@opendj01 config]# /opt/opendj/bin/dsconfig set-connection-handler-prop \
  --handler-name "LDAPS Connection Handler" \
  --set enabled:true \
  --set use-ssl:true \
  --hostname opendj01.lab.ricecake24book.com \
  --bindDN "cn=Directory Manager" \
  --bindPassword "orange1234!" \
  --port 4444

Server Certificate:

User DN  : CN=opendj01, O=Administration Connector RSA Self-Signed Certificate
Validity : From 'Fri Feb 21 00:29:43 JST 2025'
             To 'Thu Feb 16 00:29:43 JST 2045'
Issuer   : CN=opendj01, O=Administration Connector RSA Self-Signed Certificate



Do you trust this server certificate?

  1) No
  2) Yes, for this session only
  3) Yes, also add it to a truststore
  4) View certificate details

Enter choice: [2]: 2



>>>> Configure the properties of the LDAPS Connection Handler

         Property                Value(s)
         ----------------------------------------------------------------------
    1)   allow-ldap-v2           true
    2)   allow-start-tls         false
    3)   allowed-client          All clients with addresses that do not match
                                 an address on the deny list are allowed. If
                                 there is no deny list, then all clients are
                                 allowed.
    4)   denied-client           If an allow list is specified, then only
                                 clients with addresses on the allow list are
                                 allowed. Otherwise, all clients are allowed.
    5)   enabled                 true
    6)   keep-stats              true
    7)   key-manager-provider    JKS
    8)   listen-address          0.0.0.0
    9)   listen-port             636
    10)  ssl-cert-nickname       server-cert
    11)  ssl-cipher-suite        Uses the default set of SSL cipher suites
                                 provided by the server's JVM.
    12)  ssl-client-auth-policy  optional
    13)  ssl-protocol            Uses the default set of SSL protocols provided
                                 by the server's JVM.
    14)  trust-manager-provider  JKS
    15)  use-ssl                 true

    ?)   help
    f)   finish - apply any changes to the LDAPS Connection Handler
    q)   quit

Enter choice [f]: 10

"10) ssl-cert-nickname server-cert" must match the alias in the keystore, so we set it to "opendj". The log is below; just follow the prompts and it goes through without trouble.

>>>> Configuring the "ssl-cert-nickname" property

    Specifies the nicknames (also called the aliases) of the keys or key pairs
    that the LDAP Connection Handler should use when performing SSL
    communication. The property can be used multiple times (referencing
    different nicknames) when server certificates with different public key
    algorithms are used in parallel (for example, RSA, DSA, and ECC-based
    algorithms). When a nickname refers to an asymmetric (public/private) key
    pair, the nickname for the public key certificate and associated private
    key entry must match exactly. A single nickname is used to retrieve both
    the public key and the private key.

    This is only applicable when the LDAP Connection Handler is configured to
    use SSL.

    Syntax:  STRING

Do you want to modify the "ssl-cert-nickname" property?

    1)  Keep the value: server-cert
    2)  Add one or more values
    3)  Remove one or more values
    4)  Reset to the default behavior: Let the server decide.

    ?)  help
    q)  quit

Enter choice [1]: 2


Enter another value for the "ssl-cert-nickname" property [continue]: opendj

>>>> Configuring the "ssl-cert-nickname" property (Continued)

The "ssl-cert-nickname" property has the following values:

    *)  opendj
    *)  server-cert

Do you want to modify the "ssl-cert-nickname" property?

    1)  Use these values
    2)  Add one or more values
    3)  Remove one or more values
    4)  Reset to the default behavior: Let the server decide.
    5)  Revert changes

    ?)  help
    q)  quit

Enter choice [1]: 3

Select the values you wish to remove:

    1)  opendj
    2)  server-cert

    ?)  help
    c)  cancel
    q)  quit

Enter one or more choices separated by commas [c]: 2

Press RETURN to continue


>>>> Configuring the "ssl-cert-nickname" property (Continued)

Do you want to modify the "ssl-cert-nickname" property?

    1)  Use the value: opendj
    2)  Add one or more values
    3)  Remove one or more values
    4)  Reset to the default behavior: Let the server decide.
    5)  Revert changes

    ?)  help
    q)  quit

Enter choice [1]: 1

Press RETURN to continue

Item 10) now shows opendj. Finish editing.

>>>> Configure the properties of the LDAPS Connection Handler

         Property                Value(s)
         ----------------------------------------------------------------------
    1)   allow-ldap-v2           true
    2)   allow-start-tls         false
    3)   allowed-client          All clients with addresses that do not match
                                 an address on the deny list are allowed. If
                                 there is no deny list, then all clients are
                                 allowed.
    4)   denied-client           If an allow list is specified, then only
                                 clients with addresses on the allow list are
                                 allowed. Otherwise, all clients are allowed.
    5)   enabled                 true
    6)   keep-stats              true
    7)   key-manager-provider    JKS
    8)   listen-address          0.0.0.0
    9)   listen-port             636
    10)  ssl-cert-nickname       opendj
    11)  ssl-cipher-suite        Uses the default set of SSL cipher suites
                                 provided by the server's JVM.
    12)  ssl-client-auth-policy  optional
    13)  ssl-protocol            Uses the default set of SSL protocols provided
                                 by the server's JVM.
    14)  trust-manager-provider  JKS
    15)  use-ssl                 true

    ?)   help
    f)   finish - apply any changes to the LDAPS Connection Handler
    q)   quit

Enter choice [f]: f
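As an added example, not from the original post, here are the three interactive dsconfig sessions above reduced to one script. It keeps the PINs in config/keystore.pin and config/truststore.pin (the key-store-pin-file and trust-store-pin-file properties shown in the menus) instead of a clear-text key-store-pin, reads the Directory Manager password from a file via --bindPasswordFile rather than passing it with --bindPassword on the command line (where it lands in shell history and process listings), and sets ssl-cert-nickname with a single --set, which replaces the default server-cert so the separate remove step is not needed. The DJ and DJ_HOST variables, the bind.pw path and the global options --no-prompt, --trustAll and --bindPasswordFile are assumptions to check against dsconfig --help for your OpenDJ version; the provider and handler names, property names and port 4444 are the ones in the output above.

```shell
#!/bin/sh
# Added example, not from the article: the same three dsconfig changes done
# non-interactively. DJ (instance directory), DJ_HOST (administration
# connector host) and $DJ/config/bind.pw (Directory Manager password, mode
# 0600) are assumptions; --no-prompt, --trustAll and --bindPasswordFile are
# dsconfig global options, to be checked against your version's --help.
DJ="${DJ:-/opt/opendj}"
DJ_HOST="${DJ_HOST:-opendj01.lab.ricecake24book.com}"

# Write secret $2 into file $1 readable by the owner only. The umask is set
# in a subshell so the caller's umask is untouched; an existing file is
# removed first so its old mode cannot survive. Returns 0 on success.
write_pin_file() {
  ( umask 077 && rm -f "$1" && printf '%s\n' "$2" > "$1" ) || return 1
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run one dsconfig subcommand with the shared connection options.
# --trustAll is the non-interactive equivalent of answering "2" to the
# administration connector certificate prompt seen in the article.
ds() {
  "$DJ/bin/dsconfig" "$@" \
    --hostname "$DJ_HOST" --port 4444 \
    --bindDN "cn=Directory Manager" --bindPasswordFile "$DJ/config/bind.pw" \
    --no-prompt --trustAll
}

# Enable the JKS key manager, the JKS trust manager and the LDAPS handler,
# with PIN $2 stored in config/keystore.pin and config/truststore.pin and
# the handler using alias $1. --set replaces the multi-valued
# ssl-cert-nickname outright, so server-cert does not need removing.
# Returns 2 without changing anything if dsconfig is not found under $DJ.
configure_ldaps() {
  [ -x "$DJ/bin/dsconfig" ] || { echo "no dsconfig under $DJ, nothing applied" >&2; return 2; }
  write_pin_file "$DJ/config/keystore.pin"   "$2" || return 1
  write_pin_file "$DJ/config/truststore.pin" "$2" || return 1
  ds set-key-manager-provider-prop --provider-name JKS \
     --set enabled:true --set key-store-pin-file:config/keystore.pin
  ds set-trust-manager-provider-prop --provider-name JKS \
     --set enabled:true --set trust-store-file:"$DJ/config/truststore" \
     --set trust-store-pin-file:config/truststore.pin
  ds set-connection-handler-prop --handler-name "LDAPS Connection Handler" \
     --set enabled:true --set use-ssl:true --set ssl-cert-nickname:"$1"
}

configure_ldaps opendj changeit   # then restart with stop-ds / start-ds
```

The script returns 2 and changes nothing when dsconfig is not found under $DJ, so it can be dry-run on a machine without OpenDJ. Restart the server with stop-ds / start-ds afterwards, as in the next section.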

Verifying startup

Restart the service.

[root@opendj01 config]# stop-ds
Stopping Server...
[21/Feb/2025:01:11:37 +0900] category=PROTOCOL severity=NOTICE msgID=277 msg=Stopped listening for new connections on LDAPS Connection Handler 0.0.0.0 port 636
[21/Feb/2025:01:11:40 +0900] category=BACKEND severity=NOTICE msgID=370 msg=The backend userRoot is now taken offline
[21/Feb/2025:01:11:40 +0900] category=CORE severity=NOTICE msgID=203 msg=The Directory Server is now stopped
[root@opendj01 config]#
[root@opendj01 config]# start-ds
[21/Feb/2025:01:11:46 +0900] category=com.forgerock.opendj.ldap.config.config severity=NOTICE msgID=571 msg=Loaded extension from file '/opt/opendj/lib/extensions/snmp-mib2605.jar' (build 4.4.11, revision 3f83673674c969142b03322d2f27a6f4c474e309)
[21/Feb/2025:01:11:46 +0900] category=CORE severity=NOTICE msgID=134 msg=OpenDJ Server 4.4.11 (build 20210621115558, revision number 3f83673674c969142b03322d2f27a6f4c474e309) starting up
[21/Feb/2025:01:11:47 +0900] category=JVM severity=NOTICE msgID=21 msg=Installation Directory:  /opt/opendj
[21/Feb/2025:01:11:47 +0900] category=JVM severity=NOTICE msgID=23 msg=Instance Directory:      /opt/opendj
[21/Feb/2025:01:11:47 +0900] category=JVM severity=NOTICE msgID=17 msg=JVM Information: 11.0.25+9-LTS by Red Hat, Inc., 64-bit architecture, 441974784 bytes heap size
[21/Feb/2025:01:11:47 +0900] category=JVM severity=NOTICE msgID=18 msg=JVM Host: opendj01.lab.ricecake24book.com, running Linux 5.14.0-503.22.1.el9_5.x86_64 amd64, 1826500608 bytes physical memory size, number of processors available 2
[21/Feb/2025:01:11:47 +0900] category=JVM severity=NOTICE msgID=19 msg=JVM Arguments: "-Dorg.opends.server.scriptName=start-ds"
[21/Feb/2025:01:11:47 +0900] category=BACKEND severity=NOTICE msgID=513 msg=The database backend userRoot containing 1 entries has started
[21/Feb/2025:01:11:48 +0900] category=EXTENSIONS severity=NOTICE msgID=221 msg=DIGEST-MD5 SASL mechanism using a server fully qualified domain name of: opendj01
[21/Feb/2025:01:11:48 +0900] category=CORE severity=NOTICE msgID=135 msg=The Directory Server has started successfully
[21/Feb/2025:01:11:48 +0900] category=CORE severity=NOTICE msgID=139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID org.opends.messages.core-135): The Directory Server has started successfully
[21/Feb/2025:01:11:48 +0900] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 1389
[21/Feb/2025:01:11:48 +0900] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on Administration Connector 0.0.0.0 port 4444
[21/Feb/2025:01:11:48 +0900] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on LDAPS Connection Handler 0.0.0.0 port 636

[root@opendj01 config]# netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0     52 172.16.1.32:22          172.16.1.10:64274       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::1389                 :::*                    LISTEN
tcp6       0      0 :::4444                 :::*                    LISTEN
tcp6       0      0 :::636                  :::*                    LISTEN

As the netstat output shows, port 1389 is in LISTEN state.

Verifying LDAPS communication

Let's try ldapsearch, specifying LDAPS.

ldapsearch -H "ldap://opendj01.lab.ricecake24book.com:1389" -D "cn=Directory Manager" -w "orange1234!" -b "dc=lab,dc=ricecake24book,dc=com" "(objectClass=*)"

The result is as follows.

[root@ldap-client01 ~]# ldapsearch -H "ldap://opendj01.lab.ricecake24book.com:1389" -D "cn=Directory Manager" -w "orange1234!" -b "dc=lab,dc=ricecake24book,dc=com" "(objectClass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=lab,dc=ricecake24book,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# lab.ricecake24book.com
dn: dc=lab,dc=ricecake24book,dc=com
objectClass: top
objectClass: domain
dc: lab

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

It works. That completes the setup. I hope this is of help to someone.
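The ldapsearch above uses ldap:// and port 1389, so it goes through the plain LDAP handler rather than the LDAPS handler that was just enabled on 636 (netstat shows both listening). The script below is an added example and not part of the original post; it serves both the certificate problem described at the start and this verification step. Its first part reproduces the self-signed problem offline: it starts a local TLS server with a constructed self-signed certificate and shows that a client verifies the connection only when that certificate is supplied as the trust anchor (-CAfile), not with the default trust store. Its second part is the check for a real server: a TLS handshake on port 636, then ldapsearch over ldaps:// with the CA file passed through LDAPTLS_CACERT, the per-command form of TLS_CACERT in the OpenLDAP client's ldap.conf, which is not necessarily the OS trust store; it only runs when ldapsearch is installed. The host name, base DN and port are the article's; the CN opendj01.example.test, the local port and the temporary directory are constructed.

```shell
#!/bin/sh
# Added example, not from the article. Part 1 (selfsigned_demo) needs only
# openssl and runs offline against a local throwaway server; part 2
# (ldaps_check) is the check to run against the real OpenDJ host.
# The CN and the local port chosen below are constructed.

# Constructed self-signed key and certificate in directory $1, standing in
# for a lab server's self-signed certificate.
make_test_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=opendj01.example.test" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Start a TLS server on 127.0.0.1:$2 with the cert in $1 and wait until it
# accepts connections (up to ~10 s). Sets TLS_SERVER_PID. -www keeps the
# server from reading stdin, so it survives being started from a script.
start_tls_server() {
  openssl s_server -accept "127.0.0.1:$2" -cert "$1/fullchain.pem" \
    -key "$1/privkey.pem" -www </dev/null >/dev/null 2>&1 &
  TLS_SERVER_PID=$!
  i=0
  until openssl s_client -connect "127.0.0.1:$2" </dev/null >/dev/null 2>&1 \
        || [ "$i" -ge 10 ]; do i=$((i + 1)); sleep 1; done
}

# Return 0 only if a TLS handshake to $1:$2 verifies the server certificate.
# $3 is a CA bundle to trust; empty means the default (OS) trust store.
tls_verifies() {
  ca=""
  if [ -n "$3" ]; then ca="-CAfile $3"; fi    # $ca is word-split on purpose
  openssl s_client -connect "$1:$2" $ca </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Reproduce the article's self-signed problem offline: the handshake is
# rejected with the default trust store and verified once the certificate
# itself is supplied as the trust anchor. $1 is an optional port.
selfsigned_demo() {
  dir=$(mktemp -d)
  port=${1:-$((20000 + $$ % 20000))}
  make_test_pem "$dir"
  start_tls_server "$dir" "$port"
  if tls_verifies 127.0.0.1 "$port" ""; then r1=verified; else r1=rejected; fi
  if tls_verifies 127.0.0.1 "$port" "$dir/fullchain.pem"; then r2=verified; else r2=rejected; fi
  kill "$TLS_SERVER_PID" 2>/dev/null || true
  wait "$TLS_SERVER_PID" 2>/dev/null || true
  rm -rf "$dir"
  echo "without CA: $r1, with CA: $r2"
}

# LDAPS check for a real server $1 with CA bundle $2: verify the handshake
# on 636, then bind and read the base entry over ldaps://. LDAPTLS_CACERT
# is the per-command form of TLS_CACERT in ldap.conf; -W prompts for the
# password instead of taking it on the command line. Returns 2 if no
# ldapsearch is installed.
ldaps_check() {
  tls_verifies "$1" 636 "$2" || { echo "certificate of $1:636 not verified with $2" >&2; return 1; }
  command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 2; }
  LDAPTLS_CACERT="$2" ldapsearch -H "ldaps://$1:636" -x -W \
    -D "cn=Directory Manager" -b "dc=lab,dc=ricecake24book,dc=com" -s base "(objectClass=*)"
}

selfsigned_demo   # prints: without CA: rejected, with CA: verified
```

For the lab server, run ldaps_check opendj01.lab.ricecake24book.com /path/to/ca.pem, where ca.pem is the issuing CA for a Let's Encrypt certificate or the server certificate itself for a self-signed one; the handshake step failing while the ldap:// search on 1389 succeeds is the symptom described at the beginning of the post.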