Packages
# Install the LDAP proxy (slapd) and the reverse proxy (nginx) on the DMZ host.
apt install --yes slapd nginx
DMZSRV (DMZ host: slapd LDAP proxy in front of intsrv, nginx TLS reverse proxy)
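# Fetch the proxy's server certificate/key (ldap.crt, ldap.key), the private
# root CA and the issuing sub-CA from the CA host first: the connectivity
# checks below go over ldaps:// and, unless the private root CA is already in
# the system bundle, ldapsearch would refuse the backend certificate before
# root-ca.crt is on this box. Remote globs are quoted so the remote shell
# expands them, not the local one.
cd /etc/ldap
scp '10.0.0.1:/ca/certs/ldap*' /etc/ldap
scp 10.0.0.1:/etc/ssl/root-ca.crt /etc/ldap
scp 10.0.0.1:/ca/cacert.pem /etc/ldap/subca.crt
# Chain the server presents: leaf first, then the issuing sub-CA.
cat subca.crt >> ldap.crt
# ldap.key is a private key; scp keeps the source mode, which may be
# world-readable. Ownership is fixed after slapd.conf is written.
chmod 600 ldap.key
# Sanity-check the administrator credentials against the internal AD/LDAP
# server, verifying its certificate with the private root CA. -W prompts for
# the password so it never lands in shell history or `ps` output; the second
# call also walks the whole suffix.
LDAPTLS_CACERT=/etc/ldap/root-ca.crt ldapsearch -x -D "cn=administrator,cn=users,dc=skill39,dc=local" -H ldaps://intsrv.skill39.local -W
LDAPTLS_CACERT=/etc/ldap/root-ca.crt ldapsearch -x -D "cn=administrator,cn=users,dc=skill39,dc=local" -H ldaps://intsrv.skill39.local -W -b "dc=skill39,dc=local"
# Start from the shipped example and trim it down to the proxy setup below.
cp /usr/share/doc/slapd/examples/slapd.conf /etc/ldap
vi slapd.conf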
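### vi ###
# /etc/ldap/slapd.conf -- slapd as an LDAP proxy (back-ldap) in front of
# intsrv.skill39.local. Only whole-line "#" comments are allowed in this file
# (a trailing "# ..." after a directive is passed to it as extra arguments),
# and global directives must precede the first backend/database section, so
# the TLS settings for the ldaps:// listener live up here.
loglevel stats

# Server-side TLS for the listener. ldap.crt must already carry the sub-CA
# appended (cat subca.crt >> ldap.crt) so clients trusting only root-ca.crt
# can build the chain.
TLSCACertificateFile /etc/ldap/root-ca.crt
TLSCertificateFile /etc/ldap/ldap.crt
TLSCertificateKeyFile /etc/ldap/ldap.key

# added -- the original read "moudleload", which slapd rejects as unknown
moduleload back_ldap
backend ldap

database ldap
protocol-version 3
# Remember the client's own bind credentials so the proxy can rebind as that
# user if the backend connection drops or a referral is chased.
rebind-as-user
uri "ldaps://intsrv.skill39.local:636"
suffix "dc=skill39,dc=local"
rootdn "cn=administrator,cn=users,dc=skill39,dc=local"
# Cleartext password: keep this file mode 0640 owned by openldap, or replace
# the value with a hash generated by slappasswd.
rootpw Skill39**
# Outbound TLS to the backend. tls_cacert is a parameter of the "tls"
# directive, not a directive of its own; tls_reqcert=demand makes the proxy
# fail closed if the backend certificate does not chain to root-ca.crt.
tls ldaps tls_cacert=/etc/ldap/root-ca.crt tls_reqcert=demand
# Identity assertion (spelling fixed: "authzFrom"). "dn:*" is meant to allow
# every local identity to be proxied with the administrator bind below, and
# mode=none sends no proxyAuthz control, so the backend sees those operations
# as administrator -- narrow the pattern if not every client that can bind
# here should inherit those rights. Indented lines continue the directive.
idassert-authzFrom "dn:*"
idassert-bind bindmethod=simple
  binddn="CN=administrator,CN=Users,DC=skill39,DC=local"
  credentials="Skill39**"
  mode=none
# Everything below this point in the example file is deleted.
### vi ###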
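# slapd runs as openldap and must own the key and config (cwd is /etc/ldap).
# slapd.conf holds the cleartext rootpw and idassert credentials, so take
# group-write and all world access away from it; ldap.conf stays readable for
# the client tools.
chown -R openldap:openldap .
chmod 640 slapd.conf
vi /etc/default/slapd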
### vi ###
# /etc/default/slapd: point the init script at the hand-written slapd.conf
# (instead of cn=config) and pick the listeners.
SLAPD_CONF='/etc/ldap/slapd.conf'
# Plain ldap:// only on loopback, ldaps:// on every interface, ldapi:// for
# local admin tools. The commented variant would expose cleartext LDAP on all
# interfaces.
SLAPD_SERVICES='ldap://127.0.0.1:389/ ldaps:/// ldapi:///'
# SLAPD_SERVICES="ldap:/// ldapi:///"
### vi ###
# Confirm something is listening on the ldaps port (636), then set up the
# client defaults (cwd is still /etc/ldap).
ss -ln | grep -F 636
vi ldap.conf
### vi ###
# /etc/ldap/ldap.conf: defaults for ldapsearch & co. on this host.
BASE dc=skill39,dc=local
# Go through the local proxy over ldaps, by the name that is presumably on
# ldap.crt, rather than straight to intsrv.
URI ldaps://ldap.skill39.local:636
# Verify the proxy's certificate against the private root CA. TLS_REQCERT
# defaults to "demand", so an untrusted certificate aborts the connection.
TLS_CACERT /etc/ldap/root-ca.crt
### vi ###
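# Exercise the ldap.conf defaults with an anonymous search through the proxy.
ldapsearch -x
# --- nginx: certificates ---------------------------------------------------
cd /etc/nginx
mkdir -p ssl
cd ssl
# www.* and wild.* (certificate + key) come from the CA host; the remote
# globs are quoted so the local shell does not try to expand them.
scp '10.0.0.1:/ca/certs/www*' /etc/nginx/ssl
scp '10.0.0.1:/ca/certs/wild*' /etc/nginx/ssl
scp 10.0.0.1:/etc/ssl/root-ca.crt /etc/nginx/ssl
scp 10.0.0.1:/ca/cacert.pem /etc/nginx/ssl/subca.crt
# Chain order for ssl_certificate: leaf, then issuing sub-CA, then root.
cat subca.crt >> www.crt
cat root-ca.crt >> www.crt
cat subca.crt >> wild.crt
cat root-ca.crt >> wild.crt
# Private keys arrive with whatever mode they had on the CA host; nginx loads
# them as root, so nobody else needs read access.
chmod 600 www.key wild.key
# --- nginx: one vhost file per name, cloned from the default site ----------
cd /etc/nginx/sites-available
cp default ca
cp default ocsp
cp default site
cp default www
vi ca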
### vi ###
# ca.skill39.com: plain HTTP only; only these two lines change in the cloned
# default file, the rest presumably stays. Port 80 is deliberate -- CA
# certificate / CRL distribution points are typically fetched before any TLS
# trust exists, so they cannot depend on HTTPS.
listen 80;
server_name ca.skill39.com;
### vi ###
vi ocsp
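### vi ###
# ocsp.skill39.com: forward OCSP requests to the responder on the internal
# server. OCSP is served over plain HTTP by design (responses are signed),
# so no TLS here. Only these lines change in the cloned default file.
listen 80;
server_name ocsp.skill39.com;
location / {
    # proxy_pass takes a bare URL; "<http://...>" fails with "invalid URL prefix".
    proxy_pass http://intsrv.skill39.local:8080;
}
### vi ###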
vi site
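### vi ###
# site.skill39.com: HTTPS front door mapping /<name> to http://<name>.skill39.local/.
# listen 80 default_server;
# listen [::]:80 default_server;
listen 443 ssl;
# wild.crt/wild.key: presumably the wildcard certificate for *.skill39.com,
# with sub-CA and root appended in /etc/nginx/ssl.
ssl_certificate /etc/nginx/ssl/wild.crt;
ssl_certificate_key /etc/nginx/ssl/wild.key;
server_name site.skill39.com;
# A regex location needs the "~" modifier: a plain "location /(.*)" is a
# prefix match on the literal string "/(.*)" and $1 is never set. The capture
# is also limited to one hostname label -- with "(.*)" a request for
# /evil.host/x would be proxied to http://evil.host/x.skill39.local:80/,
# i.e. to any host the resolver knows (SSRF through the request path).
location ~ ^/([A-Za-z0-9-]+)/? {
    # Resolve <name>.skill39.local at request time via the internal DNS.
    resolver 10.0.0.1;
    proxy_pass http://$1.skill39.local:80/;
}
### vi ###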
vi www
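### vi ###
# www.skill39.com: TLS termination in front of the internal www host.
# listen 80 default_server;
# listen [::]:80 default_server;
listen 443 ssl;
# www.crt carries leaf + sub-CA + root after the cat steps in /etc/nginx/ssl.
ssl_certificate /etc/nginx/ssl/www.crt;
ssl_certificate_key /etc/nginx/ssl/www.key;
# OCSP stapling. ssl_stapling_verify needs the issuer chain in
# ssl_trusted_certificate (www.crt already holds sub-CA and root) and a
# resolver, otherwise nginx cannot look up the responder host named in the
# certificate's AIA (presumably ocsp.skill39.com, served by this same nginx).
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/www.crt;
resolver 10.0.0.1;
server_name www.skill39.com;
# "location" requires a URI; a bare "location {" does not parse.
location / {
    # Bare URL: "<http://...>" fails with "invalid URL prefix".
    proxy_pass http://www.skill39.local:80;
}
### vi ###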
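# Enable the four vhosts and drop the default site. -f makes the steps
# idempotent on a re-run.
cd /etc/nginx/sites-enabled/
rm -f default
ln -sf /etc/nginx/sites-available/ca ca
ln -sf /etc/nginx/sites-available/ocsp ocsp
ln -sf /etc/nginx/sites-available/site site
ln -sf /etc/nginx/sites-available/www www
# Validate first: a typo in any vhost would otherwise take nginx down
# entirely on restart.
nginx -t && systemctl restart nginx
# Confirm the HTTPS listener is up.
ss -nl | grep -F 443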