
<HTML
><HEAD
><TITLE
>SSL/TLS $B$H!"(BSSL/TLS $B$N(B LDAP $BMQ%i%C%Q(B</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.54"><LINK
REL="HOME"
TITLE="LDAP Implementation HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="LDAP $B$K$h$k%G%8%?%k>ZL@=q$NH/9T(B"
HREF="certificates.html"><LINK
REL="NEXT"
TITLE="$B%;%-%e%j%F%#4XO"(B"
HREF="security.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>LDAP Implementation HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="certificates.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="security.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="SSL"
>10. SSL/TLS $B$H!"(BSSL/TLS $B$N(B LDAP $BMQ%i%C%Q(B</A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN870"
>10.1. SSL $B$N4JC1$J@bL@(B</A
></H2
><P
>Secure Socket Layer (SSL) $B$O%Q!<%F%#4V$N%;%-%e%"$J(B
$BE>Aw7PO)$rDs6!$9$k%"%W%j%1!<%7%g%s%l%$%d%W%m%H%3%k$G$9!#(B
HTTP, LDAP, SMTP $BEy!9$N%"%W%j%1!<%7%g%s%l%Y%k$N%W%m%H%3%k$H(B
TCP/IP $B$H$N4V$r$H$j$b$D$b$N$G!"(B
$B8x3+800E9f%7%9%F%`(B ($B<o!9$N0E9f2=J}K!$,MxMQ2DG=(B) $B$H(B
X.509 $B>ZL@J}<0$K4p$E$$$F$$$^$9!#(B</P
><P
>SSL $B$O$b$H$b$H(B Netscape $B$N%W%m%H%3%k$G$7$?$,!"(B
$B=y!9$KI8=`E*$J$b$N$H$J$j!"(B
$B:#$G$O(B TLS (Transport Layer Security) $B$H8F$P$l$k$b$N$K$J$j$^$7$?!#(B
$B0lHLE*$K(B SSL/TLS $B$H$7$F8@5Z$5$l$^$9!#(B</P
><P
>SSL/TLS $B%W%m%H%3%k$O0J2<$N5!G=$rDs6!$7$^$9!#(B</P
><P
></P
><UL
><LI
><P
>$B%G!<%?$N0E9f2=(B $B!=(B $B%/%i%$%"%s%H!?%5!<%P4V$N(B
$B%;%C%7%g%s$,0E9f2=$5$l$^$9!#(B</P
></LI
><LI
><P
>$B%5!<%PG'>Z(B $B!=(B $B%/%i%$%"%s%HB&$+$i!"%5!<%P$,(B
$BK\J*$+$I$&$+$r8!>Z$9$k$3$H$,$G$-$^$9!#(B</P
></LI
><LI
><P
>$B%a%C%;!<%840A4@-(B $B!=(B $B%G!<%?$OE>AwCf$K<j$r2C$($i$l$^$;$s!#(B
$B$3$l$O!V(Bman in the middle$B!W967b(B<A
NAME="AEN882"
HREF="#FTN.AEN882"
>[1]</A
>$B$rKI;_$7$^$9!#(B</P
></LI
><LI
><P
>$B%/%i%$%"%s%HG'>Z(B $B!=(B $B%5!<%P$O%/%i%$%"%s%H$,(B
$BK\J*$+$I$&$+8!>Z$G$-$^$9!#(B</P
></LI
></UL
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN886"
>10.2. OpenLDAP $B$N(B SSL/TLS $B%5%]!<%H(B</A
></H2
><P
>LDAP V3 $B$N%D!<%k%-%C%H$G$"$k(B OpenLDAP 2.0.x $B$+$i$O!"(B
$B%5!<%P$K$h$C$F(B SSL/TLS $B%5%]!<%H$,Hw$($i$l$F$$$^$9!#(B
$B$?$@$7(B SSL/TLS $B$rDI2C$9$k$?$a$K$O!"(BOpenLDAP 2.0.x $B$,(B OpenSSL
$B$N%i%$%V%i%j$r;H$C$F%3%s%Q%$%k$5$l$kI,MW$,$"$j$^$9!#(B
$B$^$?!"(B2.0.x $B$K$O(B Start-TLS $B$N%5%]!<%H$b$"$j$^$9!#(B</P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>Start-TLS $B$O!"%/%i%$%"%s%H$,MW5a$7$?$H$-$@$1(B
TLS $B$rM-8z$K$9$k$3$H$,$G$-$k$h$&$K$7$^$9!#$3$NJ}K!$@$H!"C1FH$N(B
LDAP $B%]!<%H$r%;%-%e%"$J@\B3$H$=$&$G$J$$@\B3$NN>J}$K;H$&$3$H$,2DG=$G$9!#(B</P
></BLOCKQUOTE
></DIV
><P
>OpenLDAP 1.2.x $B$O$=$l$H$O0[$J$j(B
LDAP V2 $B%W%m%H%3%k$K$h$k<BAu$G$"$j!"(BSSL/TLS $B$rHw$($F$$$^$;$s!#(B</P
><P
>OpenLDAP 2.0.x $B>e$N(B SSL/TLS $B$K4X$7$F$O(B OpenLDAP $B$N%&%'%V%5%$%H$K(B
$B2ACM$"$k>pJs$,$"$j$^$9$N$G!"$3$3$G$O(B SSL/TLS $B$KBP1~$7$F$$$J$$(B LDAP $B%Q!<%F%#$r(B
SSL $B%H%s%M%k$r;H$C$F%;%-%e%"$K$9$kJ}K!$K>GE@$r9g$o$;$k$3$H$K$7$^$9!#(B</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN893"
>10.3. stunnel $B$r;H$C$F(B LDAP V2 $B%5!<%P$K(B SSL/TLS $B$rDs6!$9$kJ}K!(B</A
></H2
><P
>OpenLDAP 1.2.x $B$r;H$C$F$$$k$J$i$P!"%5!<%P$K(B SSL $B5!G=$r(B
$BDI2C$9$k$?$a$K$OHFMQ(B SSL $B%i%C%Q$,I,MW$K$J$j$^$9!#(Bstunnel (<A
HREF="http://www.stunnel.org"
TARGET="_top"
>www.stunnel.org</A
>) $B$O(B
$B0BDj$7$F$$$F!"$3$NL\E*$KE,$7$F$$$^$9!#(B</P
><P
>stunnel $B$N%$%s%9%H!<%k$O$H$F$b4JC1$G$9$,!"$O$8$a$K(B OpenSSL
(<A
HREF="http://www.OpenSSL.org"
TARGET="_top"
>www.OpenSSL.org</A
>)
$B$r%$%s%9%H!<%k$7$F!"I,MW$J%i%$%V%i%j$H%D!<%k$rMQ0U$7$J$/$F$O$J$j$^$;$s!#(B</P
><P
>OpenSSL $B$H$O(B SSL $B%W%m%H%3%k$N%*!<%W%s%=!<%9$K$h$k<BAu$G$"$j!"(B
SSL $B$N%i%$%V%i%j$H0E9f%D!<%k0l<0$rHw$($F$$$^$9!#(B</P
><P
>OpenSSL $B$r%$%s%9%H!<%k$9$k$K$O(B
$B<!$N%3%^%s%I$rF~NO$7$J$/$F$O$J$j$^$;$s!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: this builds OpenSSL from source and installs it as root
     ("# make install"). The download step is not shown; check the tarball's
     published signature or checksum before running ./config, since the
     library built here terminates every TLS connection set up later in
     this section. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>$ ./config
$ make
$ make test
# make install</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>$B$U$D$&$O!"$9$Y$F(B <TT
CLASS="FILENAME"
>/usr/local/ssl</TT
> $BFb$K(B
$B%$%s%9%H!<%k$5$l$k$3$H$K$J$j$^$9!#(B</P
><P
>OpenSSL $B$,@5$7$/%$%s%9%H!<%k$5$l$F$$$l$P!"(Bstunnel $B$r%3%s%Q%$%k$7$F(B
$B%$%s%9%H!<%k$9$k$?$a$KF~NO$,I,MW$J$N$O!"<!$N%3%^%s%I$@$1$G$9!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: as with OpenSSL, verify the stunnel source archive before
     building, and note that the stunnel invocations later in this section
     (-d, -r, -c, -p, -D, -f) are stunnel 3.x command-line syntax; newer
     stunnel releases are driven by a configuration file instead, so the
     examples need translating for those versions. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>$ ./configure
$ make
# make install</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>stunnel $B$O(B SSL $B$K%5!<%P>ZL@=q$r;H$$$^$9!#(B
$B$3$l$O<+8J=pL>$N>ZL@=q(B (self signed certificate) $B$G$b$h$$$N$G$9$,!"(B
$B$5$i$KNI$$$N$O<+J,$NG'>Z6I(B (Certification Authority) $B$K$h$C$F=pL>$5$l$?(B
$B>ZL@=q$G$9(B (SSL $B%/%i%$%"%s%H$b$=$N(B CA $B$r?.MQ$7$F$$$J$/$F$O$J$j$^$;$s$,(B)$B!#(B</P
><P
>$B$=$N$h$&$J>ZL@=q$N!"0lHLE*$KMQ$$$i$l$kJ]4I>l=j$O$3$3$G$9!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: although it lives under certs/, this file is not just a
     certificate; the openssl command shown below writes the private key into
     the same stunnel.pem (-keyout) and appends DH parameters to it. Restrict
     its permissions to the account that runs stunnel rather than leaving it
     readable like the public certificates around it. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>/usr/local/ssl/certs/stunnel.pem</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>$B$b$7G'>Z6I$N(B
$BM-L5$r5$$K$7$J$$$N$G$"$l$P!"(B
OpenSSL $B%;%C%H$K$h$C$FDs6!$5$l$k%D!<%k$r;H$C$F!"(B
$B<+8J=pL>$N>ZL@=q$r:n@.$G$-$^$9!#(B</P
><P
>stunnel $B$N%G%#%l%/%H%jFb$N(B <TT
CLASS="FILENAME"
>stunnel.cnf</TT
>
$B$H$$$&@_Dj%U%!%$%k$r;H$&$?$a!"$=$N%G%#%l%/%H%j$G!"<!$N%3%^%s%I$r(B
$BF~NO$7$F$/$@$5$$!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: -keyout and -out point at the same file, and -nodes leaves
     the private key unencrypted, so stunnel.pem ends up holding a plaintext
     private key and must be readable only by the account that runs stunnel.
     The certificate is self-signed (-x509) and valid for 365 days, so clients
     have to be given it to trust explicitly and it needs renewing before it
     expires. "openssl gendh 512" produces 512-bit Diffie-Hellman parameters,
     far below what current TLS implementations accept; treat that size as
     historical and use a value at or above current guidance when reproducing
     this step. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 &#62;&#62; stunnel.pem</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>$B$3$l$K$h$C$F!"<+8J=pL>$K$h$k0lG/4VM-8z$J>ZL@=q$,(B
<TT
CLASS="FILENAME"
>stunnel.pem</TT
> $B%U%!%$%k$NCf$K:n@.$5$l$^$9!#(B</P
><P
>stunnel $B$,%$%s%9%H!<%k$5$l$?$i!"$^$::G=i$K<!$N$h$&$K$7$F(B
LDAP $B%5!<%P$r(B 389 $BHV$N%]!<%H(B ($B%G%U%)%k%H$N(B LDAP $B%]!<%H(B) $B>e$K(B
$B5/F0$7$F$/$@$5$$!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: slapd started this way keeps serving plaintext LDAP on
     port 389; the stunnel listener added next only provides a second,
     encrypted entry point and does not close the first. If the intent is that
     clients use LDAPS only, filter 389 at the host firewall or bind it to the
     loopback address so that only the local stunnel can reach it. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
># /usr/local/libexec/slapd</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>$B$=$l$+$i<!$N$h$&$K(B 636 $BHV$N(B (LDAPS $B%/%i%$%"%s%H$K$h$C$F(B
$B;HMQ$5$l$k(B) $B%]!<%H$K(B stunnel $B$G%H%s%M%k$7$F$/$@$5$$!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: -p names the file that holds both the certificate and the
     unencrypted private key, so stunnel runs with access to the key and the
     file's permissions are what protect it. -r ldap forwards the decrypted
     traffic to the local plaintext LDAP port, so the hop between stunnel and
     slapd is unencrypted on this host and port 389 itself stays reachable
     unless it is separately restricted. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
># /usr/local/sbin/stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>$B%G%P%C%0$N$?$a$K<!$N=q<0$G%U%)%"%0%i%&%s%I$K(B
<TT
CLASS="FILENAME"
>stunnel</TT
> $B$r5/F0$9$k$3$H$b$G$-$^$9!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: -D 7 is the highest debug level and -f keeps stunnel in the
     foreground; at this level the log records per-connection details, so use
     it only while troubleshooting and return to the normal invocation (and a
     lower log level) once the tunnel works. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
># /usr/local/sbin/stunnel -r ldap -d 636 -D 7 -f -p /usr/local/ssl/certs/stunnel.pem</PRE
></FONT
></TD
></TR
></TABLE
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN929"
>10.4. stunnel $B$r;H$C$F(B LDAP $B%/%i%$%"%s%H$K(B SSL $B$rDs6!$9$kJ}K!(B</A
></H2
><P
>$BB?$/$N(B LDAP $B%/%i%$%"%s%H$O(B SSL $BBP1~$G$O$"$j$^$;$s!#(B
$B$7$+$7(B stunnel $B$r%/%i%$%"%s%H%b!<%I$G;H$&$3$H$G!"(B
$B$3$l$i$N%/%i%$%"%s%H$K(B SSL $B$rDs6!$9$k$3$H$,2DG=$G$9!#(B</P
><P
>$B$3$l$OHs>o$K4JC1$G$9!#%/%i%$%"%s%H%[%9%H>e$G(B stunnel $B$r(B
$B<!$N$h$&$K5/F0$7$F!"(BLDAPS $B%]!<%H$KBP$9$kMW5a$r<B:]$N(B LDAP $B%5!<%P$K(B
$BE>Aw$9$k$h$&$K$7$F$/$@$5$$!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: no certificate-verification option is given for the client
     tunnel, so as written stunnel encrypts to whatever answers at
     ldapserver.yourorg.com:636 without checking its identity; the
     impersonation protection described in 10.1 only holds when the server
     certificate is verified (stunnel 3.x exposes this through its "-v level"
     and "-a directory" options; confirm against the manual of the installed
     version). Also, -d 636 with no host part listens on all interfaces by
     default in stunnel 3.x, which makes the plaintext side of the tunnel
     reachable from other hosts; bind it to the loopback address (for example
     -d 127.0.0.1:636) so that only local clients can use it. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
># stunnel -c -d 636 -r ldapserver.yourorg.com:636</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>$B$3$N$H$-(B LDAP $B%/%i%$%"%s%H$O(B <TT
CLASS="FILENAME"
>localhost:636</TT
>
$B$r(B LDAPS $B%5!<%P$H$7$F;H$&$h$&@_Dj$5$l$J$/$F$O$J$j$^$;$s!#(B</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN937"
>10.5. stunnel $B$r;H$C$F(B slurpd $B%l%W%j%1!<%7%g%s$K(B SSL $B$rDs6!$9$kJ}K!(B</A
></H2
><P
>$B8=;~E@$G(B slurpd (slapd $B%l%W%j%1!<%7%g%s%G!<%b%s(B) $B$O(B SSL $B5!G=$r(B
$B;}$C$F$$$J$$$H$O$$$(!"(Bstunnel $B$r%/%i%$%"%s%H%b!<%I$G;H$C$F!"(B
$B$3$NLr3d$r$5$;$k$3$H$,$G$-$^$9!#(B</P
><P
>$B<!$N$h$&$K%^%9%?%5!<%P>e$G%/%i%$%"%s%H%b!<%I$N(B stunnel $B$r;H$$!"(B
$B%m!<%+%k%]!<%H$r%j%b!<%H%]!<%H$KE>Aw$7$F$/$@$5$$!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: this is the same client-mode pattern as in 10.4 and carries
     the same two caveats: no option verifies the replica's certificate, so
     the master cannot tell it is talking to the real replica unless
     verification is enabled (stunnel 3.x: "-v level" with "-a directory";
     confirm for the installed version), and -d 9636 without a host part
     listens on all interfaces by default, exposing a plaintext path into the
     replica; bind it to the loopback address (for example -d 127.0.0.1:9636)
     since only the local slurpd should use it. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
># stunnel -c -d 9636 -r ldapreplica.yourorg.com:636</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>$B$=$7$F%^%9%?(B LDAP $B%5!<%P$N(B <TT
CLASS="FILENAME"
>slapd.conf</TT
>
$B$K<!$N5-=R$rF~$l$F$/$@$5$$!#(B</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><!-- Review note: only the host= part of the replica directive is shown; the
     rest of the directive (the bind identity and credentials slurpd uses,
     which this page does not reproduce) travels in plaintext from slurpd to
     localhost:9636 before entering the tunnel. That hop is acceptable only
     while the stunnel listener is bound to the loopback address. --><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>replica host=localhost:9636</PRE
></FONT
></TD
></TR
></TABLE
></P
></DIV
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.AEN882"
HREF="ssl.html#AEN882"
>[1]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>$BLuCm!'Aw?.<T$K(B
$B$J$j$9$^$7$?Bh;0<T$,%G!<%?$r2~cb$9$k$J$I!#!VCf4V2pF~!W$H$bLu$9$=$&$G$9!#(B</P
></TD
></TR
></TABLE
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="certificates.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="security.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>LDAP $B$K$h$k%G%8%?%k>ZL@=q$NH/9T(B</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>$B%;%-%e%j%F%#4XO"(B</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>