<HTML ><HEAD ><TITLE >SSL/TLS $B$H!"(BSSL/TLS $B$N(B LDAP $BMQ%i%C%Q(B</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.54"><LINK REL="HOME" TITLE="LDAP Implementation HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="LDAP $B$K$h$k%G%8%?%k>ZL@=q$NH/9T(B" HREF="certificates.html"><LINK REL="NEXT" TITLE="$B%;%-%e%j%F%#4XO"(B" HREF="security.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" ><DIV CLASS="NAVHEADER" ><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >LDAP Implementation HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="certificates.html" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="security.html" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="SSL" >10. SSL/TLS $B$H!"(BSSL/TLS $B$N(B LDAP $BMQ%i%C%Q(B</A ></H1 ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN870" >10.1. 
SSL $B$N4JC1$J@bL@(B</A ></H2 ><P >Secure Socket Layer (SSL) $B$O%Q!<%F%#4V$N%;%-%e%"$J(B $BE>Aw7PO)$rDs6!$9$k%"%W%j%1!<%7%g%s%l%$%d%W%m%H%3%k$G$9!#(B HTTP, LDAP, SMTP $BEy!9$N%"%W%j%1!<%7%g%s%l%Y%k$N%W%m%H%3%k$H(B TCP/IP $B$H$N4V$r$H$j$b$D$b$N$G!"(B $B8x3+800E9f%7%9%F%`(B ($B<o!9$N0E9f2=J}K!$,MxMQ2DG=(B) $B$H(B X.509 $B>ZL@J}<0$K4p$E$$$F$$$^$9!#(B</P ><P >SSL $B$O$b$H$b$H(B Netscape $B$N%W%m%H%3%k$G$7$?$,!"(B $B=y!9$KI8=`E*$J$b$N$H$J$j!"(B $B:#$G$O(B TLS (Transmission Layer Security) $B$H8F$P$l$k$b$N$K$J$j$^$7$?!#(B $B0lHLE*$K(B SSL/TLS $B$H$7$F8@5Z$5$l$^$9!#(B</P ><P >SSL/TLS $B%W%m%H%3%k$O0J2<$N5!G=$rDs6!$7$^$9!#(B</P ><P ></P ><UL ><LI ><P >$B%G!<%?$N0E9f2=(B $B!=(B $B%/%i%$%"%s%H!?%5!<%P4V$N(B $B%;%C%7%g%s$,0E9f2=$5$l$^$9!#(B</P ></LI ><LI ><P >$B%5!<%PG'>Z(B $B!=(B $B%/%i%$%"%s%HB&$+$i!"%5!<%P$,(B $BK\J*$+$I$&$+$r8!>Z$9$k$3$H$,$G$-$^$9!#(B</P ></LI ><LI ><P >$B%a%C%;!<%840A4@-(B $B!=(B $B%G!<%?$OE>AwCf$K<j$r2C$($i$l$^$;$s!#(B $B$3$l$O!V(Bman in the middle$B!W967b(B<A NAME="AEN882" HREF="#FTN.AEN882" >[1]</A >$B$rKI;_$7$^$9!#(B </P ></LI ><LI ><P >$B%/%i%$%"%s%HG'>Z(B $B!=(B $B%5!<%P$O%/%i%$%"%s%H$,(B $BK\J*$+$I$&$+8!>Z$G$-$^$9!#(B</P ></LI ></UL ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN886" >10.2. 
OpenLDAP $B$N(B SSL/TLS $B%5%]!<%H(B</A ></H2 ><P >LDAP V3 $B$N%D!<%k%-%C%H$G$"$k(B OpenLDAP 2.0.x $B$+$i$O!"(B $B%5!<%P$K$h$C$F(B SSL/TLS $B%5%]!<%H$,Hw$($i$l$F$$$^$9!#(B $B$?$@$7(B SSL/TLS $B$rDI2C$9$k$?$a$K$O!"(BOpenLDAP 2.0.x $B$,(B OpenSSL $B$N%i%$%V%i%j$r;H$C$F%3%s%Q%$%k$5$l$kI,MW$,$"$j$^$9!#(B $B$^$?!"(B2.0.x $B$K$O(B Start-TLS $B$N%5%]!<%H$b$"$j$^$9!#(B</P ><DIV CLASS="NOTE" ><BLOCKQUOTE CLASS="NOTE" ><P ><B >Note: </B >Start-TLS $B$O!"%/%i%$%"%s%H$,MW5a$7$?$H$-$@$1(B TLS $B$rM-8z$K$9$k$3$H$,$G$-$k$h$&$K$7$^$9!#$3$NJ}K!$@$H!"C1FH$N(B LDAP $B%]!<%H$r%;%-%e%"$J@\B3$H$=$&$G$J$$@\B3$NN>J}$K;H$&$3$H$,2DG=$G$9!#(B</P ></BLOCKQUOTE ></DIV ><P >OpenLDAP 1.2.x $B$O$=$l$H$O0[$J$j(B LDAP V2 $B%W%m%H%3%k$K$h$k<BAu$G$"$j!"(BSSL/TLS $B$rHw$($F$$$^$;$s!#(B</P ><P >OpenLDAP 2.0.x $B>e$N(B SSL/TLS $B$K4X$7$F$O(B OpenLDAP $B$N%&%'%V%5%$%H$K(B $B2ACM$"$k>pJs$,$"$j$^$9$N$G!"$3$3$G$O(B SSL/TLS $B$KBP1~$7$F$$$J$$(B LDAP $B%Q!<%F%#$r(B SSL $B%H%s%M%k$r;H$C$F%;%-%e%"$K$9$kJ}K!$K>GE@$r9g$o$;$k$3$H$K$7$^$9!#(B</P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN893" >10.3. 
stunnel $B$r;H$C$F(B LDAP V2 $B%5!<%P$K(B SSL/TLS $B$rDs6!$9$kJ}K!(B</A ></H2 ><P >OpenLDAP 1.2.x $B$r;H$C$F$$$k$J$i$P!"%5!<%P$K(B SSL $B5!G=$r(B $BDI2C$9$k$?$a$K$OHFMQ(B SSL $B%i%C%Q$,I,MW$K$J$j$^$9!#(Bstunnel (<A HREF="http://www.stunnel.org" TARGET="_top" >www.stunnel.org</A >) $B$O(B $B0BDj$7$F$$$F!"$3$NL\E*$KE,$7$F$$$^$9!#(B</P ><P >stunnel $B$N%$%s%9%H!<%k$O$H$F$b4JC1$G$9$,!"$O$8$a$K(B OpenSSL (<A HREF="http://www.OpenSSL.org" TARGET="_top" >www.OpenSSL.org</A >) $B$r%$%s%9%H!<%k$7$F!"I,MW$J%i%$%V%i%j$H%D!<%k$rMQ0U$7$J$/$F$O$J$j$^$;$s!#(B</P ><P >OpenSSL $B$H$O(B SSL $B%W%m%H%3%k$N%*!<%W%s%=!<%9$K$h$k<BAu$G$"$j!"(B SSL $B$N%i%$%V%i%j$H0E9f%D!<%k0l<0$rHw$($F$$$^$9!#(B</P ><P >OpenSSL $B$r%$%s%9%H!<%k$9$k$K$O(B $B<!$N%3%^%s%I$rF~NO$7$J$/$F$O$J$j$^$;$s!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" >$ ./config
$ make
$ make test
# make install</PRE ></FONT ></TD ></TR ></TABLE ></P ><P >$B$U$D$&$O!"$9$Y$F(B <TT CLASS="FILENAME" >/usr/local/ssl</TT > $BFb$K(B $B%$%s%9%H!<%k$5$l$k$3$H$K$J$j$^$9!#(B</P ><P >OpenSSL $B$,@5$7$/%$%s%9%H!<%k$5$l$F$$$l$P!"(Bstunnel $B$r%3%s%Q%$%k$7$F(B $B%$%s%9%H!<%k$9$k$?$a$KF~NO$,I,MW$J$N$O!"<!$N%3%^%s%I$@$1$G$9!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" >$ ./configure
$ make
# make install</PRE ></FONT ></TD ></TR ></TABLE ></P ><P >stunnel $B$O(B SSL $B$K%5!<%P>ZL@=q$r;H$$$^$9!#(B $B$3$l$O<+8J=pL>$N>ZL@=q(B (self-signed certificate) $B$G$b$h$$$N$G$9$,!"(B $B$5$i$KNI$$$N$O<+J,$NG'>Z6I(B (Certification Authority) $B$K$h$C$F=pL>$5$l$?(B $B>ZL@=q$G$9(B (SSL $B%/%i%$%"%s%H$b$=$N(B CA $B$r?.MQ$7$F$$$J$/$F$O$J$j$^$;$s$,(B)$B!#(B</P ><P >$B$=$N$h$&$J>ZL@=q$N!"0lHLE*$KMQ$$$i$l$kJ]4I>l=j$O$3$3$G$9!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" >/usr/local/ssl/certs/stunnel.pem</PRE ></FONT ></TD ></TR ></TABLE 
></P ><P >$B$b$7G'>Z6I$N(B $BM-L5$r5$$K$7$J$$$N$G$"$l$P!"(B OpenSSL $B%;%C%H$K$h$C$FDs6!$5$l$k%D!<%k$r;H$C$F!"(B $B<+8J=pL>$N>ZL@=q$r:n@.$G$-$^$9!#(B</P ><P >stunnel $B$N%G%#%l%/%H%jFb$N(B <TT CLASS="FILENAME" >stunnel.cnf</TT > $B$H$$$&@_Dj%U%!%$%k$r;H$&$?$a!"$=$N%G%#%l%/%H%j$G!"<!$N%3%^%s%I$r(B $BF~NO$7$F$/$@$5$$!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" >$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 >> stunnel.pem</PRE ></FONT ></TD ></TR ></TABLE ></P ><P >$B$3$l$K$h$C$F!"<+8J=pL>$K$h$k0lG/4VM-8z$J>ZL@=q$,(B <TT CLASS="FILENAME" >stunnel.pem</TT > $B%U%!%$%k$NCf$K:n@.$5$l$^$9!#(B</P ><P >stunnel $B$,%$%s%9%H!<%k$5$l$?$i!"$^$::G=i$K<!$N$h$&$K$7$F(B LDAP $B%5!<%P$r(B 389 $BHV$N%]!<%H(B ($B%G%U%)%k%H$N(B LDAP $B%]!<%H(B) $B>e$K(B $B5/F0$7$F$/$@$5$$!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" ># /usr/local/libexec/slapd</PRE ></FONT ></TD ></TR ></TABLE ></P ><P >$B$=$l$+$i<!$N$h$&$K(B 636 $BHV$N(B (LDAPS $B%/%i%$%"%s%H$K$h$C$F(B $B;HMQ$5$l$k(B) $B%]!<%H$K(B stunnel $B$G%H%s%M%k$7$F$/$@$5$$!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" ># /usr/local/sbin/stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem</PRE ></FONT ></TD ></TR ></TABLE ></P ><P >$B%G%P%C%0$N$?$a$K<!$N=q<0$G%U%)%"%0%i%&%s%I$K(B <TT CLASS="FILENAME" >stunnel</TT > $B$r5/F0$9$k$3$H$b$G$-$^$9!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" ># /usr/local/sbin/stunnel -r ldap -d 636 -D 7 -f -p /usr/local/ssl/certs/stunnel.pem</PRE ></FONT ></TD ></TR ></TABLE ></P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN929" >10.4. 
stunnel $B$r;H$C$F(B LDAP $B%/%i%$%"%s%H$K(B SSL $B$rDs6!$9$kJ}K!(B</A ></H2 ><P >$BB?$/$N(B LDAP $B%/%i%$%"%s%H$O(B SSL $BBP1~$G$O$"$j$^$;$s!#(B $B$7$+$7(B stunnel $B$r%/%i%$%"%s%H%b!<%I$G;H$&$3$H$G!"(B $B$3$l$i$N%/%i%$%"%s%H$K(B SSL $B$rDs6!$9$k$3$H$,2DG=$G$9!#(B</P ><P >$B$3$l$OHs>o$K4JC1$G$9!#%/%i%$%"%s%H%[%9%H>e$G(B stunnel $B$r(B $B<!$N$h$&$K5/F0$7$F!"(BLDAPS $B%]!<%H$KBP$9$kMW5a$r<B:]$N(B LDAP $B%5!<%P$K(B $BE>Aw$9$k$h$&$K$7$F$/$@$5$$!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" ># stunnel -c -d 636 -r ldapserver.yourorg.com:636</PRE ></FONT ></TD ></TR ></TABLE ></P ><P >$B$3$N$H$-(B LDAP $B%/%i%$%"%s%H$O(B <TT CLASS="FILENAME" >localhost:636</TT > $B$r(B LDAPS $B%5!<%P$H$7$F;H$&$h$&@_Dj$5$l$J$/$F$O$J$j$^$;$s!#(B</P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN937" >10.5. stunnel $B$r;H$C$F(B slurpd $B%l%W%j%1!<%7%g%s$K(B SSL $B$rDs6!$9$kJ}K!(B</A ></H2 ><P >$B8=;~E@$G(B slurpd (slapd $B%l%W%j%1!<%7%g%s%G!<%b%s(B) $B$O(B SSL $B5!G=$r(B $B;}$C$F$$$J$$$H$O$$$(!"(Bstunnel $B$r%/%i%$%"%s%H%b!<%I$G;H$C$F!"(B $B$3$NLr3d$r$5$;$k$3$H$,$G$-$^$9!#(B</P ><P >$B<!$N$h$&$K%^%9%?%5!<%P>e$G%/%i%$%"%s%H%b!<%I$N(B stunnel $B$r;H$$!"(B $B%m!<%+%k%]!<%H$r%j%b!<%H%]!<%H$KE>Aw$7$F$/$@$5$$!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" ># stunnel -c -d 9636 -r ldapreplica.yourorg.com:636</PRE ></FONT ></TD ></TR ></TABLE ></P ><P >$B$=$7$F%^%9%?(B LDAP $B%5!<%P$N(B <TT CLASS="FILENAME" >slapd.conf</TT > $B$K<!$N5-=R$rF~$l$F$/$@$5$$!#(B</P ><P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" >replica host=localhost:9636</PRE ></FONT ></TD ></TR ></TABLE ></P ></DIV ></DIV ><H3 CLASS="FOOTNOTES" >Notes</H3 ><TABLE BORDER="0" CLASS="FOOTNOTES" WIDTH="100%" ><TR ><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="5%" ><A NAME="FTN.AEN882" HREF="ssl.html#AEN882" >[1]</A 
></TD ><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="95%" ><P >$BLuCm!'Aw?.<T$K(B $B$J$j$9$^$7$?Bh;0<T$,%G!<%?$r2~cb$9$k$J$I!#!VCf4V2pF~!W$H$bLu$9$=$&$G$9!#(B</P ></TD ></TR ></TABLE ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="certificates.html" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="security.html" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >LDAP $B$K$h$k%G%8%?%k>ZL@=q$NH/9T(B</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >$B%;%-%e%j%F%#4XO"(B</TD ></TR ></TABLE ></DIV ></BODY ></HTML >