LDAP works fine on my machine, but LDAPS does not seem to work. I tried specifying the certificate name with TLS_CACERTFILE and TLS_CACERT in /etc/ldap.conf and /etc/ldap/ldap.conf, as mentioned in several forums, but that does not seem to fix the problem. I tested the same CA certificate on other Linux servers (CentOS, Scientific, RHEL), and they all authenticate and bind over LDAPS with the given certificate.
Failure log
```
04:22:57 nscd: nss_ldap: could not connect to any LDAP server as <bind account> - Can't contact LDAP server
04:22:57 nscd: nss_ldap: failed to bind to LDAP server ldaps://example:636: Can't contact LDAP server
04:22:57 nscd: nss_ldap: reconnecting to LDAP server...
04:22:57 nscd: nss_ldap: could not connect to any LDAP server as <bind account> - Can't contact LDAP server
04:22:57 nscd: nss_ldap: failed to bind to LDAP server ldaps://example:636: Can't contact LDAP server
04:22:57 nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
04:22:58 nscd: nss_ldap: could not connect to any LDAP server as <bind account> - Can't contact LDAP server
04:22:58 nscd: nss_ldap: failed to bind to LDAP server ldaps://example:636: Can't contact LDAP server
04:22:58 nscd: nss_ldap: could not search LDAP server - Server is unavailable
```
From the comments:
```
# ldapsearch -x -d5 -H ldaps://example
ldap_url_parse_ext(ldaps://example)
ldap_create
ldap_url_parse_ext(ldaps://example:636/??base) ...............
ldap_int_open_connection
ldap_connect_to_host: TCP example:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying <IP Address>:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x142)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```
LDAP configuration
```
# cat /etc/ldap.conf
base o=example.com
uri ldaps://example:636
ldap_version 3
binddn bind account
bindpw bind passwd
pam_password md5
nss_base_passwd
nss_base_shadow
nss_base_group
nss_base_networks
nss_base_netgroup
ssl on
TLS_CACERTFILE /etc/ldap/cacerts/cacert.pem
DEBUG 1
TLS_REQCERT demand
```
```
# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/cacerts/cacert.pem
TLS_REQCERT demand
BASE o=example.com
URI ldaps://example
```
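As an added example (not part of the original question), a small Python script that decodes the GnuTLS verification status printed by OpenLDAP's debug output above, `peer cert untrusted or revoked (0x142)`, into the `gnutls_certificate_status_t` flag names, and counts the PEM certificates in a CA file so you can check whether the configured file actually carries the whole chain. The bit values are GnuTLS's own; the debug line is copied from the question and the CA bundle text is constructed.

```python
import re

# gnutls_certificate_status_t bit flags, as defined in gnutls/gnutls.h.
GNUTLS_CERT_STATUS = {
    0x0002: "GNUTLS_CERT_INVALID",
    0x0020: "GNUTLS_CERT_REVOKED",
    0x0040: "GNUTLS_CERT_SIGNER_NOT_FOUND",
    0x0080: "GNUTLS_CERT_SIGNER_NOT_CA",
    0x0100: "GNUTLS_CERT_INSECURE_ALGORITHM",
    0x0200: "GNUTLS_CERT_NOT_ACTIVATED",
    0x0400: "GNUTLS_CERT_EXPIRED",
}

# Matches the status OpenLDAP prints when GnuTLS rejects the peer certificate.
STATUS_RE = re.compile(r"peer cert untrusted or revoked \(0x([0-9a-fA-F]+)\)")

# Debug line copied from the question; CA bundle is a constructed sample.
SAMPLE_DEBUG_LINE = ("ldap_pvt_connect: fd: 4 tm: -1 async: 0 attempting to connect: "
                     "connect success TLS: peer cert untrusted or revoked (0x142) "
                     "TLS: can't connect: (unknown error code).")
SAMPLE_CA_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMIIB...root...\n-----END CERTIFICATE-----\n"
                    "-----BEGIN CERTIFICATE-----\nMIIB...intermediate...\n-----END CERTIFICATE-----\n")


def decode_status(status: int) -> list[str]:
    """Return the flag names set in a GnuTLS certificate status bitmask."""
    names = [name for bit, name in sorted(GNUTLS_CERT_STATUS.items()) if status & bit]
    unknown = status & ~sum(GNUTLS_CERT_STATUS.keys())
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def statuses_in_log(text: str) -> list[tuple[int, list[str]]]:
    """Find every 'peer cert untrusted or revoked' status in debug output and decode it."""
    return [(int(m.group(1), 16), decode_status(int(m.group(1), 16)))
            for m in STATUS_RE.finditer(text)]


def count_pem_certs(pem_text: str) -> int:
    """Count certificates in a PEM file (TLS_CACERT must hold every CA in the chain)."""
    return len(re.findall(r"-----BEGIN CERTIFICATE-----", pem_text))


if __name__ == "__main__":
    for status, names in statuses_in_log(SAMPLE_DEBUG_LINE):
        print(f"0x{status:x}: {', '.join(names)}")
    print(f"certificates in CA bundle: {count_pem_certs(SAMPLE_CA_BUNDLE)}")
```

Point the script at the real ldapsearch output and `/etc/ldap/cacerts/cacert.pem` to see which verification checks GnuTLS failed and how many CA certificates the file provides.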