ldaps://<server_name>:<port>我正在尝试通过 TLS对各种应用程序(例如 Gitlab)使用安全的 LDAP 连接。但是,由于 LDAP 管理员使用自签名证书,连接会引发证书错误。
这是我尝试过的:
curl "ldap://ldapserver.example.com:389/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)" -u [email protected]
按预期工作并返回所需的查询结果,但显然不安全。
当我尝试时:
curl -v "ldaps://ldapserver.example.com:636/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)" -u [email protected]
我有:
* About to connect() to ldapserver.example.com port 636 (#0)
* Trying 10.10.10.10...
* Connected to ldapserver.example.com (10.10.10.10) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=ldapserver.example.com
* start date: Jan 14 15:00:00 2018 GMT
* expire date: Dec 24 14:59:59 2019 GMT
* common name: ldapserver.example.com
* issuer: O=EXAMPLE,C=UK
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
使用该标志尝试相同的命令,--insecure然后连接到 LDAP 服务器,但不返回结果:
* About to connect() to ldapserver.example.com port 636 (#0)
* Trying 10.10.10.10...
* Connected to ldapserver.example.com (10.10.10.10) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=ldapserver.example.com
* start date: Jan 14 15:00:00 2018 GMT
* expire date: Dec 24 14:59:59 2019 GMT
* common name: ldapserver.example.com
* issuer: O=EXAMPLE,C=UK
* LDAP local: ldaps://ldapserver.example.com:636/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)
好吧,我现在已经尝试过ldapsearch:
ldapsearch -x -b 'dc=example,dc=com' -D '[email protected]' -H "ldaps://ldapserver.example.com:636" -W '(memberOf=CN=custom-group,DC=example,DC=com)'
并得到:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
在执行export LDAPTLS_REQCERT=never并发出与上面相同的 ldapsearch 命令后,查询返回了结果。
禁用证书验证显然不是一个好的选择,特别是如果在 Gitlab 中使用 LDAP 身份验证。
我尝试通过以下方式获取证书,将 LDAP 服务器的证书添加到受信任的证书中:
echo -n | openssl s_client -connect ldapserver.example.com:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.example.com.pem
然后我将其放入/etc/pki/ca-trust/source/anchors/并更新了 ca-trust
cp ldapserver.example.com.pem /etc/pki/ca-trust/source/anchors/ldapserver.example.com.crt
update-ca-trust extract
然而,上面的命令返回了相同的结果。
我想我可能需要添加 CA 链,该链实际上仅包含该证书:
openssl s_client -showcerts -verify -connect ldapserver.example.com:636 < /dev/null
verify depth is 5
CONNECTED(00000003)
depth=0 CN = ldapserver.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ldapserver.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=ldapserver.example.com
i:/C=UK/O=EXAMPLE
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldapserver.example.com
issuer=/C=UK/O=EXAMPLE
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 1666 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 12345678912345678912345791234567891234567891234579
Session-ID-ctx:
Master-Key: 123456789123456789123457912345678912345678912345791234567891234567891234579
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1540914932
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
所以我的问题是:如何以证书验证有效的方式添加证书?我可以这样做吗?或者我是否必须联系我们的 LDAP 管理员来为我提供相关信息?
以下是有关系统和工具的一些信息:
RHEL 7.5
ldapsearch -V -v
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.44 (Apr 3 2018 08:03:33) $
[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/clients/tools
(LDAP library: OpenLDAP 20444)
ldap_initialize( <DEFAULT> )
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
curl -V -v
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
答案1
虽然距离最初的问题已经过去了很多年,但我还是想回答这个问题,以帮助那些可能处于类似情况的失落灵魂。
LDAP 系统实际上是一个活动目录并且无法通过网络获取CA证书(至少我还没有找到方法)。于是,我们询问了Windows团队,联系了负责的管理员,询问他是否可以给我们CA证书。管理员导出了它,我们只需将其转换为 PEM 文件,将其放在相应的目录中,然后发出命令update-ca-trust。
像这样的东西:
openssl x509 -inform der -in ca.example.com.cer -out ca.example.com.pem
cp ca.example.com.pem /etc/pki/ca-trust/source/anchors/ca.example.com.pem
update-ca-trust
证书问题已解决,我们使用了ldapsearchonward 而不是curl,因为我们遇到了其他有关 curl 的问题,例如仅检索部分结果。