我运行两台带有 MIT Kerberos 和 OpenLDAP 后端的 Debian 服务器。我想强制执行 TLS 并加密复制。所以我创建并添加了证书......
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/server1.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/server1.key
……并强制执行STARTTLS
dn: olcDatabase={1}mdb,cn=config
changeType: modify
add: olcSecurity
olcSecurity: tls=1
经过一番摆弄,我发现这也适用于 IPC ( ldapi),并且所有守护进程都需要访问根证书。例如/etc/nslcd.conf:
ssl start_tls
tls_cacertfile /etc/ssl/ca.crt
而且当然/etc/ldap/ldap.conf:
TLS_CACERT /etc/ssl/ca.crt
Kerberos 除外。我找不到告诉他根证书位置的选项。我希望它在/etc/krb5.conf:
[dbmodules]
LDAP = {
db_library = kldap
ldap_kdc_dn = cn=kdc,ou=daemons,dc=example,dc=com
ldap_kadmind_dn = cn=adm,ou=daemons,dc=example,dc=com
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldapi:///
ldap_conns_per_server = 5
}
因此,它抱怨:
kadmind: connection with LDAP-server »ldapi:///«
as »cn=adm,ou=daemons,dc=example,dc=com« can not be established:
Confidentiality required
那么,我如何告诉 Kerberos 在哪里可以找到根证书呢?