我徒劳地尝试使用 TLS 将 LDAP 从基于 Linux 的设备绑定到 LDAP 服务器。服务器支持简单认证和TLS认证。首先,我使用以下 ldapsearch 命令在没有 TLS 的情况下成功绑定:
ldapsearch -x -b "dc=lab,dc=local" \
-H ldap://[SERVER.IP.ADDRESS] \
-D "uid=myuser,cn=users,cn=accounts,dc=lab,dc=local" \
-W "uid=myuser"
它提示输入用户密码,并成功验证用户身份。当我尝试使用 TLS 与以下内容进行绑定时:
LDAPTLS_REQCERT=never ldapsearch \
-x -ZZ -b "dc=lab,dc=local" \
-H ldap://[SERVER.IP.ADDRESS] \
-D "uid=myuser,cn=users,cn=accounts,dc=lab,dc=local" \
-W "uid=myuser" cn uid
系统不会提示我输入密码,因此我添加了一个-d 1
选项来显示更多调试消息。在这种情况下,我有以下输出:
ldap_url_parse_ext(ldap://nodo-1.labsecurity.local)
ldap_create
ldap_url_parse_ext(ldap://nodo-1.labsecurity.local:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP nodo-1.labsecurity.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.5.214:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1005c038 msgid 1
wait4msg ld 0x1005c038 msgid 1 (infinite timeout)
wait4msg continue ld 0x1005c038 msgid 1 all 1
** ld 0x1005c038 Connections:
* host: nodo-1.labsecurity.local port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 1 00:49:07 1970
** ld 0x1005c038 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1005c038 request count 1 (abandoned 0)
** ld 0x1005c038 Response Queue:
Empty
ld 0x1005c038 response count 0
ldap_chkResponseList ld 0x1005c038 msgid 1 all 1
ldap_chkResponseList returns ld 0x1005c038 NULL
ldap_int_select
read1msg: ld 0x1005c038 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 95 contents:
read1msg: ld 0x1005c038 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1005c038 0 new referrals
read1msg: mark request completed, ld 0x1005c038 msgid 1
request done: ld 0x1005c038 msgid 1
res_errno: 0, res_error: <Start TLS request accepted.Server willing to negotiate SSL.>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
似乎连接已建立,但在某个时刻它会停止并且不再继续。请注意,我使用了 LDAPTLS_REQCERT=never,这应该意味着不需要 CA 证书。谁能帮助我更好地理解为什么 LDAP 与 TLS 绑定不起作用?谢谢。