TLS (STARTTLS) fails after upgrading to Open Directory Master 10.6

Environment: Mac OS X 10.6.3 install/import of a MacOS X 10.5.8 Open Directory Master server. After the upgrade, LDAP+TLS fails on our MacOS X 10.5, 10.6, CentOS, Debian and FreeBSD clients (Apache2 and PAM).

Testing with ldapsearch:

ldapsearch -ZZ -H ldap://gnome.darkhorse.com -v -x -b "dc=darkhorse,dc=com" '(uid=donaldr)' uid

...fails:

ldap_start_tls: Protocol error (2)

Testing with "-d 9" added fails with:

res_errno: 2, res_error: <unsupported extended operation>, res_matched: <>

Testing without STARTTLS, or with LDAPS:

ldapsearch -H ldap://gnome.darkhorse.com -v -x -b "dc=darkhorse,dc=com" '(uid=donaldr)' uid
ldapsearch -H ldaps://gnome.darkhorse.com -v -x -b "dc=darkhorse,dc=com" '(uid=donaldr)' uid

...succeeds:

# donaldr, users, darkhorse.com
dn: uid=donaldr,cn=users,dc=darkhorse,dc=com
uid: donaldr
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
result: 0 Success

(We specify "TLS_REQCERT never" in /etc/openldap/ldap.conf)

Testing with openssl:

openssl s_client -connect gnome.darkhorse.com:636 -showcerts -state

...succeeds:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=MIS/CN=gnome.darkhorse.com
  i:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
1 s:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
  i:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
---
Server certificate
-----BEGIN CERTIFICATE-----
<deleted for brevity>
-----END CERTIFICATE-----
subject=/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=MIS/CN=gnome.darkhorse.com
issuer=/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
---
No client certificate CA names sent
---
SSL handshake has read 2640 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : AES256-SHA
   Session-ID: D3F9536D3C64BAAB9424193F81F09D5C53B7D8E7CB5A9000C58E43285D983851
   Session-ID-ctx: 
   Master-Key: E224CC065924DDA6FABB89DBCC3E6BF89BEF6C0BD6E5D0B3C79E7DE927D6E97BF12219053BA2BB5B96EA2F6A44E934D3
   Key-Arg   : None
   Start Time: 1271202435
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)

So we believe the slapd daemon is reading our certificate and sending it to LDAP clients.

When SSL is enabled in the LDAP section of the Open Directory service, Apple Server Admin adds the ProgramArguments ("-h ldaps:///") to /System/Library/LaunchDaemons/org.openldap.slapd.plist and adds TLSCertificateFile, TLSCertificateKeyFile, TLSCACertificateFile and TLSCertificatePassphraseTool to /etc/openldap/slapd_macosxserver.conf. While this appears to be sufficient for LDAPS, it does not appear to be sufficient for TLS. Comparing our 10.6 and 10.5 slapd.conf and slapd_macosxserver.conf configuration files turned up no clues. Replacing our certificate (generated with our self-signed CA) with a self-signed certificate generated by Apple Server Admin did not change the ldapsearch results.

Setting -d to 256 in /System/Library/LaunchDaemons/org.openldap.slapd.plist logs:

4/13/10 5:23:35 PM org.openldap.slapd[82162] conn=384 op=0 EXT oid=1.3.6.1.4.1.1466.20037
4/13/10 5:23:35 PM org.openldap.slapd[82162] conn=384 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
4/13/10 5:23:35 PM org.openldap.slapd[82162] conn=384 op=0 RESULT tag=120 err=2 text=unsupported extended operation

Any debugging suggestions are greatly appreciated.

— Tom Kishel

P.S.

An email from Apple confirms that they can reproduce the problem (LDAP+STARTTLS fails but LDAPS succeeds on 10.6, while both work on 10.5) and that an internal bug report has been opened.
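As an added diagnostic that is not part of the original post: a dependency-free Python script that sends the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) on a plain LDAP port and decodes the ExtendedResponse, so a refusal like the err=2 "unsupported extended operation" in the slapd log above can be confirmed against any server without ldapsearch debug output. The result-code table, the probe function and the embedded sample response bytes are constructed here; the host to probe is whatever you pass in.

```python
import socket

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError", 53: "unwillingToPerform"}


def encode_tlv(tag, content):
    """BER TLV; short-form length under 128 bytes, long-form definite length above."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, content, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low bits give the byte count of the length
        size = n & 0x7F
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + n], pos + n


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = encode_tlv(0x77, encode_tlv(0x80, STARTTLS_OID.encode()))
    return encode_tlv(0x30, encode_tlv(0x02, bytes([msg_id])) + ext)


def parse_extended_response(msg):
    """ExtendedResponse [APPLICATION 24]: resultCode, matchedDN, diagnosticMessage."""
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"msg_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result_name": RESULT_NAMES.get(rc, "other"),
            "diagnostic": diag.decode(errors="replace")}


def probe_starttls(host, port=389, timeout=5.0):
    """Send the StartTLS request on a cleartext socket and decode the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(starttls_request())
        return parse_extended_response(s.recv(4096))


# Constructed sample reproducing the slapd log above: err=2, "unsupported extended operation".
SAMPLE_REFUSAL = encode_tlv(0x30, encode_tlv(0x02, b"\x01") + encode_tlv(0x78, encode_tlv(
    0x0A, b"\x02") + encode_tlv(0x04, b"") + encode_tlv(0x04, b"unsupported extended operation")))
```

A server that supports StartTLS answers with result_code 0, after which the client would wrap the same socket in TLS; a 10.6 server with the behaviour described here answers 2 (protocolError), matching the ldapsearch error.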
