我正在尝试让我的 CentOS 服务器信任我从活动目录服务器安装的证书(我之前将 .cer 转换为 .pem。)
当我尝试连接时,调试信息是:
[root@web1 cacerts]# ldapsearch -d1 -v -D SOMEDN\pretenduser01 -w SOMEPASSWORD -H ldaps://1.2.3.4:636 -x
ldap_url_parse_ext(ldaps://1.2.3.4:636)
ldap_initialize( ldaps://1.2.3.4/??base )
ldap_create
ldap_url_parse_ext(ldaps://1.2.3.4:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 1.2.3.4:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/cacerts prefix .
TLS: loaded CA certificate file /etc/openldap/cacerts/some_pem_file.pem.
TLS: certificate [CN=SRV-DC3-RG.hiddendomain.co.uk] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
我真的不知道解决这个问题的下一步是什么。我可以在没有 SSL 的情况下正常连接,但那真的不是很好 :)
答案1
您需要信任向您提供的证书的签名证书。通常,这将是信任根(CA 证书),您可以从运行 AD CS 的计算机的证书存储中获取它,但它也可能是中间证书(在这种情况下,应该提供整个链,因此信任根仍然是值得信任的)。您应该能够简单地将证书连接到证书的末尾,/etc/openldap/cacerts/some_pem_file.pem
然后一切就可以正常工作了。