我阅读了来自这个论坛和其他许多论坛的一些建议,并尝试自己解决问题,但没有结果。我需要将证书添加到 ldap,但它总是返回错误 80。
我正在使用 ldap 向文件夹添加权限:
ls -la /etc/apache2/ssl/
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip 2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22 2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22 2017 od.censored.pl.key
我正在检查临时目录的权限:
ls -la /var/lib/lda*
razem 708
drwxr-xr-x 2 openldap openldap 4096 lip 2 10:39 .
drwxr-xr-x 79 root root 4096 cze 30 09:06 ..
-rw-r--r-- 1 openldap openldap 4096 cze 29 13:50 alock
-rw------- 1 openldap openldap 8192 kwi 13 11:12 cn.bdb
-rw------- 1 openldap openldap 548863 cze 29 14:20 __db.001
-rw------- 1 openldap openldap 147455 lip 2 10:50 __db.002
-rw------- 1 openldap openldap 114687 cze 29 13:50 __db.003
-rw-r--r-- 1 openldap openldap 96 kwi 13 11:12 DB_CONFIG
-rw------- 1 openldap openldap 8192 kwi 13 11:12 dn2id.bdb
-rw------- 1 openldap openldap 32768 kwi 13 12:12 id2entry.bdb
-rw------- 1 openldap openldap 10485759 cze 29 14:20 log.0000000001
-rw------- 1 openldap openldap 8192 kwi 13 11:12 objectClass.bdb
certs.ldif 看起来:
cat -n certs.ldif
1 dn: cn=config
2 changetype: modify
3 replace: olcTLSCertificateFile
4 olcTLSCertificateFile: /etc/apache2/ssl/od.censored.pl.crt
5
6 dn: cn=config
7 changetype: modify
8 replace: olcTLSCertificateKeyFile
9 olcTLSCertificateKeyFile: /etc/apache2/ssl/od.censored.pl.key
但我一次又一次地看到错误:
ldapmodify -Y EXTERNAL -H ldapi:/// -vvv -f certs.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
replace olcTLSCertificateFile:
/etc/apache2/ssl/od.censored.pl.crt
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
添加尝试后的日志:
195 Jul 4 12:50:49 odps02 slapd[18075]: conn=1005 op=1 RESULT tag=103 err=0 text=
196 Jul 4 12:50:49 odps02 slapd[18075]: conn=1005 op=2 UNBIND
197 Jul 4 12:50:49 odps02 slapd[18075]: conn=1005 fd=18 closed
198 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 fd=18 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
199 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND dn="" method=163
200 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
201 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
202 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 RESULT tag=97 err=0 text=
203 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 MOD dn="cn=config"
204 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 MOD attr=olcTLSCertificateFile
205 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 RESULT tag=103 err=80 text=
206 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 op=2 UNBIND
207 Jul 4 12:54:57 odps02 slapd[18075]: conn=1006 fd=18 closed
调试导入尝试:
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=odps02
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x55ab9f63d3f0 ptr=0x55ab9f63d3f0 end=0x55ab9f63d40a len=26
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ber_scanf fmt ({i) ber:
ber_dump: buf=0x55ab9f63d3f0 ptr=0x55ab9f63d3f5 end=0x55ab9f63d40a len=21
0000: 60 13 02 01 03 04 00 a3 0c 04 08 45 58 54 45 52 `..........EXTER
0010: 4e 41 4c 04 00 NAL..
ber_flush2: 26 bytes to sd 4
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ldap_write: want=26, written=26
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ldap_msgfree
ldap_result ld 0x55ab9f63b260 msgid 1
wait4msg ld 0x55ab9f63b260 msgid 1 (infinite timeout)
wait4msg continue ld 0x55ab9f63b260 msgid 1 all 1
** ld 0x55ab9f63b260 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Fri Jul 6 15:04:50 2018
** ld 0x55ab9f63b260 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x55ab9f63b260 request count 1 (abandoned 0)
** ld 0x55ab9f63b260 Response Queue:
Empty
ld 0x55ab9f63b260 response count 0
ldap_chkResponseList ld 0x55ab9f63b260 msgid 1 all 1
ldap_chkResponseList returns ld 0x55ab9f63b260 NULL
ldap_int_select
read1msg: ld 0x55ab9f63b260 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d990 end=0x55ab9f61d99c len=12
0000: 02 01 01 61 07 0a 01 00 04 00 04 00 ...a........
read1msg: ld 0x55ab9f63b260 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
read1msg: ld 0x55ab9f63b260 0 new referrals
read1msg: mark request completed, ld 0x55ab9f63b260 msgid 1
request done: ld 0x55ab9f63b260 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
ber_scanf fmt (}) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d99c end=0x55ab9f61d99c len=0
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x55ab9f640b00 ptr=0x55ab9f640b00 end=0x55ab9f640b58 len=88
0000: 30 56 02 01 02 66 51 04 09 63 6e 3d 63 6f 6e 66 0V...fQ..cn=conf
0010: 69 67 30 44 30 42 0a 01 02 30 3d 04 17 6f 6c 63 ig0D0B...0=..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 22 04 20 2f 65 74 63 2f 61 70 61 File1". /etc/apa
0040: 63 68 65 32 2f 73 73 6c 2f 6f 64 2e 70 67 6e 69 che2/ssl/od.pgni
0050: 67 2e 70 6c 2e 63 73 72 g.pl.csr
ber_scanf fmt ({) ber:
ber_dump: buf=0x55ab9f640b00 ptr=0x55ab9f640b05 end=0x55ab9f640b58 len=83
0000: 66 51 04 09 63 6e 3d 63 6f 6e 66 69 67 30 44 30 fQ..cn=config0D0
0010: 42 0a 01 02 30 3d 04 17 6f 6c 63 54 4c 53 43 41 B...0=..olcTLSCA
0020: 43 65 72 74 69 66 69 63 61 74 65 46 69 6c 65 31 CertificateFile1
0030: 22 04 20 2f 65 74 63 2f 61 70 61 63 68 65 32 2f ". /etc/apache2/
0040: 73 73 6c 2f 6f 64 2e 70 67 6e 69 67 2e 70 6c 2e ssl/od.censored.pl.
0050: 63 73 72 csr
ber_flush2: 88 bytes to sd 4
0000: 30 56 02 01 02 66 51 04 09 63 6e 3d 63 6f 6e 66 0V...fQ..cn=conf
0010: 69 67 30 44 30 42 0a 01 02 30 3d 04 17 6f 6c 63 ig0D0B...0=..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 22 04 20 2f 65 74 63 2f 61 70 61 File1". /etc/apa
0040: 63 68 65 32 2f 73 73 6c 2f 6f 64 2e 70 67 6e 69 che2/ssl/od.pgni
0050: 67 2e 70 6c 2e 63 73 72 g.pl.csr
ldap_write: want=88, written=88
0000: 30 56 02 01 02 66 51 04 09 63 6e 3d 63 6f 6e 66 0V...fQ..cn=conf
0010: 69 67 30 44 30 42 0a 01 02 30 3d 04 17 6f 6c 63 ig0D0B...0=..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 22 04 20 2f 65 74 63 2f 61 70 61 File1". /etc/apa
0040: 63 68 65 32 2f 73 73 6c 2f 6f 64 2e 70 67 6e 69 che2/ssl/od.pgni
0050: 67 2e 70 6c 2e 63 73 72 g.pl.csr
ldap_result ld 0x55ab9f63b260 msgid 2
wait4msg ld 0x55ab9f63b260 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x55ab9f63b260 msgid 2 all 1
** ld 0x55ab9f63b260 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Fri Jul 6 15:04:50 2018
** ld 0x55ab9f63b260 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x55ab9f63b260 request count 1 (abandoned 0)
** ld 0x55ab9f63b260 Response Queue:
Empty
ld 0x55ab9f63b260 response count 0
ldap_chkResponseList ld 0x55ab9f63b260 msgid 2 all 1
ldap_chkResponseList returns ld 0x55ab9f63b260 NULL
ldap_int_select
read1msg: ld 0x55ab9f63b260 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 02 67 07 0a 0....g..
ldap_read: want=6, got=6
0000: 01 50 04 00 04 00 .P....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c910 end=0x55ab9f61c91c len=12
0000: 02 01 02 67 07 0a 01 50 04 00 04 00 ...g...P....
read1msg: ld 0x55ab9f63b260 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c913 end=0x55ab9f61c91c len=9
0000: 67 07 0a 01 50 04 00 04 00 g...P....
read1msg: ld 0x55ab9f63b260 0 new referrals
read1msg: mark request completed, ld 0x55ab9f63b260 msgid 2
request done: ld 0x55ab9f63b260 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c913 end=0x55ab9f61c91c len=9
0000: 67 07 0a 01 50 04 00 04 00 g...P....
ber_scanf fmt (}) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c91c end=0x55ab9f61c91c len=0
ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
0000: 30 05 02 01 03 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 03 42 00 0....B.
ldap_free_connection: actually freed
请提供任何关于如何修复它的建议。
这个问题对我来说是个大问题,因为我无法完成必要的服务器配置,请帮忙。
答案1
如果开放LDAP是运行 OpenLDAP 的 slapd 的系统用户,您在问题中列出的所有权/权限不允许 slap 读取服务器证书和私钥:
ls -la /etc/apache2/ssl/
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip 2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22 2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22 2017 od.censored.pl.key
与 Apache 相反拍打初始化SSL上下文即使使用静态配置文件,调用后setuid()也是如此。而对于动态配置 (cn=config),它无论如何都必须在处理 LDAP 修改期间读取文件。
因此,请尝试以下方法来修复群组所有权:
chgrp -R openldap /etc/apache2/ssl
并且删除不需要的执行权限:
chmod 0640 /etc/apache2/ssl/od.censored.pl.crt /etc/apache2/ssl/od.censored.pl.key
答案2
Ubuntu 16.04 - apparmor 不喜欢将证书放在 slapd 的其他地方
来自我们的日志
audit: type=1400 audit(1576557786.149:51): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/usr/local/etc/ssl_certs/our.pri_key" pid=15900 comm="slapd" requested_mask="r" denied_mask="r" fsuid=114 ouid=0
通过禁用 slapd 的 apparmor 并重新启动来修复
root@alc-jw-test5:~# ls -l /etc/apparmor.d/disable/usr.sbin.slapd
lrwxrwxrwx 1 root root 30 Dec 17 15:43 /etc/apparmor.d/disable/usr.sbin.slapd -> /etc/apparmor.d/usr.sbin.slapd
答案3
我解决了这个问题,只需按正确的顺序先使用密钥,然后使用证书即可。对我来说,这很有效。
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.kart.com.key
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.kart.com.cert
答案4
我遇到了这个问题,尝试了很多解决方案,最终得出结论,这是一个 apparmor 问题。我通过安装重新配置 slapd 配置文件解决了这个问题。
所以首先我必须安装 app-armor 配置文件
apt install apparmor-profiles
其次,我必须重新配置配置文件。因此,您要么需要打开两个 ssh 会话,要么在 screen 会话中执行此操作,其中一个会话运行 ldap 命令,另一个会话运行 aa-genprof。
因此在一次会话中运行
aa-genprof slapd
您将会看到类似这样的内容 > Profiling: /usr/sbin/slapd
请在另一个窗口中启动要分析的应用程序并立即使用其功能。
完成后,选择下面的“扫描”选项以
扫描系统日志中的 AppArmor 事件。
对于每个 AppArmor 事件,您将有机会
选择是否允许或拒绝访问
。
[(S)扫描系统日志中的 AppArmor 事件] / (F)完成
现在..在您的其他会话中运行您的 ldif 脚本或 ldapmodify 中的命令。
在 genprof 会话中,您将扫描系统日志以查找 AppArmor 事件,并且您将获得允许该操作的选项....所以简单地允许它,当您完成后完成并保存新的配置文件..Wooola!