Enable SSL/LDAPS in openLDAP 2.4 on Ubuntu 16.04.5 LTS - ldap_result: Can't contact LDAP server (-1)


I have the following problem and have been googling for weeks. Because I really don't know where the problem is, I'm asking here in the hope of finding an ldap or ssl genius :)

I have a working openLdap server and a separate client machine (both running Linux Ubuntu 16.04.5). The connection works. Now I want to secure the connection with ldaps.

First I changed SLAPD_SERVICES in /etc/default/slapd

    from: ldap:/// ldapi:///
    to:   ldap:/// ldaps:/// ldapi:///

Then I created my own CA with a self-signed certificate, and an ldap server key, csr and crt (signed by the CA I built).

I copied my own ca.crt into the trusted certificates in /usr/local/share/ca-certificates/ and executed this command:

    sudo update-ca-certificates

I copied ca.crt, ldap.key and ldap.crt to /etc/ldap/ssl/files and made them owned by openldap (chown & chgrp).

After that I followed the tutorial (https://www.server-world.info/en/note?os=Debian_9&p=openldap&f=4) and created mod_ssl.ldif

    # modify SSL config
    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ldap/ssl/files/ca.crt
    -
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ldap/ssl/files/ldap.crt
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ldap/ssl/files/ldap.key

After creating the ldif I wanted to add it to my config with this command

    ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif

The output of the command is:

    root@ldap-server:/etc/ldap/schema# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
    ldap_result: Can't contact LDAP server (-1)

After executing this command my slapd is dead. (--> I checked the open ports with netstat -tulpan before and after executing this command.)

Restarted slapd with /etc/init.d/slapd restart

I enabled logging of slapd with loglevel -1

As far as I can tell, the log is completely clean, without any problem.

    tail -f /var/log/syslog

    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
    Oct 19 08:59:17 ldap-server slapd[1464]: 
    Oct 19 08:59:17 ldap-server slapd[1464]: slap_listener_activate(11):
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 busy
    Oct 19 08:59:17 ldap-server slapd[1464]: >>> slap_listener(ldapi:///)
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: listen=11, new connection on 16
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
    Oct 19 08:59:17 ldap-server slapd[1464]: 
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: added 16r (active) listener=(nil)
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 fd=16 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 2 descriptors
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
    Oct 19 08:59:17 ldap-server slapd[1464]:  16r
    Oct 19 08:59:17 ldap-server slapd[1464]: 
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: read active on 16
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16)
    Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16): got connid=1001
    Oct 19 08:59:17 ldap-server slapd[1464]: connection_read(16): checking for input on id=1001
    Oct 19 08:59:17 ldap-server slapd[1464]: op tag 0x60, time 1539932357
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
    Oct 19 08:59:17 ldap-server slapd[1464]: 
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 do_bind
    Oct 19 08:59:17 ldap-server slapd[1464]: >>> dnPrettyNormal: <>
    Oct 19 08:59:17 ldap-server slapd[1464]: <<< dnPrettyNormal: <>, <>
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="" method=163
    Oct 19 08:59:17 ldap-server slapd[1464]: do_bind: dn () SASL mech EXTERNAL
    Oct 19 08:59:17 ldap-server slapd[1464]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
    Oct 19 08:59:17 ldap-server slapd[1464]: SASL Canonicalize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    Oct 19 08:59:17 ldap-server slapd[1464]: slap_sasl_getdn: conn 1001 id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55]
    Oct 19 08:59:17 ldap-server slapd[1464]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
    Oct 19 08:59:17 ldap-server slapd[1464]: <==slap_sasl2dn: Converted SASL name to <nothing>
    Oct 19 08:59:17 ldap-server slapd[1464]: SASL Canonicalize [conn=1001]: slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    Oct 19 08:59:17 ldap-server slapd[1464]: SASL proxy authorize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    Oct 19 08:59:17 ldap-server slapd[1464]: SASL Authorize [conn=1001]:  proxy authorization allowed authzDN=""
    Oct 19 08:59:17 ldap-server slapd[1464]: send_ldap_sasl: err=0 len=-1
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
    Oct 19 08:59:17 ldap-server slapd[1464]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
    Oct 19 08:59:17 ldap-server slapd[1464]: send_ldap_response: msgid=1 tag=97 err=0
    Oct 19 08:59:17 ldap-server kernel: [ 1801.480222] slapd[1468]: segfault at 35 ip 00007f1093e55360 sp 00007f104bffc268 error 4 in libgmp.so.10.3.0[7f1093e41000+7f000]
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 RESULT tag=97 err=0 text=
    Oct 19 08:59:17 ldap-server slapd[1464]: <== slap_sasl_bind: rc=0
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
    Oct 19 08:59:17 ldap-server slapd[1464]:  16r
    Oct 19 08:59:17 ldap-server slapd[1464]: 
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: read active on 16
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16)
    Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16): got connid=1001
    Oct 19 08:59:17 ldap-server slapd[1464]: connection_read(16): checking for input on id=1001
    Oct 19 08:59:17 ldap-server slapd[1464]: op tag 0x66, time 1539932357
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 do_modify
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 do_modify: dn (cn=config)
    Oct 19 08:59:17 ldap-server slapd[1464]: >>> dnPrettyNormal: <cn=config>
    Oct 19 08:59:17 ldap-server slapd[1464]: <<< dnPrettyNormal: <cn=config>, <cn=config>
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 modifications:
    Oct 19 08:59:17 ldap-server slapd[1464]: #011add: olcTLSCACertificateFile
    Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 33
    Oct 19 08:59:17 ldap-server slapd[1464]: #011replace: olcTLSCertificateFile
    Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 35
    Oct 19 08:59:17 ldap-server slapd[1464]: #011replace: olcTLSCertificateKeyFile
    Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 35
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD dn="cn=config"
    Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCACertificateFile)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCACertificateFile
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCACertificateFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateFile)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access to "cn=config" "olcTLSCertificateFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateFile
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to all values by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: delete access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateFile)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateFile
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateKeyFile)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access to "cn=config" "olcTLSCertificateKeyFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateKeyFile
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to all values by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: delete access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateKeyFile)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCertificateKeyFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateKeyFile
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
    Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
    Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
    Oct 19 08:59:17 ldap-server slapd[1464]: slap_queue_csn: queueing 0x7f104bffc340 20181019065917.048487Z#000000#000#000000
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_required entry (cn=config), objectClass "olcGlobal"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "objectClass"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "cn"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcArgsFile"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcLogLevel"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcPidFile"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcToolThreads"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "structuralObjectClass"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "entryUUID"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "creatorsName"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "createTimestamp"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCACertificateFile"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCertificateFile"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCertificateKeyFile"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "entryCSN"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "modifiersName"
    Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "modifyTimestamp"
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
    Oct 19 08:59:17 ldap-server slapd[1464]: 
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
    Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero

Last but not least, here is my output of netstat -tulpan

    Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
    tcp   0      0      0.0.0.0:22     0.0.0.0:*        LISTEN  992/sshd
    tcp   0      0      0.0.0.0:636    0.0.0.0:*        LISTEN  1535/slapd
    tcp   0      0      0.0.0.0:389    0.0.0.0:*        LISTEN  1535/slapd

Update: I configured my ldap-client machine to use ldaps (before configuring ldaps everything worked fine over ldap on port 389)

  1. added the CA.crt from the ldap server and trusted it as described above
  2. changed /etc/ldap/ldap.conf and added the path to the newly trusted CA.crt
  3. changed /etc/ldap.conf to use ldaps and uncommented the ssl start_tls line
  4. changed the ldap uri after executing the command sudo dpkg-reconfigure ldap-auth-config

I rebooted the client machine and ran tcpdump on my ldap server, listening for all connections from the client's ip on the port range 389-636

    10:00:27.149772 IP ldap-client.52803 > ldap-server.ldaps: Flags [S], seq 1684570111, win 29200, options [mss 1460,sackOK,TS val 4294902186 ecr 0,nop,wscale 7], length 0
    10:00:27.149813 IP ldap-server.ldaps > ldap-client.52803: Flags [S.], seq 3586026827, ack 1684570112, win 28960, options [mss 1460,sackOK,TS val 1292850 ecr 4294902186,nop,wscale 7], length 0
    10:00:27.149924 IP ldap-client.52803 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902186 ecr 1292850], length 0
    10:00:27.151549 IP ldap-client.52803 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902186 ecr 1292850], length 117
    10:00:27.151567 IP ldap-server.ldaps > ldap-client.52803: Flags [.], ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902186], length 0
    10:00:27.151949 IP ldap-server.ldaps > ldap-client.52803: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902186], length 0
    10:00:27.152095 IP ldap-client.52803 > ldap-server.ldaps: Flags [.], ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
    10:00:27.152157 IP ldap-client.52803 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
    10:00:27.152174 IP ldap-server.ldaps > ldap-client.52803: Flags [.], ack 119, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
    10:00:27.152288 IP ldap-client.52804 > ldap-server.ldaps: Flags [S], seq 1697088540, win 29200, options [mss 1460,sackOK,TS val 4294902187 ecr 0,nop,wscale 7], length 0
    10:00:27.152305 IP ldap-server.ldaps > ldap-client.52804: Flags [S.], seq 2792459463, ack 1697088541, win 28960, options [mss 1460,sackOK,TS val 1292850 ecr 4294902187,nop,wscale 7], length 0
    10:00:27.152360 IP ldap-client.52804 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
    10:00:27.152502 IP ldap-client.52804 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 117
    10:00:27.152512 IP ldap-server.ldaps > ldap-client.52804: Flags [.], ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
    10:00:27.152909 IP ldap-server.ldaps > ldap-client.52804: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
    10:00:27.152998 IP ldap-client.52804 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
    10:00:27.153010 IP ldap-server.ldaps > ldap-client.52804: Flags [.], ack 119, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
    10:00:28.153396 IP ldap-client.52805 > ldap-server.ldaps: Flags [S], seq 592612370, win 29200, options [mss 1460,sackOK,TS val 4294902437 ecr 0,nop,wscale 7], length 0
    10:00:28.153437 IP ldap-server.ldaps > ldap-client.52805: Flags [S.], seq 1983710944, ack 592612371, win 28960, options [mss 1460,sackOK,TS val 1293101 ecr 4294902437,nop,wscale 7], length 0
    10:00:28.153580 IP ldap-client.52805 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 0
    10:00:28.153759 IP ldap-client.52805 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 117
    10:00:28.153767 IP ldap-server.ldaps > ldap-client.52805: Flags [.], ack 118, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
    10:00:28.154285 IP ldap-server.ldaps > ldap-client.52805: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
    10:00:28.154413 IP ldap-client.52805 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 0
    10:00:28.154423 IP ldap-server.ldaps > ldap-client.52805: Flags [.], ack 119, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
    ^C
    513 packets captured
    513 packets received by filter
    0 packets dropped by kernel
    61 packets dropped by interface

I hope someone recognises my problem and can help me :) Greetings, Tabby
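Added example (editor's addition, not code from the question or the answers): a small Python triage script for the syslog excerpt above. It uses only the standard library; the sample lines are constructed from the excerpt (the kernel segfault line is copied from it, the others are representative). It shows why the log is not as clean as it looks: a slapd thread (tid 1468, not the main pid 1464 that slapd's own lines carry) faulted with a user-mode read of an unmapped address inside libgmp, which on Ubuntu is pulled in through GnuTLS, the TLS library slapd is built with there, in the same second the cn=config MOD for the three olcTLS* attributes was logged. Because slapd is multithreaded, log order is not causal order, so the script correlates by timestamp rather than by adjacent lines.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the syslog excerpt in the question
# (the kernel line is copied from it; the slapd lines are representative).
SAMPLE_SYSLOG = """\
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
Oct 19 08:59:17 ldap-server slapd[1464]: send_ldap_response: msgid=1 tag=97 err=0
Oct 19 08:59:17 ldap-server kernel: [ 1801.480222] slapd[1468]: segfault at 35 ip 00007f1093e55360 sp 00007f104bffc268 error 4 in libgmp.so.10.3.0[7f1093e41000+7f000]
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 RESULT tag=97 err=0 text=
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD dn="cn=config"
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
"""

# Shape of the kernel's x86 segfault report: comm[tid]: segfault at ADDR ip IP sp SP error CODE in OBJ[BASE+SIZE]
SEGFAULT_RE = re.compile(
    r"kernel: \[\s*(?P<uptime>[\d.]+)\] (?P<comm>[^\[\s]+)\[(?P<tid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<code>\d+) in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
# slapd's "MOD attr=" line lists every attribute a modify request touched.
MOD_ATTR_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) MOD attr=(?P<attrs>.+)$")


def describe_fault(code: int) -> str:
    """Decode the page-fault error code bits the kernel prints after 'error'."""
    cause = "protection violation" if code & 1 else "unmapped address"
    access = "write" if code & 2 else "read"
    mode = "user-mode" if code & 4 else "kernel-mode"
    return f"{mode} {access}, {cause}"


def parse_segfault(line: str) -> Optional[Dict]:
    """Return the structured fault, or None if the line is not a segfault report."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    ip, base = int(m["ip"], 16), int(m["base"], 16)
    return {
        "comm": m["comm"],
        "tid": int(m["tid"]),       # thread id; worker threads differ from the slapd[] pid
        "addr": int(m["addr"], 16),
        "obj": m["obj"],            # shared object the faulting instruction lives in
        "offset": ip - base,        # ip relative to the mapping base, usable with addr2line
        "cause": describe_fault(int(m["code"])),
    }


def find_slapd_crashes(text: str) -> List[Dict]:
    """Find slapd segfaults and attach the attributes modified in the same
    second, so the crash can be tied to the request that triggered it."""
    lines = text.splitlines()
    crashes = []
    for i, line in enumerate(lines):
        fault = parse_segfault(line)
        if not fault or fault["comm"] != "slapd":
            continue
        stamp = line[:15]  # classic syslog timestamp, e.g. "Oct 19 08:59:17"
        attrs: List[str] = []
        for other in lines:
            m = MOD_ATTR_RE.search(other)
            if m and other[:15] == stamp:
                attrs.extend(m["attrs"].split())
        fault["line_no"] = i + 1
        fault["mods_same_second"] = attrs
        crashes.append(fault)
    return crashes


if __name__ == "__main__":
    for c in find_slapd_crashes(SAMPLE_SYSLOG):
        print(f"line {c['line_no']}: slapd tid {c['tid']} crashed in {c['obj']}+0x{c['offset']:x} "
              f"({c['cause']}); modified in the same second: {', '.join(c['mods_same_second'])}")
```

Run it over a real /var/log/syslog by replacing SAMPLE_SYSLOG with the file contents; the offset it prints is what you would feed to addr2line or a debugger against the named library, and a non-empty "modified in the same second" list is the strongest hint that the crash came from loading the newly configured files.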

Answer 1

This is not a real answer, but I'm missing 50 reputation points to add a comment:

You might get more insight into the error if you debug from the client side with:

    ldapsearch -x -LLL -ZZ -d 1

I suspect this could reveal something about certificate errors. Also, since you're on Ubuntu, append the following to the AppArmor profile for slapd to make sure AppArmor doesn't block access to the certificates in /etc/ldap/ssl/files:

  /etc/ldap/ssl/files/ r,
  /etc/ldap/ssl/files/* r,

You can check for AppArmor errors with journalctl -xaeu apparmor

You can check whether the openldap user can actually read the files needed for authentication with the following command:

    sudo -u openldap head -1 /etc/ldap/ssl/files/*

Also, you should never use LDAPS but rather LDAP+STARTTLS, as per Best Practices in LDAP Security by Andrew Findlay.

Also, please try to put 4 spaces in front of text you want displayed in monospace, to make your post more readable.
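Added example (editor's addition, not from this answer): what the `sudo -u openldap head -1 ...` check above decides, written out as the POSIX permission rule in Python, plus the one thing `head` does not tell you: whether the private key is readable by everyone. The sample records are constructed (uid/gid 999 stands in for the openldap account; the paths are the question's); `service_identity` and `stat_files` are the hooks for running it against a real host. It models discretionary permissions only; AppArmor is a separate layer and can still deny a file this code reports as readable.

```python
import grp
import os
import pwd
import stat
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class FileInfo:
    path: str
    mode: int  # permission bits only, e.g. 0o640
    uid: int
    gid: int


def can_read(f: FileInfo, uid: int, gids: Set[int]) -> bool:
    """POSIX discretionary access: exactly one class applies. If the process
    owns the file only the owner bits count, even when group/other bits would
    allow more; otherwise the group bits, otherwise the other bits."""
    if uid == 0:
        return True  # root bypasses mode bits (not AppArmor)
    if f.uid == uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def audit(files: List[FileInfo], uid: int, gids: Set[int]) -> Dict[str, str]:
    """Classify each file as 'ok', 'unreadable' (slapd cannot load it) or
    'key-world-readable' (loads fine, but the private key is exposed)."""
    result = {}
    for f in files:
        if not can_read(f, uid, gids):
            result[f.path] = "unreadable"
        elif f.path.endswith(".key") and f.mode & stat.S_IROTH:
            result[f.path] = "key-world-readable"
        else:
            result[f.path] = "ok"
    return result


def service_identity(user: str = "openldap") -> Tuple[int, Set[int]]:
    """Resolve a service account's uid and all of its group ids on a real host."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def stat_files(paths: List[str]) -> List[FileInfo]:
    """Build FileInfo records from the filesystem (real-host use)."""
    out = []
    for p in paths:
        st = os.stat(p)
        out.append(FileInfo(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return out


# Constructed sample: the question's three files with mistakes that commonly
# follow a "cp as root" step. 999 is a stand-in for the openldap uid/gid.
OPENLDAP_UID, OPENLDAP_GIDS = 999, {999}
SAMPLE_FILES = [
    FileInfo("/etc/ldap/ssl/files/ca.crt", 0o644, 0, 0),        # root-owned, world-readable: fine for a CA cert
    FileInfo("/etc/ldap/ssl/files/ldap.crt", 0o640, 0, 0),      # root:root 0640: openldap cannot read it
    FileInfo("/etc/ldap/ssl/files/ldap.key", 0o644, 999, 999),  # owned by openldap, but anyone can read the key
]

if __name__ == "__main__":
    for path, status in audit(SAMPLE_FILES, OPENLDAP_UID, OPENLDAP_GIDS).items():
        print(f"{status:20} {path}")
```

On a real server replace the sample with `audit(stat_files([...]), *service_identity("openldap"))`; a key reported as `key-world-readable` should be tightened to 0600 or 0640 owned by the service account, which keeps slapd able to load it.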

Answer 2

Finally I got it working. I found the answer in this blog https://web.archive.org/web/20150530064010/http://rogermoffatt.com/2011/08/24/ubuntu-openldap-with-ssltls/

After creating the 2 .pem files for key and certificate I followed the blog, changed the ownership of the .pem files and created the ldif file.

Also I added the certificate to the trusted certificates and added the path to /etc/ldap/ldap.conf, and added a new line TLS_REQCERT never there.

On the client I copied the certificate.pem and converted it to a .crt file, then I added both files to the trusted certificates and updated them.

I uncommented the ssl start_tls and ssl on lines in /etc/ldap.conf and set the uri from ldap:// to ldaps:// in the same file.

For users who fetch ssh keys from the ldap server with an ssh script, the uri in the script needs to be adjusted.

That's it!
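Added example (editor's addition, not from this answer or the blog it cites): a checker for the client-side ldap.conf settings described above. The two configurations are constructed; WEAK_CONF mirrors the combination in the answer (an ldaps URI plus `TLS_REQCERT never`), HARDENED_CONF keeps the same CA path and URI with `TLS_REQCERT demand`, which is also OpenLDAP's default when the keyword is absent. The base DN and hostname are placeholders. With `never` the session is still encrypted, but any certificate is accepted, so the server is not authenticated and the trust anchor installed with update-ca-certificates is never consulted.

```python
from typing import Dict, List, Tuple

# Constructed samples; dc=example,dc=com and ldap-server are placeholders.
WEAK_CONF = """\
BASE    dc=example,dc=com
URI     ldaps://ldap-server
TLS_CACERT  /usr/local/share/ca-certificates/ca.crt
TLS_REQCERT never      # accepts any certificate
"""

HARDENED_CONF = """\
BASE    dc=example,dc=com
URI     ldaps://ldap-server
TLS_CACERT  /usr/local/share/ca-certificates/ca.crt
TLS_REQCERT demand     # the default; the server must present a valid chain
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf holds one 'KEYWORD value' per line; '#' starts a comment,
    keywords are case-insensitive, and a later line overrides an earlier one."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, problem) pairs for settings that weaken server
    authentication on the client."""
    conf = parse_ldap_conf(text)
    findings: List[Tuple[str, str]] = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # OpenLDAP default is demand
    if reqcert in ("never", "allow"):
        findings.append(("TLS_REQCERT",
                         f"'{reqcert}' accepts any server certificate: encrypted, but the peer is not authenticated"))
    elif reqcert == "try":
        findings.append(("TLS_REQCERT", "'try' tolerates a missing server certificate; prefer demand"))
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append(("TLS_CACERT", "no trust anchor configured; verification relies on the library default store"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit_ldap_conf(conf) or [("-", "no findings")]
        for keyword, problem in problems:
            print(f"{name:9} {keyword:12} {problem}")
```

The same keywords apply to /etc/ldap/ldap.conf on the server (where the answer placed the line) and to the per-user or libnss-ldap configuration on the client; `ldapsearch -ZZ` or `ldapsearch -H ldaps://...` with the hardened file is the quick way to confirm that the CA file is actually trusted rather than merely ignored.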
