我在使用 SSL 上的 LDAP 时遇到了一些问题。我为服务器和客户端生成了证书。验证没有问题:
openssl s_client -connect odps03:636 -showcerts -state -CAfile /etc/ssl/certs/cacert.pem
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 CN = Example Comapny
verify return:1
depth=0 CN = odps03, O = Example Comapny
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
---
Certificate chain
0 s:CN = odps03, O = Example Comapny
i:CN = Example Comapny
-----BEGIN CERTIFICATE-----
MIIDZDCCAcygAwIBAgIMXSR3ljZZEpjKqMTvMA0GCSqGSIb3DQEBCwUAMC8xLTAr
BgNVBAMTJFBHTmlHIE9EIE9icm90IERldGFsaWN6bnkgU3AuIHogby5vLjAeFw0x
OTA3MDkxMTE2MzhaFw0yMDA3MDgxMTE2MzhaMD0xDzANBgNVBAMTBm9kcHMwMzEq
MCgGA1UEChMhUEdOaUcgT2Jyb3QgRGV0YWxpY3pueSBTcC4geiBvLm8uMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/WXWNYXoTjwU5ZkNo9wjWf0OqdlkB0fat
mlX3dx167mDPRI0yF5wIjh7uj1L6DTcjVTL8+p7EYS0Bf98AumTZVVBj7k9U2QZO
zeFThoc+SmabLqd92o3nrzBOwyEigBV18MZGr3IfmUgbRy6VseqU67a9BBhcl0+3
uGmXm1P0sQIDAQABo3YwdDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFC2dY36t5OaMfplyaljU8asy
qxupMB8GA1UdIwQYMBaAFHKlhTlGegvaf5tc7ierwq2cQDXlMA0GCSqGSIb3DQEB
CwUAA4IBgQAMdXt0aeLt6KwTAsWCre855+4aS26W67Dv27jXlKpyyTR+xAS567AO
wUXoPwVDAZ+XYgmO5h8guGQcfUI9imIpPCJUQJKSu6Fsz3/hSx+w5PnK9Tk3HMMs
ZeW4WLP1n7bOp8rJS7a3pQcW3yFzpffyq5LH4MP5dAEsKEaivyaOAEfuWJ348dRo
uqpPY4FcNlLc1HYIxfixwtf8XohdkRgEIrDi/QmPGfYsm76K3eFBPIHRtFhvBnmP
kRWGxeoInUgcWgns/G/WDwB2y3Fw5zcf0KYVdDvBFagBEAFc8JAJTyAYDVputX1I
KnsUXRY5/PqXflwWQnfb8kuRcxpOHtEtQN49gPpigmH+zpt7vN2UM0skaa0Fou88
X6i/kGVU8XPxEWLdP91HGjKVlw7cxADfj+O8CMAmjxqDOxInkX4uFXJHoxBHb9LQ
8O+C4WhGTvt66VQDxOXZ+wVCrS2TK0Ug8xKmaTpBQAhlCcNWMWoyW7EorbFxJedo
KrsPfZiWmHU=
-----END CERTIFICATE-----
1 s:CN = Example Comapny
i:CN = Example Comapny
-----BEGIN CERTIFICATE-----
MIIEJzCCAo+gAwIBAgIMW/Z8+RnPzxfpb3SDMA0GCSqGSIb3DQEBCwUAMC8xLTAr
BgNVBAMTJFBHTmlHIE9EIE9icm90IERldGFsaWN6bnkgU3AuIHogby5vLjAeFw0x
ODExMjIwOTU1MDVaFw0xOTExMjIwOTU1MDVaMC8xLTArBgNVBAMTJFBHTmlHIE9E
IE9icm90IERldGFsaWN6bnkgU3AuIHogby5vLjCCAaIwDQYJKoZIhvcNAQEBBQAD
ggGPADCCAYoCggGBANypN6Uq9ol8MULj0ErS1Pii8/GLTUcjXJW6zaS/VTl7dUiG
dl+am2IQSozVIIfnvtoSrCIjebQm2PcW82Cprq9vz7p4rivHO2HQ3WjvSDmXBI1G
7tFe4xnrZYOscvoaf4IRc0okOQgI8h2B9rJWyppB6qFW55QRUStvhrW7EgVqWrWF
5NCtBMG2ThjO3nXOWbv8ApXklp3lW/JU1yf7H+XvHgjLs48QUyrsFElCS+Ve0Kve
lSYaZccqhGbLGROTPO02boiIoT7kfMPykjV/h9B9oxAUw4lP1degk74k/MVML68U
OBbY8uaO6SktxvLVQhmnk/u7jmF2qdMNy7H0magjEies/ctqd+QV7OP3rUxpAQsO
K/PtWqtqiSt/ppeMbAvSzR5wsv1W0z1rW/EZHzaNKU5XkWfhJ9apeCRRR3niExk/
d57F1PofgK5ZsV6TOx9kfdVBlVtxroRoKEa7fCTKFq5XtX617W7sbuE3LpUtsdcN
ifYJ1RU/Ta2/SGQWOQIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB
/wQFAwMHBAAwHQYDVR0OBBYEFHKlhTlGegvaf5tc7ierwq2cQDXlMA0GCSqGSIb3
DQEBCwUAA4IBgQBy0fuBros12hM/16tlyqMXWQp9yeZ7rBCVXR1Rr9NVhLOK2Pny
29LHrcXMxcWTtgqrmmozgxLPZ0rNwNQtBO3KF1plKHjD9HkQbVK26ghW0+oKb7qA
TlWvF3bqmbQg2zaECaFGkadWuNKwgbdUi3JuIsL7Zy0JJp6a2P/wqzjV2io06vqB
5yWVoiyMvakR7qKyz8VKmFobmWfHrzvXW6Igl4x9KUZCn8SbcmX7wbNqTHEt7I04
jbjkH+/PusIifi581N26Od7mW1gq37nKJl5J1Rm5IgrwRS14nzSnX7oOyUwIad67
GkE0AhHTi2FHqKru0GyH9XIPFdWt0oY3mqdJxnVJQ+m6woyNu48kV5UeIMbqZoJ3
Qzgo+XAjqMtulh7tJnyQ6NkebRpAcbQNJAl/ojIeK6wQtxh7SLrLE6dV8052Hwhz
FuxcECpGMosPyrARDplgMQWpa0iL9cgMI2nZCDDXtevqDQHIKNYOeMabRaLY0pyn
B0L3Zy0ccHc4u7o=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = odps03, O = Example Comapny
issuer=CN = Example Comapny
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2323 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: F2623A750CED893A63D3342B002F4AD963198DCA19BFC9740E0C4B6FD473BAE8
Session-ID-ctx:
Master-Key: B86C77D94565AC82396FAB12648AC5ACF4A0F707506C09DD7D8EE7A7D8ED61870E33E0C858A43DFCB219F78FEB388D9D
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1562933947
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
但是当我尝试使用连接时,ldapsearch
我收到一个指定的错误:
ldapsearch -Z -H "ldaps://odps03:636" -D "cn=admin,dc=od,dc=pgnig,dc=pl" -d-1 "givenName=*"
ldap_url_parse_ext(ldaps://odps03:636)
ldap_create
ldap_url_parse_ext(ldaps://odps03:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP odps03:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.66.64.11:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
我查看并尝试了很多方法来解决问题,但谷歌显示的方法都不起作用。
答案1
我自己修复了这个问题。也许有人想更好地调试类似的问题,所以:
我首先使用以下方法开始低级调试:
gdb ldapsearch
set args -Z -LLL -H "ldaps://odps03:636" -D "cn=admin,dc=example.com" -b "cn=Users,dc=example,dc=com" -d -1 -W
run
这是返回代码:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[Inferior 1 (process 4388) exited with code 0377]
但这无助于发现问题,因此下一步我使用:
strace -f -o /tmp/lddapsearch.log ldapsearch -x -Z -H "ldaps://odps03:636" -D "cn=admin,dc=example,dc=com" -b "cn=Users,dc=example,dc=com" -d-1 -W
这非常有帮助。在日志文件中最重要的是:
12773 openat(AT_FDCWD, "/etc/ssl/certs/cacert.pem #ca-certificate.crt", O_RDONLY) = 2
这意味着导入 RootCert 时出错,因为不幸的是我使用 # 来注释,但 DP 实用程序读取了一行。