问题
当我运行 ldapsearch 时,调试输出显示连接已建立(connect success),随后却出现错误“无法联系 LDAP 服务器 (-1)”
ldapsearch -x -H ldap://localhost:636 -d 1 -ZZ
无法联系 LDAP 服务器 (-1)
ldap_url_parse_ext(ldap://localhost:636)
ldap_create
ldap_url_parse_ext(ldap://localhost:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x55a5634972a0 msgid 1
wait4msg ld 0x55a5634972a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x55a5634972a0 msgid 1 all 1
** ld 0x55a5634972a0 Connections:
* host: localhost port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jun 4 04:39:35 2020
** ld 0x55a5634972a0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x55a5634972a0 request count 1 (abandoned 0)
** ld 0x55a5634972a0 Response Queue:
Empty
ld 0x55a5634972a0 response count 0
ldap_chkResponseList ld 0x55a5634972a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x55a5634972a0 NULL
ldap_int_select
read1msg: ld 0x55a5634972a0 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
- 我已经尝试过 ldap:// 和 ldaps://
- 重新创建密钥,如下所示,既作为 CA,又用于签署服务器密钥。我尝试添加 CA 密钥和服务器密钥,两者的通用名称均与 LDAP 服务器的主机名匹配。
我已按照另一个类似问题(“有些系统无法通过 ldaps 连接到 ldap,但其他系统可以,这是通配符证书的问题吗?”)中建议的解决方案进行了尝试。
- 我正在运行并连接到 Ubuntu 18.04.4 的 docker 容器
证书
创建密钥(分别尝试过带 -des3 和不带 -des3)
openssl genrsa -des3 -out root.key 4096
创建证书签名请求(不设置口令)。
openssl req -new -days 365 -key root.key -out root.csr
自签名证书
openssl x509 -in root.csr -req -signkey root.key -out root.crt -days 365
在 Dockerfile 中添加证书并指定存放路径
sudo dpkg-reconfigure ca-certificates
运行服务器时,这些密钥文件会正确出现在服务器的证书目录中。
文件
Dockerfile
# Builds on the osixia/openldap 1.3.0 image; bootstrap config, certificates and
# environment overrides are copied into the image at build time.
FROM osixia/openldap:1.3.0
MAINTAINER [email protected]
# Bootstrap files for the slapd service configuration.
ADD bootstrap /container/service/slapd/assets/config/bootstrap
# NOTE(review): everything in ./certs — per the text above, the private key as
# well — ends up in an image layer, so anyone who can pull the image can read
# the key. docker-compose also mounts the named volume ldap_cert on this same
# path; once that volume exists it shadows the image copy, so rebuilding the
# image does not refresh the certs until the volume is recreated.
ADD certs /container/service/slapd/assets/certs
# Custom environment files for the container's startup tooling.
ADD environment /container/environment/01-custom
我已经创建了自己的密钥,并在构建镜像时将证书复制到了证书目录中。
docker-compose.yaml
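version: '3'
services:
  ldap_jtc:
    build: ./build
    # NOTE(review): tagging the locally built image with the upstream name
    # overwrites the pulled osixia/openldap:1.3.0 tag (see "Successfully
    # tagged" in the build log); a distinct image name keeps them apart.
    image: osixia/openldap:1.3.0
    container_name: ldap_jtc
    command: --loglevel debug --copy-service
    # NOTE(review): the environment dump in the startup log shows different
    # values (ldap_jtc.crt, ldap_jtc.key, root_jtc.crt, verify_client demand,
    # a .csr used as DH-param file) than this file sets — confirm which
    # environment source is actually being applied.
    environment:
      LDAP_LOG_LEVEL: 256
      LDAP_ORGANISATION: "JTC Ltd"
      LDAP_DOMAIN: ldap_jtc
      LDAP_BASE_DN: ldap_jtc
      # Placeholder credentials in a plain-text file; the container also prints
      # them in its startup environment dump, so replace them before real use.
      LDAP_ADMIN_PASSWORD: admin
      LDAP_CONFIG_PASSWORD: config
      LDAP_READONLY_USER: "false"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: mdb
      # With LDAP_TLS "false" TLS is not set up, so the LDAP_TLS_* entries below
      # have no effect and — judging by the "Connection refused" on
      # 127.0.0.1:636 from inside the container — nothing listens on 636.
      LDAP_TLS: "false"
      # Server cert, server key and CA cert all point at the same self-signed
      # root pair created above (root.crt / root.key).
      LDAP_TLS_CRT_FILENAME: root.crt
      LDAP_TLS_KEY_FILENAME: root.key
      LDAP_TLS_CA_CRT_FILENAME: root.crt
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_PROTOCOL_MIN: 3.1
      LDAP_TLS_VERIFY_CLIENT: try
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: ldap
    tty: true
    stdin_open: true
    volumes:
      - "ldap_data:/var/lib/ldap"
      - "ldap_conf:/etc/ldap/slapd.d"
      # Shadows the certs copied in by the Dockerfile once the volume exists.
      - "ldap_cert:/container/service/slapd/assets/certs/"
    # Both ports are published on every host interface; with TLS off, 389
    # carries simple binds (including the admin password) in plaintext.
    ports:
      - "389:389"
      - "636:636"
    domainname: "ldap_jtc" # important: same as hostname
    hostname: "ldap_jtc"
volumes:
  ldap_data:
  ldap_conf:
  ldap_cert: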
故障排除
调试 Docker Compose 的构建与运行
运行之前:
- 已删除容器、镜像和卷。
- 在 docker-compose 中通过 command 设置了调试输出和复制服务:--loglevel debug --copy-service
输入
docker-compose up --build
输出
Creating volume "ldap_ldap_conf" with default driver
Creating volume "ldap_ldap_cert" with default driver
Creating volume "ldap_ldap_data" with default driver
Building ldap_jtc
Step 1/5 : FROM osixia/openldap:1.3.0
1.3.0: Pulling from osixia/openldap
8d691f585fa8: Pull complete
a5325a759667: Pull complete
21608ed88645: Pull complete
43c68a1f13be: Pull complete
24b4bb91f7a0: Pull complete
0e00059d443d: Pull complete
cb38955b6eb8: Pull complete
e930e18e9ac7: Pull complete
96d76b6db5da: Pull complete
Digest: sha256:66bf8dafc3c47a387dfa9d87425acab96acd8a3f2a62a8f6393584c27777cb41
Status: Downloaded newer image for osixia/openldap:1.3.0
---> faac9bb59f83
Step 2/5 : MAINTAINER [email protected]
---> Running in 59d607b56ded
Removing intermediate container 59d607b56ded
---> 7645d9e22e7a
Step 3/5 : ADD bootstrap /container/service/slapd/assets/config/bootstrap
---> f663d14466cb
Step 4/5 : ADD certs /container/service/slapd/assets/certs
---> de1da8d9d6f0
Step 5/5 : ADD environment /container/environment/01-custom
---> 2426482381ee
Successfully built 2426482381ee
Successfully tagged osixia/openldap:1.3.0
Creating ldap_jtc ...
Creating ldap_jtc ... done
Attaching to ldap_jtc
ldap_jtc | *** CONTAINER_LOG_LEVEL = 4 (debug)
ldap_jtc | *** Copy /container/service to /container/run/service
ldap_jtc | *** Search service in CONTAINER_SERVICE_DIR = /container/run/service :
ldap_jtc | *** link /container/run/service/:ssl-tools/startup.sh to /container/run/startup/:ssl-tools
ldap_jtc | *** link /container/run/service/slapd/startup.sh to /container/run/startup/slapd
ldap_jtc | *** link /container/run/service/slapd/process.sh to /container/run/process/slapd/run
ldap_jtc | *** Set environment for startup files
ldap_jtc | *** ignore : LANG = en_US.UTF-8 (keep LANG = en_US.UTF-8 )
ldap_jtc | *** ignore : LANGUAGE = en_US.UTF-8 (keep LANGUAGE = en_US:en )
ldap_jtc | *** Environment files will be proccessed in this order :
ldap_jtc | Caution: previously defined variables will not be overriden.
ldap_jtc | /container/environment/99-default/default.startup.yaml
ldap_jtc | /container/environment/99-default/default.yaml
ldap_jtc |
ldap_jtc | *** --- process file : /container/environment/99-default/default.startup.yaml ---
ldap_jtc | *** ignore : LDAP_ORGANISATION = Example Inc. (keep LDAP_ORGANISATION = JTC Ltd )
ldap_jtc | *** ignore : LDAP_DOMAIN = example.org (keep LDAP_DOMAIN = ldap_jtc )
ldap_jtc | *** ignore : LDAP_BASE_DN = (keep LDAP_BASE_DN = ldap_jtc )
ldap_jtc | *** ignore : LDAP_ADMIN_PASSWORD = admin (keep LDAP_ADMIN_PASSWORD = admin )
ldap_jtc | *** ignore : LDAP_CONFIG_PASSWORD = config (keep LDAP_CONFIG_PASSWORD = config )
ldap_jtc | *** ignore : LDAP_READONLY_USER = False (keep LDAP_READONLY_USER = false )
ldap_jtc | *** ignore : LDAP_RFC2307BIS_SCHEMA = False (keep LDAP_RFC2307BIS_SCHEMA = false )
ldap_jtc | *** ignore : LDAP_BACKEND = mdb (keep LDAP_BACKEND = mdb )
ldap_jtc | *** ignore : LDAP_TLS = True (keep LDAP_TLS = false )
ldap_jtc | *** ignore : LDAP_TLS_CRT_FILENAME = ldap.crt (keep LDAP_TLS_CRT_FILENAME = ldap_jtc.crt )
ldap_jtc | *** ignore : LDAP_TLS_KEY_FILENAME = ldap.key (keep LDAP_TLS_KEY_FILENAME = ldap_jtc.key )
ldap_jtc | *** ignore : LDAP_TLS_DH_PARAM_FILENAME = dhparam.pem (keep LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr )
ldap_jtc | *** ignore : LDAP_TLS_CA_CRT_FILENAME = ca.crt (keep LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt )
ldap_jtc | *** ignore : LDAP_TLS_ENFORCE = False (keep LDAP_TLS_ENFORCE = false )
ldap_jtc | *** ignore : LDAP_TLS_CIPHER_SUITE = SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC (keep LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0 )
ldap_jtc | *** ignore : LDAP_TLS_VERIFY_CLIENT = demand (keep LDAP_TLS_VERIFY_CLIENT = demand )
ldap_jtc | *** ignore : LDAP_REPLICATION = False (keep LDAP_REPLICATION = false )
ldap_jtc | *** ignore : KEEP_EXISTING_CONFIG = False (keep KEEP_EXISTING_CONFIG = false )
ldap_jtc | *** ignore : LDAP_REMOVE_CONFIG_AFTER_SETUP = True (keep LDAP_REMOVE_CONFIG_AFTER_SETUP = true )
ldap_jtc | *** ignore : LDAP_SSL_HELPER_PREFIX = ldap (keep LDAP_SSL_HELPER_PREFIX = ldap )
ldap_jtc | *** --- process file : /container/environment/99-default/default.yaml ---
ldap_jtc | *** ignore : LDAP_LOG_LEVEL = 256 (keep LDAP_LOG_LEVEL = 256 )
ldap_jtc | *** Run commands before startup...
ldap_jtc | *** Running /container/run/startup/:ssl-tools...
ldap_jtc | *** ------------ Environment dump ------------
ldap_jtc | *** PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ldap_jtc | *** HOSTNAME = ldap_jtc
ldap_jtc | *** TERM = xterm
ldap_jtc | *** LDAP_LOG_LEVEL = 256
ldap_jtc | *** LDAP_REPLICATION = false
ldap_jtc | *** LDAP_TLS_VERIFY_CLIENT = demand
ldap_jtc | *** LDAP_TLS_CRT_FILENAME = ldap_jtc.crt
ldap_jtc | *** LDAP_TLS = false
ldap_jtc | *** LDAP_TLS_PROTOCOL_MIN = 3.1
ldap_jtc | *** LDAP_ORGANISATION = JTC Ltd
ldap_jtc | *** LDAP_ADMIN_PASSWORD = admin
ldap_jtc | *** LDAP_DOMAIN = ldap_jtc
ldap_jtc | *** LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr
ldap_jtc | *** KEEP_EXISTING_CONFIG = false
ldap_jtc | *** LDAP_SSL_HELPER_PREFIX = ldap
ldap_jtc | *** LDAP_BASE_DN = ldap_jtc
ldap_jtc | *** LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt
ldap_jtc | *** LDAP_TLS_ENFORCE = false
ldap_jtc | *** LDAP_READONLY_USER = false
ldap_jtc | *** LDAP_TLS_KEY_FILENAME = ldap_jtc.key
ldap_jtc | *** LDAP_CONFIG_PASSWORD = config
ldap_jtc | *** LDAP_REMOVE_CONFIG_AFTER_SETUP = true
ldap_jtc | *** LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0
ldap_jtc | *** LDAP_BACKEND = mdb
ldap_jtc | *** LDAP_RFC2307BIS_SCHEMA = false
ldap_jtc | *** LANG = en_US.UTF-8
ldap_jtc | *** LANGUAGE = en_US:en
ldap_jtc | *** LC_ALL = en_US.UTF-8
ldap_jtc | *** HOME = /root
ldap_jtc | *** CONTAINER_SERVICE_DIR = /container/run/service
ldap_jtc | *** CONTAINER_STATE_DIR = /container/run/state
ldap_jtc | *** CONTAINER_LOG_LEVEL = 4
ldap_jtc | *** INITRD = no
ldap_jtc | *** LC_CTYPE = en_US.UTF-8
ldap_jtc | *** LDAP_READONLY_USER_USERNAME = readonly
ldap_jtc | *** LDAP_READONLY_USER_PASSWORD = readonly
ldap_jtc | *** LDAP_REPLICATION_CONFIG_SYNCPROV = binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
ldap_jtc | *** LDAP_REPLICATION_DB_SYNCPROV = binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
ldap_jtc | *** LDAP_REPLICATION_HOSTS = #COMPLEX_BASH_ENV:TABLE: LDAP_REPLICATION_HOSTS_ROW_1 LDAP_REPLICATION_HOSTS_ROW_2
ldap_jtc | *** SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED = slapd
ldap_jtc | *** LDAP_NOFILE = 1024
ldap_jtc | *** DISABLE_CHOWN = False
ldap_jtc | *** LDAP_REPLICATION_HOSTS_ROW_1 = ldap://ldap.example.org
ldap_jtc | *** LDAP_REPLICATION_HOSTS_ROW_2 = ldap://ldap2.example.org
ldap_jtc | *** ------------------------------------------
ldap_jtc | *** Running /container/run/startup/slapd...
ldap_jtc | *** ------------ Environment dump ------------
ldap_jtc | *** CONTAINER_LOG_LEVEL = 4
ldap_jtc | *** CONTAINER_SERVICE_DIR = /container/run/service
ldap_jtc | *** CONTAINER_STATE_DIR = /container/run/state
ldap_jtc | *** DISABLE_CHOWN = False
ldap_jtc | *** HOME = /root
ldap_jtc | *** HOSTNAME = ldap_jtc
ldap_jtc | *** INITRD = no
ldap_jtc | *** KEEP_EXISTING_CONFIG = false
ldap_jtc | *** LANG = en_US.UTF-8
ldap_jtc | *** LANGUAGE = en_US:en
ldap_jtc | *** LC_ALL = en_US.UTF-8
ldap_jtc | *** LC_CTYPE = en_US.UTF-8
ldap_jtc | *** LDAP_ADMIN_PASSWORD = admin
ldap_jtc | *** LDAP_BACKEND = mdb
ldap_jtc | *** LDAP_BASE_DN = ldap_jtc
ldap_jtc | *** LDAP_CONFIG_PASSWORD = config
ldap_jtc | *** LDAP_DOMAIN = ldap_jtc
ldap_jtc | *** LDAP_LOG_LEVEL = 256
ldap_jtc | *** LDAP_NOFILE = 1024
ldap_jtc | *** LDAP_ORGANISATION = JTC Ltd
ldap_jtc | *** LDAP_READONLY_USER = false
ldap_jtc | *** LDAP_READONLY_USER_PASSWORD = readonly
ldap_jtc | *** LDAP_READONLY_USER_USERNAME = readonly
ldap_jtc | *** LDAP_REMOVE_CONFIG_AFTER_SETUP = true
ldap_jtc | *** LDAP_REPLICATION = false
ldap_jtc | *** LDAP_REPLICATION_CONFIG_SYNCPROV = binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
ldap_jtc | *** LDAP_REPLICATION_DB_SYNCPROV = binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
ldap_jtc | *** LDAP_REPLICATION_HOSTS = #COMPLEX_BASH_ENV:TABLE: LDAP_REPLICATION_HOSTS_ROW_1 LDAP_REPLICATION_HOSTS_ROW_2
ldap_jtc | *** LDAP_REPLICATION_HOSTS_ROW_1 = ldap://ldap.example.org
ldap_jtc | *** LDAP_REPLICATION_HOSTS_ROW_2 = ldap://ldap2.example.org
ldap_jtc | *** LDAP_RFC2307BIS_SCHEMA = false
ldap_jtc | *** LDAP_SSL_HELPER_PREFIX = ldap
ldap_jtc | *** LDAP_TLS = false
ldap_jtc | *** LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt
ldap_jtc | *** LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0
ldap_jtc | *** LDAP_TLS_CRT_FILENAME = ldap_jtc.crt
ldap_jtc | *** LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr
ldap_jtc | *** LDAP_TLS_ENFORCE = false
ldap_jtc | *** LDAP_TLS_KEY_FILENAME = ldap_jtc.key
ldap_jtc | *** LDAP_TLS_PROTOCOL_MIN = 3.1
ldap_jtc | *** LDAP_TLS_VERIFY_CLIENT = demand
ldap_jtc | *** PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ldap_jtc | *** SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED = slapd
ldap_jtc | *** TERM = xterm
ldap_jtc | *** ------------------------------------------
ldap_jtc | Database and config directory are empty...
ldap_jtc | Init new ldap server...
显示证书
A. 从主机运行
输入
openssl s_client -showcerts -connect localhost:636
输出
CONNECTED(00000005)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 311 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
B. 从容器运行
输入
sudo docker exec -it ldap_jtc bash
在容器中运行:
root@ldap_jtc:/# openssl s_client -showcerts -connect 127.0.0.1:636
输出
139636822721664:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139636822721664:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111