最近我配置了我的 openldap 服务器以使用证书。但在此过程中也弄乱了不安全的端口。现在,身份验证对任何用户都不起作用。我正在使用 python-ldap 客户端来创建连接。
import ldap
import os
l = ldap.initialize('ldap://<ip>:1389')
l.set_option(ldap.OPT_REFERRALS, 0)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
l.simple_bind_s('uid=myuser,ou=People,ou=myorg,dc=my,dc=com', 'mypasspw')
我正在获取ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}所有用户的请求。
我以调试模式启动了 ldap 服务器,以下是日志。
6021594b connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
0000: 30 46 02 01 01 60 41 02 0F...`A.
ldap_read: want=64, got=64
0000: 01 03 04 32 75 69 64 3d 73 62 61 74 72 61 2c 6f ...2uid=myuser,o
0010: 75 3d 50 65 6f 70 6c 65 2c 6f 75 3d 62 6c 75 65 u=People,ou=myo
0020: 70 6c 61 6e 65 74 2c 64 63 3d 63 69 65 6e 61 2c rg,dc=my,
0030: 64 63 3d 63 6f 6d 80 08 73 62 61 74 72 61 70 77 dc=com..mypasspw
ber_get_next: tag 0x30 len 70 contents:
ber_dump: buf=0x7f5f1c2fe390 ptr=0x7f5f1c2fe390 end=0x7f5f1c2fe3d6 len=70
0000: 02 01 01 60 41 02 01 03 04 32 75 69 64 3d 73 62 ...`A....2uid=my
0010: 61 74 72 61 2c 6f 75 3d 50 65 6f 70 6c 65 2c 6f user,ou=People,o
0020: 75 3d 62 6c 75 65 70 6c 61 6e 65 74 2c 64 63 3d u=myorg,dc=
0030: 63 69 65 6e 61 2c 64 63 3d 63 6f 6d 80 08 73 62 my,dc=com..my
0040: 61 74 72 61 70 77 passpw
6021594b op tag 0x60, time 1612798283
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
6021594b conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f5f1c2fe390 ptr=0x7f5f1c2fe393 end=0x7f5f1c2fe3d6 len=67
0000: 60 41 02 01 03 04 32 75 69 64 3d 73 62 61 74 72 `A....2uid=myuse
6021594b daemon: activity on 1 descriptor
6021594b daemon: activity on:
6021594b daemon: epoll: listen=7 active_threads=0 tvp=zero
6021594b daemon: epoll: listen=8 active_threads=0 tvp=zero
0010: 61 2c 6f 75 3d 50 65 6f 70 6c 65 2c 6f 75 3d 62 a,ou=People,ou=
0020: 6c 75 65 70 6c 61 6e 65 74 2c 64 63 3d 63 69 65 myorg,dc=my
0030: 6e 61 2c 64 63 3d 63 6f 6d 80 08 73 62 61 74 72 ,dc=com..mypas
0040: 61 70 77 spw
ber_scanf fmt (m}) ber:
ber_dump: buf=0x7f5f1c2fe390 ptr=0x7f5f1c2fe3cc end=0x7f5f1c2fe3d6 len=10
0000: 00 08 73 62 61 74 72 61 70 77 ..mypasspw
6021594b >>> dnPrettyNormal: <uid=myuser,ou=People,ou=myorg,dc=my,dc=com>
=> ldap_bv2dn(uid=myuser,ou=People,ou=myorg,dc=my,dc=com,0)
<= ldap_bv2dn(uid=myuser,ou=People,ou=myorg,dc=my,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=myuser,ou=People,ou=myorg,dc=my,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=myuser,ou=people,ou=myorg,dc=my,dc=com)=0
6021594b <<< dnPrettyNormal: <uid=myuser,ou=People,ou=myorg,dc=my,dc=com>, <uid=myuser,ou=people,ou=myorg,dc=my,dc=com>
6021594b do_bind: version=3 dn="uid=myuser,ou=People,ou=myorg,dc=my,dc=com" method=128
6021594b ==> mdb_bind: dn: uid=myuser,ou=People,ou=myorg,dc=my,dc=com
6021594b mdb_dn2entry("uid=myuser,ou=people,ou=myorg,dc=my,dc=com")
6021594b => mdb_dn2id("uid=myuser,ou=people,ou=myorg,dc=my,dc=com")
6021594b <= mdb_dn2id: got id=0xb
6021594b => mdb_entry_decode:
6021594b <= mdb_entry_decode
6021594b => access_allowed: result not in cache (userPassword)
6021594b => access_allowed: auth access to "uid=myuser,ou=People,ou=myorg,dc=my,dc=com" "userPassword" requested
6021594b => dn: [1]
6021594b => dn: [2] cn=subschema
6021594b => acl_get: [3] attr userPassword
6021594b => acl_mask: access to entry "uid=myuser,ou=People,ou=myorg,dc=my,dc=com", attr "userPassword" requested
6021594b => acl_mask: to value by "", (=0)
6021594b <= check a_dn_pat: cn=webadm,dc=webadm
6021594b <= acl_mask: no more <who> clauses, returning =0 (stop)
6021594b => slap_access_allowed: auth access denied by =0
6021594b => access_allowed: no more rules
6021594b send_ldap_result: conn=1000 op=0 p=3
6021594b send_ldap_result: err=49 matched="" text=""
6021594b send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 12
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
^C6021594f daemon: shutdown requested and initiated.
6021594f daemon: closing 7
6021594f daemon: closing 8
6021594f connection_closing: readying conn=1000 sd=12 for close
6021594f connection_close: conn=1000 sd=12
6021594f daemon: removing 12
6021594f slapd shutdown: waiting for 0 operations/tasks to finish
6021594f slapd shutdown: initiated
6021594f slapd destroy: freeing system resources.
6021594f syncinfo_free: rid=011
6021594f slapd stopped.
我怀疑是某些东西不允许访问 userPassword,但我不知道是什么。我没有触碰 olcAccess 配置,它们是:
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * by dn="cn=webadm,dc=webADM" write
olcAccess: to * by self write by users read by anonymous auth
我可以在哪里进一步了解?现在有点不知所措。
答案1
首先,看起来你正在以明文形式通过网络发送密码。不要这样做。要么启动某种 TLSstarttls 或 LDAPS。
此外,dn.base=""和dn.base="cn=Subschema"通常由与您将应用 ACL 的后端不同的后端控制,因此您可能需要检查是否甚至需要放置它们的那些行。
对于您的实际问题:
OpenLDAP ACL 是先匹配即获胜的情况。此外,所有行都以隐含的 结尾by * none。因此,olcAccess: to * by dn="cn=webadm,dc=webADM" write实际上是olcAccess: to * by dn="cn=webadm,dc=webADM" write by * none,这意味着您的下一行永远不会被解析,因为您已经有一个匹配。(流控制可以改变情况,但您可能还不需要它。)
标准:
olcAccess: to *
by dn="cn=webadm,dc=webADM" write
by self write
by users read
by anonymous auth
流量控制:
olcAccess: to *
by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" write
by group.exact="cn=ldap-servers,ou=groups,dc=example,dc=com" read
by dn.exact="cn=webadm,ou=users,dc=example,dc=com" write
by * break
olcAccess: to attr=userPassword
by self write
by * auth
olcAccess: to attrs=member
by set="this/owner & this/owner/member* & user" write
by users read
olcAccess: to *
by self write
by users read
by anonymous auth
(是的,您可以将 webadm 作为 ldap-admins 的一部分,但实际上我对您正在做的事情或系统的范围有很多不了解的地方。我还以集合的最佳常用用法为例,以防万一。)