LDAPS + phpLDAPadmin on Ubuntu, can you see what I did wrong?

Ubuntu 20.04, OpenLDAP, phpLDAPadmin

I want to use LDAPS, LDAP over TLS, so that no connection can be established unless TLS is negotiated first, so I am not going down the STARTTLS route.

Although I can log in to phpLDAPadmin with the "admin" account, I know it is not using TLS, because phpLDAPadmin shows a big error message at the top of the page:

Could not start TLS. (My LDAP Server)
Error: Could not start TLS. Please check your LDAP server configuration.

LDAP hostname = DIR.MYDOMAIN.com (using the subdomain "dir" of mydomain)

When I run ldapsearch -H ldap://DIR.MYDOMAIN.com/ -b dc=DIR,dc=MYDOMAIN,dc=com -x, I get:

# extended LDIF
#
# LDAPv3
# base <dc=DIR,dc=MYDOMAIN,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# DIR.MYDOMAIN.com
dn: dc=DIR,dc=MYDOMAIN,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: myorg
dc: dir

# admin, DIR.MYDOMAIN.com
dn: cn=admin,dc=DIR,dc=MYDOMAIN,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

When I try to run the same command with LDAPS ("ldaps://DIR.MYDOMAIN.com"), it returns:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

When I run openssl s_client -connect DIR.MYDOMAIN.com:636, it returns:

write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 314 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

When I run LDAPTLS_CACERT=/etc/ldap/sasl2/cert1.pem ldapwhoami -H ldaps://DIR.MYDOMAIN.com -ZZ -x -d 1, I get:

ldap_url_parse_ext(ldaps://DIR.MYDOMAIN.com)
ldap_create
ldap_url_parse_ext(ldaps://DIR.MYDOMAIN.com:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DIR.MYDOMAIN.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying MY.SERVER.IP.ADDRESS:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS: can't connect: The TLS connection was non-properly terminated..
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: The TLS connection was non-properly terminated.

This is what my /etc/ldap/ldap.conf file looks like:

# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# TLS certificates (needed for GnuTLS)
TLS_REQCERT             demand

TLS_CACERT              /etc/letsencrypt/live/MYDOMAIN.COM/chain.pem
TLSCertificateFile      /etc/letsencrypt/live/MYDOMAIN.COM/cert.pem
TLSCertificateKeyFile   /etc/letsencrypt/live/MYDOMAIN.COM/privkey.pem
TLS_CIPHER_SUITE        ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN        3.3

BASE  dc=MYDOMAIN,dc=com
URI   ldapi://localhost  ldapi://127.0.0.1  ldaps://DIR.MYDOMAIN.com:636

SIZELIMIT       12
TIMELIMIT       15
#DEREF          never

The SSL certificates listed were requested from Let's Encrypt for the domain "DIR.MYDOMAIN.com", which I use as the hostname of the LDAP directory. I have just moved them from the /etc/letsencrypt/archive directory to the /etc/ldap/sasl2 directory.

Also, when I registered the certificate I entered "DIR.MYDOMAIN.com" as the CN (common name) so that it would match.

All the lines I have enabled in /etc/phpldapadmin/config.php are:

<?php

 * Useful important configuration overrides  *

#  $config->custom->debug['level'] = 255;
#  $config->custom->debug['syslog'] = true;
#  $config->custom->debug['file'] = '/tmp/pla_debug.log';
#  $config->custom->appearance['timezone'] = 'America/Chicago';

 * Appearance                                *

#  $config->custom->appearance['tree'] = 'HTMLTree';
#  $config->custom->appearance['hide_template_warning'] = true;
#  $config->custom->appearance['tree_height'] = 600;
#  $config->custom->appearance['tree_width'] = 250;

 * User-friendly attribute translation       *

$config->custom->appearance['friendly_attrs'] = array(
        'facsimileTelephoneNumber' => 'Fax',
        'gid'                      => 'Group',
        'mail'                     => 'Email',
        'telephoneNumber'          => 'Telephone',
        'uid'                      => 'User Name',
        'userPassword'             => 'Password'
);

 * Hidden attributes                         *

#  $config->custom->appearance['hide_attrs'] = array('objectClass');
#  $config->custom->appearance['hide_attrs_exempt'] = 'cn=PLA UnHide,ou=Groups,c=US';

 * Read-only attributes                      *

#  $config->custom->appearance['readonly_attrs_exempt'] = 'cn=PLA ReadWrite,ou=Groups,c=US';

 * Support for attrs display order           *

#  $config->custom->appearance['attr_display_order'] = array(
#   'givenName',
#   'sn',
#   'cn',
#   'displayName',
#   'uid',
#   'uidNumber',
#   'gidNumber',
#   'homeDirectory',
#   'mail',
#   'userPassword'
#  );

 * Define your LDAP servers in this section  *

$servers = new Datastore();

$servers->newServer('ldap_pla');
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','ldaps://DIR.MYDOMAIN.com');
$servers->setValue('server','port',636);
$servers->setValue('server','base',array('dc=DIR,dc=MYDOMAIN,dc=com'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','');
$servers->setValue('login','bind_pass','');
$servers->setValue('server','tls',true);

 *      SASL Authentication         *

#  $servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i');
#  $servers->setValue('sasl','authz_id_replacement','$1');
#  $servers->setValue('auto_number','search_base','ou=People,dc=DIR,dc=MYDOMAIN,dc=com');
$servers->setValue('login','anon_bind',false);
#  $servers->setValue('custom','pages_prefix','custom_');
#  $servers->setValue('login','timeout',30);
#  $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','passwordAllowChangeTime'));
#  $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
#  $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));

 * Unique attributes                         *

#  $servers->setValue('unique','attrs',array('mail','uid','uidNumber'));

?>

nmap localhost returns:

root@mail:~# nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-17 09:45 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
143/tcp   open  imap
389/tcp   open  ldap
443/tcp   open  https
465/tcp   open  smtps
587/tcp   open  submission
636/tcp   open  ldapssl
993/tcp   open  imaps
3306/tcp  open  mysql
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

netstat -lpn | grep 636 returns:

root@mail:~# netstat -lpn | grep 636
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      58496/slapd         
tcp6       0      0 :::636                  :::*                    LISTEN      58496/slapd

Netcat ldaphost:636 -vz returns:

root@mail:/etc/ldap/ldif-files# netcat 127.0.0.1 636 -vz
Connection to 127.0.0.1 636 port [tcp/ldaps] succeeded!

root@mail:/etc/ldap/ldif-files# netcat DIR.MYDOMAIN.com 636 -vz
Connection to DIR.MYDOMAIN.com 636 port [tcp/ldaps] succeeded!

ldapsearch -H ldaps://DIR.MYDOMAIN.com -D cn=admin,dc=DIR,dc=MYDOMAIN,dc=com -W -d 9 returns:

root@mail:/etc/ldap# ldapsearch -H ldaps://DIR.MYDOMAIN.com -D cn=admin,dc=DIR,dc=MYDOMAIN,dc=com -W -d 9
ldap_url_parse_ext(ldaps://DIR.MYDOMAIN.com)
ldap_create
ldap_url_parse_ext(ldaps://DIR.MYDOMAIN.com:636/??base)
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DIR.MYDOMAIN.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying MY.SERVER.IP.ADDRESS:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS: could not set cipher list ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -H ldap://DIR.MYDOMAIN.com -D cn=admin,dc=DIR,dc=MYDOMAIN,dc=com -W -d 9 returns:

root@mail:/etc/ldap# ldapsearch -H ldap://DIR.MYDOMAIN.com -D cn=admin,dc=DIR,dc=MYDOMAIN,dc=com -W -d 9
ldap_url_parse_ext(ldap://DIR.MYDOMAIN.com)
ldap_create
ldap_url_parse_ext(ldap://DIR.MYDOMAIN.com:389/??base)
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DIR.MYDOMAIN.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying MY.SERVER.IP.ADDRESS:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 76 bytes to sd 3
ldap_result ld 0x562bb7079c80 msgid 1
wait4msg ld 0x562bb7079c80 msgid 1 (infinite timeout)
wait4msg continue ld 0x562bb7079c80 msgid 1 all 1
** ld 0x562bb7079c80 Connections:
* host: DIR.MYDOMAIN.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon May 17 16:15:24 2021


** ld 0x562bb7079c80 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x562bb7079c80 request count 1 (abandoned 0)
** ld 0x562bb7079c80 Response Queue:
   Empty
  ld 0x562bb7079c80 response count 0
ldap_chkResponseList ld 0x562bb7079c80 msgid 1 all 1
ldap_chkResponseList returns ld 0x562bb7079c80 NULL
ldap_int_select
read1msg: ld 0x562bb7079c80 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x562bb7079c80 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x562bb7079c80 0 new referrals
read1msg:  mark request completed, ld 0x562bb7079c80 msgid 1
request done: ld 0x562bb7079c80 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=DIR,dc=MYDOMAIN,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 70 bytes to sd 3
ldap_result ld 0x562bb7079c80 msgid -1
wait4msg ld 0x562bb7079c80 msgid -1 (infinite timeout)
wait4msg continue ld 0x562bb7079c80 msgid -1 all 0
** ld 0x562bb7079c80 Connections:
* host: DIR.MYDOMAIN.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon May 17 16:15:24 2021


** ld 0x562bb7079c80 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x562bb7079c80 request count 1 (abandoned 0)
** ld 0x562bb7079c80 Response Queue:
   Empty
  ld 0x562bb7079c80 response count 0
ldap_chkResponseList ld 0x562bb7079c80 msgid -1 all 0
ldap_chkResponseList returns ld 0x562bb7079c80 NULL
ldap_int_select
read1msg: ld 0x562bb7079c80 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 122 contents:
read1msg: ld 0x562bb7079c80 msgid 2 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# DIR.MYDOMAIN.com
dn: dc=DIR,dc=MYDOMAIN,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: top
objectClass: dcObject
objectClass: organization
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
o: ORG
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
dc: dir
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x562bb7079c80 msgid -1
wait4msg ld 0x562bb7079c80 msgid -1 (infinite timeout)
wait4msg continue ld 0x562bb7079c80 msgid -1 all 0
** ld 0x562bb7079c80 Connections:
* host: DIR.MYDOMAIN.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon May 17 16:15:24 2021


** ld 0x562bb7079c80 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x562bb7079c80 request count 1 (abandoned 0)
** ld 0x562bb7079c80 Response Queue:
   Empty
  ld 0x562bb7079c80 response count 0
ldap_chkResponseList ld 0x562bb7079c80 msgid -1 all 0
ldap_chkResponseList returns ld 0x562bb7079c80 NULL
ldap_int_select
read1msg: ld 0x562bb7079c80 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 220 contents:
read1msg: ld 0x562bb7079c80 msgid 2 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# admin, DIR.MYDOMAIN.com
dn: cn=admin,dc=DIR,dc=MYDOMAIN,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: simpleSecurityObject
objectClass: organizationalRole
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: admin
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
description: LDAP administrator
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
userPassword:: {a-hash-was-here}
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x562bb7079c80 msgid -1
wait4msg ld 0x562bb7079c80 msgid -1 (infinite timeout)
wait4msg continue ld 0x562bb7079c80 msgid -1 all 0
** ld 0x562bb7079c80 Connections:
* host: DIR.MYDOMAIN.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon May 17 16:15:24 2021


** ld 0x562bb7079c80 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x562bb7079c80 request count 1 (abandoned 0)
** ld 0x562bb7079c80 Response Queue:
   Empty
  ld 0x562bb7079c80 response count 0
ldap_chkResponseList ld 0x562bb7079c80 msgid -1 all 0
ldap_chkResponseList returns ld 0x562bb7079c80 NULL
ldap_int_select
read1msg: ld 0x562bb7079c80 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 124 contents:
read1msg: ld 0x562bb7079c80 msgid 2 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# LDAPuser, DIR.MYDOMAIN.com
dn: cn=LDAPuser,dc=DIR,dc=MYDOMAIN,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
gidNumber: 500
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: LDAPuser
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: posixGroup
objectClass: top
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x562bb7079c80 msgid -1
wait4msg ld 0x562bb7079c80 msgid -1 (infinite timeout)
wait4msg continue ld 0x562bb7079c80 msgid -1 all 0
** ld 0x562bb7079c80 Connections:
* host: DIR.MYDOMAIN.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon May 17 16:15:24 2021


** ld 0x562bb7079c80 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x562bb7079c80 request count 1 (abandoned 0)
** ld 0x562bb7079c80 Response Queue:
   Empty
  ld 0x562bb7079c80 response count 0
ldap_chkResponseList ld 0x562bb7079c80 msgid -1 all 0
ldap_chkResponseList returns ld 0x562bb7079c80 NULL
ldap_int_select
read1msg: ld 0x562bb7079c80 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 361 contents:
read1msg: ld 0x562bb7079c80 msgid 2 message type search-entry

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# testldapuser, DIR.MYDOMAIN.com
dn: cn=testldapuser,dc=DIR,dc=MYDOMAIN,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
givenName: Test
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
gidNumber: 500
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
homeDirectory: /home/users/tldapuser
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
sn: LDAPuser
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
loginShell: /bin/sh
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
userPassword:: {a-hash-was-here}
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uidNumber: 1000
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uid: tldapuser
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: testldapuser
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x562bb7079c80 msgid -1
wait4msg ld 0x562bb7079c80 msgid -1 (infinite timeout)
wait4msg continue ld 0x562bb7079c80 msgid -1 all 0
** ld 0x562bb7079c80 Connections:
* host: DIR.MYDOMAIN.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon May 17 16:15:24 2021


** ld 0x562bb7079c80 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x562bb7079c80 request count 1 (abandoned 0)
** ld 0x562bb7079c80 Response Queue:
   Empty
  ld 0x562bb7079c80 response count 0
ldap_chkResponseList ld 0x562bb7079c80 msgid -1 all 0
ldap_chkResponseList returns ld 0x562bb7079c80 NULL
ldap_int_select
read1msg: ld 0x562bb7079c80 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x562bb7079c80 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x562bb7079c80 0 new referrals
read1msg:  mark request completed, ld 0x562bb7079c80 msgid 2
request done: ld 0x562bb7079c80 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 0 Success
ldap_msgfree

# numResponses: 5
# numEntries: 4
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

journalctl -xe returns:

root@mail:~# journalctl -xe
-- Subject: A start job for unit phpsessionclean.service has finished successfully
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit phpsessionclean.service has finished successfully.
-- 
-- The job identifier is 38068.

May 17 18:39:18 mail.MYDOMAIN.com slapd[68175]: SASL [conn=1061] Failure: no secret in database

[...repeated several times...]

May 17 18:44:31 mail.MYDOMAIN.com systemd[1]: fwupd.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- The unit fwupd.service has successfully entered the 'dead' state.

[...SASL error message repeated more times...]

May 17 18:50:41 mail.MYDOMAIN.com postfix/pickup[68281]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=DIR,dc=MYDOMAIN,dc=com - Can't contact LDAP server
May 17 18:50:41 mail.MYDOMAIN.com postfix/pickup[68281]: nss_ldap: failed to bind to LDAP server ldaps://DIR.MYDOMAIN.com:636: Can't contact LDAP server
May 17 18:50:41 mail.MYDOMAIN.com postfix/pickup[68281]: nss_ldap: reconnecting to LDAP server...

[...this error repeated several times...]

[...SASL error repeated more...]

I can't seem to modify any LDIF using the interactive SASL option, because I always get:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=admin,dc=DIR,dc=MYDOMAIN,dc=com"
ldap_modify: Insufficient access (50)

ldapsearch -x -s base -b "" supportedSASLMechanisms returns:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms 
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But when I try to log in with -x (simple), using ldapmodify -a -x -D "cn=config" -w MYLDAPROOTPASSWORD -H ldap:/// -f ldap-tls.ldif, it returns:

ldap_bind: Invalid credentials (49)

So basically, I can't import the LDIF because I can't authenticate in any way.

I guess that, even though I have posted "a lot" of information here, I haven't posted the "right" information and need to add more. I'm just hoping that, while I obviously can't find the answer, someone else can.

If something is wrong, it's because after following the LinuxBabe tutorial I went through what felt like 50 open tabs (which are still sitting in my browser's tab section) and made changes based on what other people were discussing, so I don't have full confidence in the changes I've made so far.

Does anything jump out at you?
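Added triage script, not part of the question or of the answer below. It turns the evidence quoted in the post into four mechanical checks: whether /etc/ldap/ldap.conf (the libldap client file) carries slapd-only TLSCertificateFile/TLSCertificateKeyFile directives that libldap ignores; whether TLS_CIPHER_SUITE is written in OpenSSL syntax, which the GnuTLS-linked libldap on Ubuntu rejects with "could not set cipher list"; what an openssl s_client transcript for port 636 actually means; and whether a command mixes ldaps:// with -Z/-ZZ (StartTLS on top of LDAPS). The sample inputs it is checked against are constructed from the ldap.conf and openssl output shown above; the LDAPS_HOST value and the ldaps-triage.sh file name are placeholders I chose.

```bash
#!/usr/bin/env bash
# Added LDAPS triage helper (example code, not from the original post).

# 1. Server-only TLS directives in the CLIENT config.
#    /etc/ldap/ldap.conf is read by libldap (ldapsearch, nss_ldap, PHP's ldap_*).
#    TLSCertificateFile / TLSCertificateKeyFile are slapd directives and are silently
#    ignored there; slapd needs olcTLSCertificateFile / olcTLSCertificateKeyFile in
#    cn=config (or the same names in slapd.conf), otherwise it has nothing to serve on 636.
misplaced_server_directives() {
  awk '$1 == "TLSCertificateFile" || $1 == "TLSCertificateKeyFile" || $1 == "TLSCACertificateFile" { print $1 }' "$1" \
    | sort -u | xargs
}

# 2. Cipher-string dialect. Ubuntu builds libldap against GnuTLS, which takes priority
#    strings such as SECURE256:-VERS-ALL:+VERS-TLS1.2. An OpenSSL list like
#    ECDHE-RSA-AES256-SHA384:!RC4:HIGH is rejected with "TLS: could not set cipher list"
#    before a single byte reaches the server, which then looks like an unreachable server.
cipher_suite_dialect() {
  local v
  v=$(awk '$1 == "TLS_CIPHER_SUITE" { print $2; exit }' "$1")
  case "$v" in
    "")                                          echo none ;;
    *'!'*|*HIGH*|*MEDIUM*|*LOW*|*aNULL*|*eNULL*) echo openssl ;;
    *)                                           echo gnutls ;;
  esac
}

# 3. Read an `openssl s_client -connect host:636` transcript on stdin and classify it.
#    "handshake has read 0 bytes" plus "no peer certificate available" means the TCP
#    connection was accepted and then dropped without any TLS record: the listener on
#    636 has no certificate configured. "Verification: OK" in that state is vacuous,
#    nothing was verified. A non-zero "Verify return code" means a certificate WAS served
#    and the client rejected it (wrong TLS_CACERT, name mismatch, expiry).
classify_s_client() {
  local out
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'handshake has read 0 bytes'; then
    echo no-tls-on-port
  elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo tls-ok
  elif printf '%s\n' "$out" | grep -q 'Verify return code:'; then
    echo cert-rejected
  else
    echo unknown
  fi
}

# 4. ldaps:// combined with -Z/-ZZ is self-defeating: -Z requests the StartTLS extended
#    operation, but an ldaps:// session is already TLS, so the -d trace shows
#    ldap_start_tls failing even against a healthy server.
lint_ldap_command() {
  case "$1" in
    *ldaps://*' -Z'*|*' -Z'*ldaps://*) echo 'drop -Z/-ZZ when using ldaps://' ;;
    *)                                 echo ok ;;
  esac
}

# Live run on the LDAP host (network needed): LDAPS_HOST=dir.example.com ./ldaps-triage.sh
live_checks() {
  local host="$1"
  echo "server-only directives in /etc/ldap/ldap.conf: $(misplaced_server_directives /etc/ldap/ldap.conf)"
  echo "TLS_CIPHER_SUITE dialect: $(cipher_suite_dialect /etc/ldap/ldap.conf)"
  echo "port 636: $(openssl s_client -connect "${host}:636" -servername "${host}" </dev/null 2>&1 | classify_s_client)"
  # What slapd itself has configured; root over ldapi:// is authorised on cn=config by default.
  ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base \
    olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
  grep -H '^SLAPD_SERVICES' /etc/default/slapd    # must include ldaps:/// for port 636
}
if [ -n "${LDAPS_HOST:-}" ]; then live_checks "$LDAPS_HOST"; fi
```

Run it as root on the LDAP host with LDAPS_HOST set: the first two checks read the client file, the third performs a real handshake with SNI, and the cn=config query shows whether slapd has any certificate at all, which is the question the netstat and netcat output in the post cannot answer (a socket being open says nothing about TLS).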

Answer 1

This is an old question, but I have just been digging into this myself and can offer some input; maybe it helps someone else.

LDAP client configuration

You need the Let's Encrypt CA certificate in TLS_CACERT in /etc/ldap/ldap.conf

So more like TLS_CACERT /etc/ssl/certs/ca-certificates.crt

openldap server configuration

It would probably be better to use the Let's Encrypt fullchain in your ldap configuration:

TLSCertificateFile      /etc/letsencrypt/live/MYDOMAIN.COM/fullchain.pem

phpLDAPadmin with tls

Note the PLA option server.tls. It just means StartTLS.

You need to give the full URI, such as ldaps://DIR.MYDOMAIN.com, without the server.tls option, rather than just the hostname DIR.MYDOMAIN.com with the server.tls / server.port options.
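Added remediation script putting the answer's three points into one runnable procedure; it is example code, not from the question or the answer. It assumes Ubuntu 20.04 slapd with cn=config (the Debian packaging default), slapd running as the openldap user with the stock AppArmor profile (which may read under /etc/ldap), a Let's Encrypt certificate for the hostname clients use, and root access on the LDAP host. The hostname dir.example.com, the /etc/ldap/tls directory and the ldaps-fix.sh file name are placeholders I chose. The server certificate goes into cn=config as olcTLS* attributes, which is the server-side counterpart of the TLSCertificateFile lines the question had in the client file; /etc/default/slapd gains the ldaps:/// listener; and phpLDAPadmin keeps its ldaps:// URI and port 636 but has server.tls turned off.

```bash
#!/usr/bin/env bash
# Added LDAPS remediation script (example code, not from the original post).
# Usage, as root on the LDAP host:  LDAP_HOST=dir.example.com ./ldaps-fix.sh apply
set -u

LDAP_HOST="${LDAP_HOST:-dir.example.com}"            # placeholder; must match the cert's CN/SAN
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/${LDAP_HOST}}"
TLS_DIR="${TLS_DIR:-/etc/ldap/tls}"                  # under /etc/ldap so slapd's AppArmor profile can read it

# cn=config change. All three olcTLS* attributes go in ONE modify operation: slapd checks
# that certificate and key match when the entry changes, so adding them one by one fails.
# 'replace' works whether or not the attributes exist yet. fullchain.pem is served so
# clients can validate against the system CA bundle instead of a hand-copied chain.pem.
render_tls_ldif() {
  local ca="$1" cert="$2" key="$3"
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: ${ca}
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: ${cert}
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${key}
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF
}

# Debian ships SLAPD_SERVICES="ldap:/// ldapi:///"; without ldaps:/// nothing answers on 636.
ensure_ldaps_listener() {
  local f="$1"
  if grep -Eq '^SLAPD_SERVICES=.*ldaps:///' "$f"; then
    return 0
  fi
  sed -i -E 's#^SLAPD_SERVICES="([^"]*)"#SLAPD_SERVICES="\1 ldaps:///"#' "$f"
}

# phpLDAPadmin: server.tls means StartTLS. With an ldaps:// host it asks for StartTLS inside
# an already-encrypted session, which is the "Could not start TLS" banner. Keep the ldaps://
# URI and port 636 and switch server.tls off.
disable_pla_starttls() {
  sed -i -E 's/^([[:space:]]*[$]servers->setValue\(.server.,.tls.,)true\);/\1false);/' "$1"
}

apply() {
  install -d -o root -g openldap -m 750 "$TLS_DIR"
  install -o root -g openldap -m 644 "$LE_DIR/fullchain.pem" "$TLS_DIR/fullchain.pem"
  install -o root -g openldap -m 640 "$LE_DIR/privkey.pem"   "$TLS_DIR/privkey.pem"   # slapd must be able to read the key
  render_tls_ldif /etc/ssl/certs/ca-certificates.crt "$TLS_DIR/fullchain.pem" "$TLS_DIR/privkey.pem" \
    | ldapmodify -Q -Y EXTERNAL -H ldapi:///          # root over ldapi:// may write cn=config by default
  ensure_ldaps_listener /etc/default/slapd
  if [ -f /etc/phpldapadmin/config.php ]; then disable_pla_starttls /etc/phpldapadmin/config.php; fi
  systemctl restart slapd
  # Verify: a real handshake with SNI, then an anonymous rootDSE read over ldaps:// (no -ZZ:
  # that would request StartTLS inside the LDAPS session).
  openssl s_client -connect "${LDAP_HOST}:636" -servername "${LDAP_HOST}" </dev/null 2>/dev/null \
    | grep -E '^subject=|Verify return code'
  LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt \
    ldapsearch -x -H "ldaps://${LDAP_HOST}" -b '' -s base namingContexts
}
if [ "${1:-}" = apply ]; then apply; fi
```

The copies under /etc/ldap/tls do not follow Let's Encrypt renewals, so the install lines plus the slapd restart belong in a certbot --deploy-hook. With the server side in place, the client's ldap.conf only needs TLS_CACERT pointed at the system bundle, as the answer says; the TLS_CIPHER_SUITE line in the question should be dropped or rewritten as a GnuTLS priority string, since the OpenSSL-style list is what produced "could not set cipher list".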
