I created a self-signed certificate for my server. StartTLS on the unencrypted port works fine, but I also need to run on the encrypted port, because the Jenkins ldap-plugin cannot use StartTLS.
I start my server with:
slapd -h "ldap:/// ldaps:///" -f /etc/ldap/slapd.conf -d config -d conns -d packets
If I run this ldapsearch:
ldapsearch -d 1 -v -H "ldaps://[server ip]" -D "[manager dn]" -w [manager password]
I get this error:
ldap_url_parse_ext(ldaps://172.17.0.1)
ldap_initialize( ldaps://172.17.0.1:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://172.17.0.1:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 172.17.0.1:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 172.17.0.1:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
But if I run openssl to test the connection:
openssl s_client -connect [server ip]:686
it connects fine:
CONNECTED(00000003)
depth=1 C = BR, ST = Sao Paulo, O = example.com, CN = Davi Diorio Mendes, emailAddress = ddiorio@-----.com
verify return:1
depth=0 C = BR, ST = Sao Paulo, L = Campinas, O = example.com, CN = example.com, emailAddress = ddiorio@-----.com
verify return:1
---
Certificate chain
0 s:/C=BR/ST=Sao Paulo/L=Campinas/O=example.com/CN=example.com/emailAddress=ddiorio@-----.com
i:/C=BR/ST=Sao Paulo/O=example.com/CN=Davi Diorio Mendes/emailAddress=ddiorio@-----.com
1 s:/C=BR/ST=Sao Paulo/O=example.com/CN=Davi Diorio Mendes/emailAddress=ddiorio@-----.com
i:/C=BR/ST=Sao Paulo/O=example.com/CN=Davi Diorio Mendes/emailAddress=ddiorio@-----.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=BR/ST=Sao Paulo/L=Campinas/O=example.com/CN=example.com/emailAddress=ddiorio@-----.com
issuer=/C=BR/ST=Sao Paulo/O=example.com/CN=Davi Diorio Mendes/emailAddress=ddiorio@-----.com
---
No client certificate CA names sent
---
SSL handshake has read 2562 bytes and written 483 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A57A8114450D576489124B51B0E68EC8C6F59BDDA8BEDF1DD5CA456C878FD66B
Session-ID-ctx:
Master-Key: 90734979FE60577DD24E35B03BBD6F2E57DF457C54BE0B320FD73C384A8F50A1CB783D629F22E060E89C7EB1B7D70FDA
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1469733255
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Here is my slapd.conf:
# slapd.conf - Configuration file for LDAP SLAPD
##########
# Basics #
##########
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
###########
# SSL/TLS #
###########
TLSCACertificateFile /etc/ldap/example.com.cacert.pem
TLSCertificateFile /etc/ldap/example.com.cert.pem
TLSCertificateKeyFile /etc/ldap/example.com.key.pem
##########################
# Database Configuration #
##########################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw admin
directory /var/local/ldap/database
index objectClass,cn,uid,mail eq
########
# ACLs #
########
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to *
by self write
by * none
Here is my ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://localhost
BINDDN cn=Manager,dc=example,dc=com
SIZELIMIT 0
TIMELIMIT 0
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/example.com.cacert.pem
TLS_REQCERT allow
Can anyone spot my mistake, or point me in the right direction?
Thanks!
Answer 0 (score: 0)
I finally solved this.
I had started the secure slapd on port 686, while the default secure port is 636, so when the client tried to connect to the secure port, the port was wrong. I set the secure port to 636, which is the default.
The other mistake: the server certificate must use the fully qualified domain name in the CN field. I had used example.com for testing, but it must be the server address. Since I don't have a domain name for the server, I used the server IP.
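As an added example (not code from the question, the answer, or OpenLDAP itself), a small Python probe that separates the two failures the answer describes: a TCP-level refusal (the "connect errno: 111" in the ldapsearch -d 1 trace, i.e. nothing listening on the port the client thinks is 636) from a TLS certificate or hostname mismatch. It also checks a certificate's names against the address being connected to the way modern TLS clients do: an IP address must appear as a subjectAltName IP entry, and the CN is only a legacy fallback when no SAN exists. The hostnames, IP and certificate dictionary are constructed samples modelled on the page, not real endpoints.

```python
import ipaddress
import socket
import ssl

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cert_matches_host(cert, host):
    """RFC 6125-style name check on a getpeercert()-shaped dict: an IP is matched only
    against SAN 'IP Address' entries, a DNS name against SAN 'DNS' entries (leftmost
    wildcard allowed); the subject CN is used only when the cert has no SAN at all."""
    san = cert.get("subjectAltName", ())
    if _is_ip(host):
        want = ipaddress.ip_address(host)
        return any(k == "IP Address" and ipaddress.ip_address(v) == want for k, v in san)
    names = [v.lower() for k, v in san if k == "DNS"]
    if not names:  # legacy fallback: CN, and only when the certificate carries no SAN
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = host.lower()
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def diagnose_ldaps(host, port=636, cafile=None, timeout=3.0):
    """Report where an LDAPS connection fails: 'tcp' (nothing listening, the errno 111
    case from ldapsearch -d 1), 'tls' (certificate/hostname verification failed) or 'ok'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return {"stage": "tcp", "error": f"errno {e.errno}: {e.strerror}"}
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"stage": "ok", "subject": cert.get("subject"), "name_ok": cert_matches_host(cert, host)}
    except OSError as e:  # ssl.SSLCertVerificationError and friends are OSError subclasses
        return {"stage": "tls", "error": str(e)}

# Constructed sample in the shape ssl's getpeercert() returns, modelled on the question's
# certificate: CN=example.com and no subjectAltName, so it cannot match an IP address.
CN_ONLY_CERT = {"subject": ((("countryName", "BR"),), (("commonName", "example.com"),))}
```

Pointing diagnose_ldaps at the server's IP and port 636 tells you whether the problem is the listener (stage "tcp") or the certificate (stage "tls") before touching ldapsearch or Jenkins; `cert_matches_host(CN_ONLY_CERT, "172.17.0.1")` returns False, which is why a CN-only certificate issued for example.com is not enough when clients connect by IP.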