LDAPs 모드에서 openldap 서버에 연결할 수 없습니다 - CentOS

tag-icon tag-icon centos openssl openldap
LDAPs 모드에서 openldap 서버에 연결할 수 없습니다 - CentOS

openldap 서버를 ldaps 모드로 구성했습니다. 하지만 구성한 후에는 포트 389에 연결할 수 있지만 포트 636에 연결할 수 없습니다.

[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 636 -D  cn=Manager,dc=india,dc=airwave,dc=com -w  whopee   -b "ou=Users,dc=india,dc=airwave,dc=com"
ldap_result: Can't contact LDAP server (-1)
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 389 -D  cn=Manager,dc=india,dc=airwave,dc=com -w  whopee   -b "ou=Users,dc=india,dc=airwave,dc=com"
dn: ou=users,dc=india,dc=airwave,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
cn: Sandeep Lade
sn: Lade
objectClass: inetOrgPerson
userPassword:: d2hvcGVl
uid: vlade

dn: cn=Engineering,ou=users,dc=india,dc=airwave,dc=com
cn: Engineering
objectClass: groupOfNames
member: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com

389와 636이 모두 듣고 있습니다.

[root@testldap certs]# netstat -an | grep 389
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN
tcp        0      0 :::389                      :::*                        LISTEN
unix  2      [ ]         DGRAM                    19389
[root@testldap certs]# netstat -an | grep 636
tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN
tcp        0      0 :::636                      :::*                        LISTEN
unix  3      [ ]         STREAM     CONNECTED     13636
[root@testldap certs]#

openssl connect를 사용하여 포트 636에 연결할 수 있습니다.

[root@localhost sandeeplade]# openssl s_client -connect 10.22.156.157:636 -showcerts -CAfile cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1516769274
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
[root@localhost sandeeplade]#

ldap.conf 파일

[root@testldap certs]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never


PORT 636
#TLS_CACERTDIR  /etc/openldap/certs
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow

ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/cacert.pem

[root@testldap certs]#

slapd.conf file

[root@testldap certs]# cat /etc/openldap/slapd.conf
TLSCACertificateFile    /etc/openldap/certs/cacert.pem
TLSCertificateFile      /etc/openldap/certs/server.crt
TLSCertificateKeyFile   /etc/openldap/certs/server.key

# Use the following if client authentication is required
#TLSVerifyClient        demand
# ... or not desired at all
TLSVerifyClient never

[root@testldap certs]#

인증서는 /etc/openldap/certs에 있으며 openssl을 사용하여 생성됩니다.

[root@testldap certs]# cd /etc/openldap/certs/
[root@testldap certs]# ls -lrt
total 96
-r--------. 1 root root    45 Jan 23 21:59 password
-rw-r--r--. 1 root root 16384 Jan 23 21:59 secmod.db
-rw-r--r--. 1 root root 65536 Jan 23 21:59 cert8.db
-rw-r--r--. 1 root root 16384 Jan 23 21:59 key3.db
-rw-------. 1 ldap ldap  1743 Jan 23 23:57 server.key.pass
-rw-r--r--. 1 root root  1094 Jan 23 23:59 server.csr
-rw-r--r--. 1 root root  4718 Jan 24 00:02 server.crt
-rw-r--r--. 1 root root  1675 Jan 24 00:38 server.key
-rw-r--r--. 1 root root  4537 Jan 24 05:18 cacert.pem
[root@testldap certs]#

/etc/sysconfig/ldap에서 LDAP를 활성화합니다.

[root@testldap certs]# cat /etc/sysconfig/ldap
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=

# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
#   yes/no, default: yes
SLAPD_LDAP=yes

# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: yes
SLAPD_LDAPI=yes

# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no
SLAPD_LDAPS=yes

# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""

# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3

# Parameters to ulimit, use to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
[root@testldap certs]#

나는 지난 이틀 동안 openldap을 작동시키려고 노력해 왔습니다. 어떤 도움이라도 대단히 감사하겠습니다.

답변1

SSL 쿼리에 대한 ldpasearch 매개변수가 잘못되었습니다. 이봐:https://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work

"-H" iso -h 및 -p를 사용해야 합니다.

답변2

서버 CA 루트를 추가하는 것이 좋습니다./etc/openldap/ldap.conf:

TLS_CACERT /etc/ssl/certs/ca-bundle.crt 
TLS_REQCERT allow

달리기도 해보세요슬래더-d 256연결을 디버그하고 ldapsearch를 수행하는 데 사용됩니다 .-d 9 디버깅에도 사용됩니다.

생성된 인증서에 문제가 있는 것이 확실합니다.

답변3

다음 패턴을 사용하여 기존 인증서 캐시 디렉터리(존재하는 경우)를 삭제해야 합니다.

/tmp/openldap-tlsmc-certs--*

추가 정보:https://fedoraproject.org/wiki/OpenLDAP-and-MozNSS-Compatibility-Layer

관련 정보