Centos
TLS 跟踪:SSL_connect:error in SSLv2/v3 read server hello A
I am trying to query AD for a user and have tried every option available to me, without success.
Operating system = CentOS 7.5; packages = OpenLDAP, ldapsearch; directory = Microsoft Active Directory.
My command:
ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=abc,dc=local" -H "ldaps://xxxx:3268" "uid=abc" -d 1
Below is the debug trace:
ldap_url_parse_ext(ldaps://xxxx:3268)
ldap_create
ldap_url_parse_ext(ldaps://xxxx:3268/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxxx:3268
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying x.x.x.x:3268
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I tried changing values in /etc/openldap/ldap.conf.
First I added
TLS_REQCERT never
then
TLS_REQCERT allow
and then set the following as described here, without success:
TLS_PROTOCOL_MIN 3.3
I also restarted my server, without success.
If I run at debug level -d 2, the last few lines look like this:
tls_read: want=7 error=Connection reset by peer
TLS: can't connect: .
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
My only intention is to run ldapsearch.
Edit:
As @fission suggested, I changed the port, and this is where I am now:
>> cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=abc,dc=local
URI ldaps://xxx:3269

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

#TLS_CACERTDIR /etc/openldap/certs
#HOST you-adc1
#PORT 3268
TLS_REQCERT never
#TLS_PROTOCOL_MIN 3.3

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
Trace:
[root@x ~]# ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=xyz,dc=local" -H "ldaps://xxx:3269" "uid=abc" -d 1
ldap_url_parse_ext(ldaps://xxx:3269)
ldap_create
ldap_url_parse_ext(ldaps://xxx:3269/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxx:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying x.x.x.x:3269
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `(null)'.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: , issuer: /DC=local/DC=xxx/CN=xxx-root-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 76 bytes to sd 3
ldap_result ld 0x559d9b078a70 msgid 1
wait4msg ld 0x559d9b078a70 msgid 1 (infinite timeout)
wait4msg continue ld 0x559d9b078a70 msgid 1 all 1
** ld 0x559d9b078a70 Connections:
* host: xxx port: 3269 (default)
  refcnt: 2 status: Connected
  last used: Sat Oct 20 16:46:31 2018

** ld 0x559d9b078a70 Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x559d9b078a70 request count 1 (abandoned 0)
** ld 0x559d9b078a70 Response Queue:
   Empty
  ld 0x559d9b078a70 response count 0
ldap_chkResponseList ld 0x559d9b078a70 msgid 1 all 1
ldap_chkResponseList returns ld 0x559d9b078a70 NULL
ldap_int_select
read1msg: ld 0x559d9b078a70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x559d9b078a70 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x559d9b078a70 0 new referrals
read1msg: mark request completed, ld 0x559d9b078a70 msgid 1
request done: ld 0x559d9b078a70 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "uid=abc"
put_filter: default
put_simple_filter: "uid=abc"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 70 bytes to sd 3
ldap_result ld 0x559d9b078a70 msgid -1
wait4msg ld 0x559d9b078a70 msgid -1 (infinite timeout)
wait4msg continue ld 0x559d9b078a70 msgid -1 all 0
** ld 0x559d9b078a70 Connections:
* host: xxx port: 3269 (default)
  refcnt: 2 status: Connected
  last used: Sat Oct 20 16:46:31 2018

** ld 0x559d9b078a70 Outstanding Requests:
 * msgid 2, origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x559d9b078a70 request count 1 (abandoned 0)
** ld 0x559d9b078a70 Response Queue:
   Empty
  ld 0x559d9b078a70 response count 0
ldap_chkResponseList ld 0x559d9b078a70 msgid -1 all 0
ldap_chkResponseList returns ld 0x559d9b078a70 NULL
ldap_int_select
read1msg: ld 0x559d9b078a70 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 168 contents:
read1msg: ld 0x559d9b078a70 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x559d9b078a70 0 new referrals
read1msg: mark request completed, ld 0x559d9b078a70 msgid 2
request done: ld 0x559d9b078a70 msgid 2
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
Operations error (1)
Additional information: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
By changing the port to 3269 you now appear to be connecting to the LDAPS server, which is good. However, the authentication part is not done yet. You can tell from this error:
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
You need to specify -w *passwd* or -W (which will prompt for the password).
Another thing I found necessary was to specify the search base (the -b option). A complete command that works here:
ldapsearch -x -LLL -d 1 \
  -D cn=user1,cn=users,dc=fj,dc=test -W \
  -H ldaps://winders.fj.test:3269 \
  -b dc=fj,dc=test \
  cn=user1
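The thread hits three distinct problems in sequence, and each leaves a recognisable signature in the -d 1 output: an ldaps:// URL aimed at 3268 (on AD, 389 and 3268 are the plaintext/STARTTLS listeners, 636 and 3269 the LDAPS ones), so the TLS ClientHello is answered with a reset and the handshake dies at "read server hello"; then, on 3269, "err: 20, unable to get local issuer certificate", which TLS_REQCERT never papers over by accepting any certificate, so the simple-bind password could be read by anyone able to interpose on the connection; and finally AD's "a successful bind must be completed on the connection", because no -w/-W was given and the bind was anonymous. The script below is an added example, not code from the question or the answer. diagnose_trace reads an ldapsearch -d 1 trace from stdin and names whichever of those signatures it finds; ad_search_cmd prints the invocation that fixes all three without disabling verification (LDAPTLS_CACERT and LDAPTLS_REQCERT are the environment forms of ldap.conf's TLS_CACERT and TLS_REQCERT). The two sample traces are constructed from the shape of the output above, and the host, DNs, filter and CA path passed to ad_search_cmd are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original question or answer): classify an
# `ldapsearch -d 1` trace into the failure modes seen in this thread, and
# print the hardened invocation for the working case. Pure text processing:
# the traces below are constructed samples, no network access is needed.

# diagnose_trace: read a trace from stdin and print a space-separated list of
#   no-tls-on-port  the handshake died before a server hello arrived, i.e. an
#                   ldaps:// URL was aimed at a plaintext listener (on AD,
#                   389/3268 are plaintext or STARTTLS, 636/3269 are LDAPS)
#   untrusted-ca    a certificate was presented but its issuer is not in the
#                   client CA store (OpenSSL verify error 20); TLS_REQCERT
#                   never/allow only hides this, it does not fix it
#   bind-required   TLS succeeded but AD refused the search because the
#                   connection is not authenticated (no -w/-W given, so the
#                   bind was anonymous)
# or "ok" when none of them matches.
diagnose_trace() {
  t=$(cat)
  out=""
  if printf '%s\n' "$t" | grep -q 'SSL_connect:error in SSLv2/v3 read server hello' \
     || printf '%s\n' "$t" | grep -q 'tls_read: want=7 error=Connection reset by peer'; then
    out="$out no-tls-on-port"
  fi
  if printf '%s\n' "$t" | grep -q 'TLS certificate verification: depth: 0, err: 20'; then
    out="$out untrusted-ca"
  fi
  if printf '%s\n' "$t" | grep -q 'a successful bind must be completed on the connection'; then
    out="$out bind-required"
  fi
  [ -n "$out" ] || out=" ok"
  printf '%s\n' "${out# }"
}

# ad_search_cmd HOST BIND_DN BASE FILTER CA_PEM: print the command that fixes
# all three problems at once. Global Catalog over LDAPS (3269); the server
# certificate is checked against the AD root CA (LDAPTLS_CACERT is the
# environment form of ldap.conf's TLS_CACERT) with verification demanded
# rather than disabled; -W prompts for the password so it stays out of the
# process list and shell history; the search base is explicit. All five
# arguments are placeholders chosen by the caller.
ad_search_cmd() {
  printf 'LDAPTLS_CACERT=%s LDAPTLS_REQCERT=demand ldapsearch -x -LLL -H ldaps://%s:3269 -D "%s" -W -b "%s" "%s"\n' \
    "$5" "$1" "$2" "$3" "$4"
}

# Constructed sample 1: ldaps:// aimed at 3268, trimmed to the relevant lines.
TRACE_3268="ldap_connect_to_host: Trying 10.0.0.1:3268
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: .
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

# Constructed sample 2: 3269 with TLS_REQCERT never and no password, trimmed.
TRACE_3269="TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: , issuer: /DC=local/DC=example/CN=example-root-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
read1msg: ld 0x1 msgid 2 message type search-result
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
Operations error (1)"

printf 'ldaps on 3268 : %s\n' "$(printf '%s\n' "$TRACE_3268" | diagnose_trace)"
printf 'ldaps on 3269 : %s\n' "$(printf '%s\n' "$TRACE_3269" | diagnose_trace)"
# Placeholder host, DNs, filter and CA path. sAMAccountName is the attribute
# AD normally populates for logon names; uid is usually empty there.
ad_search_cmd dc1.example.local \
  "CN=svc-ldap,OU=Service Accounts,DC=example,DC=local" \
  "DC=example,DC=local" "(sAMAccountName=jdoe)" \
  /etc/pki/ca-trust/source/anchors/example-root-ca.pem
```

Run it against a real trace with `ldapsearch ... -d 1 2>&1 | sh -c '. ./diag.sh; diagnose_trace'`, or paste the trace on stdin. The persistent fix for the untrusted-ca case on CentOS 7 is to export the AD root CA as PEM, point TLS_CACERT at it in /etc/openldap/ldap.conf, and remove the TLS_REQCERT never line so the default (demand) applies.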