Ldap
ldapsearch does not work with ldap.google.com through stunnel
I can't make it work. I have to use stunnel in order to integrate Jenkins with the Google LDAP service. Without stunnel it works fine:
```
$ LDAPTLS_CERT=/etc/stunnel/gldap.crt LDAPTLS_KEY=/etc/stunnel/gldap.key \
    ldapsearch -H ldaps://ldap.google.com -b "dc=example,dc=com" uid=alex mail
SASL/EXTERNAL authentication started
SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain View,o=Google Inc.
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=alex
# requesting: mail
#

# alex, Users, example.com
dn: uid=alex,ou=Users,dc=example,dc=com
mail: alex@example.com

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
```
I tried both Ubuntu 16.04 and 18.04. The stunnel configuration is very simple, based on the official documentation:
```
# cat /etc/stunnel/ldap.conf
debug = 7
output = /tmp/stunnel-gldap.log

[ldap]
client = yes
accept = 127.0.0.1:389
connect = ldap.google.com:636
cert = /etc/stunnel/gldap.crt
key = /etc/stunnel/gldap.key
```
But it does not work through stunnel:
```
$ ldapsearch -H ldap://127.0.0.1 -b "dc=example,dc=com" uid=alex
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available:
```
Tunnel log:
```
2019.02.08 17:00:24 LOG7[main]: Service [ldap] accepted (FD=3) from 127.0.0.1:42296
2019.02.08 17:00:24 LOG7[0]: Service [ldap] started
2019.02.08 17:00:24 LOG5[0]: Service [ldap] accepted connection from 127.0.0.1:42296
2019.02.08 17:00:24 LOG6[0]: s_connect: connecting 216.239.32.58:636
2019.02.08 17:00:24 LOG7[0]: s_connect: s_poll_wait 216.239.32.58:636: waiting 10 seconds
2019.02.08 17:00:24 LOG5[0]: s_connect: connected 216.239.32.58:636
2019.02.08 17:00:24 LOG5[0]: Service [ldap] connected remote server from 192.168.3.13:59504
2019.02.08 17:00:24 LOG7[0]: Remote descriptor (FD=9) initialized
2019.02.08 17:00:24 LOG6[0]: SNI: sending servername: ldap.google.com
2019.02.08 17:00:24 LOG7[0]: SSL state (connect): before/connect initialization
2019.02.08 17:00:24 LOG7[0]: SSL state (connect): SSLv2/v3 write client hello A
2019.02.08 17:00:24 LOG6[0]: Certificate verification disabled
2019.02.08 17:00:24 LOG6[0]: Certificate verification disabled
2019.02.08 17:00:24 LOG7[0]: 1 client connect(s) requested
2019.02.08 17:00:24 LOG7[0]: 1 client connect(s) succeeded
2019.02.08 17:00:24 LOG7[0]: 0 client renegotiation(s) requested
2019.02.08 17:00:24 LOG7[0]: 0 session reuse(s)
2019.02.08 17:00:24 LOG6[0]: SSL connected: new session negotiated
2019.02.08 17:00:24 LOG7[0]: Peer certificate was cached (3201 bytes)
2019.02.08 17:00:24 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2019.02.08 17:00:24 LOG7[0]: Compression: null, expansion: null
2019.02.08 17:00:25 LOG6[0]: Read socket closed (readsocket)
2019.02.08 17:00:25 LOG7[0]: Sending close_notify alert
2019.02.08 17:00:25 LOG7[0]: SSL alert (write): warning: close notify
2019.02.08 17:00:25 LOG6[0]: SSL_shutdown successfully sent close_notify alert
2019.02.08 17:00:25 LOG6[0]: SSL socket closed (SSL_read)
2019.02.08 17:00:25 LOG7[0]: Sent socket write shutdown
2019.02.08 17:00:25 LOG5[0]: Connection closed: 71 byte(s) sent to SSL, 71 byte(s) sent to socket
2019.02.08 17:00:25 LOG7[0]: Remote descriptor (FD=9) closed
2019.02.08 17:00:25 LOG7[0]: Local descriptor (FD=3) closed
2019.02.08 17:00:25 LOG7[0]: Service [ldap] finished (0 left)
```
I also tried ldapsearch with debug output:
```
$ ldapsearch -d5 -H ldap://127.0.0.1 -b "dc=example,dc=com" uid=alex
ldap_url_parse_ext(ldap://127.0.0.1)
ldap_create
ldap_url_parse_ext(ldap://127.0.0.1:389/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 4
ldap_result ld 0x56265b1fd400 msgid 1
wait4msg ld 0x56265b1fd400 msgid 1 (infinite timeout)
wait4msg continue ld 0x56265b1fd400 msgid 1 all 1
** ld 0x56265b1fd400 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Feb  8 17:02:39 2019

** ld 0x56265b1fd400 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x56265b1fd400 request count 1 (abandoned 0)
** ld 0x56265b1fd400 Response Queue:
   Empty
  ld 0x56265b1fd400 response count 0
ldap_chkResponseList ld 0x56265b1fd400 msgid 1 all 1
ldap_chkResponseList returns ld 0x56265b1fd400 NULL
ldap_int_select
read1msg: ld 0x56265b1fd400 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 55 contents:
read1msg: ld 0x56265b1fd400 msgid 1 message type search-entry
wait4msg continue ld 0x56265b1fd400 msgid 1 all 1
** ld 0x56265b1fd400 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Feb  8 17:02:39 2019

** ld 0x56265b1fd400 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x56265b1fd400 request count 1 (abandoned 0)
** ld 0x56265b1fd400 Response Queue:
 * msgid 1,  type 100
  ld 0x56265b1fd400 response count 1
ldap_chkResponseList ld 0x56265b1fd400 msgid 1 all 1
ldap_chkResponseList returns ld 0x56265b1fd400 NULL
ldap_int_select
read1msg: ld 0x56265b1fd400 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x56265b1fd400 msgid 1 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x56265b1fd400 0 new referrals
read1msg:  mark request completed, ld 0x56265b1fd400 msgid 1
request done: ld 0x56265b1fd400 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
adding response ld 0x56265b1fd400 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind: server supports: EXTERNAL PLAIN
ldap_int_sasl_bind: EXTERNAL PLAIN
ldap_int_sasl_open: host=ws-alex
SASL/EXTERNAL authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available:
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed
```
The same happens with Jenkins when I try to use stunnel:
```
Login
Authentication: failed for user "uid=alex,ou=Users,dc=example,dc=com"
Lookup
User lookup: user "uid=alex,ou=Users,dc=example,dc=com" does not exist.
Does looking up user details require a Manager Dn and password?
Are the user search base and user search filter settings correct?
LDAP Group lookup: could not verify. Please try with a user that is a member of at least one LDAP group.
Lockout
The user "uid=alex,ou=Users,dc=example,dc=com" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?
```
What am I missing? Or maybe there is another workaround?
Thanks in advance.
Update 1
I was able to use ldapsearch successfully with the following command (had to use a bind DN user):
```
$ ldapsearch -x -D "BIND_USER" -w 123456789 -H ldap://127.0.0.1 -b "dc=example,dc=com" uid=alex
ldap_bind: Success (0)
	additional info: Valid access code
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=alex
# requesting: ALL
#

# alex, Users, example.com
dn: uid=alex,ou=Users,dc=example,dc=com
```
But Jenkins still did not work.
It turns out that I had to use -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword and pass a custom keystore to Jenkins:
- Export the certificate and private key to PKCS12
```
$ openssl pkcs12 -export -out ldap.google.com.p12 \
    -inkey Google_2022_02_05_42182.key -in Google_2022_02_05_42182.crt
$ keytool -v -importkeystore -srckeystore ldap.google.com.p12 \
    -srcstoretype PKCS12 -destkeystore keystore.p12 -deststoretype PKCS12
```
- Pass the custom keystore to Jenkins
```
$ docker run -it --rm --name jenkins -p 8080:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home \
    -e JAVA_OPTS='-Djavax.net.ssl.trustStore=/var/jenkins_home/.keystore/keystore.p12 -Djavax.net.ssl.trustStorePassword=changeit' \
    jenkins/jenkins:lts
```
- Configure Jenkins under Configure Global Security -> LDAP
```
Server: ldaps://ldap.google.com/
root DN: dc=example,dc=com
User search base: ou=users
User search filter: uid={0}
Group search base: ou=groups
Group search filter: objectclass=posixGroup
Group membership: Search for LDAP groups containing user: memberUid={1}
Manager DN: UntriedWel
Manager Password: 123456789
```
When you test the LDAP settings you must use only the uid, not the full DN: user: alex, password: 987654321
Finally, authentication succeeds:
```
Login
Authentication: successful
User ID: alex
User Dn: uid=alex,ou=ITsoft,ou=users,dc=example,dc=com
User Display Name: Alex Smith
User email: alex@example.com
LDAP Group membership: itsoft
Lookup
User lookup: successful
User groups consistent (login and lookup)
LDAP Group lookup: successful (1 group)
```
I hope this helps someone else.
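A hardened version of the stunnel configuration from the question, added here as an example and not part of the original post: the tunnel log reports `Certificate verification disabled` twice, which means stunnel accepted the certificate presented by ldap.google.com without checking it, so a substituted certificate anywhere on the path would go unnoticed while the client certificate and the simple-bind password still flow through the tunnel. The `verifyChain`, `CAfile` and `checkHost` directives assume stunnel 5.15 or later and the Debian/Ubuntu CA bundle path; both are assumptions, as is the log path.

```ini
; /etc/stunnel/ldap.conf, hardened variant (assumed paths, not the original config)
debug = 5
output = /var/log/stunnel-gldap.log

[ldap]
client = yes
; keep the plaintext leg on loopback only, exactly as in the question
accept = 127.0.0.1:389
connect = ldap.google.com:636

; client certificate and key issued by Google Secure LDAP, as in the question
cert = /etc/stunnel/gldap.crt
key = /etc/stunnel/gldap.key

; verify the server's certificate chain against the system CA bundle
; (assumed Debian/Ubuntu path) instead of accepting any certificate
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt

; additionally require that the leaf certificate is issued for this host name,
; so a valid certificate for some other name is rejected too
checkHost = ldap.google.com
```

With these directives the `Certificate verification disabled` lines disappear from the debug log and a failed check shows up as a TLS handshake error at the `s_connect` stage, which is the first thing to look for when the tunnel suddenly stops passing binds. The `-x -D -w` credentials still travel in clear only on the 127.0.0.1 leg; everything past stunnel remains TLS with the client certificate.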