Ssl
LDAP TLS connection succeeds but the server fails
I have some problems with LDAP over SSL. I generated certificates for the server and the client. Verification shows no problem:
openssl s_client -connect odps03:636 -showcerts -state -CAfile /etc/ssl/certs/cacert.pem
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 CN = Example Comapny
verify return:1
depth=0 CN = odps03, O = Example Comapny
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
---
Certificate chain
 0 s:CN = odps03, O = Example Comapny
   i:CN = Example Comapny
 1 s:CN = Example Comapny
   i:CN = Example Comapny
---
Server certificate
subject=CN = odps03, O = Example Comapny
issuer=CN = Example Comapny
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2323 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F2623A750CED893A63D3342B002F4AD963198DCA19BFC9740E0C4B6FD473BAE8
    Session-ID-ctx:
    Master-Key: B86C77D94565AC82396FAB12648AC5ACF4A0F707506C09DD7D8EE7A7D8ED61870E33E0C858A43DFCB219F78FEB388D9D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1562933947
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
But when I try to connect using ldapsearch, I get the following error:
ldapsearch -Z -H "ldaps://odps03:636" -D "cn=admin,dc=od,dc=pgnig,dc=pl" -d-1 "givenName=*"
ldap_url_parse_ext(ldaps://odps03:636)
ldap_create
ldap_url_parse_ext(ldaps://odps03:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP odps03:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.66.64.11:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I searched for and tried many ways to fix the problem, but nothing that Google turned up works.
I solved the problem myself. Maybe someone would like to debug a similar problem in a better way, so:
I first started low-level debugging with:
gdb ldapsearch
set args -Z -LLL -H "ldaps://odps03:636" -D "cn=admin,dc=example.com" -b "cn=Users,dc=example,dc=com" -d -1 -W
run
Its return code was:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[Inferior 1 (process 4388) exited with code 0377]
But that did not help find the problem, so in the next step I used:
strace -f -o /tmp/lddapsearch.log ldapsearch -x -Z -H "ldaps://odps03:636" -D "cn=admin,dc=example,dc=com" -b "cn=Users,dc=example,dc=com" -d-1 -W
This was very helpful. In the log file the most important line is:
12773 openat(AT_FDCWD, "/etc/ssl/certs/cacert.pem #ca-certificate.crt", O_RDONLY) = 2
That is what the RootCert import error means: unfortunately I used # to add a comment, but the LDAP utility read the whole line.
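An added example, not code from the post above, that reproduces the cause it found: ldap.conf has no inline comments, so libldap treats the rest of the line after the option name as the value, and the trailing "#ca-certificate.crt" becomes part of the TLS_CACERT path. The config fragment is constructed; the checker flags TLS path values containing "#" or whitespace and paths that do not exist.

```python
import os

# Constructed ldap.conf fragment (not the poster's real file). The TLS_CACERT
# line mirrors the one that produced the odd openat() path seen in strace.
SAMPLE_LDAP_CONF = """\
# Global LDAP client settings (constructed sample)
BASE   dc=example,dc=com
URI    ldaps://odps03:636
TLS_CACERT /etc/ssl/certs/cacert.pem #ca-certificate.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Parse ldap.conf the way libldap does: blank lines and lines whose
    first non-blank character is '#' are skipped; otherwise the first token
    is the option name and the rest of the line is its value. There is no
    inline-comment syntax, so a trailing '#...' stays inside the value."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        name = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[name] = value
    return conf


# TLS options whose value must be a single, existing filesystem path.
PATH_OPTIONS = ("TLS_CACERT", "TLS_CERT", "TLS_KEY", "TLS_CACERTDIR")


def check_tls_paths(conf, exists=os.path.exists):
    """Return (option, value, reason) for every TLS path option that is
    suspicious: a value containing '#' or whitespace (a comment that was
    never stripped), or a path that does not exist on this host."""
    findings = []
    for opt in PATH_OPTIONS:
        value = conf.get(opt)
        if value is None:
            continue
        if "#" in value or any(c.isspace() for c in value):
            findings.append((opt, value, "inline comment/whitespace in path"))
        elif not exists(value):
            findings.append((opt, value, "path does not exist"))
    return findings


if __name__ == "__main__":
    for opt, value, why in check_tls_paths(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print(f"{opt} = {value!r}: {why}")
```

Run it against the real file with `parse_ldap_conf(open("/etc/ldap/ldap.conf").read())`; moving the comment onto its own line starting with # makes the finding disappear.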