
libpam-ldap cannot connect to the LDAP server over SSL/TLS

  • June 8, 2020

I am trying to configure PAM to authenticate against my LDAP server. To do that I am trying to use libpam-ldap; I chose libpam-ldap over libpam-ldapd for two reasons. First, libpam-ldapd does not seem to support group-based authentication, meaning I cannot control which users may access which services using LDAP groups (at least for services that use PAM), and second, when I tried to install libpam-ldapd the whole server became extremely unresponsive, taking 30+ seconds to process commands.

When an authentication attempt is made, libpam_ldap correctly tries to contact the desired LDAP server on port 636, but no bind attempt is made. Reconfiguring libpam-ldap to connect to the LDAP server over a non-TLS connection on port 389 results in the bind attempt being correctly rejected by my LDAP server's authentication policy for non-TLS connections.

I am running Debian 10.4, and my pam_ldap.conf file (which I have trimmed down to a minimal configuration as part of my troubleshooting) is as follows

base ou=people,dc=example,dc=com
uri ldaps://example.com/
ldap_version 3
binddn uid=0,ou=servers,dc=example,dc=com
bindpw mypassword
pam_login_attribute displayName
pam_password clear
ssl on
tls_checkpeer no
tls_cacertdir /etc/ssl/certs
logdir /var/log/pamldap

Wherever it says example, the actual configuration has the correct values. The password is set to clear because password hashing is being handled server-side by ppolicy. The options specifying "ssl on", "tls_checkpeer" and "tls_cacertdir" were all included as part of my troubleshooting; no combination of them results in a successful connection to the LDAP server.

The logdir flag in the configuration does not work, so libpam-ldap produces no logs, which complicates troubleshooting considerably. So far troubleshooting has consisted of trying to authenticate an FTP user, watching the logs on the LDAP server, and watching the information propagated to the FTP client. Trying to log in while libpam-ldap is configured to use TLS results in the FTP client timing out, and the following is logged on the LDAP server

Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: slap_listener_activate(8):
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 busy
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: >>> slap_listener(ldaps:///)
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: listen=8, new connection on 12
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]: daemon: added 12r (active) listener=(nil)
Jun  4 15:11:05 MyServer slapd[831]:  12r
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun  4 15:11:05 MyServer slapd[831]: conn=1000 fd=12 ACCEPT from IP=X.X.X.X:1025 (IP=0.0.0.0:636)
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:  12r
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun  4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:  12r
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: read active on 12
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12)
Jun  4 15:11:05 MyServer slapd[831]: connection_get(12): got connid=1000
Jun  4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on 1 descriptor
Jun  4 15:11:05 MyServer slapd[831]: daemon: activity on:
Jun  4 15:11:05 MyServer slapd[831]:
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:11:05 MyServer slapd[831]: daemon: epoll: listen=10 active_threads=0 tvp=zero

Attempting to log in over an unencrypted connection results in the FTP client receiving a 530 login error response and a "Fatal error: Could not connect to server" error message, and the LDAP server logs the following

Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: slap_listener_activate(8):
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 busy
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: >>> slap_listener(ldap:///)
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: listen=8, new connection on 14
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:  14r
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: added 14r (active) listener=(nil)
Jun  4 15:27:20 MyServer slapd[5866]: daemon: read active on 14
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 ACCEPT from IP=X.X.X.X:47982 (IP=0.0.0.0:389)
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: connection_get(14)
Jun  4 15:27:20 MyServer slapd[5866]: connection_get(14): got connid=1002
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: connection_read(14): checking for input on id=1002
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]: op tag 0x60, time 1591298840
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 do_bind
Jun  4 15:27:20 MyServer slapd[5866]: >>> dnPrettyNormal: <uid=0,ou=servers,dc=example,dc=com>
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: <<< dnPrettyNormal: <uid=0,ou=servers,dc=example,dc=com>, <uid=0,ou=servers,dc=example,dc=com>
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 BIND dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun  4 15:27:20 MyServer slapd[5866]: do_bind: version=3 dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: send_ldap_result: conn=1002 op=0 p=3
Jun  4 15:27:20 MyServer slapd[5866]: send_ldap_result: err=13 matched="" text="confidentiality required"
Jun  4 15:27:20 MyServer slapd[5866]: send_ldap_response: msgid=1 tag=97 err=13
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 RESULT tag=97 err=13 text=confidentiality required
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:  14r
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: read active on 14
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: connection_get(14)
Jun  4 15:27:20 MyServer slapd[5866]: connection_get(14): got connid=1002
Jun  4 15:27:20 MyServer slapd[5866]: connection_read(14): checking for input on id=1002
Jun  4 15:27:20 MyServer slapd[5866]: op tag 0x42, time 1591298840
Jun  4 15:27:20 MyServer slapd[5866]: ber_get_next on fd 14 failed errno=0 (Success)
Jun  4 15:27:20 MyServer slapd[5866]: connection_read(14): input error=-2 id=1002, closing.
Jun  4 15:27:20 MyServer slapd[5866]: connection_closing: readying conn=1002 sd=14 for close
Jun  4 15:27:20 MyServer slapd[5866]: connection_close: deferring conn=1002 sd=14
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on 1 descriptor
Jun  4 15:27:20 MyServer slapd[5866]: daemon: activity on:
Jun  4 15:27:20 MyServer slapd[5866]:
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 do_unbind
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 UNBIND
Jun  4 15:27:20 MyServer slapd[5866]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Jun  4 15:27:20 MyServer slapd[5866]: connection_resched: attempting closing conn=1002 sd=14
Jun  4 15:27:20 MyServer slapd[5866]: connection_close: conn=1002 sd=14
Jun  4 15:27:20 MyServer slapd[5866]: daemon: removing 14
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 closed

This appears to be the correct policy response from my LDAP server.

To clarify my question: libpam_ldap cannot talk to my LDAP server over TLS. Can anyone tell me why this is happening and what I need to do to fix it? If you think this is not the problem I am having, what do you think the problem is and what do you think I need to do to fix it?
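The two captures above differ in one place: on port 636 the connection is ACCEPTed and then nothing else arrives, while on port 389 a BIND arrives and slapd answers err=13. The following is an added example, not code from the question, that turns that observation into a check: it walks slapd's syslog-style debug lines, records per connection id whether a BIND was ever seen and what result came back, and labels each connection. The sample log embedded in it is a constructed subset of the lines above with the epoll chatter removed; the peer address X.X.X.X is kept as the post shows it.

```python
"""Classify slapd connections from its debug log.

Added example, not code from the original question. It walks syslog-style
slapd lines (the 'conns'/'stats' loglevel output shown above) and records,
per connection id, whether the client ever issued a BIND and what result
came back. Two signatures matter for the problem described:
  * ACCEPT on port 636 with no BIND afterwards: the TLS handshake never
    completed, so the client never got as far as sending an LDAP operation;
  * BIND answered with err=13 "confidentiality required": the server's
    olcSecurity policy refused a cleartext bind.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=[\d.]+:(\d+)\)")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the LDAP BindResponse; err=13 is confidentialityRequired
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)(?: text=(.*))?$")
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed")


@dataclass
class Conn:
    peer: str
    port: int
    bind_dn: Optional[str] = None
    bind_err: Optional[int] = None
    bind_text: str = ""
    closed: bool = False


def parse_slapd_log(lines) -> Dict[int, Conn]:
    """Build a Conn record per connection id from ACCEPT/BIND/RESULT/closed lines."""
    conns: Dict[int, Conn] = {}
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conns[int(m[1])] = Conn(peer=m[2], port=int(m[3]))
            continue
        for regex in (BIND_RE, BIND_RESULT_RE, CLOSED_RE):
            m = regex.search(line)
            if not m:
                continue
            conn = conns.get(int(m[1]))
            if conn is None:  # the ACCEPT line scrolled out of the capture
                break
            if regex is BIND_RE:
                conn.bind_dn = m[2]
            elif regex is BIND_RESULT_RE:
                conn.bind_err = int(m[2])
                conn.bind_text = (m[3] or "").strip()
            else:
                conn.closed = True
            break
    return conns


def diagnose(conn: Conn) -> str:
    """One-line verdict for a connection, keyed on the two signatures above."""
    if conn.bind_dn is None:
        if conn.port == 636:
            return "ACCEPT on 636 but no BIND: TLS handshake never completed"
        return "ACCEPT but no BIND: client sent no LDAP operation"
    if conn.bind_err == 13:
        return "BIND refused, err=13 confidentiality required: server policy demands TLS"
    if conn.bind_err == 49:
        return "BIND refused, err=49 invalid credentials"
    if conn.bind_err == 0:
        return "BIND succeeded"
    return f"BIND result err={conn.bind_err} {conn.bind_text}".rstrip()


# Constructed sample: the relevant lines from the two captures above, with
# the epoll/daemon chatter stripped. Peer address X.X.X.X is as in the post.
SAMPLE_LOG = """\
Jun  4 15:11:05 MyServer slapd[831]: conn=1000 fd=12 ACCEPT from IP=X.X.X.X:1025 (IP=0.0.0.0:636)
Jun  4 15:11:05 MyServer slapd[831]: connection_read(12): checking for input on id=1000
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 ACCEPT from IP=X.X.X.X:47982 (IP=0.0.0.0:389)
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 BIND dn="uid=0,ou=servers,dc=example,dc=com" method=128
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=0 RESULT tag=97 err=13 text=confidentiality required
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 op=1 UNBIND
Jun  4 15:27:20 MyServer slapd[5866]: conn=1002 fd=14 closed
"""


def report(log_text: str = SAMPLE_LOG) -> Dict[int, str]:
    """Map connection id -> verdict for a whole log capture."""
    return {cid: diagnose(c) for cid, c in parse_slapd_log(log_text.splitlines()).items()}


if __name__ == "__main__":
    for cid, verdict in report().items():
        print(f"conn={cid}: {verdict}")
```

Run it against a full `journalctl -u slapd` capture by passing the text to `report()`. A connection that shows "ACCEPT on 636 but no BIND" has failed below the LDAP layer, so the next step is on the client side (certificate, hostname, or the path the client takes to reach the server), not in slapd's access or security policy.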

I finally figured out my problem. My problem was a strange TLS issue: if you try to establish a TLS connection from a machine to itself through NAT (the LDAP server and client are on the same machine, but for TLS to work the client needs to go through the domain name, so it has to traverse NAT), the connection does not work at all. This is not unique to LDAP; it is a general TLS oddity. The solution to this problem was to disable mandatory TLS on the LDAP server (remove the olcSecurity attribute) and re-enable ldap:/// (as opposed to ldaps:///) in the slapd defaults file, but restrict it to the loopback interface (ldap://127.0.0.1/). This way all traffic is still forced to use TLS (with cipher restrictions enforced via the olcTLSCipherSuite attribute),
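Removing olcSecurity means slapd will no longer answer a cleartext bind with err=13, so in the layout the answer describes the only thing keeping the bind password off the network is the scope of the ldap:// listener. The following is an added example, not code from the answer or from OpenLDAP, that makes that the check: it parses the SLAPD_SERVICES value from /etc/default/slapd (Debian's listener list) and flags every ldap:// listener that is not pinned to a loopback address; harden() rewrites a wildcard cleartext listener to 127.0.0.1. The three configurations at the bottom are constructed: Debian's shipped default, the TLS-only variant the question started from, and the loopback layout the answer ends with.

```python
"""Check which slapd listeners offer cleartext LDAP off the loopback.

Added example, not code from the question or its answer. It parses the
SLAPD_SERVICES value from /etc/default/slapd (Debian's listener list) and
flags every ldap:// listener that is not bound to a loopback address. Once
olcSecurity is removed, slapd no longer refuses cleartext binds with err=13,
so listener scope is the only control left; ldapi:/// is a Unix socket and
ldaps:/// is TLS from the first byte, so neither is flagged.
"""
from typing import List
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}
WILDCARD_HOSTS = (None, "", "0.0.0.0", "::")  # urlsplit gives None for ldap:///


def listener_risks(slapd_services: str) -> List[str]:
    """Return one finding per listener URI that exposes cleartext LDAP."""
    findings = []
    for uri in slapd_services.split():
        parts = urlsplit(uri)
        host = parts.hostname
        if parts.scheme == "ldap":
            if host in WILDCARD_HOSTS:
                findings.append(f"{uri}: cleartext LDAP on all interfaces")
            elif host not in LOOPBACK_HOSTS:
                findings.append(f"{uri}: cleartext LDAP reachable from {host}")
        elif parts.scheme not in ("ldaps", "ldapi"):
            findings.append(f"{uri}: unrecognised listener scheme")
    return findings


def harden(slapd_services: str) -> str:
    """Pin wildcard ldap:// listeners to 127.0.0.1, leave every other URI alone."""
    out = []
    for uri in slapd_services.split():
        parts = urlsplit(uri)
        if parts.scheme == "ldap" and parts.hostname in WILDCARD_HOSTS:
            port = f":{parts.port}" if parts.port else ""
            uri = f"ldap://127.0.0.1{port}/"
        out.append(uri)
    return " ".join(out)


# Constructed configurations (values for SLAPD_SERVICES in /etc/default/slapd).
DEBIAN_DEFAULT = "ldap:/// ldapi:///"
TLS_ONLY = "ldaps:/// ldapi:///"
ANSWER_LAYOUT = "ldap://127.0.0.1/ ldaps:/// ldapi:///"

if __name__ == "__main__":
    for name, value in (("default", DEBIAN_DEFAULT), ("tls-only", TLS_ONLY), ("answer", ANSWER_LAYOUT)):
        print(f"{name}: {listener_risks(value) or 'ok'}")
    print("hardened default:", harden(DEBIAN_DEFAULT))
```

The check is a stand-in for the policy that was removed: it says nothing about whether a client on the same host actually uses the loopback URI, so the pam_ldap.conf `uri` line still has to point at ldap://127.0.0.1/ or at ldaps:// for the bind password to stay off the wire.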

Source: https://serverfault.com/questions/1020082