Ubuntu

LDAP TSL ldap_modify:錯誤 80

  • June 5, 2021

我從這個論壇和許多其他論壇中讀到了一些建議,並嘗試自己解決問題,但沒有結果。我需要將證書添加到 ldap 並始終返回錯誤 80。

我是使用 ldap 向文件夾添加權限:

ls -la /etc/apache2/ssl/
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip  2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22  2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22  2017 od.censored.pl.key

我正在檢查臨時目錄的權限:

ls -la /var/lib/lda*
razem 708
drwxr-xr-x  2 openldap openldap     4096 lip  2 10:39 .
drwxr-xr-x 79 root     root         4096 cze 30 09:06 ..
-rw-r--r--  1 openldap openldap     4096 cze 29 13:50 alock
-rw-------  1 openldap openldap     8192 kwi 13 11:12 cn.bdb
-rw-------  1 openldap openldap   548863 cze 29 14:20 __db.001
-rw-------  1 openldap openldap   147455 lip  2 10:50 __db.002
-rw-------  1 openldap openldap   114687 cze 29 13:50 __db.003
-rw-r--r--  1 openldap openldap       96 kwi 13 11:12 DB_CONFIG
-rw-------  1 openldap openldap     8192 kwi 13 11:12 dn2id.bdb
-rw-------  1 openldap openldap    32768 kwi 13 12:12 id2entry.bdb
-rw-------  1 openldap openldap 10485759 cze 29 14:20 log.0000000001
-rw-------  1 openldap openldap     8192 kwi 13 11:12 objectClass.bdb

certs.ldif 看起來:

cat -n certs.ldif 
    1  dn: cn=config
    2  changetype: modify
    3  replace: olcTLSCertificateFile
    4  olcTLSCertificateFile: /etc/apache2/ssl/od.censored.pl.crt
    5  
    6  dn: cn=config
    7  changetype: modify
    8  replace: olcTLSCertificateKeyFile
    9  olcTLSCertificateKeyFile: /etc/apache2/ssl/od.censored.pl.key

但我一遍又一遍地看到錯誤:

ldapmodify -Y EXTERNAL -H ldapi:/// -vvv -f certs.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
replace olcTLSCertificateFile:
   /etc/apache2/ssl/od.censored.pl.crt
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

添加嘗試後的日誌:

  195  Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 op=1 RESULT tag=103 err=0 text=
  196  Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 op=2 UNBIND
  197  Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 fd=18 closed
  198  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 fd=18 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
  199  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND dn="" method=163
  200  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  201  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
  202  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 RESULT tag=97 err=0 text=
  203  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 MOD dn="cn=config"
  204  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 MOD attr=olcTLSCertificateFile
  205  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 RESULT tag=103 err=80 text=
  206  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=2 UNBIND
  207  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 fd=18 closed

調試導入嘗試:

ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=odps02
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x55ab9f63d3f0 ptr=0x55ab9f63d3f0 end=0x55ab9f63d40a len=26
 0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
 0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ber_scanf fmt ({i) ber:
ber_dump: buf=0x55ab9f63d3f0 ptr=0x55ab9f63d3f5 end=0x55ab9f63d40a len=21
 0000:  60 13 02 01 03 04 00 a3  0c 04 08 45 58 54 45 52   `..........EXTER  
 0010:  4e 41 4c 04 00                                     NAL..             
ber_flush2: 26 bytes to sd 4
 0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
 0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ldap_write: want=26, written=26
 0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
 0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ldap_msgfree
ldap_result ld 0x55ab9f63b260 msgid 1
wait4msg ld 0x55ab9f63b260 msgid 1 (infinite timeout)
wait4msg continue ld 0x55ab9f63b260 msgid 1 all 1
** ld 0x55ab9f63b260 Connections:
* host: (null)  port: 0  (default)
 refcnt: 2  status: Connected
 last used: Fri Jul  6 15:04:50 2018


** ld 0x55ab9f63b260 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
 ld 0x55ab9f63b260 request count 1 (abandoned 0)
** ld 0x55ab9f63b260 Response Queue:
  Empty
 ld 0x55ab9f63b260 response count 0
ldap_chkResponseList ld 0x55ab9f63b260 msgid 1 all 1
ldap_chkResponseList returns ld 0x55ab9f63b260 NULL
ldap_int_select
read1msg: ld 0x55ab9f63b260 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
 0000:  30 0c 02 01 01 61 07 0a                            0....a..          
ldap_read: want=6, got=6
 0000:  01 00 04 00 04 00                                  ......            
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d990 end=0x55ab9f61d99c len=12
 0000:  02 01 01 61 07 0a 01 00  04 00 04 00               ...a........      
read1msg: ld 0x55ab9f63b260 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
 0000:  61 07 0a 01 00 04 00 04  00                        a........         
read1msg: ld 0x55ab9f63b260 0 new referrals
read1msg:  mark request completed, ld 0x55ab9f63b260 msgid 1
request done: ld 0x55ab9f63b260 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
 0000:  61 07 0a 01 00 04 00 04  00                        a........         
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
 0000:  61 07 0a 01 00 04 00 04  00                        a........         
ber_scanf fmt (}) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d99c end=0x55ab9f61d99c len=0

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x55ab9f640b00 ptr=0x55ab9f640b00 end=0x55ab9f640b58 len=88
 0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf  
 0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc  
 0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
 0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa  
 0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni  
 0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr          
ber_scanf fmt ({) ber:
ber_dump: buf=0x55ab9f640b00 ptr=0x55ab9f640b05 end=0x55ab9f640b58 len=83
 0000:  66 51 04 09 63 6e 3d 63  6f 6e 66 69 67 30 44 30   fQ..cn=config0D0  
 0010:  42 0a 01 02 30 3d 04 17  6f 6c 63 54 4c 53 43 41   B...0=..olcTLSCA  
 0020:  43 65 72 74 69 66 69 63  61 74 65 46 69 6c 65 31   CertificateFile1  
 0030:  22 04 20 2f 65 74 63 2f  61 70 61 63 68 65 32 2f   ". /etc/apache2/  
 0040:  73 73 6c 2f 6f 64 2e 70  67 6e 69 67 2e 70 6c 2e   ssl/od.censored.pl.  
 0050:  63 73 72                                           csr               
ber_flush2: 88 bytes to sd 4
 0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf  
 0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc  
 0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
 0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa  
 0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni  
 0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr          
ldap_write: want=88, written=88
 0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf  
 0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc  
 0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
 0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa  
 0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni  
 0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr          
ldap_result ld 0x55ab9f63b260 msgid 2
wait4msg ld 0x55ab9f63b260 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x55ab9f63b260 msgid 2 all 1
** ld 0x55ab9f63b260 Connections:
* host: (null)  port: 0  (default)
 refcnt: 2  status: Connected
 last used: Fri Jul  6 15:04:50 2018


** ld 0x55ab9f63b260 Outstanding Requests:
* msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
 ld 0x55ab9f63b260 request count 1 (abandoned 0)
** ld 0x55ab9f63b260 Response Queue:
  Empty
 ld 0x55ab9f63b260 response count 0
ldap_chkResponseList ld 0x55ab9f63b260 msgid 2 all 1
ldap_chkResponseList returns ld 0x55ab9f63b260 NULL
ldap_int_select
read1msg: ld 0x55ab9f63b260 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
 0000:  30 0c 02 01 02 67 07 0a                            0....g..          
ldap_read: want=6, got=6
 0000:  01 50 04 00 04 00                                  .P....            
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c910 end=0x55ab9f61c91c len=12
 0000:  02 01 02 67 07 0a 01 50  04 00 04 00               ...g...P....      
read1msg: ld 0x55ab9f63b260 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c913 end=0x55ab9f61c91c len=9
 0000:  67 07 0a 01 50 04 00 04  00                        g...P....         
read1msg: ld 0x55ab9f63b260 0 new referrals
read1msg:  mark request completed, ld 0x55ab9f63b260 msgid 2
request done: ld 0x55ab9f63b260 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c913 end=0x55ab9f61c91c len=9
 0000:  67 07 0a 01 50 04 00 04  00                        g...P....         
ber_scanf fmt (}) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c91c end=0x55ab9f61c91c len=0

ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)

ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
 0000:  30 05 02 01 03 42 00                               0....B.           
ldap_write: want=7, written=7
 0000:  30 05 02 01 03 42 00                               0....B.           
ldap_free_connection: actually freed

請為任何建議如何解決它。

這個問題對我來說是個大問題,因為我無法完成必要伺服器的配置,請尋求幫助。

如果openldap是執行 OpenLDAP 的 slapd 的系統使用者,則問題中列出的此所有權/權限不允許 slap 讀取伺服器證書和私鑰:

ls -la /etc/apache2/ssl/
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip  2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22  2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22  2017 od.censored.pl.key

與例如 Apache slapd相反,即使在使用靜態配置文件時,也會在呼叫後初始化SSLContext 。setuid()並且對於動態配置 (cn=config),無論如何它都必須在處理 LDAP 修改期間讀取文件。

因此嘗試這個來修復組所有權:

chgrp -R openldap /etc/apache2/ssl

並刪除不需要的 exec 權限:

chmod 0640 /etc/apache2/ssl/od.censored.pl.crt /etc/apache2/ssl/od.censored.pl.key

引用自:https://serverfault.com/questions/919133