Ubuntu
LDAP TLS ldap_modify: error 80
I have read some advice on this forum and many others and tried to solve the problem myself, but with no result. I need to add a certificate to ldap, and it always returns error 80.
I am adding permissions to the folder for ldap:
ls -la /etc/apache2/ssl/
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip  2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22  2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22  2017 od.censored.pl.key
I am checking the permissions of the temporary directory:
ls -la /var/lib/lda*
razem 708
drwxr-xr-x  2 openldap openldap     4096 lip  2 10:39 .
drwxr-xr-x 79 root     root         4096 cze 30 09:06 ..
-rw-r--r--  1 openldap openldap     4096 cze 29 13:50 alock
-rw-------  1 openldap openldap     8192 kwi 13 11:12 cn.bdb
-rw-------  1 openldap openldap   548863 cze 29 14:20 __db.001
-rw-------  1 openldap openldap   147455 lip  2 10:50 __db.002
-rw-------  1 openldap openldap   114687 cze 29 13:50 __db.003
-rw-r--r--  1 openldap openldap       96 kwi 13 11:12 DB_CONFIG
-rw-------  1 openldap openldap     8192 kwi 13 11:12 dn2id.bdb
-rw-------  1 openldap openldap    32768 kwi 13 12:12 id2entry.bdb
-rw-------  1 openldap openldap 10485759 cze 29 14:20 log.0000000001
-rw-------  1 openldap openldap     8192 kwi 13 11:12 objectClass.bdb
certs.ldif looks like this:
cat certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/apache2/ssl/od.censored.pl.crt

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/apache2/ssl/od.censored.pl.key
But I keep seeing the error over and over:
ldapmodify -Y EXTERNAL -H ldapi:/// -vvv -f certs.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
replace olcTLSCertificateFile:
	/etc/apache2/ssl/od.censored.pl.crt
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Log after the add attempt:
Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 op=1 RESULT tag=103 err=0 text=
Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 op=2 UNBIND
Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 fd=18 closed
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 fd=18 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND dn="" method=163
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 RESULT tag=97 err=0 text=
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 MOD dn="cn=config"
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 MOD attr=olcTLSCertificateFile
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 RESULT tag=103 err=80 text=
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=2 UNBIND
Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 fd=18 closed
Debug output of the import attempt:
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=odps02
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x55ab9f63d3f0 ptr=0x55ab9f63d3f0 end=0x55ab9f63d40a len=26
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..
ber_scanf fmt ({i) ber:
ber_dump: buf=0x55ab9f63d3f0 ptr=0x55ab9f63d3f5 end=0x55ab9f63d40a len=21
  0000:  60 13 02 01 03 04 00 a3  0c 04 08 45 58 54 45 52   `..........EXTER
  0010:  4e 41 4c 04 00                                     NAL..
ber_flush2: 26 bytes to sd 4
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..
ldap_write: want=26, written=26
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..
ldap_msgfree
ldap_result ld 0x55ab9f63b260 msgid 1
wait4msg ld 0x55ab9f63b260 msgid 1 (infinite timeout)
wait4msg continue ld 0x55ab9f63b260 msgid 1 all 1
** ld 0x55ab9f63b260 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Fri Jul  6 15:04:50 2018

** ld 0x55ab9f63b260 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55ab9f63b260 request count 1 (abandoned 0)
** ld 0x55ab9f63b260 Response Queue:
   Empty
  ld 0x55ab9f63b260 response count 0
ldap_chkResponseList ld 0x55ab9f63b260 msgid 1 all 1
ldap_chkResponseList returns ld 0x55ab9f63b260 NULL
ldap_int_select
read1msg: ld 0x55ab9f63b260 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d990 end=0x55ab9f61d99c len=12
  0000:  02 01 01 61 07 0a 01 00  04 00 04 00               ...a........
read1msg: ld 0x55ab9f63b260 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........
read1msg: ld 0x55ab9f63b260 0 new referrals
read1msg:  mark request completed, ld 0x55ab9f63b260 msgid 1
request done: ld 0x55ab9f63b260 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........
ber_scanf fmt (}) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d99c end=0x55ab9f61d99c len=0
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x55ab9f640b00 ptr=0x55ab9f640b00 end=0x55ab9f640b58 len=88
  0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf
  0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate
  0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa
  0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni
  0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr
ber_scanf fmt ({) ber:
ber_dump: buf=0x55ab9f640b00 ptr=0x55ab9f640b05 end=0x55ab9f640b58 len=83
  0000:  66 51 04 09 63 6e 3d 63  6f 6e 66 69 67 30 44 30   fQ..cn=config0D0
  0010:  42 0a 01 02 30 3d 04 17  6f 6c 63 54 4c 53 43 41   B...0=..olcTLSCA
  0020:  43 65 72 74 69 66 69 63  61 74 65 46 69 6c 65 31   CertificateFile1
  0030:  22 04 20 2f 65 74 63 2f  61 70 61 63 68 65 32 2f   ". /etc/apache2/
  0040:  73 73 6c 2f 6f 64 2e 70  67 6e 69 67 2e 70 6c 2e   ssl/od.censored.pl.
  0050:  63 73 72                                           csr
ber_flush2: 88 bytes to sd 4
  0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf
  0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate
  0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa
  0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni
  0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr
ldap_write: want=88, written=88
  0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf
  0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate
  0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa
  0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni
  0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr
ldap_result ld 0x55ab9f63b260 msgid 2
wait4msg ld 0x55ab9f63b260 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x55ab9f63b260 msgid 2 all 1
** ld 0x55ab9f63b260 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Fri Jul  6 15:04:50 2018

** ld 0x55ab9f63b260 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55ab9f63b260 request count 1 (abandoned 0)
** ld 0x55ab9f63b260 Response Queue:
   Empty
  ld 0x55ab9f63b260 response count 0
ldap_chkResponseList ld 0x55ab9f63b260 msgid 2 all 1
ldap_chkResponseList returns ld 0x55ab9f63b260 NULL
ldap_int_select
read1msg: ld 0x55ab9f63b260 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 02 67 07 0a                            0....g..
ldap_read: want=6, got=6
  0000:  01 50 04 00 04 00                                  .P....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c910 end=0x55ab9f61c91c len=12
  0000:  02 01 02 67 07 0a 01 50  04 00 04 00               ...g...P....
read1msg: ld 0x55ab9f63b260 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c913 end=0x55ab9f61c91c len=9
  0000:  67 07 0a 01 50 04 00 04  00                        g...P....
read1msg: ld 0x55ab9f63b260 0 new referrals
read1msg:  mark request completed, ld 0x55ab9f63b260 msgid 2
request done: ld 0x55ab9f63b260 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c913 end=0x55ab9f61c91c len=9
  0000:  67 07 0a 01 50 04 00 04  00                        g...P....
ber_scanf fmt (}) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c91c end=0x55ab9f61c91c len=0
ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
  0000:  30 05 02 01 03 42 00                               0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 03 42 00                               0....B.
ldap_free_connection: actually freed
Please, any suggestions on how to solve it.
This is a big problem for me, because I cannot finish configuring a server I need; please help.
If openldap is the system user under which OpenLDAP's slapd runs, then the ownership/permissions listed in the question do not allow slapd to read the server certificate and private key:
ls -la /etc/apache2/ssl/
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip  2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22  2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22  2017 od.censored.pl.key
Unlike e.g. Apache, slapd initialises its SSLContext after calling setuid(), even when a static config file is used, and with dynamic configuration (cn=config) it has to read the files while processing the LDAP modify anyway. So try this to fix the group ownership:
chgrp -R openldap /etc/apache2/ssl
and remove the unneeded exec permissions:
chmod 0640 /etc/apache2/ssl/od.censored.pl.crt /etc/apache2/ssl/od.censored.pl.key
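To make the permission reasoning in this answer checkable before touching a live server, here is an added example (not code from the answerer or from OpenLDAP) that parses `ls -la` listings and applies the POSIX owner/group/other check the way an unprivileged slapd would experience it. The "before" listing is a constructed copy of the one in the question; the "after" listing is constructed to reflect what the `chgrp -R openldap` and `chmod 0640` above produce. The user and group names are taken from the question; everything else is an assumption of the example.

```python
"""Model the file-permission check slapd hits when it opens the TLS files.

Added example, not part of the original answer. The two listings below are
constructed: BEFORE copies the question's `ls -la /etc/apache2/ssl/` output,
AFTER shows the same directory once the answer's chgrp/chmod have been applied.
"""
import re

# One `ls -l` row: type, 9 permission chars, link count, owner, group, size,
# three date/time fields, then the name (which may be "." or "..").
LS_ROW = re.compile(
    r"^([dl-])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


def parse_listing(text):
    """Return {name: (is_dir, perms, owner, group)} from `ls -la` output.

    The "total N" header ("razem N" in the Polish locale of the question) does
    not match LS_ROW and is skipped.
    """
    entries = {}
    for line in text.strip().splitlines():
        m = LS_ROW.match(line.strip())
        if not m:
            continue
        kind, perms, owner, group, name = m.groups()
        entries[name] = (kind == "d", perms, owner, group)
    return entries


def class_bits(perms, owner, group, user, groups):
    """Select the rwx triplet POSIX applies to `user`: owner, then group, then other.

    root's DAC bypass is deliberately not modelled: slapd has already dropped
    to the openldap user when it opens olcTLSCertificateFile, so the question
    is what an ordinary user sees.
    """
    if user == owner:
        triplet = perms[0:3]
    elif group in groups:
        triplet = perms[3:6]
    else:
        triplet = perms[6:9]
    return {
        "r": triplet[0] == "r",
        "w": triplet[1] == "w",
        # lowercase s/t (setuid, setgid, sticky) still carry the execute bit
        "x": triplet[2] in "xst",
    }


def can_open_for_read(entries, name, user, groups):
    """True only if `user` can traverse the directory (x on ".") AND read `name`.

    Opening a file needs search permission on every directory in its path; a
    world-readable file inside a directory without other-execute is still
    unreadable to users outside the owner and group.
    """
    _, d_perms, d_owner, d_group = entries["."]
    _, f_perms, f_owner, f_group = entries[name]
    traverse = class_bits(d_perms, d_owner, d_group, user, groups)["x"]
    read = class_bits(f_perms, f_owner, f_group, user, groups)["r"]
    return traverse and read


# Constructed copy of the listing posted in the question (before the fix).
BEFORE = """\
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip  2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22  2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22  2017 od.censored.pl.key
"""

# Constructed listing after `chgrp -R openldap /etc/apache2/ssl` and
# `chmod 0640` on the certificate and key.
AFTER = """\
razem 16
drwxrwxr-- 2 root openldap 4096 cze 29 12:52 .
drwxr-xr-x 9 root root     4096 lip  2 10:33 ..
-rw-r----- 1 root openldap 1545 gru 22  2017 od.censored.pl.crt
-rw-r----- 1 root openldap 1704 gru 22  2017 od.censored.pl.key
"""

TLS_FILES = ("od.censored.pl.crt", "od.censored.pl.key")


def report(listing_text, user="openldap", groups=("openldap",)):
    """Map each TLS file to whether `user` could open it given this listing."""
    entries = parse_listing(listing_text)
    return {f: can_open_for_read(entries, f, user, groups) for f in TLS_FILES}


if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label, report(listing))
```

Running it shows both files as unreadable for openldap in the "before" listing and readable in the "after" one. The detail worth noticing is that the files in the question are other-readable (`-rwxrwxr--`), so the file modes alone would let openldap read them; what blocks the open is the directory `/etc/apache2/ssl/` itself, whose `drwxrwxr--` mode gives "other" no execute (search) bit. That is why the answer's `chgrp -R` has to cover the directory and not just the two files, and why the follow-up `chmod 0640` keeps the private key unreadable to every other account on the host.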