0
我爲我的服務器創建了自簽名證書,並且在未加密端口下的StartTLS正常,但我需要在加密端口下運行,因爲Jenkins ldap-plugin無法使用StartTLS功能。在SLAPD中允許LDAPS服務
我開始我的服務器:
slapd -h "ldap:/// ldaps:///" -f /etc/ldap/slapd.conf -d config -d conns -d packets
如果我運行此的ldapsearch:
ldapsearch -d 1 -v -H "ldaps://[server ip]" -D "[manager dn]" -w [manager password]
我收到此錯誤:
ldap_url_parse_ext(ldaps://172.17.0.1)
ldap_initialize(ldaps://172.17.0.1:636/??base)
ldap_create
ldap_url_parse_ext(ldaps://172.17.0.1:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 172.17.0.1:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 172.17.0.1:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
但如果我跑的OpenSSL測試連接:
openssl s_client -connect [server ip]:686
我收到它的確定:
CONNECTED(00000003)
depth=1 C = BR, ST = Sao Paulo, O = example.com, CN = Davi Diorio Mendes, emailAddress = [email protected]
verify return:1
depth=0 C = BR, ST = Sao Paulo, L = Campinas, O = example.com, CN = example.com, emailAddress = [email protected]
verify return:1
---
Certificate chain
0 s:/C=BR/ST=Sao Paulo/L=Campinas/O=example.com/CN=example.com/[email protected]
i:/C=BR/ST=Sao Paulo/O=example.com/CN=Davi Diorio Mendes/[email protected]
1 s:/C=BR/ST=Sao Paulo/O=example.com/CN=Davi Diorio Mendes/[email protected]
i:/C=BR/ST=Sao Paulo/O=example.com/CN=Davi Diorio Mendes/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID+TCCAuGgAwIBAgIJAOcBkNiAzXUIMA0GCSqGSIb3DQEBCwUAMHcxCzAJBgNV
BAYTAkJSMRIwEAYDVQQIDAlTYW8gUGF1bG8xFDASBgNVBAoMC2V4YW1wbGUuY29t
MRswGQYDVQQDDBJEYXZpIERpb3JpbyBNZW5kZXMxITAfBgkqhkiG9w0BCQEWEmRk
aW9yaW9AYnIuaWJtLmNvbTAeFw0xNjA3MjcxNTUxNDFaFw0xNzA3MjcxNTUxNDFa
MIGDMQswCQYDVQQGEwJCUjESMBAGA1UECAwJU2FvIFBhdWxvMREwDwYDVQQHDAhD
YW1waW5hczEUMBIGA1UECgwLZXhhbXBsZS5jb20xFDASBgNVBAMMC2V4YW1wbGUu
Y29tMSEwHwYJKoZIhvcNAQkBFhJkZGlvcmlvQGJyLmlibS5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDu8RXjY37lP8foIE0QZ9sQYotjRFdKBxeb
483dHf8NzbUTLILNqImzqU+EqBNRNxuHDhBh45/kM24A5dkcjaS5ZqCR/1pOR8bD
ojoeuNqEu/9ga4MWLqrj0rWxQywiBG/O9VzZg3eV7u34oTj3Rx7paohvU8KOFr8/
r9/cXG6QBXKl8Iu8jdo3KtWy7GcN9HOGkJrFwQ6sKbgIKMFpjrV3ByNapTCPJd32
kFY3Hkq2l54iyJGbO3q62HE3/KYKlRPR2uRjOj4YPxU13bvwRAUd1D77xMDEKya6
yj5M+gYGD8PHIn1lBvWOBaa8tzmM2zGk2H6eMoCFgtJAtqAOVIuRAgMBAAGjezB5
MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
cnRpZmljYXRlMB0GA1UdDgQWBBRXjVcxfJOMwLS70jGjJb8X8xc2IDAfBgNVHSME
GDAWgBQbykbeuV2BDwKARaTYvpZwwKM/jjANBgkqhkiG9w0BAQsFAAOCAQEAgfKs
kFXxY6ZBzcvHU3wwu5kXZo8BYniJ3YZTGGX45JPF9v0yZzAjWAnYR9xJew+Ac1sZ
GrIA1aI1ooEjo1R42JUelo/PnY5rTuveaRvKG+b2H8+LOf0riIkG92byHazmBrK4
PX7ShgdEvK/B3YoDH201RpO8Fjugb31D9j9XcyfmBioKVUcRuxPTlpzOSWeyW8Db
GZ8Gr2Rz7Vxf0/mV25ikvXWHc/e2zNSD/C6bJcRlgaIo/hkoclpJ510oqj+XVcqI
PK/+QABzb9TX2uoMHA+nb7eV3aUzYHya56NAQNhbdfV1gogHFYPFntiE/dJYNM9c
cIWaKjrHXMFfnM2WIg==
-----END CERTIFICATE-----
subject=/C=BR/ST=Sao Paulo/L=Campinas/O=example.com/CN=example.com/[email protected]
issuer=/C=BR/ST=Sao Paulo/O=example.com/CN=Davi Diorio Mendes/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 2562 bytes and written 483 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A57A8114450D576489124B51B0E68EC8C6F59BDDA8BEDF1DD5CA456C878FD66B
Session-ID-ctx:
Master-Key: 90734979FE60577DD24E35B03BBD6F2E57DF457C54BE0B320FD73C384A8F50A1CB783D629F22E060E89C7EB1B7D70FDA
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1469733255
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
這是我的slapd.conf:
# slapd.conf - Configuration file for LDAP SLAPD
##########
# Basics #
##########
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
###########
# SSL/TLS #
###########
TLSCACertificateFile /etc/ldap/example.com.cacert.pem
TLSCertificateFile /etc/ldap/example.com.cert.pem
TLSCertificateKeyFile /etc/ldap/example.com.key.pem
##########################
# Database Configuration #
##########################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw admin
directory /var/local/ldap/database
index objectClass,cn,uid,mail eq
########
# ACLs #
########
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to *
by self write
by * none
,這是我的ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://localhost
BINDDN cn=Manager,dc=example,dc=com
SIZELIMIT 0
TIMELIMIT 0
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/example.com.cacert.pem
TLS_REQCERT allow
有誰可以當場我的錯?或者指出一個方向?
謝謝!
Stack Overflow是編程和開發問題的網站。這個問題似乎與題目無關,因爲它不涉及編程或開發。請參閱幫助中心的[我可以詢問哪些主題](http://stackoverflow.com/help/on-topic)。也許[超級用戶](http://superuser.com/)或[Unix&Linux堆棧交換](http://unix.stackexchange.com/)會是一個更好的地方。另請參閱[我在哪裏發佈有關Dev Ops的問題?](http://meta.stackexchange.com/q/134306)。 – jww
***'CN = example.com' ***可能是錯誤的。主機名始終在* SAN *中。如果它存在於* CN *中,那麼它也必須存在於* SAN *中(在這種情況下,您必須列出它兩次)。有關更多規則和原因,請參見[如何使用您的證書頒發機構簽署證書籤名請求?](http://stackoverflow.com/a/21340898/608639)和[如何使用openssl創建自簽名證書?] (http://stackoverflow.com/q/10175812/608639) – jww
@jww,我在openLDAP文檔之後使用了'CN = example.com':「爲服務器創建一個證書請求和私鑰,記住Common Name因爲此證書應該是服務器的完全限定域名「 - [OpenLDAP-Faq-我如何使用TLS/SSL](http://www.openldap.org/faq/data/cache/185.html) –