ssl/tls上的ldapsearch不起作用 [英] ldapsearch over ssl/tls doesn't work

问题描述

我正在尝试通过ssl/tls连接使用ldapsearch，但是它不起作用:

I am trying to use ldapsearch over ssl/tls connection, but it doesn't work:

ldapsearch -ZZ -d 5 -b "cn=Users,dc=my,dc=server,dc=com" -s sub -D
"cn=mydevice,cn=Users,dc=my,dc=server,dc=com" -h my.server.com -p 3269
-w "mypass" -x "(cn=test)"

ldap_create
ldap_url_parse_ext(ldap://my.server.com:3269)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.com:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.199.46.70:3269
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x95ff590 msgid 1
wait4msg ld 0x95ff590 msgid 1 (infinite timeout)
wait4msg continue ld 0x95ff590 msgid 1 all 1
** ld 0x95ff590 Connections:
* host: my.server.com  port: 3269  (default)
refcnt: 2  status: Connected
last used: Mon Feb 27 10:59:43 2012

** ld 0x95ff590 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x95ff590 Response Queue:
Empty
ldap_chkResponseList ld 0x95ff590 msgid 1 all 1
ldap_chkResponseList returns ld 0x95ff590 NULL
ldap_int_select
read1msg: ld 0x95ff590 msgid 1 all 1
ber_get_next
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)

该错误消息未充分提示错误之处.相比之下，在端口389上进行简单的绑定和搜索就可以顺利进行.

The error message doesn't give enought hint on what is wrong. In contrast, a simple binding and search goes well without any problem on port 389.

有任何提示吗?

P.S.这是我的ldap.conf:

P.S. Here is my ldap.conf:

TLS_REQCERT demand
TLS_CACERT ./cacert.pem

我什至尝试将TLS_REQCERT更改为never，但仍然无法正常工作. :-(

I have even tried to change TLS_REQCERT to never, but it still doesn't work. :-(

推荐答案

首先，按照@dearlbry的建议，将-h my.server.com -p 3269替换为-H ldaps://my.server.com:3269.

First, replace -h my.server.com -p 3269 with -H ldaps://my.server.com:3269 as suggested by @dearlbry.

然后，在/etc/openldap/ldap.conf(或我的Ubuntu 13.04上的/etc/ldap/ldap.conf)中，通过添加以下内容来禁用证书验证:

Then, in /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on my Ubuntu 13.04), disable certificate verification by adding this :

HOST my.server.com
PORT 3269
TLS_REQCERT ALLOW

如果不想影响整个系统，还可以在当前目录中创建具有相同内容的ldaprc文件.

You can also create a ldaprc file in the current directory with the same content if you don't want to affect the whole system.

这将启用基于SSL的ldapsearch，但无需验证.请遵循以下

This will enable ldapsearch over SSL, but without verification. Follow these steps to add certificate validation to the mix.

这篇关于ssl/tls上的ldapsearch不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！