通过 ssl/tls 的 ldapsearch 不起作用 [英] ldapsearch over ssl/tls doesn't work

问题描述

我正在尝试通过 ssl/tls 连接使用 ldapsearch，但它不起作用:

I am trying to use ldapsearch over ssl/tls connection, but it doesn't work:

ldapsearch -ZZ -d 5 -b "cn=Users,dc=my,dc=server,dc=com" -s sub -D
"cn=mydevice,cn=Users,dc=my,dc=server,dc=com" -h my.server.com -p 3269
-w "mypass" -x "(cn=test)"

ldap_create
ldap_url_parse_ext(ldap://my.server.com:3269)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.com:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.199.46.70:3269
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x95ff590 msgid 1
wait4msg ld 0x95ff590 msgid 1 (infinite timeout)
wait4msg continue ld 0x95ff590 msgid 1 all 1
** ld 0x95ff590 Connections:
* host: my.server.com  port: 3269  (default)
refcnt: 2  status: Connected
last used: Mon Feb 27 10:59:43 2012

** ld 0x95ff590 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x95ff590 Response Queue:
Empty
ldap_chkResponseList ld 0x95ff590 msgid 1 all 1
ldap_chkResponseList returns ld 0x95ff590 NULL
ldap_int_select
read1msg: ld 0x95ff590 msgid 1 all 1
ber_get_next
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)

错误消息没有给出足够的提示来说明什么是错误的.相比之下，简单的绑定和搜索在 389 端口上运行良好，没有任何问题.

The error message doesn't give enought hint on what is wrong. In contrast, a simple binding and search goes well without any problem on port 389.

有什么提示吗?

附:这是我的 ldap.conf:

P.S. Here is my ldap.conf:

TLS_REQCERT demand
TLS_CACERT ./cacert.pem

我什至尝试将 TLS_REQCERT 更改为 never，但它仍然不起作用.:-(

I have even tried to change TLS_REQCERT to never, but it still doesn't work. :-(

推荐答案

首先，将-h my.server.com -p 3269替换为-H ldaps://my.server.com:3269 正如@dearlbry 所建议的那样.

First, replace -h my.server.com -p 3269 with -H ldaps://my.server.com:3269 as suggested by @dearlbry.

然后，在 /etc/openldap/ldap.conf(或我的 Ubuntu 13.04 上的 /etc/ldap/ldap.conf)中，通过添加以下内容来禁用证书验证:

Then, in /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on my Ubuntu 13.04), disable certificate verification by adding this :

HOST my.server.com
PORT 3269
TLS_REQCERT ALLOW

如果不想影响整个系统，也可以在当前目录下创建一个ldaprc文件，内容相同.

You can also create a ldaprc file in the current directory with the same content if you don't want to affect the whole system.

这将通过 SSL 启用 ldapsearch，但无需验证.按照这些 添加证书验证的步骤.

This will enable ldapsearch over SSL, but without verification. Follow these steps to add certificate validation to the mix.

这篇关于通过 ssl/tls 的 ldapsearch 不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！