将 StartTLS 与 System.DirectoryServices 中的 LDAP 结合使用 [英] Using StartTLS with LDAP from System.DirectoryServices
问题描述
我正在尝试连接到需要 StartTLS 的 LDAP 服务器,但运气不佳 - 每当我使用 SessionOptions.StartTransportLayerSecurity(..) 或将 SessionOptions.SecureSocketLayer 设置为 true 时,都会出现异常.
I'm trying to connect to an LDAP server which requires StartTLS, but having no luck - whenever I use either the SessionOptions.StartTransportLayerSecurity(..) or set SessionOptions.SecureSocketLayer to true, I get exceptions.
这是我正在使用的代码:
Here's the code I'm using:
using (var connection = new LdapConnection(new LdapDirectoryIdentifier(config.LdapServer, config.Port, false, false)))
{
connection.SessionOptions.ProtocolVersion = 3;
connection.Credential = new NetworkCredential(config.BindDN, config.BindPassword);
connection.SessionOptions.VerifyServerCertificate += (conn, cert) => {return true;};
connection.AuthType = AuthType.Basic;
//connection.SessionOptions.SecureSocketLayer = true;
connection.SessionOptions.StartTransportLayerSecurity(null); // throws here, same if done after bind.
connection.Bind();
... do stuff with connection
}
产生的异常是TlsOperationException: An unspecified error occurred",在调用 StartTransportLayerSecurity 方法时发生.
The resulting exception is "TlsOperationException: An unspecified error occurred", which happens when invoking the StartTransportLayerSecurity method.
我已经针对 OpenLDAP 服务器和 Active Directory 测试了代码,但都不起作用.
I've tested the code against both and OpenLDAP server and Active Directory, but neither works.
有谁知道如何让 StartTLS 与 System.DirectoryServices 一起工作?
Does anyone know how to get StartTLS working with System.DirectoryServices?
推荐答案
在这个问题上做了更多的工作后,我发现我遇到了几个问题:
After a bit more work on this issue I found that I was running up against a couple of issues:
- 在我们的测试套件中连接到 AD 时,端口号被错误地更改为 SSL 端口 (636) 的代码中存在错误(doh!).
- OpenLDAP 测试服务器(我们客户的副本)使用的是 openldap-2.4.18 - StartTLS 存在已知问题.
对 OpenLDAP 应用补丁后(如此处所述 - http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html)我们能够修复#2 - 此时我们开始收到不同的错误发生本地错误".
After applying a patch to OpenLDAP (as discussed here - http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html) we were able to fix #2 - at which point we started getting a different error "A local error occurred".
虽然最初我们有这个代码:
Though originally we had this code:
connection.SessionOptions.VerifyServerCertificate
+= (conn, cert) => {return true;};
我们在测试时删除了它,因为 OpenLDAP 服务器使用的是自签名证书,所以它不在受信任的存储中.重新引入该回调解决了此问题,尽管我们现在将其设为可配置选项,即验证服务器证书 Y/N",因此客户需要选择跳过检查(主要供我们的 QA 团队使用).
We had removed it while testing, and because the OpenLDAP server was using a self-signed cert, that was not in a trusted store. Re-introducing that callback resolved this issue, though we now make it a configurable option i.e. "Verify Server Certificate Y/N" so customers need to opt into skipping the check (mostly for our QA team to use).
感谢 Steffen 为我指明了 OpenLDAP 版本的方向,这使我找到了这个解决方案.
Thanks Steffen for pointing me in the direction of OpenLDAP versions which lead me to this solution.
这篇关于将 StartTLS 与 System.DirectoryServices 中的 LDAP 结合使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
