Using StartTLS with LDAP from System.DirectoryServices


Question

I'm trying to connect to an LDAP server which requires StartTLS, but having no luck - whenever I use either the SessionOptions.StartTransportLayerSecurity(..) or set SessionOptions.SecureSocketLayer to true, I get exceptions.

Here is the code I'm using:

using System.DirectoryServices.Protocols;
using System.Net;

// config.LdapServer / config.Port / config.BindDN / config.BindPassword come from
// application configuration (not shown in the question).
using (var connection = new LdapConnection(new LdapDirectoryIdentifier(config.LdapServer, config.Port, false, false)))
{
    connection.SessionOptions.ProtocolVersion = 3;
    connection.Credential = new NetworkCredential(config.BindDN, config.BindPassword);
    // Accepts any server certificate, as posted in the question.
    connection.SessionOptions.VerifyServerCertificate += (conn, cert) => { return true; };
    connection.AuthType = AuthType.Basic;
    //connection.SessionOptions.SecureSocketLayer = true;
    connection.SessionOptions.StartTransportLayerSecurity(null); // throws here, same if done after bind.
    connection.Bind();

    // ... do stuff with connection
}

The resulting exception is "TlsOperationException: An unspecified error occurred", which happens when invoking the StartTransportLayerSecurity method.

I've tested the code against both an OpenLDAP server and Active Directory, but neither works.

Does anyone know how to get StartTLS working with System.DirectoryServices?

Accepted answer

After a bit more work on this issue I found that I was running up against a couple of issues:


  1. 有一个在代码中的错误,其中连接到AD在我们的测试套件时,端口号是被错误地更改为SSL端口(636)(DOH!)。

  2. OpenLDAP的测试服务器(这是我们的客户的翻版),使用的OpenLDAP-2.4.18是 - 与启动TLS已已知问题

After applying a patch to OpenLDAP (as discussed here - http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html) we were able to fix #2 - at which point we started getting a different error "A local error occurred".

Though originally we had this code:

connection.SessionOptions.VerifyServerCertificate 
    += (conn, cert) => {return true;};

We had removed it while testing, and because the OpenLDAP server was using a self-signed cert, that was not in a trusted store. Re-introducing that callback resolved this issue, though we now make it a configurable option i.e. "Verify Server Certificate Y/N" so customers need to opt into skipping the check (mostly for our QA team to use).

Thanks Steffen for pointing me in the direction of OpenLDAP versions, which led me to this solution.
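As an added example (not code from the question or the answer), this is the answer's approach written out: StartTLS on the plain LDAP port, with the server-certificate check as a default and the "skip verification" path as an explicit opt-in instead of a callback that always returns true. Host, port and bind DN are placeholders; it assumes System.DirectoryServices.Protocols on Windows and .NET 7 or later for X509Certificate2.MatchesHostname.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class StartTlsExample
{
    // Chain must build to a trusted root and the certificate must be issued for the
    // host we dialed; returning false makes StartTransportLayerSecurity throw.
    static bool VerifyServerCertificate(X509Certificate2 cert, string expectedHost)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
        {
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine($"chain error: {status.Status} {status.StatusInformation}");
            return false;
        }
        // Checks SAN dNSName entries (CN fallback); .NET 7+ API.
        return cert.MatchesHostname(expectedHost);
    }

    public static LdapConnection Connect(string host, int port, string bindDn,
                                         string password, bool verifyServerCertificate)
    {
        // Plain LDAP port (389), not the LDAPS port (636): StartTLS upgrades this socket.
        var identifier = new LdapDirectoryIdentifier(host, port,
            fullyQualifiedDnsHostName: true, connectionless: false);
        var connection = new LdapConnection(identifier);
        connection.SessionOptions.ProtocolVersion = 3;
        connection.AuthType = AuthType.Basic;
        connection.Credential = new NetworkCredential(bindDn, password);

        connection.SessionOptions.VerifyServerCertificate = (conn, cert) =>
        {
            if (!verifyServerCertificate)
            {
                // Opt-in only (e.g. QA against a self-signed test server); make it visible in logs.
                Console.Error.WriteLine("WARNING: LDAP server certificate verification disabled");
                return true;
            }
            return VerifyServerCertificate(new X509Certificate2(cert), host);
        };

        connection.SessionOptions.StartTransportLayerSecurity(null); // TLS first ...
        connection.Bind();                                           // ... so the simple bind is encrypted
        return connection;
    }
}
```

Usage: `using var ldap = StartTlsExample.Connect("ldap.example.invalid", 389, "cn=svc,dc=example,dc=invalid", password, verifyServerCertificate: true);` (placeholder values).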
