How to connect to a LDAP server using a p12 certificate


Problem description

I want to connect to a LDAP server using a .p12 certificate instead of using a username and password. The Java solution for this looks like

// Imports needed by the snippet (not shown in the original question)
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// host, port, keystore, keystorePassword, elemType and siteSpecificBaseDN are defined elsewhere in the application
String ldapURL = "ldaps://" + host + ":" + port;

// Point the JSSE client key store at the PKCS#12 file so the TLS handshake presents the client certificate
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.keyStore", keystore);
System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);

Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapURL);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.REFERRAL, "follow");

try
{
    // Create initial context
    LdapContext ctx = new InitialLdapContext(env, null);
    // Perform client authentication using TLS credentials (SASL EXTERNAL)
    ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");

    SearchControls ctls = new SearchControls();
    // Specify the search filter to match
    String filter = "(objectClass=*)";
    // Search for objects using the filter
    NamingEnumeration<SearchResult> answer =
        ctx.search("ou=" + elemType[i] + "," + siteSpecificBaseDN, filter, ctls);

...


Can I do the same using python? I could only find examples showing how to connect to a LDAP server with python-ldap using a username and a password, but that is not what I need. If it is not possible using a .p12 certificate, it would also help me if there is a solution using x509 certificates (.pem format).

Recommended answer


If you use python-ldap, you can use the TLS options to set these parameters.

import ldap

# TLS settings are global library options and must be set before ldap.initialize()
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "/path/to/trustedcerts.pem")  # trust store (CA bundle)
ldap.set_option(ldap.OPT_X_TLS_CERTFILE, "/path/to/usercert.pem")        # client certificate
ldap.set_option(ldap.OPT_X_TLS_KEYFILE, "/path/to/user.key.pem")         # matching private key

ds = ldap.initialize("ldaps://ldap.example.com:port/")
# If using START_TLS instead of ldaps:
# ds = ldap.initialize("ldap://ldap.example.com:port/")
# ds.start_tls_s()

In this case:

  • trustedcerts.pem is the equivalent of the trust store. It's a concatenation of the trusted certificates you want in PEM format. You could also use a directory with individual certificates with OPT_X_TLS_CACERTFILE, but I think it's not supported by GnuTLS, so it depends on which TLS library python-ldap and its OpenLDAP client library have been compiled against. More details on the underlying directives in the OpenLDAP manual.
  • usercert.pem is your user certificate, in PEM format (you'll have to extract it from your PKCS#12 file)
  • user.key.pem is your private key (again, it needs to be extracted from the p12 file)


Certificate and key extraction from a PKCS#12 file can be done with OpenSSL using this:

openssl pkcs12 -in userstore.p12 -clcerts -nokeys -out usercert.pem
openssl pkcs12 -in userstore.p12 -nocerts -nodes -out user.key.pem


Note: if you extract the private key (in user.key.pem) this way (-nodes), it will not be password-protected, so you'll need to make sure this file is not readable by anyone else. I don't think OpenLDAP (and even less its Python binding) let you prompt for a password interactively to get around that problem, but I'm not sure.
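The extraction step and the note about the unprotected key, as an added example that is not part of the original answer: it builds a throwaway .p12 (a constructed test fixture; the openssl CLI is assumed to be installed), runs the two extraction commands from the answer under a restrictive umask, and checks that the key matches the certificate and is readable only by its owner before python-ldap is pointed at the files.

```shell
#!/bin/sh
# Added example, not from the original answer: round-trip a PKCS#12 file through the
# two openssl commands shown above, keeping the unencrypted key private.
# Assumes the openssl CLI is installed; every file name and the password are constructed.
set -e

WORK="${TMPDIR:-/tmp}/p12-demo.$$"

# Test fixture: a throwaway self-signed client identity packed into userstore.p12.
make_test_p12() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap-client-demo" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
        -passout pass:demo -out "$WORK/userstore.p12"
}

# The answer's extraction commands, run under umask 077 so the key written with
# -nodes (no passphrase) is created mode 0600 instead of inheriting a lax umask.
extract_p12() {
    p12="$1"; pass="$2"; outdir="$3"
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
          -out "$outdir/usercert.pem"
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
          -out "$outdir/user.key.pem" )
}

# Checks before pointing python-ldap at the files: the key must belong to the
# certificate, and only the owner may read the key. Returns 0 when both hold.
check_extracted() {
    outdir="$1"
    certpub=$(openssl x509 -in "$outdir/usercert.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$outdir/user.key.pem" -pubout)
    [ "$certpub" = "$keypub" ] || return 1
    ls -l "$outdir/user.key.pem" | grep -q '^-rw-------' || return 1
}

make_test_p12
extract_p12 "$WORK/userstore.p12" demo "$WORK"
check_extracted "$WORK" || { echo "extraction check failed" >&2; exit 1; }
echo "ok: key matches certificate and is mode 0600"
rm -rf "$WORK"
```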
