How to connect to an LDAP server using a p12 certificate
Question
I want to connect to an LDAP server using a .p12 certificate instead of a username and password. The Java solution for this looks like:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

String ldapURL = "ldaps://" + host + ":" + port;
// The client certificate and its private key come from the PKCS#12 key store
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.keyStore", keystore);
System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapURL);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.REFERRAL, "follow");
try
{
    // Create initial context
    LdapContext ctx = new InitialLdapContext(env, null);
    // Perform client authentication using TLS credentials (SASL EXTERNAL)
    ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
    SearchControls ctls = new SearchControls();
    // Specify the search filter to match
    String filter = "(objectClass=*)";
    // Search for objects using the filter
    NamingEnumeration answer = ctx.search("ou=" + elemType[i] + "," + siteSpecificBaseDN, filter, ctls);
    ...
Can I do the same using Python? I could only find examples showing how to connect to an LDAP server with python-ldap using a username and password, but that is not what I need. If it is not possible using a .p12 certificate, it would also help me if there is a solution using X.509 certificates (.pem format).
Answer
If you use python-ldap, you can use the TLS options to set these parameters.
import ldap

# Global TLS settings; they must be set before the connection is initialized
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "/path/to/trustedcerts.pem")
ldap.set_option(ldap.OPT_X_TLS_CERTFILE, "/path/to/usercert.pem")
ldap.set_option(ldap.OPT_X_TLS_KEYFILE, "/path/to/user.key.pem")
ds = ldap.initialize("ldaps://ldap.example.com:port/")
# If using START_TLS instead of ldaps:
# ds = ldap.initialize("ldap://ldap.example.com:port/")
# ds.start_tls_s()
In this case:
- trustedcerts.pem is the equivalent of the trust store. It's a concatenation of the trusted certificates you want, in PEM format. You could also use a directory with individual certificates with OPT_X_TLS_CACERTFILE, but I think it's not supported by GnuTLS, so it depends on which TLS library python-ldap and its OpenLDAP client library have been compiled against. More details on the underlying directives are in the OpenLDAP manual.
- usercert.pem is your user certificate, in PEM format (you'll have to extract it from your PKCS#12 file).
- user.key.pem is your private key (again, it needs to be extracted from the p12 file).
Certificate and key extraction from a PKCS#12 file can be done with OpenSSL:
openssl pkcs12 -in userstore.p12 -clcerts -nokeys -out usercert.pem
openssl pkcs12 -in userstore.p12 -nocerts -nodes -out user.key.pem
Note: if you extract the private key (in user.key.pem) this way (-nodes), it will not be password-protected, so you'll need to make sure this file is not readable by anyone else. I don't think OpenLDAP (and even less its Python binding) lets you prompt for a password interactively to get around that problem, but I'm not sure.
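The following is an added example, not code from the original question or answer, that puts the answer's pieces together in python-ldap. It sets the TLS options on the connection object rather than globally, demands a valid server certificate, refuses to use an extracted key that other users can read, and then performs the SASL EXTERNAL bind that the Java code above does and the python-ldap snippet leaves out: presenting a client certificate during the TLS handshake does not by itself authenticate the LDAP session, the server still treats it as anonymous until a bind asks it to use the TLS-layer identity. The host, base DN and file paths are placeholders, and it assumes a python-ldap release that provides sasl_external_bind_s and OPT_X_TLS_NEWCTX.

```python
import os
import stat


def key_file_is_private(path):
    """Return True if the file is readable only by its owner.

    A key extracted with `openssl pkcs12 ... -nodes` has no passphrase, so the
    file mode is the only thing protecting it; group/world bits must be clear.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def connect_with_client_cert(uri, cacert, cert, key, use_start_tls=False):
    """Open a TLS-protected python-ldap connection and bind with SASL EXTERNAL.

    Hypothetical helper (not from the original answer). Returns the bound
    connection and the identity the server mapped the certificate to.
    """
    import ldap  # python-ldap; imported here so key_file_is_private() needs no third-party module

    if not key_file_is_private(key):
        raise PermissionError("refusing to use group/world-readable key: %s" % key)

    conn = ldap.initialize(uri)
    # Per-connection TLS settings; libldap applies them only after
    # OPT_X_TLS_NEWCTX is set, which must therefore come last.
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
    conn.set_option(ldap.OPT_X_TLS_CERTFILE, cert)
    conn.set_option(ldap.OPT_X_TLS_KEYFILE, key)
    # Verify the server against the trust store: never hand a client
    # certificate to a server whose identity has not been checked.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

    if use_start_tls:
        # Plain ldap:// URI upgraded in-band; the handshake happens here.
        conn.start_tls_s()

    # The TLS handshake presented the certificate; this bind tells the server
    # to derive the LDAP identity from it (the equivalent of the Java code's
    # Context.SECURITY_AUTHENTICATION = "EXTERNAL").
    conn.sasl_external_bind_s()
    return conn, conn.whoami_s()


if __name__ == "__main__":
    import ldap

    # Assumed host, paths and base DN; replace with your own (not from the page).
    conn, identity = connect_with_client_cert(
        "ldaps://ldap.example.com:636/",
        "/path/to/trustedcerts.pem",
        "/path/to/usercert.pem",
        "/path/to/user.key.pem",
    )
    print("bound as", identity)
    for dn, attrs in conn.search_s("dc=example,dc=com", ldap.SCOPE_SUBTREE,
                                   "(objectClass=*)", ["cn"]):
        print(dn, attrs)
```

whoami_s() is the quickest way to confirm the certificate was actually mapped to a DN: if it returns an empty string or "dn:" the server accepted the TLS session but did not map the certificate, which usually means the subject-to-DN mapping (for example olcAuthzRegexp on OpenLDAP) is missing on the server side rather than anything being wrong with the client files.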