LDAP的TLS加密问题

LDAP配置TLS加密后，不能登录验证，以下是全过程，望高手赐教 

 

服务器端

 

# cat /etc/openldap/slapd.conf |grep -v '^#' |sed /^$/d

include          /etc/openldap/schema/core.schema

include          /etc/openldap/schema/cosine.schema

include          /etc/openldap/schema/inetorgperson.schema

include          /etc/openldap/schema/nis.schema

allow bind_v2

pidfile          /var/run/openldap/slapd.pid

argsfile         /var/run/openldap/slapd.args

access to attrs=shadowLastChange,userPassword   by self write by * auth

access to * by * read

database         bdb

suffix           "dc=dh,dc=cn"

rootdn           "cn=Manager,dc=dh,dc=cn"

rootpw           {MD5}v1LxgpzjSTemCG4F7j4HbA==

loglevel 256

directory       /var/lib/ldap

index objectClass                        eq,pres

index ou,cn,mail,surname,givenname       eq,pres,sub

index uidNumber,gidNumber,loginShell     eq,pres

index uid,memberUid                      eq,pres,sub

index nisMapName,nisMapEntry             eq,pres,sub

TLSCipherSuite HIGH:MEDIUM:+SSLv2

TLSCACertificateFile /etc/openldap/cacerts/cacert.pem

TLSCertificateFile /etc/openldap/cacerts/newcert.pem

TLSCertificateKeyFile /etc/openldap/cacerts/newkey.pem

 

cat /etc/openldap/ldap.conf |grep -v '^#' |sed /^$/d

 

HOST 127.0.0.1

URI ldap://ldapm.dh.cn

BASE dc=dh,dc=cn

TLS_CACERTDIR/etc/openldap/cacerts

TLS_CACERT /etc/openldap/cacerts/cacert.pem

TLS_REQCERT allow

         

 

客户端

# cat /etc/ldap.conf |grep -v '^#' |sed /^$/d

 

base dc=dh,dc=cn

timelimit 120

bind_timelimit 120

idle_timelimit 3600

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

uri ldap://ldapm.dh.cn

ssl o ff

tls_checkpeer yes

tls_cacertfile /etc/openldap/cacerts/cacert.pem

tls_cacertdir /etc/openldap/cacerts

pam_password md5

 

下面是测试的日志信息（日志等级是256）

 

启动服务的日志信息

Jul 10 23:16:12 ldapm slapd[16984]: @(#) $OpenLDAP: slapd 2.3.43 (Mar 31 2010 03:59:04) $        mockbuild@builder17.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd

Jul 10 23:16:12 ldapm slapd[16985]: slapd starting

 

当客户端不用 tls 加密登录，可以正常验证，日志信息如下

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 fd=14 ACCEPT from IP=192.168.60.132:40395 (IP=0.0.0.0:389)

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=0 BIND dn="" method=128

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=0 RESULT tag=97 err=0 text=

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=1 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=2 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=3 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=4 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:21:33 ldapm slapd[16985]: conn=0 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 fd=17 ACCEPT from IP=192.168.60.132:40396 (IP=0.0.0.0:389)

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 op=0 BIND dn="" method=128

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 op=0 RESULT tag=97 err=0 text=

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 op=1 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 op=2 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=test10)(uniqueMember=uid=test10,ou=people,dc=dh,dc=cn)))"

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 op=2 SRCH attr=gidNumber

Jul 10 23:21:33 ldapm slapd[16985]: <= bdb_equality_candidates: (uniqueMember) not indexed

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

Jul 10 23:21:33 ldapm slapd[16985]: conn=1 fd=17 closed (connection lost)

Jul 10 23:21:34 ldapm slapd[16985]: conn=2 op=0 BIND dn="" method=128

Jul 10 23:21:34 ldapm slapd[16985]: conn=2 op=0 RESULT tag=97 err=0 text=

Jul 10 23:21:34 ldapm slapd[16985]: conn=2 fd=17 ACCEPT from IP=192.168.60.132:40397 (IP=0.0.0.0:389)

Jul 10 23:21:34 ldapm slapd[16985]: conn=2 op=1 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=511))"

Jul 10 23:21:34 ldapm slapd[16985]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:21:34 ldapm slapd[16985]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:34 ldapm slapd[16985]: conn=3 op=0 BIND dn="" method=128

Jul 10 23:21:34 ldapm slapd[16985]: conn=3 op=0 RESULT tag=97 err=0 text=

Jul 10 23:21:34 ldapm slapd[16985]: conn=3 fd=20 ACCEPT from IP=192.168.60.132:40398 (IP=0.0.0.0:389)

Jul 10 23:21:34 ldapm slapd[16985]: conn=3 op=1 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=511))"

Jul 10 23:21:34 ldapm slapd[16985]: conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:21:34 ldapm slapd[16985]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:34 ldapm slapd[16985]: conn=3 fd=20 closed (connection lost)

Jul 10 23:21:34 ldapm slapd[16985]: conn=4 fd=20 ACCEPT from IP=192.168.60.132:40399 (IP=0.0.0.0:389)

Jul 10 23:21:34 ldapm slapd[16985]: conn=4 op=0 BIND dn="" method=128

Jul 10 23:21:34 ldapm slapd[16985]: conn=4 op=0 RESULT tag=97 err=0 text=

Jul 10 23:21:34 ldapm slapd[16985]: conn=4 op=1 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=511))"

Jul 10 23:21:34 ldapm slapd[16985]: conn=4 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber

Jul 10 23:21:34 ldapm slapd[16985]: conn=4 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:34 ldapm slapd[16985]: conn=5 fd=22 ACCEPT from IP=192.168.60.132:40400 (IP=0.0.0.0:389)

Jul 10 23:21:34 ldapm slapd[16985]: conn=4 fd=20 closed (connection lost)

Jul 10 23:21:34 ldapm slapd[16985]: conn=5 op=0 BIND dn="" method=128

Jul 10 23:21:34 ldapm slapd[16985]: conn=5 op=0 RESULT tag=97 err=0 text=

Jul 10 23:21:34 ldapm slapd[16985]: conn=5 op=1 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=511))"

Jul 10 23:21:34 ldapm slapd[16985]: conn=5 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:21:34 ldapm slapd[16985]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:21:34 ldapm slapd[16985]: conn=5 fd=22 closed (connection lost)

 

 

客户端用 tls 加密：把 /etc/ldap.conf 配置文件的“ ssl off ”改成“ ssl start_tls ”， 再进行 登录验证，则不能成功登录，日志信息如下

 

 

Jul 10 23:24:30 ldapm slapd[16985]: conn=2 fd=17 closed (connection lost)

Jul 10 23:24:30 ldapm slapd[16985]: conn=0 fd=14 closed (connection lost)

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 fd=14 ACCEPT from IP=192.168.60.132:40401 (IP=0.0.0.0:389)

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=0 STARTTLS

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=0 RESULT oid= err=0 text=

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 fd=14 TLS established tls_ssf=256 ssf=256

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=1 BIND dn="" method=128

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=1 RESULT tag=97 err=0 text=

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=2 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=3 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=4 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=5 SRCH base="dc=dh,dc=cn" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test10))"

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=

Jul 10 23:24:59 ldapm slapd[16985]: conn=6 fd=14 closed (connection lost)

 

 

转载于:https://blog.51cto.com/ninglianjie/347565