使用 RubyLDAP ldap 进行客户端身份验证
我正在尝试实现一个使用 LDAP over SSL(SSL,而不是 TLS)的功能,它需要连接到启用 SSL 的 LDAP 服务器(即 OpenLDAP),绑定,然后执行任何其他查询。它还需要支持客户端身份验证,这就是事情变得棘手的地方:客户端是一个用 Ruby 编写的 Web 应用程序,而我们正在使用 RubyLDAP(到目前为止,我们已将其用于非 SSL LDAP 内容,并取得了巨大成功)。
我的问题是:有没有办法在执行 LDAP::SSLConn 时加载客户端证书并将其数据通过线路发送到 LDAP 服务器?我在 API 文档中没有发现任何明显的内容(http://ruby-ldap.sourceforge.net /rdoc/)也不在谷歌搜索时。
我知道我可以通过将以下内容放在 slapd.conf (OpenLDAP) 上来阻止服务器请求证书:
TLSVerifyClient never
但是,这不是这里的一个选项。
I'm trying to implement a feature that uses LDAP over SSL (SSL, not TLS), it needs to connect to a SSL-enabled LDAP server (i.e OpenLDAP), bind and then do any additional queries. It also needs to support client-authentication, and this is where things get tricky: The client is a web application written in Ruby, and we are using RubyLDAP (so far we have used it for non-SSL ldap stuff with great success).
My question is: Is there a way to load a client certificate and send its data over the wire to the LDAP server when doing a LDAP::SSLConn? I haven't found anything obvious on the API docs (http://ruby-ldap.sourceforge.net/rdoc/) nor while googling around.
I know I that I can prevent the server from asking for a certificate by putting the following on slapd.conf (OpenLDAP):
TLSVerifyClient never
However, this is not an option here.
我不知道这是否仍然相关。
您需要客户证书吗?您还可以在 openldap 中使用绑定用户和 acl。与客户端证书相比,这在 openldap 服务器内更容易且更易于管理。
要启用客户端 ssl,您需要将 ruby-ldap 指向正确的 CA 证书,即签署您的服务器证书的证书。在您的客户端上,在
/etc/openldap/ldap.conf
中I don't know if this is still relevant.
Do you need a client cert? You can also use bind users and acl's in openldap. This would be much easier and manageable from within your openldap server than client cert's.
To enable the client side ssl you need to point ruby-ldap to the correct CA cert, the one that singed your servers cert. on your client, in the
/etc/openldap/ldap.conf