OpenLDAP: connection fails on Mac
On my Mac, I've installed OpenLDAP, modified /etc/openldap/ldap.conf and specified the path to the cert. However, I keep getting this error:
SERVER_DOWN: {
'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)',
'desc': "Can't contact LDAP server"
}
The ldap.conf has in it:
TLS_REQCERT demand
TLS_CACERT /etc/openldap/CA_tncdc01.cer
And the cer is there:
$ ll /etc/openldap/CA_tncdc01.cer
-rw-r--r--@ 1 eric staff 1298 Jun 23 09:12 /etc/openldap/CA_tncdc01.cer
OpenSSL verify says:
$ openssl verify /etc/openldap/CA_tncdc01.cer
error 18 at 0 depth lookup:self signed certificate
OK
And to bind, I use (Python):
import ldap

url = "ldaps://[snip]:636"
l = ldap.initialize(url)
l.simple_bind_s(bind_name, bind_password)
All seems to be in order.
Thanks
Eric
The setting:
... is the default TLS certificate verification setting. It is also the MOST STRICT.
The problem you're having is likely because the certificate is self-signed (as you indicated), yet your config says to demand perfect validation results (as a result of using 'demand' for TLS_REQCERT).
Using 'demand' will cause any LDAP SSL/TLS connection to fail IF the certificate is not perfect in every respect. This includes issues with a certificate being self-signed, expired, etc.
The fact that you've specified your "CA" via TLS_CACERT is good, but the CACERT may be incomplete. There could be a missing certificate string in the chain somewhere. Sometimes I've seen it necessary to concatenate multiple CAs together if, for example, a certificate was generated using an Intermediate CA instead of a Root CA.
Regardless, the simplest possible fix is to try replacing 'demand' with 'allow' or 'never', and re-test from there. If I could choose, I would suggest 'allow' instead of 'never'.
I hope this helps...
Max
Not sure, but the public key of the certificate authority that published your server's certificate does not seem to be recognized. On my client I've got:
BASE dc=dom, dc=fr
URI ldaps://srvldap.dom.fr/
TLS_CACERT /etc/ssl/MyCAcert.pem
TLS_REQCERT demand
.pem and .cer are the same DER certificate, one is binary, the other is ASCII; can you try the pem format?
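Both answers point at the CA file rather than at the 'demand' setting: the bundle may be DER instead of PEM, or it may be missing the intermediate that issued the server certificate. The script below is an added example (not code from the thread) that checks those two things offline with the standard library and then binds with python-ldap while keeping verification at demand; the DER bytes in the test are a constructed ASN.1 stub, not a real certificate, and `bind_with_demand` assumes python-ldap is installed.

```python
"""Pre-flight checks for an OpenLDAP TLS_CACERT file before touching TLS_REQCERT."""
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def detect_format(data: bytes) -> str:
    """Return 'pem' or 'der'.

    A DER certificate starts with the ASN.1 SEQUENCE tag 0x30; PEM is the
    same DER, base64-encoded between BEGIN/END CERTIFICATE armor lines.
    """
    if PEM_BEGIN.encode("ascii") in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    raise ValueError("file is neither a PEM nor a DER certificate")


def to_pem(data: bytes) -> str:
    """Normalise a CA file to PEM, the encoding OpenLDAP's TLS_CACERT expects.

    The DER branch only re-encodes bytes (ssl.DER_cert_to_PEM_cert does no
    parsing), so a constructed stub is enough to exercise it in a test.
    """
    if detect_format(data) == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    return data.decode("ascii")


def count_certs(pem: str) -> int:
    """Number of certificates in the bundle.

    A server certificate issued by an intermediate CA verifies only if the
    intermediate (and usually the root) are concatenated into this file.
    """
    return pem.count(PEM_BEGIN)


def bind_with_demand(url: str, cafile: str, bind_dn: str, password: str):
    """Bind over ldaps:// with verification kept at 'demand' (assumes python-ldap)."""
    import ldap  # imported here so the offline checks above run without it

    conn = ldap.initialize(url)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # build a fresh TLS context with the options above
    conn.simple_bind_s(bind_dn, password)
    return conn
```

Run `to_pem` and `count_certs` on the file named by TLS_CACERT first; if the count is 1 and the server cert was issued by an intermediate, append the intermediate rather than lowering TLS_REQCERT.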