将LDAP服务器证书添加到可信列表并启用证书验证。
将LDAP服务器证书添加到可信列表并启用证书验证。
提问于 2018-10-30 16:27:00
我试图通过TLS ldaps://:为各种应用程序(例如Gitlab)使用安全的LDAP连接。但是,连接会引发证书错误,这是由于LDAP管理员使用了自签名证书。
以下是我尝试过的:
curl "ldap://ldapserver.example.com:389/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)" -u my-user@example.com工作与预期一样,并返回所需的查询结果,但显然是不安全的。
当我试着:
curl -v "ldaps://ldapserver.example.com:636/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)" -u my-user@example.com我得到了:
* About to connect() to ldapserver.example.com port 636 (#0)
* Trying 10.10.10.10...
* Connected to ldapserver.example.com (10.10.10.10) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=ldapserver.example.com
* start date: Jan 14 15:00:00 2018 GMT
* expire date: Dec 24 14:59:59 2019 GMT
* common name: ldapserver.example.com
* issuer: O=EXAMPLE,C=UK
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.使用--insecure标志尝试相同的命令,然后连接到LDAP服务器,但没有返回结果:
* About to connect() to ldapserver.example.com port 636 (#0)
* Trying 10.10.10.10...
* Connected to ldapserver.example.com (10.10.10.10) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=ldapserver.example.com
* start date: Jan 14 15:00:00 2018 GMT
* expire date: Dec 24 14:59:59 2019 GMT
* common name: ldapserver.example.com
* issuer: O=EXAMPLE,C=UK
* LDAP local: ldaps://ldapserver.example.com:636/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)好了,我已经试过了,ldapsearch:
ldapsearch -x -b 'dc=example,dc=com' -D 'my-user@example.com' -H "ldaps://ldapserver.example.com:636" -W '(memberOf=CN=custom-group,DC=example,DC=com)'并得到:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)执行export LDAPTLS_REQCERT=never并在上面发出相同的ldapsearch命令后,查询返回一个结果。
禁用证书验证显然不是一个好的选择,尤其是在使用LDAP身份验证的情况下,例如在Gitlab中。
我试图通过以下方法将LDAP服务器的证书添加到受信任的证书中:
echo -n | openssl s_client -connect ldapserver.example.com:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.example.com.pem然后我把它放到/etc/pki/ca-trust/source/anchors/上,并更新ca-trust
cp ldapserver.example.com.pem /etc/pki/ca-trust/source/anchors/ldapserver.example.com.crt
update-ca-trust extract但是,上面的命令返回了相同的结果。
我想我可能需要添加CA链,它实际上只包含一个证书:
openssl s_client -showcerts -verify -connect ldapserver.example.com:636 < /dev/null
verify depth is 5
CONNECTED(00000003)
depth=0 CN = ldapserver.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ldapserver.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=ldapserver.example.com
i:/C=UK/O=EXAMPLE
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldapserver.example.com
issuer=/C=UK/O=EXAMPLE
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 1666 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 12345678912345678912345791234567891234567891234579
Session-ID-ctx:
Master-Key: 123456789123456789123457912345678912345678912345791234567891234567891234579
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1540914932
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE因此,我的问题是:如何以证书验证工作的方式添加证书?我可以这样做,或者我必须联系我们的LDAP管理员为我提供一些东西吗?
以下是有关系统和工具的一些信息:
RHEL 7.5
ldapsearch -V -v
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.44 (Apr 3 2018 08:03:33) $
mockbuild@x86-034.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/clients/tools
(LDAP library: OpenLDAP 20444)
ldap_initialize( )
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
curl -V -v
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets回答 1
Unix & Linux用户
回答已采纳
发布于 2021-01-27 10:13:30
虽然最初的问题已经有几年了,但我还是想要回答它,以帮助那些可能处于类似处境的迷失灵魂。
LDAP系统实际上是一个Active目录,无法通过网络获得CA证书(至少我还没有找到一种方法)。因此,我们询问了Windows团队,与负责的管理员取得了联系,并询问他是否可以给我们CA证书。管理员导出了它,我们只需将其转换为PEM文件,将其放在相应的目录中,并发出update-ca-trust命令。
就像这样:
openssl x509 -inform der -in ca.example.com.cer -out ca.example.com.pem
cp ca.example.com.pem /etc/pki/ca-trust/source/anchors/ca.example.com.pem
update-ca-trust证书问题得到了解决,我们继续使用ldapsearch,而不是curl,因为我们遇到了其他curl问题,比如只检索部分结果。
页面原文内容由Unix & Linux提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://unix.stackexchange.com/questions/478696
复制相关文章
相似问题
腾讯云开发者
