Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
643 views
in Technique[技术] by (71.8m points)

ldap - ldapsearch over ssl/tls doesn't work

I am trying to use ldapsearch over ssl/tls connection, but it doesn't work:

ldapsearch -ZZ -d 5 -b "cn=Users,dc=my,dc=server,dc=com" -s sub -D
"cn=mydevice,cn=Users,dc=my,dc=server,dc=com" -h my.server.com -p 3269
-w "mypass" -x "(cn=test)"

ldap_create
ldap_url_parse_ext(ldap://my.server.com:3269)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.com:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.199.46.70:3269
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x95ff590 msgid 1
wait4msg ld 0x95ff590 msgid 1 (infinite timeout)
wait4msg continue ld 0x95ff590 msgid 1 all 1
** ld 0x95ff590 Connections:
* host: my.server.com  port: 3269  (default)
refcnt: 2  status: Connected
last used: Mon Feb 27 10:59:43 2012

** ld 0x95ff590 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x95ff590 Response Queue:
Empty
ldap_chkResponseList ld 0x95ff590 msgid 1 all 1
ldap_chkResponseList returns ld 0x95ff590 NULL
ldap_int_select
read1msg: ld 0x95ff590 msgid 1 all 1
ber_get_next
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)

The error message doesn't give enought hint on what is wrong. In contrast, a simple binding and search goes well without any problem on port 389.

Any hint?

P.S. Here is my ldap.conf:

TLS_REQCERT demand
TLS_CACERT ./cacert.pem

I have even tried to change TLS_REQCERT to never, but it still doesn't work. :-(

question from:https://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

First, replace -h my.server.com -p 3269 with -H ldaps://my.server.com:3269 as suggested by @dearlbry.

Then, in /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on my Ubuntu 13.04), disable certificate verification by adding this :

HOST my.server.com
PORT 3269
TLS_REQCERT ALLOW

You can also create a ldaprc file in the current directory with the same content if you don't want to affect the whole system.

This will enable ldapsearch over SSL, but without verification. Follow these steps to add certificate validation to the mix.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...