Ssl
將 LDAP 伺服器證書添加到受信任列表並啟用證書驗證
我正在嘗試通過 TLS
ldaps://<server_name>:<port>為各種應用程序(例如 Gitlab)使用安全的 LDAP 連接。但是,由於 LDAP 管理員使用了自簽名證書,連接會引發證書錯誤。這是我嘗試過的:
curl "ldap://ldapserver.example.com:389/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)" -u my-user@example.com按預期工作並返回所需的查詢結果,但顯然不安全。
當我嘗試時:
curl -v "ldaps://ldapserver.example.com:636/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)" -u my-user@example.com我有:
* About to connect() to ldapserver.example.com port 636 (#0) * Trying 10.10.10.10... * Connected to ldapserver.example.com (10.10.10.10) port 636 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: CN=ldapserver.example.com * start date: Jan 14 15:00:00 2018 GMT * expire date: Dec 24 14:59:59 2019 GMT * common name: ldapserver.example.com * issuer: O=EXAMPLE,C=UK * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) * Peer's Certificate issuer is not recognized. * Closing connection 0 curl: (60) Peer's Certificate issuer is not recognized. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.使用標誌嘗試相同的命令
--insecure然後連接到 LDAP 伺服器但不返回結果:* About to connect() to ldapserver.example.com port 636 (#0) * Trying 10.10.10.10... * Connected to ldapserver.example.com (10.10.10.10) port 636 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * NSS: client certificate not found (nickname not specified) * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=ldapserver.example.com * start date: Jan 14 15:00:00 2018 GMT * expire date: Dec 24 14:59:59 2019 GMT * common name: ldapserver.example.com * issuer: O=EXAMPLE,C=UK * LDAP local: ldaps://ldapserver.example.com:636/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)好的,我現在試過了
ldapsearch:ldapsearch -x -b 'dc=example,dc=com' -D 'my-user@example.com' -H "ldaps://ldapserver.example.com:636" -W '(memberOf=CN=custom-group,DC=example,DC=com)'並得到:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)在執行
export LDAPTLS_REQCERT=never並發出相同的 ldapsearch-command 之後,查詢返回了一個結果。禁用證書驗證顯然不是一個好的選擇,尤其是在 Gitlab 中使用 LDAP 身份驗證的情況下。
我嘗試通過以下方式獲取證書,將 LDAP 伺服器的證書添加到受信任的證書中:
echo -n | openssl s_client -connect ldapserver.example.com:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.example.com.pem然後我把它放到
/etc/pki/ca-trust/source/anchors/並更新了 ca-trustcp ldapserver.example.com.pem /etc/pki/ca-trust/source/anchors/ldapserver.example.com.crt update-ca-trust extract但是,上面的命令返回了相同的結果。
我想我可能需要添加有效地僅包含一個證書的 CA 鏈:
openssl s_client -showcerts -verify -connect ldapserver.example.com:636 < /dev/null verify depth is 5 CONNECTED(00000003) depth=0 CN = ldapserver.example.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = ldapserver.example.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=ldapserver.example.com i:/C=UK/O=EXAMPLE -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- --- Server certificate subject=/CN=ldapserver.example.com issuer=/C=UK/O=EXAMPLE --- No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Peer signing digest: SHA1 Server Temp Key: ECDH, P-521, 521 bits --- SSL handshake has read 1666 bytes and written 563 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA384 Session-ID: 12345678912345678912345791234567891234567891234579 Session-ID-ctx: Master-Key: 123456789123456789123457912345678912345678912345791234567891234567891234579 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1540914932 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- DONE所以我的問題是:如何以證書驗證的方式添加證書?我可以這樣做還是我必須聯繫我們的 LDAP 管理員為我提供一些東西?
在下面找到有關係統和工具的一些資訊:
RHEL 7.5 ldapsearch -V -v ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.44 (Apr 3 2018 08:03:33) $ mockbuild@x86-034.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/clients/tools (LDAP library: OpenLDAP 20444) ldap_initialize( <DEFAULT> ) ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) curl -V -v curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
儘管距離最初的問題已經有好幾年了,但我還是想回答一下,以幫助可能處於類似情況的迷失靈魂。
LDAP系統實際上是一個Active Directory,無法通過網路獲取CA證書(至少我還沒有找到方法)。於是,我們詢問了 Windows 團隊,聯繫了負責的管理員,問他是否可以給我們 CA 證書。管理員將其導出,我們只需將其轉換為 PEM 文件,將其放在相應的目錄中,然後發出
update-ca-trust命令。像這樣的東西:
openssl x509 -inform der -in ca.example.com.cer -out ca.example.com.pem cp ca.example.com.pem /etc/pki/ca-trust/source/anchors/ca.example.com.pem update-ca-trust證書問題已解決,我們繼續使用
ldapsearch而不是curl,因為我們遇到了 curl 的其他問題,例如僅檢索部分結果。