Making CentOS 6 trust a certificate from AD

I am trying to get my CentOS server to trust a certificate installed from an Active Directory server (I converted the .cer to .pem beforehand).

When I try to connect, the debugging output is:

    [root@web1 cacerts]# ldapsearch -d1 -v -D SOMEDN\pretenduser01 -w SOMEPASSWORD -H ldaps://1.2.3.4:636 -x
    ldap_url_parse_ext(ldaps://1.2.3.4:636)
    ldap_initialize( ldaps://1.2.3.4/??base )
    ldap_create
    ldap_url_parse_ext(ldaps://1.2.3.4:636/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP 1.2.3.4:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 1.2.3.4:636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
    TLS: using moznss security dir /etc/openldap/cacerts prefix .
    TLS: loaded CA certificate file /etc/openldap/cacerts/some_pem_file.pem.
    TLS: certificate [CN=SRV-DC3-RG.hiddendomain.co.uk] is not valid - error -8179:Peer's Certificate issuer is not recognized..
    TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
    TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I really don't know what the next step is in troubleshooting this.. I can connect fine without SSL, but that's not great :)

You need to trust the certificate that signed the certificate. Usually this will be the trusted root (the CA certificate), which you can obtain from the certificate store of the machine running AD CS, although it may also be an intermediate (in which case the whole chain should be presented, so the trusted root is still the one to trust). You should be able to simply append that certificate to the end of /etc/openldap/cacerts/some_pem_file.pem and have things work.
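The following is an added example, not code from the question or the answer: it reproduces the "issuer is not recognized" situation offline with constructed certificates and shows that appending the issuing CA certificate to the PEM bundle is what makes the domain controller's certificate verify. All file names, subjects and the working directory are constructed; the bundle stands in for /etc/openldap/cacerts/some_pem_file.pem, and `openssl verify` performs the same chain check the LDAP client's TLS layer does.

```shell
#!/bin/sh
# Added example: simulate the untrusted-issuer failure and the fix from the answer.
set -e

WORK=$(mktemp -d)
BUNDLE="$WORK/some_pem_file.pem"   # stand-in for /etc/openldap/cacerts/some_pem_file.pem

# Constructed root CA playing the role of the AD CS certificate authority.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Constructed Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Constructed domain-controller certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=dc.example.invalid" \
  -keyout "$WORK/dc.key" -out "$WORK/dc.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/dc.pem" >/dev/null 2>&1

# An unrelated self-signed certificate, standing in for a bundle that
# contains something other than the real issuer (the questioner's state).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Unrelated Cert" \
  -keyout "$WORK/other.key" -out "$BUNDLE" >/dev/null 2>&1

# Returns 0 when the DC certificate chains to a certificate in the bundle,
# non-zero otherwise: the equivalent of moznss error -8179 in the log above.
verify_dc_cert() {
    openssl verify -CAfile "$BUNDLE" "$WORK/dc.pem" >/dev/null 2>&1
}

# Before the fix: the issuer is not in the bundle, so verification fails.
if verify_dc_cert; then BEFORE=trusted; else BEFORE=untrusted; fi

# The fix from the answer: append the issuing CA certificate to the bundle.
cat "$WORK/ca.pem" >> "$BUNDLE"

# After the fix: the chain now terminates at a trusted root.
if verify_dc_cert; then AFTER=trusted; else AFTER=untrusted; fi
echo "before: $BEFORE, after: $AFTER"
```

If the DC certificate is issued by an intermediate, put the whole chain (intermediate plus root) into the bundle the same way; a single missing link reproduces the same failure.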