I just installed OpenLDAP using the following instructions:
http://www.computerglitch.net/bin/texts/CentOS6_LDAP.php
A normal connection returns what is expected, but TLS testing just hangs.
Any ideas what I am doing wrong here? I have spent a day and a half searching online for an answer but have not found anyone with a similar problem.
Here is a debug output listing:
```
[root@alderaan openldap]# ldapsearch -v -d1023 -x -b "dc=alderaan,dc=com" -ZZ
ldap_initialize( <DEFAULT> )
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x227a9b0 ptr=0x227a9b0 end=0x227a9cf len=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x227a9b0 ptr=0x227a9b5 end=0x227a9cf len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
ber_flush2: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0x2271170 msgid 1
wait4msg ld 0x2271170 msgid 1 (infinite timeout)
wait4msg continue ld 0x2271170 msgid 1 all 1
** ld 0x2271170 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Feb 11 03:52:44 2013

** ld 0x2271170 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x2271170 request count 1 (abandoned 0)
** ld 0x2271170 Response Queue:
   Empty
  ld 0x2271170 response count 0
ldap_chkResponseList ld 0x2271170 msgid 1 all 1
ldap_chkResponseList returns ld 0x2271170 NULL
ldap_int_select
read1msg: ld 0x2271170 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 78 07 0a                            0....x..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x227be60 ptr=0x227be60 end=0x227be6c len=12
  0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
read1msg: ld 0x2271170 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x227be60 ptr=0x227be63 end=0x227be6c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
read1msg: ld 0x2271170 0 new referrals
read1msg:  mark request completed, ld 0x2271170 msgid 1
request done: ld 0x2271170 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x227be60 ptr=0x227be63 end=0x227be6c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x227be60 ptr=0x227be63 end=0x227be6c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x227be60 ptr=0x227be6c end=0x227be6c len=0
ldap_msgfree
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: loaded CA certificate file /etc/pki/tls/certs/slapdcert.pem.
tls_write: want=70, written=70
  0000:  16 03 01 00 41 01 00 00  3d 03 01 51 18 b1 5c a5   ....A...=..Q..\.
  0010:  86 c7 5f 91 80 97 ca 40  fc a8 6a 63 34 b5 f0 7b   .._....@..jc4..{
  0020:  ad 95 f3 c7 4c 45 d1 c8  57 60 da 00 00 16 00 ff   ....LE..W`......
  0030:  00 35 00 04 00 05 00 2f  00 0a 00 09 00 64 00 62   .5...../.....db
  0040:  00 03 00 06 01 00                                  ......
```
After running

```
ln -s /etc/pki/tls/certs/slapdcert.pem `openssl x509 -noout -hash -in /etc/pki/tls/certs/slapdcert.pem`
```

I now get the following output:
```
ldapsearch -x -d1023 -b "dc=alderaan,dc=com" -ZZ
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x11009e0 ptr=0x11009e0 end=0x11009ff len=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x11009e0 ptr=0x11009e5 end=0x11009ff len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
ber_flush2: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0x10f7170 msgid 1
wait4msg ld 0x10f7170 msgid 1 (infinite timeout)
wait4msg continue ld 0x10f7170 msgid 1 all 1
** ld 0x10f7170 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Feb 11 06:06:00 2013

** ld 0x10f7170 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x10f7170 request count 1 (abandoned 0)
** ld 0x10f7170 Response Queue:
   Empty
  ld 0x10f7170 response count 0
ldap_chkResponseList ld 0x10f7170 msgid 1 all 1
ldap_chkResponseList returns ld 0x10f7170 NULL
ldap_int_select
```
With -H ldaps://192.168.1.25:636:

```
ldapsearch -x -d1023 -H ldaps://192.168.1.25:636 -b "dc=alderaan,dc=com" objective=*
ldap_url_parse_ext(ldaps://192.168.1.25:636)
ldap_create
ldap_url_parse_ext(ldaps://192.168.1.25:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.25:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.25:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/pki/tls/certs/slapdcert.pem.
tls_write: want=70, written=70
  0000:  16 03 01 00 41 01 00 00  3d 03 01 51 18 d3 e6 56   ....A...=..Q...V
  0010:  13 d6 44 8b 38 50 c3 8f  07 b3 4f fc e4 c2 81 1a   ..D.8P....O.....
  0020:  a9 71 8b 94 2e 32 a9 82  fa 4b f2 00 00 16 00 ff   .q...2...K......
  0030:  00 35 00 04 00 05 00 2f  00 0a 00 09 00 64 00 62   .5...../.....db
  0040:  00 03 00 06 01 00                                  ......
```
Have you symlinked the certificate to its hash value? i.e.:

```
ln -s /etc/ssl/certs/server.pem `openssl x509 -noout -hash -in /etc/ssl/certs/server.pem`
```

If you have an intermediate certificate, you will need to do this for it as well.
If you still have the problem, run:

```
openssl s_client -connect <ldapserver_name_or_ip>:636
```

and paste in the output (assuming openldap is listening on port 636).
Assuming your certificate is:

```
/etc/pki/tls/certs/slapdcert.pem
```

then you would run:

```
ln -s /etc/pki/tls/certs/slapdcert.pem `openssl x509 -noout -hash -in /etc/pki/tls/certs/slapdcert.pem`
```

Note that the openssl command is in backticks (the key with ~ on it), not single quotes.
If you run `strace -e file,network ldapsearch ...`, do you see the certificate being read? Do a network capture with Wireshark and see whether a TLS tunnel gets established.
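The answers above describe linking each certificate under its subject hash by hand. The script below is an added example (not code from the question or either answer) that does the same thing as a reusable function and then checks the result the way the TLS library will use it: OpenSSL's directory lookup (the lookup libldap performs for `TLS_CACERTDIR`) expects file names of the form `<hash>.<N>` with N counting from 0, so the function appends the numeric suffix and moves to the next number on a hash collision. It also verifies the certificate through the directory with `openssl verify -CApath`, which is a quick offline check that the links resolve before retrying `ldapsearch -ZZ`. The self-test generates a throwaway self-signed certificate; the subject name and temp paths are constructed for the demo and are not from the question.

```shell
#!/bin/sh
# Added example, not code from the original question or its answers. It links a
# PEM certificate into a directory under the name OpenSSL (and therefore
# libldap's TLS_CACERTDIR lookup) expects: <subject-hash>.<N>, N counting from 0.
# Paths and the certificate subject used by demo() are constructed for this demo.

# rehash_cert CERT DIR: create DIR/<hash>.<N> -> CERT and print the link path.
rehash_cert() {
    cert=$1
    dir=$2
    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Same command the answers use; the hash is derived from the certificate's
    # subject name, so each certificate in a chain (CA, intermediates) gets its
    # own link and must be passed to this function separately.
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        # An existing link to this same file is reused rather than duplicated;
        # a different certificate with the same hash gets the next suffix.
        if [ "$(readlink "$dir/$hash.$n")" = "$cert" ]; then
            printf '%s\n' "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$cert" "$dir/$hash.$n" || return 1
    printf '%s\n' "$dir/$hash.$n"
}

# verify_with_capath CERT DIR: confirm the hash directory is usable by running
# the same directory lookup the TLS library performs when building the chain.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# demo: build a throwaway self-signed certificate in a temp directory, install
# it with rehash_cert, verify it through the directory, and print the link.
demo() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-ldap-ca" \
        -keyout "$tmp/ca.key" -out "$tmp/ca.pem" >/dev/null 2>&1 || return 1
    mkdir "$tmp/certs" || return 1
    link=$(rehash_cert "$tmp/ca.pem" "$tmp/certs") || return 1
    verify_with_capath "$tmp/ca.pem" "$tmp/certs" || return 1
    printf '%s\n' "$link"
}

# Run the self-test only when asked for explicitly:  sh rehash.sh demo
case ${1:-} in
    demo) demo ;;
esac
```

For a real server, call `rehash_cert` once per file in the chain (the server certificate's CA and any intermediate) against the directory named by `TLS_CACERTDIR` in `ldap.conf`, then run `verify_with_capath` on the server certificate itself; if that fails, `ldapsearch -ZZ` will fail or hang for the same reason, and the `openssl s_client` output suggested above shows which link in the chain is missing.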