LDAP client search using SSL on CentOS 7

Does anyone have SSL client authentication working with OpenLDAP (on CentOS 7, using moznss)?

I have been searching for the last 2 days trying to get this working, both with the certutil database and with direct PEM configuration, and frustratingly it does not work.

I initially thought the client was not sending the SSL certificate for authentication, and I have proven this when using PEM authentication and strace (there is no open() of the crt file or key).

First of all, this is RHEL 7; client and server have the same version of openldap installed.

Server:

 openldap-servers-2.4.39-6.el7.x86_64 openldap-2.4.39-6.el7.x86_64

Client:

 openldap-clients-2.4.39-6.el7.x86_64 openldap-2.4.39-6.el7.x86_64

SSL: my own CA.

Using PEM authentication:

Server (cn=config.ldif):

 olcTLSCACertificateFile: /etc/openldap/tls/ldap-ca.crts
 olcTLSCertificateFile: /etc/openldap/tls/ldap-server.crt
 olcTLSCertificateKeyFile: /etc/openldap/tls/ldap-server.key
 olcTLSVerifyClient: hard

Server (/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:/// ldaps:///" -d 1):

 55935ff8 slap_listener_activate(10):
 55935ff8 >>> slap_listener(ldaps:///)
 55935ff8 connection_get(18): got connid=1000
 55935ff8 connection_read(18): checking for input on id=1000
 TLS: loaded CA certificate file /etc/openldap/tls/ldap-ca.crts.
 TLS: error: the certificate '/etc/openldap/tls/ldap-server.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
 TLS: certificate '/etc/openldap/tls/ldap-server.crt' successfully loaded from PEM file.
 TLS: no unlocked certificate for certificate 'CN=xxx,...,C=AU'.
 TLS: certificate [CN=xxx,...,C=AU] is valid
 55935ff8 connection_get(18): got connid=1000
 55935ff8 connection_read(18): checking for input on id=1000
 TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
 TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..
 55935ff8 connection_read(18): TLS accept failure error=-1 id=1000, closing
 55935ff8 connection_close: conn=1000 sd=18

Client (/etc/openldap/ldap.conf):

 TLS_CACERT /etc/openldap/tls/ldap-ca.crts
 TLS_CERT /etc/openldap/tls/ldap-client.crt
 TLS_KEY /etc/openldap/tls/ldap-client.key
 TLS_REQCERT never

Client (ldapsearch -d1 -H ldaps://xxx -b c=AU 'uid=x'):

 TLS: loaded CA certificate file /etc/openldap/tls/ldap-ca.crts.
 TLS: certificate [CN=xxx,...,C=AU] is valid
 TLS: error: connect - force handshake failure: errno 21 - moznss error -12271
 TLS: can't connect: TLS error -12271:SSL peer cannot verify your certificate..

Client (strace; the client certificate is not provided):

 ...
 8047 stat("/etc/openldap/tls/ldap-ca.crts", {st_mode=S_IFREG|0644, st_size=5287, ...}) = 0
 8047 open("/etc/openldap/tls/ldap-ca.crts", O_RDONLY) = 4
 ...

The client connection works fine using just openssl:

 openssl s_client -connect xxx:636 -showcerts -CAfile /etc/openldap/tls/ldap-ca.crts -key /etc/openldap/tls/ldap-client.key -state -cert /etc/openldap/tls/ldap-client.crt
 ...
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
 Server public key is 1024 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES128-SHA
     Session-ID: [long hex value]
     Session-ID-ctx:
     Master-Key: [long hex value]
     Key-Arg   : None
     Krb5 Principal: None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1435722028
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)

Using certutil (moznss database):

Same problem:

Server (cn=config.ldif):

 olcTLSVerifyClient: hard
 olcTLSCertificateFile: "xxx - X"
 olcTLSCACertificatePath: /etc/openldap/certs

Server (moznss):

 [root@host certs]# certutil -d . -L

 Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

 x LDAP CA                                                    CT,C,C
 xxx - X                                                      u,u,u
 x CA                                                         CT,C,C
 x CA                                                         CT,C,C

Server (/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:/// ldaps:///" -d 1):

 559363d2 connection_get(18): got connid=1000
 559363d2 connection_read(18): checking for input on id=1000
 TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
 TLS: using moznss security dir /etc/openldap/certs prefix .
 TLS: certificate 'xxx - X' successfully loaded from moznss database.
 TLS: no unlocked certificate for certificate 'CN=xxx,...,C=AU'.
 TLS: certificate [CN=xxx,...,C=AU] is valid
 559363d2 connection_get(18): got connid=1000
 559363d2 connection_read(18): checking for input on id=1000
 TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
 TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..

Client (/etc/openldap/ldap.conf):

 TLS_CACERTDIR /etc/openldap/certs
 TLS_CERT "x - X"
 TLS_REQCERT never

Client (moznss):

 [root@client certs]# certutil -d . -L

 Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

 X LDAP CA                                                    CT,C,C
 x - X                                                        u,u,u
 X Root CA                                                    CT,C,C
 X CA                                                         CT,,

Client (ldapsearch -d1 -H ldaps://xxx -b c=AU 'uid=x'):

 TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
 TLS: using moznss security dir /etc/openldap/certs prefix .
 TLS: certificate [CN=xxx,...,C=AU] is valid
 TLS: error: connect - force handshake failure: errno 21 - moznss error -12271
 TLS: can't connect: TLS error -12271:SSL peer cannot verify your certificate..

Using this method the openssl test works fine, but ldapsearch fails with the same error. strace does not help, but it does show the certificate database files being opened.

Client (strace):

 8075 stat("/etc/openldap/certs/cert8.db", {st_mode=S_IFREG|0644, st_size=65536, ...}) = 0
 8075 open("/etc/openldap/certs/cert8.db", O_RDONLY) = 4
 8075 stat("/etc/openldap/certs/key3.db", {st_mode=S_IFREG|0644, st_size=16384, ...}) = 0
 8075 open("/etc/openldap/certs/key3.db", O_RDONLY) = 5

Anyone have any hints? (Frustrated; I know I had this working on an older version of CentOS.)
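A client-side check list for the situation in the question, added here as an example; it is not code from the post. It assumes the file paths the question uses and a placeholder hostname. One point it tests needs no server at all: ldap.conf(5) lists TLS_CERT and TLS_KEY as user-only options, which are ignored when they appear in the system-wide /etc/openldap/ldap.conf and are only honoured from ~/.ldaprc, the file named by LDAPRC, or the LDAPTLS_CERT and LDAPTLS_KEY environment variables. That is consistent with the strace output above, where the CA bundle (TLS_CACERT, not user-only) is opened but the client certificate and key never are. The remaining functions use openssl to confirm the certificate and key are a pair, that the certificate chains to the CA bundle, that any EKU includes clientAuth, and whether the server actually sends a CertificateRequest and for which issuer names.

```shell
#!/bin/sh
# Added diagnostic for the client side of the failure above; not from the post.
# Paths are the ones the question uses.  HOST is an assumption (redacted as xxx
# in the question).
CA=/etc/openldap/tls/ldap-ca.crts
CERT=/etc/openldap/tls/ldap-client.crt
KEY=/etc/openldap/tls/ldap-client.key
HOST=${HOST:-ldap.example.com}

# ldap.conf(5): TLS_CERT and TLS_KEY are "user-only" options.  They are ignored
# in the system-wide file and only read from ~/.ldaprc, $LDAPRC, or the
# LDAPTLS_CERT / LDAPTLS_KEY environment variables.  Print each one found in
# the file named by $1 (keywords are case-insensitive; comments are skipped).
user_only_in_system_conf() {
    awk '$1 !~ /^#/ { k = toupper($1); if (k == "TLS_CERT" || k == "TLS_KEY") print k }' "$1"
}

# The certificate and the private key must be a pair: compare public keys.
cert_key_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl md5)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The client certificate must chain to a CA the server trusts (the question
# uses the same bundle on both sides).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# If the certificate carries an Extended Key Usage extension at all, it has
# to include clientAuth; no EKU extension is also acceptable.
has_client_auth() {
    eku=$(openssl x509 -noout -text -in "$1" | awk '/X509v3 Extended Key Usage/ { getline; print }')
    [ -z "$eku" ] || printf '%s' "$eku" | grep -q 'TLS Web Client Authentication'
}

# Does the server request a client certificate, and from which issuers?
# s_client prints "Acceptable client certificate CA names" plus the list, or
# "No client certificate CA names sent" when no CertificateRequest arrived.
server_cert_request() {
    openssl s_client -connect "$HOST:636" -CAfile "$CA" -cert "$CERT" -key "$KEY" </dev/null 2>/dev/null |
        awk '/client certificate CA names/ { p = 1 } p && /^---/ { exit } p'
}

main() {
    ignored=$(user_only_in_system_conf /etc/openldap/ldap.conf | tr '\n' ' ')
    [ -z "$ignored" ] || echo "ignored in /etc/openldap/ldap.conf (user-only options): $ignored"
    cert_key_match "$CERT" "$KEY" || echo "FAIL: $CERT and $KEY are not a pair"
    chain_ok "$CA" "$CERT"        || echo "FAIL: $CERT does not verify against $CA"
    has_client_auth "$CERT"       || echo "FAIL: $CERT has an EKU without clientAuth"
    server_cert_request
    # The search from the question, with the certificate and key supplied at
    # user level (equivalent to TLS_CERT/TLS_KEY lines in ~/.ldaprc).  Only
    # the TLS lines of the -d 1 output are shown.
    LDAPTLS_CACERT=$CA LDAPTLS_CERT=$CERT LDAPTLS_KEY=$KEY \
        ldapsearch -d 1 -H "ldaps://$HOST" -b c=AU 'uid=x' 2>&1 | grep '^TLS:'
}

# Run as: LDAP_DIAG_RUN=1 sh ldap-client-diag.sh   (sourcing only defines the functions)
if [ "${LDAP_DIAG_RUN:-0}" = 1 ]; then
    main
fi
```

For the moznss build the same user-only rule applies to the certificate nickname form of TLS_CERT that the second attempt uses, so putting `TLS_CERT "x - X"` in /etc/openldap/ldap.conf has no effect either; the cert8.db/key3.db opens seen in strace come from TLS_CACERTDIR, which the system file does honour.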

The following is taken from a running CentOS 7 ldap server and should cover the key aspects of SASL/EXTERNAL (TLS) authentication.
Minor notes:
- In this example the server also acts as the client.
- This example uses ~/.ldaprc instead of /etc/openldap/ldap.conf.
- This example uses olcTLSVerifyClient: verify instead of hard because the server supports other authentication types in addition to SASL/EXTERNAL (TLS) authentication.

slapd configuration

 [root@ldap ~]# ldapsearch cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient
 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 # extended LDIF
 #
 # LDAPv3
 # base <cn=config> (default) with scope subtree
 # filter: cn=config
 # requesting: olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient
 #

 # config
 dn: cn=config
 olcTLSCACertificateFile: /etc/pki/tls/certs/ldap.example.com_CA.crt
 olcTLSCertificateFile: /etc/pki/tls/certs/ldap.example.com.crt
 olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.example.com.key
 olcTLSVerifyClient: try

 # search result
 search: 2
 result: 0 Success

 # numResponses: 2
 # numEntries: 1

Certificate key permissions

 [root@ldap ~]# ls -lZ /etc/pki/tls/private/ldap.example.com.key
 -rw-r-----+ root root unconfined_u:object_r:cert_t:s0 /etc/pki/tls/private/ldap.example.com.key
 [root@ldap ~]# getfacl /etc/pki/tls/private/ldap.example.com.key
 getfacl: Removing leading '/' from absolute path names
 # file: etc/pki/tls/private/ldap.example.com.key
 # owner: root
 # group: root
 user::rw-
 user:ldap:r--
 group::---
 mask::r--
 other::---

sasl configuration

 [root@ldap ~]# cat /etc/sasl2/slapd.conf
 mech_list: external gssapi plain
 pwcheck_method: saslauthd

ldap client setup

 [root@ldap ~]# cat .ldaprc
 URI ldapi:///
 BASE cn=config
 SASL_MECH external
 #TLS_CACERT /etc/ssl/certs/ca-bundle.crt
 TLS_CACERT /etc/pki/tls/certs/ldap.example.com_CA.crt
 TLS_CERT /etc/pki/tls/certs/ldap.example.com.crt
 TLS_KEY /etc/pki/tls/private/ldap.example.com.key

Successful SASL/EXTERNAL (TLS) bind

 [root@ldap ~]# ldapwhoami -ZZ -h ldap.example.com
 SASL/EXTERNAL authentication started
 SASL username: cn=ldap.example.com,<cert locality info>
 SASL SSF: 0
 dn:cn=ldap.example.com,<cert locality info>
 [root@ldap ~]# ldapwhoami -H ldaps://ldap.example.com
 SASL/EXTERNAL authentication started
 SASL username: cn=ldap.example.com,<cert locality info>
 SASL SSF: 0
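After the bind shown in the answer, the connection is authenticated as the bare certificate subject (the `dn:` line echoes the `SASL username`), which no ACL or group in the directory names. The following is an added example, not part of the answer, of mapping that subject onto a directory entry with an olcAuthzRegexp rule, previewing the rewrite offline first so the regular expression can be checked before it is loaded into cn=config. The container ou=hosts,dc=example,dc=com and the subject shape `cn=<host>,...` are assumptions; the answer only shows `cn=ldap.example.com,<cert locality info>`.

```shell
#!/bin/sh
# Added example; not from the answer.  Maps the certificate subject that
# SASL/EXTERNAL produces onto an entry under an assumed container.
BASE='ou=hosts,dc=example,dc=com'   # assumption: where host entries live

# Offline preview of what slapd will do with the rule below: keep the first
# RDN (cn=...) of the certificate subject and replace the rest with $BASE.
# Subjects that do not start with cn= are left untouched, as slapd leaves
# identities that match no olcAuthzRegexp unchanged.
map_cert_dn() {
    printf '%s\n' "$1" | sed -E "s/^(cn=[^,]+),.*\$/\1,$BASE/"
}

# Pull the bound identity out of ldapwhoami output (the "dn:" line the
# answer shows); everything else on stdin is ignored.
whoami_dn() { sed -n 's/^dn:\(.*\)$/\1/p'; }

# Load the rule into cn=config over ldapi:///.  As root this authenticates
# via peercred, exactly as the answer's first ldapsearch did.  The first
# token is a POSIX ERE matched against the SASL username, the second is the
# replacement; $1 is the first capture group.
install_authz_regexp() {
    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: ^cn=([^,]+),.*\$ cn=\$1,$BASE
EOF
}

# Bind over TLS with the client certificate from ~/.ldaprc and report the
# identity slapd ends up with; before the rule it is the raw subject, after
# it the mapped entry.
bound_as() {
    ldapwhoami -H ldaps://ldap.example.com | whoami_dn
}

# Run as: LDAP_AUTHZ_RUN=1 sh authz-map.sh   (sourcing only defines functions)
if [ "${LDAP_AUTHZ_RUN:-0}" = 1 ]; then
    echo "before: $(bound_as)"
    install_authz_regexp
    echo "after:  $(bound_as)"
fi
```

The preview and the loaded rule use the same expression, so a subject that `map_cert_dn` leaves unchanged will also be left unchanged by slapd; check the target entry exists (for example with `ldapsearch -H ldapi:/// -s base -b "$(map_cert_dn "$subject")"`) before writing ACLs against it.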