TLS (STARTTLS) fails after upgrading Open Directory master to 10.6

Environment: Mac OS X 10.6.3 installed / imported from a Mac OS X 10.5.8 Open Directory master. After the upgrade, LDAP + TLS fails on our Mac OS X 10.5, 10.6, CentOS, Debian and FreeBSD clients (Apache2 and PAM).

Testing with ldapsearch:

ldapsearch -ZZ -H ldap://gnome.darkhorse.com -v -x -b "dc=darkhorse,dc=com" '(uid=donaldr)' uid 

... fails:

 ldap_start_tls: Protocol error (2) 

Testing with "-d 9" added fails with:

 res_errno: 2, res_error: <unsupported extended operation>, res_matched: <> 

Testing without STARTTLS, or with LDAPS:

    ldapsearch -H ldap://gnome.darkhorse.com -v -x -b "dc=darkhorse,dc=com" '(uid=donaldr)' uid
    ldapsearch -H ldaps://gnome.darkhorse.com -v -x -b "dc=darkhorse,dc=com" '(uid=donaldr)' uid

... succeeds:

    # donaldr, users, darkhorse.com
    dn: uid=donaldr,cn=users,dc=darkhorse,dc=com
    uid: donaldr

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
    result: 0 Success

(We specify "TLS_REQCERT never" in /etc/openldap/ldap.conf.)

Testing with openssl:

 openssl s_client -connect gnome.darkhorse.com:636 -showcerts -state 

Succeeds:

    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=1 /C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    ---
    Certificate chain
     0 s:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=MIS/CN=gnome.darkhorse.com
       i:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
     1 s:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
       i:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <deleted for brevity>
    -----END CERTIFICATE-----
    subject=/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=MIS/CN=gnome.darkhorse.com
    issuer=/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2640 bytes and written 325 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: D3F9536D3C64BAAB9424193F81F09D5C53B7D8E7CB5A9000C58E43285D983851
        Session-ID-ctx:
        Master-Key: E224CC065924DDA6FABB89DBCC3E6BF89BEF6C0BD6E5D0B3C79E7DE927D6E97BF12219053BA2BB5B96EA2F6A44E934D3
        Key-Arg   : None
        Start Time: 1271202435
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

So we believe the slapd daemon is reading our certificates and writing them out to LDAP clients.

Server Admin adds the ProgramArguments ("-h ldaps:///") to /System/Library/LaunchDaemons/org.openldap.slapd.plist, and TLSCertificateFile, TLSCertificateKeyFile, TLSCACertificateFile and TLSCertificatePassphraseTool to /etc/openldap/slapd_macosxserver.conf, when SSL is enabled in the LDAP section of the Open Directory service. While that seems to be sufficient for LDAPS, it seems to be insufficient for TLS. Comparing our 10.6 and 10.5 slapd.conf and slapd_macosxserver.conf configuration files gave no clues. Replacing our certificate (generated with our self-signed CA) with a self-signed certificate generated by Apple's Server Admin left the ldapsearch results unchanged.

Setting -d to 256 in /System/Library/LaunchDaemons/org.openldap.slapd.plist logs:

    4/13/10 5:23:35 PM org.openldap.slapd[82162] conn=384 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    4/13/10 5:23:35 PM org.openldap.slapd[82162] conn=384 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
    4/13/10 5:23:35 PM org.openldap.slapd[82162] conn=384 op=0 RESULT tag=120 err=2 text=unsupported extended operation

Any debugging suggestions would be greatly appreciated.

Tom Kisel

PS

Email from Apple confirms that they can reproduce this (LDAP + STARTTLS fails but LDAPS succeeds on 10.6; both work on 10.5) and that an internal bug report has been opened.
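The failing exchange above, as an added example that is not part of the original post: `ldapsearch -ZZ` starts by sending an LDAP ExtendedRequest carrying the StartTLS OID 1.3.6.1.4.1.1466.20037 (RFC 4511 section 4.14), and the slapd log line `RESULT tag=120 err=2 text=unsupported extended operation` is the ExtendedResponse that comes back; resultCode 2 is protocolError, which is exactly the `ldap_start_tls: Protocol error (2)` the client printed. The script builds that request by hand, parses the response, and maps it to the symptom, so the distinction between "the TLS stack is broken" (which LDAPS on 636 rules out) and "slapd simply does not register the StartTLS extended operation" can be seen at the wire level. The two sample responses are constructed to match the post's log lines, not captured from the server; `probe_server` is the only part that touches the network and assumes the reply (always a few dozen bytes) arrives in a single `recv`.

```python
"""Hand-built LDAP StartTLS probe (RFC 4511 section 4.14).

Added example, not code from the original post. Encodes the StartTLS
ExtendedRequest that `ldapsearch -ZZ` sends, decodes the ExtendedResponse,
and reports whether the server accepted or refused the operation.
"""
import socket

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# LDAP result codes that matter for this probe (RFC 4511 Appendix A)
RESULT_NAMES = {0: "success", 2: "protocolError"}


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(value)) + value


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }.

    message_id is assumed to be 1..127 so the INTEGER fits one positive byte."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode("ascii")))
    msg_id = _tlv(0x02, message_id.to_bytes(1, "big"))
    return _tlv(0x30, msg_id + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the value) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(raw: bytes) -> dict:
    """Decode LDAPMessage { messageID, [APPLICATION 24] ExtendedResponse }."""
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got protocolOp tag 0x{tag:02x}")
    out = {"message_id": int.from_bytes(mid, "big"), "response_name": None}
    tag, val, pos = _read_tlv(body, 0)      # resultCode ENUMERATED
    out["result_code"] = int.from_bytes(val, "big")
    tag, val, pos = _read_tlv(body, pos)    # matchedDN LDAPDN
    out["matched_dn"] = val.decode("utf-8")
    tag, val, pos = _read_tlv(body, pos)    # diagnosticMessage LDAPString
    out["diagnostic"] = val.decode("utf-8")
    while pos < len(body):                  # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x8A:
            out["response_name"] = val.decode("ascii")
    return out


def classify(resp: dict) -> str:
    """Translate the decoded response into what ldapsearch / slapd would report."""
    code = resp["result_code"]
    if code == 0 and resp["response_name"] == STARTTLS_OID:
        return "STARTTLS accepted: server now expects a TLS handshake on this socket"
    name = RESULT_NAMES.get(code, f"code {code}")
    return f"STARTTLS refused: {name} ({code}) {resp['diagnostic']!r}"


def probe_server(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send the request over plain TCP and decode the reply (network; not exercised below)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_starttls_request())
        return parse_extended_response(s.recv(4096))  # assumes one recv returns the whole reply


# Constructed sample replies, built to match the post's log lines (not packet captures):
# what the upgraded 10.6 slapd answers: err=2 text=unsupported extended operation
REFUSED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78,
    _tlv(0x0A, b"\x02") + _tlv(0x04, b"") + _tlv(0x04, b"unsupported extended operation")))
# what a slapd with StartTLS registered answers: success plus the StartTLS OID as responseName
ACCEPTED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78,
    _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"") + _tlv(0x8A, STARTTLS_OID.encode("ascii"))))

if __name__ == "__main__":
    print("request:", build_starttls_request().hex())
    for raw in (REFUSED, ACCEPTED):
        print(classify(parse_extended_response(raw)))
```

Run against a real host with `probe_server("gnome.darkhorse.com")` (hostname from the post) and compare the decoded `result_code` with the `err=` value in the slapd log; a refusal with resultCode 2 before any TLS record is exchanged means the certificate files are not what is being tested, which is why swapping certificates in the post changed nothing.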