OpenLDAP Centos 7 LDAP server request for passphrase

I am trying to set up OpenLDAP running TLS (2.4.39 and Centos 7). When a client sends an ldapsearch request, the server somehow prompts for a passphrase/password. See below for the output when running 'slapd' (the password is asked for at the end). I must have done something wrong when setting up the Mozilla NSS certificates?

# slapd -u ldap -h ldaps:// -d -1
...
55305109 slapd startup: initiated.
55305109 backend_startup_one: starting "cn=config"
55305109 config_back_db_open
Backend ACL: access to *
    by * none

55305109 config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
55305109 backend_startup_one: starting "dc=xxxxxxx,dc=com"
55305109 bdb_db_open: "dc=xxxxxxx,dc=com"
55305109 bdb_db_open: database "dc=xxxxxxx,dc=com": dbenv_open(/var/lib/ldap/xxxxxxx.com).
55305109 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
55305109 slapd starting
55305109 daemon: added 4r listener=(nil)
55305109 daemon: added 7r listener=0x7fb461bbd430
55305109 daemon: added 8r listener=0x7fb461bbd530
55305109 daemon: epoll: listen=7 active_threads=0 tvp=zero
55305109 daemon: epoll: listen=8 active_threads=0 tvp=zero
55305109 daemon: activity on 1 descriptor
55305109 daemon: activity on:55305109 
55305109 daemon: epoll: listen=7 active_threads=0 tvp=zero
55305109 daemon: epoll: listen=8 active_threads=0 tvp=zero
55305156 daemon: activity on 1 descriptor
55305156 daemon: activity on:55305156 
55305156 slap_listener_activate(7): 
55305156 daemon: epoll: listen=7 busy
55305156 daemon: epoll: listen=8 active_threads=0 tvp=zero
55305156 >>> slap_listener(ldaps://)
55305156 daemon: activity on 1 descriptor
55305156 daemon: activity on:55305156 
55305156 daemon: epoll: listen=7 active_threads=0 tvp=zero
55305156 daemon: epoll: listen=8 active_threads=0 tvp=zero
55305156 daemon: listen=7, new connection on 15
55305156 daemon: added 15r (active) listener=(nil)
55305156 conn=1000 fd=15 ACCEPT from IP=10.42.0.215:50115 (IP=0.0.0.0:636)
55305156 daemon: activity on 1 descriptor
55305156 daemon: activity on:55305156 
55305156 daemon: epoll: listen=7 active_threads=0 tvp=zero
55305156 daemon: epoll: listen=8 active_threads=0 tvp=zero
55305156 daemon: activity on 1 descriptor
55305156 daemon: activity on:55305156  15r55305156 
55305156 daemon: read active on 15
55305156 daemon: epoll: listen=7 active_threads=0 tvp=zero
55305156 daemon: epoll: listen=8 active_threads=0 tvp=zero
55305156 connection_get(15)
55305156 connection_get(15): got connid=1000
55305156 connection_read(15): checking for input on id=1000
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate 'Server-Cert' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=ldapserver.xxxxxxx.com'.
Please enter pin, password, or pass phrase for security token 'ldap(0)': 
TLS: certificate [CN=ldapserver.xxxxxxx.com] is valid
tls_read: want=3, got=3
  0000:  16 03 01                                           ...               
tls_read: want=2, got=2
  0000:  00 ae                                                ..                
tls_read: want=174, got=174

...

Here is how the certificates were generated:

# cd /etc/openldap/certs
# echo 12345 > password
# certutil -N -d . -f password 
# certutil -S -n "CA certificate" -s "cn=CAcert, dc=xxxxxxx,dc=com" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f password 
# certutil -S -n "Server-Cert" -s "cn=ldapserver.xxxxxxx.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f password

# # export the certificate for client
# stored in client machine /etc/openldap/certs/
# certutil -d . -L -n "CA certificate" -a > cacert.pem

The client /etc/openldap/ldap.conf contains:

BASE dc=xxxxxxx,dc=com
URI ldaps://10.42.0.1
TLS_CACERT    /etc/openldap/certs/cacert.pem
TLS_CIPHER_SUITE ALL:!NULL

(Edit:) Server /etc/openldap/slapd.conf:

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema

TLSCACertificatePath    /etc/openldap/certs
TLSCertificateFile  Server-Cert
TLSCipherSuite        ALL:!NULL
TLSVerifyClient       never
disallow          bind_anon
#require              bind
#security         simple_bind=128

database    bdb
suffix      "dc=xxxxxxx,dc=com"
rootdn      "cn=ldapadmin,dc=xxxxxxx,dc=com"
rootpw      {SSHA}B1auWTJT2Prj9kOlci1vqALlROb48iBu
directory   /var/lib/ldap/xxxxxxx.com
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
cachesize   10000
checkpoint  128 15

database    config
rootdn      "cn=ldapadmin,cn=config"
rootpw      {SSHA}B1auWTJT2Prj9kOlci1vqALlROb48iBu

The documentation says:

TLSCertificateKeyFile

Specifies the file that contains the slapd server private key that matches the certificate stored in the TLSCertificateFile file. Currently, the private key must not be protected with a password, so it is of critical importance that it is protected carefully.

I conclude that your private key file has a password. You need to change it so that it doesn't.

(Apache HTTPD has a provision for handling this prompt, which I believe comes from inside OpenSSL. I have never found an equivalent in slapd.conf.)

It also says:

TLSCertificatePath

Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Usually only one of this or the TLSCACertificateFile is used.

Your configuration there is strange.
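The two symptoms discussed above (a slapd.conf whose TLSCertificateFile is an NSS nickname with no TLSCertificateKeyFile beside it, and a debug log that shows slapd stopping on a token PIN prompt during the first handshake) can both be spotted mechanically. The following checker is an added example, not code from the question, the answer or the OpenLDAP project. It embeds constructed copies of the TLS directives and log lines shown in the question, and its findings text reflects how the MozNSS build of slapd behaves: a bare nickname means the key is read from the NSS database under TLSCACertificatePath, and in that build TLSCertificateKeyFile names a file holding the database password, so a password-protected database with no such file leaves slapd blocked waiting for a PIN. The function names and the PEM-path heuristic ("contains a slash") are this example's own assumptions.

```python
import re

# Constructed sample: the TLS part of the slapd.conf from the question.
SAMPLE_SLAPD_CONF = """\
TLSCACertificatePath    /etc/openldap/certs
TLSCertificateFile  Server-Cert
TLSCipherSuite        ALL:!NULL
TLSVerifyClient       never
disallow          bind_anon
"""

# Constructed sample: the lines of the slapd -d -1 output that reveal the blocked prompt.
SAMPLE_SLAPD_LOG = """\
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: certificate 'Server-Cert' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=ldapserver.xxxxxxx.com'.
Please enter pin, password, or pass phrase for security token 'ldap(0)':
TLS: certificate [CN=ldapserver.xxxxxxx.com] is valid
"""


def parse_tls_directives(conf_text):
    """Return {directive_lowercase: value} for every TLS* line in a slapd.conf.

    slapd.conf directive names are case-insensitive, so keys are normalised to lowercase.
    Comment and blank lines are skipped.
    """
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("tls"):
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def check_tls_config(conf_text):
    """Return a list of human-readable findings about the key/certificate setup."""
    d = parse_tls_directives(conf_text)
    findings = []
    cert = d.get("tlscertificatefile")
    key = d.get("tlscertificatekeyfile")
    if cert and "/" not in cert:
        # Heuristic (assumption of this example): no slash means an NSS nickname, not a PEM path.
        findings.append(
            "TLSCertificateFile '%s' is an NSS nickname, so the private key is read from the "
            "NSS database in TLSCACertificatePath" % cert)
        if key is None:
            findings.append(
                "no TLSCertificateKeyFile: with a password-protected NSS database slapd has no "
                "password file to read and blocks on an interactive PIN prompt at the first TLS handshake")
    elif cert and key is None:
        findings.append("TLSCertificateFile is a PEM path but TLSCertificateKeyFile is missing")
    return findings


# The exact prompt and lock-state lines from the question's debug output.
PROMPT_RE = re.compile(r"Please enter pin, password, or pass phrase for security token '([^']*)'")
LOCKED_RE = re.compile(r"TLS: no unlocked certificate for certificate '([^']*)'")


def find_passphrase_prompt(log_text):
    """Return (token, certificate_subject) if the log shows slapd waiting on a token PIN, else None.

    The subject comes from the 'no unlocked certificate' line that precedes the prompt; it is
    None if only the prompt itself was seen.
    """
    token = None
    subject = None
    for line in log_text.splitlines():
        m = LOCKED_RE.search(line)
        if m:
            subject = m.group(1)
        m = PROMPT_RE.search(line)
        if m:
            token = m.group(1)
    if token is None:
        return None
    return (token, subject)


if __name__ == "__main__":
    for finding in check_tls_config(SAMPLE_SLAPD_CONF):
        print("config:", finding)
    hit = find_passphrase_prompt(SAMPLE_SLAPD_LOG)
    if hit:
        print("log: slapd is blocked on the PIN for token %r (certificate %r)" % hit)
```

Run against the samples, the config check reports the nickname and the missing TLSCertificateKeyFile, and the log scan reports that slapd is blocked on the PIN for token 'ldap(0)'. Whichever remedy is chosen (removing the password from the NSS database, or putting it in a file that slapd can read), the file or database holding the unprotected key should be readable only by the user slapd runs as, which is the point the quoted documentation is making.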