Трассировка TLS: SSL_connect: ошибка на сервере чтения SSLv2 / v3 привет A
Я пытаюсь запросить пользователей AD и пробовал все доступные варианты, но безуспешно
Операционная система = CentoS7.5 Пакеты = Openldap, ldapsearch Microsoft Active Directory
моя команда
ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=abc,dc=local" -H "ldaps://xxxx:3268" "uid=abc" -d 1
Далее следует трассировка отладки
ldap_url_parse_ext(ldaps://xxxx:3268)
ldap_create
ldap_url_parse_ext(ldaps://xxxx:3268/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxxx:3268
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying x.x.x.x:3268
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Я попытался изменить значения в /etc/openldap/ldap.conf
Сначала добавлен
TLS_REQCERT never
, затем
TLS_REQCERT allow
, затем установлен ниже, как указано здесь но безуспешно
ldap ssl v2 v3 не может прочитать сервер Hallo A
TLS_PROTOCOL_MIN 3.3
Перезагрузил и мой сервер, но безуспешно.
если я запускаю с уровнем отладки d 2, последние строки похожи на
tls_read: want=7 error=Connection reset by peer
TLS: can't connect: .
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
мои единственные намерения это запустить ldapsearch
РЕДАКТИРОВАТЬ:
как было предложено @fission Я изменил порт, и теперь я получаю ниже
>> cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=abc,dc=local
URI ldaps://xxx:3269
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/certs
#HOST you-adc1
#PORT 3268
TLS_REQCERT never
#TLS_PROTOCOL_MIN 3.3
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
Трассировка:
[root@x ~]# ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=xyz,dc=local" -H "ldaps://xxx:3269" "uid=abc" -d 1
ldap_url_parse_ext(ldaps://xxx:3269)
ldap_create
ldap_url_parse_ext(ldaps://xxx:3269/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxx:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying x.x.x.x:3269
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `(null)'.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: , issuer: /DC=local/DC=xxx/CN=xxx-root-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 76 bytes to sd 3
ldap_result ld 0x559d9b078a70 msgid 1
wait4msg ld 0x559d9b078a70 msgid 1 (infinite timeout)
wait4msg continue ld 0x559d9b078a70 msgid 1 all 1
** ld 0x559d9b078a70 Connections:
* host: xxx port: 3269 (default)
refcnt: 2 status: Connected
last used: Sat Oct 20 16:46:31 2018
** ld 0x559d9b078a70 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x559d9b078a70 request count 1 (abandoned 0)
** ld 0x559d9b078a70 Response Queue:
Empty
ld 0x559d9b078a70 response count 0
ldap_chkResponseList ld 0x559d9b078a70 msgid 1 all 1
ldap_chkResponseList returns ld 0x559d9b078a70 NULL
ldap_int_select
read1msg: ld 0x559d9b078a70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x559d9b078a70 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x559d9b078a70 0 new referrals
read1msg: mark request completed, ld 0x559d9b078a70 msgid 1
request done: ld 0x559d9b078a70 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "uid=abc"
put_filter: default
put_simple_filter: "uid=abc"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 70 bytes to sd 3
ldap_result ld 0x559d9b078a70 msgid -1
wait4msg ld 0x559d9b078a70 msgid -1 (infinite timeout)
wait4msg continue ld 0x559d9b078a70 msgid -1 all 0
** ld 0x559d9b078a70 Connections:
* host: xxx port: 3269 (default)
refcnt: 2 status: Connected
last used: Sat Oct 20 16:46:31 2018
** ld 0x559d9b078a70 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x559d9b078a70 request count 1 (abandoned 0)
** ld 0x559d9b078a70 Response Queue:
Empty
ld 0x559d9b078a70 response count 0
ldap_chkResponseList ld 0x559d9b078a70 msgid -1 all 0
ldap_chkResponseList returns ld 0x559d9b078a70 NULL
ldap_int_select
read1msg: ld 0x559d9b078a70 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 168 contents:
read1msg: ld 0x559d9b078a70 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x559d9b078a70 0 new referrals
read1msg: mark request completed, ld 0x559d9b078a70 msgid 2
request done: ld 0x559d9b078a70 msgid 2
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
Operations error (1)
Additional information: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
0
задан ImranRazaKhan
20 October 2018 в 18:15
Ссылка
1 ответ
Изменив порт на 3269, вы, кажется, теперь подключаетесь к LDAPS-серверу, что хорошо. Однако, аутентификация не завершена. Об этом можно судить по этой ошибке
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, комментарий: Для выполнения этой операции необходимо выполнить успешную привязку по соединению, данные 0, v1db1>, res_matched: <>
Вам нужно указать либо -w passwd , либо -W (который запросит пароль).
Другое, что я нашел необходимым, это указать базу поиска (-b опция).
Полная команда, которая здесь работала:
ldapsearch -x -LLL -d 1 \
-D cn=user1,cn=users,dc=fj,dc=test -W \
-H ldaps://winders.fj.test:3269 \
-b dc=fj,dc=test \
cn=user1
0