Debian 10, OpenLDAP, LetsEncrypt, Error 80 trying to add

Question

Debian 10, OpenLDAP, LetsEncrypt, Error 80 trying to add

...У меня никогда не было столько проблем с обеспечением безопасных коммуникаций.

Я считаю, что это действительная цепочка сертификатов CA для Let's Encrypt

Содержимое /etc/ssl/le/ca-chain.pem

Я могу запустить другие команды LDAP, которые работают успешно, так что сервер работает и отвечает.

Файл CA cert chain принадлежит openldap:openldap и имеет права r-xr--r--. Каталог имеет аналогичные права собственности и разрешения, за исключением того, что он доступен для всех, r-xr-xr-x.

Содержимое /root/tmp/secureldap.conf:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/le/ca-chain.pem

Команда, которую я пытаюсь выполнить:

ldapmodify -H ldapi:/// -Y EXTERNAL -f /root/tmp/secureldap.conf -d "-1"

Аааа, это провал.

ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=auth.example.net
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x5621fef74de0 ptr=0x5621fef74de0 end=0x5621fef74dfa len=26
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ber_scanf fmt ({i) ber:
ber_dump: buf=0x5621fef74de0 ptr=0x5621fef74de5 end=0x5621fef74dfa len=21
  0000:  60 13 02 01 03 04 00 a3  0c 04 08 45 58 54 45 52   `..........EXTER  
  0010:  4e 41 4c 04 00                                     NAL..             
ber_flush2: 26 bytes to sd 4
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ldap_write: want=26, written=26
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ldap_msgfree
ldap_result ld 0x5621fef72c50 msgid 1
wait4msg ld 0x5621fef72c50 msgid 1 (infinite timeout)
wait4msg continue ld 0x5621fef72c50 msgid 1 all 1
** ld 0x5621fef72c50 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Thu Apr 29 17:51:59 2021


** ld 0x5621fef72c50 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x5621fef72c50 request count 1 (abandoned 0)
** ld 0x5621fef72c50 Response Queue:
   Empty
  ld 0x5621fef72c50 response count 0
ldap_chkResponseList ld 0x5621fef72c50 msgid 1 all 1
ldap_chkResponseList returns ld 0x5621fef72c50 NULL
ldap_int_select
read1msg: ld 0x5621fef72c50 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..          
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......            
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c100 end=0x5621fef5c10c len=12
  0000:  02 01 01 61 07 0a 01 00  04 00 04 00               ...a........      
read1msg: ld 0x5621fef72c50 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........         
read1msg: ld 0x5621fef72c50 0 new referrals
read1msg:  mark request completed, ld 0x5621fef72c50 msgid 1
request done: ld 0x5621fef72c50 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........         
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........         
ber_scanf fmt (}) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c10c end=0x5621fef5c10c len=0

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x5621fef77220 ptr=0x5621fef77220 end=0x5621fef7727d len=93
  0000:  30 5b 02 01 02 66 56 04  09 63 6e 3d 63 6f 6e 66   0[...fV..cn=conf  
  0010:  69 67 30 49 30 47 0a 01  00 30 42 04 17 6f 6c 63   ig0I0G...0B..olc  
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
  0030:  46 69 6c 65 31 27 04 25  2f 65 74 63 2f 73 73 6c   File1'.%/etc/ssl  
  0040:  2f 32 30 32 31 2d 77 69  6c 64 63 61 72 64 2d 63   /etc/ssl/le/ca-c    
  0050:  65 72 74 2f 63 68 61 69  6e 2e 70 65 6d            hain.pem          
ber_scanf fmt ({) ber:
ber_dump: buf=0x5621fef77220 ptr=0x5621fef77225 end=0x5621fef7727d len=88
  0000:  66 56 04 09 63 6e 3d 63  6f 6e 66 69 67 30 49 30   fV..cn=config0I0  
  0010:  47 0a 01 00 30 42 04 17  6f 6c 63 54 4c 53 43 41   G...0B..olcTLSCA  
  0020:  43 65 72 74 69 66 69 63  61 74 65 46 69 6c 65 31   CertificateFile1  
  0030:  27 04 25 2f 65 74 63 2f  73 73 6c 2f 32 30 32 31   '.%/etc/ssl/le/c  
  0040:  2d 77 69 6c 64 63 61 72  64 2d 63 65 72 74 2f 63   a-chain.pem       
  0050:  68 61 69 6e 2e 70 65 6d                                              
ber_flush2: 93 bytes to sd 4
  0000:  30 5b 02 01 02 66 56 04  09 63 6e 3d 63 6f 6e 66   0[...fV..cn=conf  
  0010:  69 67 30 49 30 47 0a 01  00 30 42 04 17 6f 6c 63   ig0I0G...0B..olc  
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
  0030:  46 69 6c 65 31 27 04 25  2f 65 74 63 2f 73 73 6c   File1'.%/etc/ssl  
  0040:  2f 32 30 32 31 2d 77 69  6c 64 63 61 72 64 2d 63   /le/ca-chain.pem  
  0050:  65 72 74 2f 63 68 61 69  6e 2e 70 65 6d                             
ldap_write: want=93, written=93
  0000:  30 5b 02 01 02 66 56 04  09 63 6e 3d 63 6f 6e 66   0[...fV..cn=conf  
  0010:  69 67 30 49 30 47 0a 01  00 30 42 04 17 6f 6c 63   ig0I0G...0B..olc  
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
  0030:  46 69 6c 65 31 27 04 25  2f 65 74 63 2f 73 73 6c   File1'.%/etc/ssl  
  0040:  2f 32 30 32 31 2d 77 69  6c 64 63 61 72 64 2d 63   /le/ca-chain.pem    
  0050:  65 72 74 2f 63 68 61 69  6e 2e 70 65 6d                              
ldap_result ld 0x5621fef72c50 msgid 2
wait4msg ld 0x5621fef72c50 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x5621fef72c50 msgid 2 all 1
** ld 0x5621fef72c50 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Thu Apr 29 17:51:59 2021


** ld 0x5621fef72c50 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x5621fef72c50 request count 1 (abandoned 0)
** ld 0x5621fef72c50 Response Queue:
   Empty
  ld 0x5621fef72c50 response count 0
ldap_chkResponseList ld 0x5621fef72c50 msgid 2 all 1
ldap_chkResponseList returns ld 0x5621fef72c50 NULL
ldap_int_select
read1msg: ld 0x5621fef72c50 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 02 67 07 0a                            0....g..          
ldap_read: want=6, got=6
  0000:  01 50 04 00 04 00                                  .P....            
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b440 end=0x5621fef5b44c len=12
  0000:  02 01 02 67 07 0a 01 50  04 00 04 00               ...g...P....      
read1msg: ld 0x5621fef72c50 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b443 end=0x5621fef5b44c len=9
  0000:  67 07 0a 01 50 04 00 04  00                        g...P....         
read1msg: ld 0x5621fef72c50 0 new referrals
read1msg:  mark request completed, ld 0x5621fef72c50 msgid 2
request done: ld 0x5621fef72c50 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b443 end=0x5621fef5b44c len=9
  0000:  67 07 0a 01 50 04 00 04  00                        g...P....         
ber_scanf fmt (}) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b44c end=0x5621fef5b44c len=0

ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)

ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
  0000:  30 05 02 01 03 42 00                               0....B.           
ldap_write: want=7, written=7
  0000:  30 05 02 01 03 42 00                               0....B.           
ldap_free_connection: actually freed

Я попытался сделать это небольшим - добавление только цепочки ЦС сертификатов TLS должно быть очень специфической атомарной вещью, которую нужно добавить и получить правильно.

nmap говорит, что slapd/LDAP прослушивает порт 636.

root@auth:/etc/ssl/le/# grep -rn "ldaps" /etc
/etc/services:186:ldaps         636/tcp                         # LDAP over SSL
/etc/services:187:ldaps         636/udp
/etc/default/slapd:20:# service requests on TCP-port 636 (ldaps) and requests via unix
/etc/default/slapd:24:SLAPD_SERVICES="ldaps:/// ldapi:/// ldap:///"

root@auth:/etc/ssl/le/# nmap auth.example.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-29 18:26 UTC
Nmap scan report for auth.example.net (10.0.1.100)
Host is up (0.000029s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
389/tcp open  ldap
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds

Я попробовал "replace" перед тем, как попробовать "add" после строки changetype в /root/tmp/secureldap.conf.

Я проделал процедуру apparmor.

root@auth:/etc/apparmor.d# grep -rn ldap /etc/apparmor.d
/etc/apparmor.d/abstractions/nameservice:75:  # ldap
/etc/apparmor.d/abstractions/nameservice:76:  #include <abstractions/ldapclient>
/etc/apparmor.d/abstractions/nis:13:  # portmapper may ask root processes to do nis/ldap at low ports
/etc/apparmor.d/abstractions/ldapclient:11:  # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/apparmor.d/abstractions/ldapclient:12:  /etc/ldap.conf            r,
/etc/apparmor.d/abstractions/ldapclient:13:  /etc/ldap.secret          r,
/etc/apparmor.d/abstractions/ldapclient:14:  /etc/openldap/*           r,
/etc/apparmor.d/abstractions/ldapclient:15:  /etc/openldap/cacerts/*   r,
root@auth:/etc/apparmor.d# tail /etc/apparmor.d/local/usr.sbin.slapd 
/etc/ssl/le/ r,
/etc/ssl/le/* r

Застревание в одном месте начинает разочаровывать. Еще хуже - я не знаю, как прочитать сообщение об ошибке. Ошибка 80 и ничего больше - это практически бесполезно для меня.

0

debian ssl openldap lets-encrypt slapd

задан BradChesney79 29 April 2021 в 21:28

Ссылка

1 ответ

Debian 10, OpenLDAP, LetsEncrypt, Error 80 trying to add

Теги

Похожие вопросы