Stay hungry,Stay foolish


ldapsearch Can't contact LDAP server

LDAP queries that had been working fine suddenly started failing today:

dev@ubuntu ~ $ ldapsearch -w  -b 'ou=People,dc=intra,dc=test,dc=com' -H LDAPS://ldap.intra.test.com -D 'uid=test,ou=People,dc=intra,dc=test,dc=com'
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Turning on debug output shows more detail; it is almost certainly a certificate problem:

dev@ubuntu ~ $ ldapsearch -w  -b 'ou=People,dc=intra,dc=test,dc=com' -H LDAPS://ldap.intra.test.com -D 'uid=test,ou=People,dc=intra,dc=test,dc=com' -d 1
ldap_url_parse_ext(LDAPS://ldap.intra.test.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.intra.test.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.intra.test.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying fd6d:523c:4aff:a00::2 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS certificate verification: depth: 1, err: 20, subject: /C=CN/O=Test/CN=Test RSA SERVER CA, issuer: /C=CN/O=Test/CN=Test RSA Certification Authority/emailAddress=ca@test.com
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Checking the relevant man page, man ldap.conf, turns up the following key information:

TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session, if any. The <level> can be specified as one of the following keywords:

never The client will not request or check any server certificate.

allow The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

try The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.

demand | hard
These keywords are equivalent. The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting.

The fix is as follows:

echo 'TLS_REQCERT never' > ~/.ldaprc

or

echo 'TLS_REQCERT allow' > ~/.ldaprc

After asking around and confirming, it turned out that the querying machine (the client) had received a system update, and the TLS_REQCERT setting had been left out of /etc/ldap/ldap.conf.

Root cause: self-signed certificate.
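The debug trace above carries the exact reason for the failure: OpenSSL verify error 20 ("unable to get local issuer certificate") at depth 1, together with the issuer DN of the private CA the client does not trust. The following POSIX shell script is an added example, not part of the original post: it parses a constructed copy of that trace, maps the verify error code to the ldap.conf directive that addresses it, and renders a ~/.ldaprc that keeps TLS_REQCERT at its default of demand and points TLS_CACERT (a real ldap.conf directive not quoted on the page) at the CA bundle, so the server certificate is still verified instead of the check being switched off. The CA file path is a placeholder.

```shell
#!/bin/sh
# Added example: classify OpenLDAP client TLS failures from `ldapsearch -d 1` output
# and emit ldap.conf / ~/.ldaprc settings that keep certificate verification on.

# Constructed sample, copied from the page's debug trace (the decisive lines only).
SAMPLE_TRACE=$(cat <<'EOF'
TLS certificate verification: depth: 1, err: 20, subject: /C=CN/O=Test/CN=Test RSA SERVER CA, issuer: /C=CN/O=Test/CN=Test RSA Certification Authority/emailAddress=ca@test.com
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
EOF
)

# tls_verify_err: print the OpenSSL verify error code ("err: N") from the first
# "TLS certificate verification" line of a debug trace, or nothing if there is none.
tls_verify_err() {
    printf '%s\n' "$1" \
      | sed -n 's/.*TLS certificate verification: depth: [0-9]*, err: \([0-9]*\),.*/\1/p' \
      | head -n 1
}

# tls_issuer: print the issuer DN reported on that line; this is the CA whose
# certificate must be present in the client's trust store.
tls_issuer() {
    printf '%s\n' "$1" \
      | sed -n 's/.*TLS certificate verification: depth: [0-9]*, err: [0-9]*, subject: .*, issuer: \(.*\)$/\1/p' \
      | head -n 1
}

# classify_tls_failure: map the verify error code (OpenSSL X509_V_ERR_* numbering)
# to the client-side action that fixes it without weakening TLS_REQCERT.
classify_tls_failure() {
    case "$(tls_verify_err "$1")" in
        20|19) echo "TLS_CACERT" ;;  # issuer not in local trust store (private or self-signed CA)
        10)    echo "EXPIRED" ;;     # server certificate has expired: renew it on the server
        62)    echo "HOSTNAME" ;;    # hostname mismatch: fix the -H URI or the certificate SAN
        "")    echo "NOT_TLS" ;;     # no verification line at all: the failure is elsewhere
        *)     echo "OTHER" ;;
    esac
}

# ldaprc_for: render a ~/.ldaprc that keeps the default "demand" level and adds the CA
# bundle path supplied by the caller (placeholder path; not from the original post).
ldaprc_for() {
    ca_file="$1"
    printf 'TLS_REQCERT demand\nTLS_CACERT %s\n' "$ca_file"
}

main() {
    kind=$(classify_tls_failure "$SAMPLE_TRACE")
    echo "verify error code: $(tls_verify_err "$SAMPLE_TRACE") ($kind)"
    echo "issuer that must be in the trust store: $(tls_issuer "$SAMPLE_TRACE")"
    if [ "$kind" = "TLS_CACERT" ]; then
        echo "suggested ~/.ldaprc:"
        ldaprc_for /etc/ssl/certs/test-root-ca.pem   # placeholder CA bundle path
    fi
}
main
```

Run it as `sh classify_ldap_tls.sh`; in practice, pipe the real `ldapsearch -d 1` output into the functions instead of the constructed sample. Setting TLS_REQCERT to never or allow makes the bind succeed, but it also means any host answering on port 636 is accepted; installing the private CA and referencing it with TLS_CACERT resolves error 20 while keeping the check.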