LDAPS not working: failed to bind to LDAP server (16.04)

LDAP works fine on my machine, but LDAPS does not seem to work. As mentioned on several forums, I tried specifying the certificate name with TLS_CACERTFILE in /etc/ldap.conf and TLS_CACERT in /etc/ldap/ldap.conf, but that does not seem to solve the problem. The same CA certificate was tested on other Linux servers (CentOS, Scientific, RHEL), and all of them authenticate properly over LDAPS using the specified certificate and bind.

Failure log

 04:22:57  nscd: nss_ldap: could not connect to any LDAP server as <bind account> - Can't contact LDAP server
 04:22:57  nscd: nss_ldap: failed to bind to LDAP server ldaps://example:636: Can't contact LDAP server
 04:22:57  nscd: nss_ldap: reconnecting to LDAP server...
 04:22:57  nscd: nss_ldap: could not connect to any LDAP server as <bind account> - Can't contact LDAP server
 04:22:57  nscd: nss_ldap: failed to bind to LDAP server ldaps://example:636: Can't contact LDAP server
 04:22:57  nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
 04:22:58  nscd: nss_ldap: could not connect to any LDAP server as <bind account> - Can't contact LDAP server
 04:22:58  nscd: nss_ldap: failed to bind to LDAP server ldaps://example:636: Can't contact LDAP server
 04:22:58  nscd: nss_ldap: could not search LDAP server - Server is unavailable

From the comments:

# ldapsearch -x -d5 -H ldaps://example
ldap_url_parse_ext(ldaps://example)
ldap_create
ldap_url_parse_ext(ldaps://example:636/??base) ...............
ldap_int_open_connection
ldap_connect_to_host: TCP example:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying <IP Address>:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x142)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) 

LDAP configuration

# cat /etc/ldap.conf
base              o=example.com
uri               ldaps://example:636
ldap_version      3
binddn            bind account
bindpw            bind passwd
pam_password      md5
nss_base_passwd   
nss_base_shadow   
nss_base_group    
nss_base_networks 
nss_base_netgroup 
ssl on
TLS_CACERTFILE  /etc/ldap/cacerts/cacert.pem
DEBUG   1
TLS_REQCERT    demand
# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ldap/cacerts/cacert.pem
TLS_REQCERT demand

BASE    o=example.com
URI     ldaps://example
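The ldapsearch trace above fails at `TLS: peer cert untrusted or revoked`, i.e. the client library could not build a trust path from the server certificate to whatever it loaded from TLS_CACERT. Before touching TLS_REQCERT, it is worth confirming that the two client configs actually point at the same CA file and that the file is readable and contains a well-formed PEM certificate. The checker below is an added example, not code from the question or from OpenLDAP/nss_ldap; the config strings are constructed copies of the two files shown in the question, the PEM bundle it writes is a constructed stand-in (not a real certificate), and the assumption that nss_ldap reads `tls_cacertfile` from /etc/ldap.conf while libldap reads `TLS_CACERT` from /etc/ldap/ldap.conf follows the question's own setup.

```python
import base64
import os
import stat
import tempfile

# Constructed copies of the two files from the question (comments and NSS
# search bases trimmed). nss_ldap/nscd reads /etc/ldap.conf; ldapsearch and
# anything linked against libldap reads /etc/ldap/ldap.conf.
NSS_LDAP_CONF = """\
base              o=example.com
uri               ldaps://example:636
ssl on
TLS_CACERTFILE  /etc/ldap/cacerts/cacert.pem
TLS_REQCERT    demand
"""

LIBLDAP_CONF = """\
# LDAP Defaults
TLS_CACERT      /etc/ldap/cacerts/cacert.pem
TLS_REQCERT demand
BASE    o=example.com
URI     ldaps://example
"""

# Constructed PEM block: base64 of the DER bytes 30 03 02 01 05, which starts
# with a SEQUENCE tag like a real certificate but is NOT a real certificate.
CONSTRUCTED_PEM = (
    b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)


def parse_ldap_conf(text):
    """Parse 'KEY value' lines; blank lines and '#' comments are skipped.
    Keys are lower-cased because both files treat them case-insensitively."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def count_pem_certificates(data):
    """Count PEM CERTIFICATE blocks whose body is valid base64 and decodes to
    DER beginning with a SEQUENCE tag (0x30), as every X.509 certificate does."""
    text = data.decode("ascii", errors="replace")
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    count, pos = 0, 0
    while True:
        i = text.find(begin, pos)
        j = text.find(end, i) if i >= 0 else -1
        if i < 0 or j < 0:
            return count
        body = "".join(text[i + len(begin):j].split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        if der[:1] == b"\x30":
            count += 1
        pos = j + len(end)


def check_ca_file(path):
    """Return a list of problems that would make the CA file unusable."""
    if not os.path.isfile(path):
        return [f"{path}: file does not exist"]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & stat.S_IROTH:
        problems.append(f"{path}: not world-readable (mode {oct(mode)}); "
                        "the user doing the lookup must be able to read it")
    with open(path, "rb") as f:
        n = count_pem_certificates(f.read())
    if n == 0:
        problems.append(f"{path}: no well-formed PEM CERTIFICATE block found")
    return problems


def check_tls_config(nss_conf, libldap_conf):
    """Cross-check both client configs: same CA path, verification not weakened.
    Returns (findings, ca_path_from_nss_conf)."""
    findings = []
    nss_ca = nss_conf.get("tls_cacertfile") or nss_conf.get("tls_cacert")
    lib_ca = libldap_conf.get("tls_cacert")
    if not nss_ca:
        findings.append("/etc/ldap.conf: no tls_cacertfile set")
    if not lib_ca:
        findings.append("/etc/ldap/ldap.conf: no TLS_CACERT set")
    if nss_ca and lib_ca and nss_ca != lib_ca:
        findings.append(f"CA paths differ: {nss_ca} vs {lib_ca}")
    for name, conf in (("/etc/ldap.conf", nss_conf), ("/etc/ldap/ldap.conf", libldap_conf)):
        if conf.get("tls_reqcert", "demand").lower() != "demand":
            findings.append(f"{name}: TLS_REQCERT is not 'demand' (trust problem masked, not fixed)")
    return findings, nss_ca


def write_constructed_bundle(pem=CONSTRUCTED_PEM):
    """Write the constructed PEM to a temp dir with mode 0644 and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "cacert.pem")
    with open(path, "wb") as f:
        f.write(pem)
    os.chmod(path, 0o644)
    return path


if __name__ == "__main__":
    findings, ca_path = check_tls_config(parse_ldap_conf(NSS_LDAP_CONF),
                                         parse_ldap_conf(LIBLDAP_CONF))
    for f in findings + check_ca_file(ca_path):
        print("PROBLEM:", f)
    print("constructed bundle check:", check_ca_file(write_constructed_bundle()) or "ok")
```

On a real host, point `check_ca_file` at the TLS_CACERT path from the live configs; if the file passes these checks and the handshake still reports `peer cert untrusted`, the remaining question is whether the bundle contains the CA that actually signed the server certificate (including any intermediate), which is what `openssl s_client -connect example:636 -CAfile /etc/ldap/cacerts/cacert.pem` will show under `Verify return code`.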
