主页 / server / 问题 / 919133
Accepted
DevAxeQuestion
Asked: 2018-07-03 01:32:30 +0800 CST

LDAP TSL ldap_modify:错误 80

  • 772

我从这个论坛和许多其他论坛中读到了一些建议,并尝试自己解决问题,但没有结果。我需要将证书添加到 ldap 并始终返回错误 80。

我是使用 ldap 向文件夹添加权限:

ls -la /etc/apache2/ssl/
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip  2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22  2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22  2017 od.censored.pl.key

我正在检查临时目录的权限:

ls -la /var/lib/lda*
razem 708
drwxr-xr-x  2 openldap openldap     4096 lip  2 10:39 .
drwxr-xr-x 79 root     root         4096 cze 30 09:06 ..
-rw-r--r--  1 openldap openldap     4096 cze 29 13:50 alock
-rw-------  1 openldap openldap     8192 kwi 13 11:12 cn.bdb
-rw-------  1 openldap openldap   548863 cze 29 14:20 __db.001
-rw-------  1 openldap openldap   147455 lip  2 10:50 __db.002
-rw-------  1 openldap openldap   114687 cze 29 13:50 __db.003
-rw-r--r--  1 openldap openldap       96 kwi 13 11:12 DB_CONFIG
-rw-------  1 openldap openldap     8192 kwi 13 11:12 dn2id.bdb
-rw-------  1 openldap openldap    32768 kwi 13 12:12 id2entry.bdb
-rw-------  1 openldap openldap 10485759 cze 29 14:20 log.0000000001
-rw-------  1 openldap openldap     8192 kwi 13 11:12 objectClass.bdb

certs.ldif 看起来:

cat -n certs.ldif 
     1  dn: cn=config
     2  changetype: modify
     3  replace: olcTLSCertificateFile
     4  olcTLSCertificateFile: /etc/apache2/ssl/od.censored.pl.crt
     5  
     6  dn: cn=config
     7  changetype: modify
     8  replace: olcTLSCertificateKeyFile
     9  olcTLSCertificateKeyFile: /etc/apache2/ssl/od.censored.pl.key

但我一遍又一遍地看到错误:

ldapmodify -Y EXTERNAL -H ldapi:/// -vvv -f certs.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
replace olcTLSCertificateFile:
    /etc/apache2/ssl/od.censored.pl.crt
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

添加尝试后的日志:

   195  Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 op=1 RESULT tag=103 err=0 text=
   196  Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 op=2 UNBIND
   197  Jul  4 12:50:49 odps02 slapd[18075]: conn=1005 fd=18 closed
   198  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 fd=18 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
   199  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND dn="" method=163
   200  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
   201  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
   202  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=0 RESULT tag=97 err=0 text=
   203  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 MOD dn="cn=config"
   204  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 MOD attr=olcTLSCertificateFile
   205  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=1 RESULT tag=103 err=80 text=
   206  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 op=2 UNBIND
   207  Jul  4 12:54:57 odps02 slapd[18075]: conn=1006 fd=18 closed

调试导入尝试:

ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=odps02
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x55ab9f63d3f0 ptr=0x55ab9f63d3f0 end=0x55ab9f63d40a len=26
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ber_scanf fmt ({i) ber:
ber_dump: buf=0x55ab9f63d3f0 ptr=0x55ab9f63d3f5 end=0x55ab9f63d40a len=21
  0000:  60 13 02 01 03 04 00 a3  0c 04 08 45 58 54 45 52   `..........EXTER  
  0010:  4e 41 4c 04 00                                     NAL..             
ber_flush2: 26 bytes to sd 4
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ldap_write: want=26, written=26
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........  
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..        
ldap_msgfree
ldap_result ld 0x55ab9f63b260 msgid 1
wait4msg ld 0x55ab9f63b260 msgid 1 (infinite timeout)
wait4msg continue ld 0x55ab9f63b260 msgid 1 all 1
** ld 0x55ab9f63b260 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Fri Jul  6 15:04:50 2018


** ld 0x55ab9f63b260 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55ab9f63b260 request count 1 (abandoned 0)
** ld 0x55ab9f63b260 Response Queue:
   Empty
  ld 0x55ab9f63b260 response count 0
ldap_chkResponseList ld 0x55ab9f63b260 msgid 1 all 1
ldap_chkResponseList returns ld 0x55ab9f63b260 NULL
ldap_int_select
read1msg: ld 0x55ab9f63b260 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..          
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......            
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d990 end=0x55ab9f61d99c len=12
  0000:  02 01 01 61 07 0a 01 00  04 00 04 00               ...a........      
read1msg: ld 0x55ab9f63b260 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........         
read1msg: ld 0x55ab9f63b260 0 new referrals
read1msg:  mark request completed, ld 0x55ab9f63b260 msgid 1
request done: ld 0x55ab9f63b260 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........         
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d993 end=0x55ab9f61d99c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........         
ber_scanf fmt (}) ber:
ber_dump: buf=0x55ab9f61d990 ptr=0x55ab9f61d99c end=0x55ab9f61d99c len=0

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x55ab9f640b00 ptr=0x55ab9f640b00 end=0x55ab9f640b58 len=88
  0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf  
  0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc  
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
  0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa  
  0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni  
  0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr          
ber_scanf fmt ({) ber:
ber_dump: buf=0x55ab9f640b00 ptr=0x55ab9f640b05 end=0x55ab9f640b58 len=83
  0000:  66 51 04 09 63 6e 3d 63  6f 6e 66 69 67 30 44 30   fQ..cn=config0D0  
  0010:  42 0a 01 02 30 3d 04 17  6f 6c 63 54 4c 53 43 41   B...0=..olcTLSCA  
  0020:  43 65 72 74 69 66 69 63  61 74 65 46 69 6c 65 31   CertificateFile1  
  0030:  22 04 20 2f 65 74 63 2f  61 70 61 63 68 65 32 2f   ". /etc/apache2/  
  0040:  73 73 6c 2f 6f 64 2e 70  67 6e 69 67 2e 70 6c 2e   ssl/od.censored.pl.  
  0050:  63 73 72                                           csr               
ber_flush2: 88 bytes to sd 4
  0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf  
  0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc  
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
  0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa  
  0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni  
  0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr          
ldap_write: want=88, written=88
  0000:  30 56 02 01 02 66 51 04  09 63 6e 3d 63 6f 6e 66   0V...fQ..cn=conf  
  0010:  69 67 30 44 30 42 0a 01  02 30 3d 04 17 6f 6c 63   ig0D0B...0=..olc  
  0020:  54 4c 53 43 41 43 65 72  74 69 66 69 63 61 74 65   TLSCACertificate  
  0030:  46 69 6c 65 31 22 04 20  2f 65 74 63 2f 61 70 61   File1". /etc/apa  
  0040:  63 68 65 32 2f 73 73 6c  2f 6f 64 2e 70 67 6e 69   che2/ssl/od.pgni  
  0050:  67 2e 70 6c 2e 63 73 72                            g.pl.csr          
ldap_result ld 0x55ab9f63b260 msgid 2
wait4msg ld 0x55ab9f63b260 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x55ab9f63b260 msgid 2 all 1
** ld 0x55ab9f63b260 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Fri Jul  6 15:04:50 2018


** ld 0x55ab9f63b260 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55ab9f63b260 request count 1 (abandoned 0)
** ld 0x55ab9f63b260 Response Queue:
   Empty
  ld 0x55ab9f63b260 response count 0
ldap_chkResponseList ld 0x55ab9f63b260 msgid 2 all 1
ldap_chkResponseList returns ld 0x55ab9f63b260 NULL
ldap_int_select
read1msg: ld 0x55ab9f63b260 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 02 67 07 0a                            0....g..          
ldap_read: want=6, got=6
  0000:  01 50 04 00 04 00                                  .P....            
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c910 end=0x55ab9f61c91c len=12
  0000:  02 01 02 67 07 0a 01 50  04 00 04 00               ...g...P....      
read1msg: ld 0x55ab9f63b260 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c913 end=0x55ab9f61c91c len=9
  0000:  67 07 0a 01 50 04 00 04  00                        g...P....         
read1msg: ld 0x55ab9f63b260 0 new referrals
read1msg:  mark request completed, ld 0x55ab9f63b260 msgid 2
request done: ld 0x55ab9f63b260 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c913 end=0x55ab9f61c91c len=9
  0000:  67 07 0a 01 50 04 00 04  00                        g...P....         
ber_scanf fmt (}) ber:
ber_dump: buf=0x55ab9f61c910 ptr=0x55ab9f61c91c end=0x55ab9f61c91c len=0

ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)

ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
  0000:  30 05 02 01 03 42 00                               0....B.           
ldap_write: want=7, written=7
  0000:  30 05 02 01 03 42 00                               0....B.           
ldap_free_connection: actually freed

请为任何建议如何解决它。

这个问题对我来说是个大问题,因为我无法完成必要服务器的配置,请寻求帮助。

ubuntu

4 个回答

  1. Best Answer

    如果openldap是运行 OpenLDAP 的 slapd 的系统用户,则问题中列出的此所有权/权限不允许 slap 读取服务器证书和私钥:

    ls -la /etc/apache2/ssl/
razem 16
drwxrwxr-- 2 root root 4096 cze 29 12:52 .
drwxr-xr-x 9 root root 4096 lip  2 10:33 ..
-rwxrwxr-- 1 root root 1545 gru 22  2017 od.censored.pl.crt
-rwxrwxr-- 1 root root 1704 gru 22  2017 od.censored.pl.key

    与例如 Apache slapd相反,即使在使用静态配置文件时,也会在调用后初始化SSLContext 。setuid()并且对于动态配置 (cn=config),无论如何它都必须在处理 LDAP 修改期间读取文件。

    因此尝试这个来修复组所有权:

    chgrp -R openldap /etc/apache2/ssl

    并删除不需要的 exec 权限:

    chmod 0640 /etc/apache2/ssl/od.censored.pl.crt /etc/apache2/ssl/od.censored.pl.key
    • 1

  2. Ubuntu 16.04 - apparmor 不喜欢将证书放在其他地方用于 slapd

    从我们的日志

    audit: type=1400 audit(1576557786.149:51): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/usr/local/etc/ssl_certs/our.pri_key" pid=15900 comm="slapd" requested_mask="r" denied_mask="r" fsuid=114 ouid=0

    通过禁用 slapd 的 apparmor 并重新启动来修复

    root@alc-jw-test5:~# ls -l /etc/apparmor.d/disable/usr.sbin.slapd
lrwxrwxrwx 1 root root 30 Dec 17 15:43 /etc/apparmor.d/disable/usr.sbin.slapd -> /etc/apparmor.d/usr.sbin.slapd
    • 1

  3. 我解决了这个问题,只是按照正确的顺序使用第一个密钥,然后是证书。它对我有用。

    dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.kart.com.key 

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.kart.com.cert
    • 1

  4. 我遇到了这个问题,我尝试了很多解决方案,最终得出的结论是这是一个 apparmor 问题。我通过安装重新配置 slapd 配置文件解决了这个问题。

    所以首先我必须安装 app-armor 配置文件

    apt install apparmor-profiles

    其次,我不得不重新配置配置文件。因此,您将需要打开两个 ssh 会话,或者在一个屏幕会话中执行此操作,其中一个运行您的 ldap 命令,一个运行 aa-genprof。

    所以在一个会话中运行

    aa-genprof slapd

    您将看到类似这样的内容 > Profiling: /usr/sbin/slapd


    请在另一个窗口中启动要分析的应用程序并立即使用它的功能。
    完成后,选择下面的“扫描”选项
    以扫描系统日志以查找 AppArmor 事件。
    对于每个 AppArmor 事件,您将有
    机会选择是
    允许还是拒绝访问。
    [(S)可以记录 AppArmor 事件的系统日志] /(F)结束

    现在.. 在您的其他会话中运行您的 ldif 脚本或 ldapmodify 中的命令。

    在您的 genprof 会话中,您将扫描系统日志以查找 AppArmor 事件,您将获得允许该操作的选项....所以简单地说,当您完成并保存新配置文件时,允许它.. 哇哦!

    • 0

相关问题