Мне нужно подключить базу данных ApacheDS с помощью startTLS с клиентом OpenLDAP. Мой файл ldaprc содержит:
URI ldap://127.0.0.1:7323 ldaps://127.0.0.1:7423
SSL start_tls
SASL_MECH plain
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLS_REQCERT allow
Я использовал следующую команду:
ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -Z -d1
Я проверил, мой сервер прослушивает эти порты, я могу подключиться к другим клиентам (например, ldapbrowser, jxplorer), но тесты с OpenLdap не работают:
...
ldap_connect_to_host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f81d95282a0 msgid 1
wait4msg ld 0x7f81d95282a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f81d95282a0 msgid 1 all 1
** ld 0x7f81d95282a0 Connections:
* host: 127.0.0.1 port: 7323 (default)
refcnt: 2 status: Connected
last used: Tue Dec 8 09:51:45 2015
** ld 0x7f81d95282a0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f81d95282a0 request count 1 (abandoned 0)
** ld 0x7f81d95282a0 Response Queue:
Empty
ld 0x7f81d95282a0 response count 0
ldap_chkResponseList ld 0x7f81d95282a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f81d95282a0 NULL
ldap_int_select
read1msg: ld 0x7f81d95282a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7f81d95282a0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f81d95282a0 0 new referrals
read1msg: mark request completed, ld 0x7f81d95282a0 msgid 1
request done: ld 0x7f81d95282a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: error:140773F2:SSLroutines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
Есть идеи, что я делаю не так или что мне не хватает?
edit: Как вы меня спросили, я использовал параметр -ZZ и то, что у меня есть:
ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -ZZ -d1 ldap_url_parse_ext(ldap://localhost:7323)
ldap_create
ldap_url_parse_ext(ldap://localhost:7323/??base) ldap_extended_operation_s ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:7323
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7ff278d7e2a0 msgid 1
wait4msg ld 0x7ff278d7e2a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7ff278d7e2a0 msgid 1 all 1
** ld 0x7ff278d7e2a0 Connections:
* host: localhost port: 7323 (default) refcnt: 2 status: Connected
last used: Mon Dec 14 08:48:04 2015
** ld 0x7ff278d7e2a0 Outstanding Requests: * msgid 1, origid 1, status
InProgress outstanding referrals 0, parent count 0 ld 0x7ff278d7e2a0 request count 1 (abandoned 0)
** ld 0x7ff278d7e2a0 Response Queue: Empty ld 0x7ff278d7e2a0 response count 0 ldap_chkResponseList ld 0x7ff278d7e2a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7ff278d7e2a0 NULL
ldap_int_select read1msg: ld 0x7ff278d7e2a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7ff278d7e2a0 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7ff278d7e2a0 0 new referrals read1msg: mark request completed, ld 0x7ff278d7e2a0 msgid 1 request done: ld 0x7ff278d7e2a0 msgid 1 res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x)
ber: ber_scanf fmt (}) ber: ldap_msgfree<br/>TLS trace:
SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A<br/> TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv#
alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11) additional info: error:140773F2:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
Я обнаружил, что ApacheDS не поддерживает SSLv2, как и Java 1.7 по умолчанию. Поэтому я отключил SSLv2 в OpenLDAP, добавив также минимальную версию протокола: TLS_PROTOCOL_MIN 3.3. Это был мой обходной путь.