
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) against Docker openldap osixia/openldap:1.3.0

Problem

When I run ldapsearch I get the connection status followed by the error: Can't contact LDAP server (-1)

ldapsearch -x -H ldap://localhost:636 -d 1 -ZZ

Can't contact LDAP server (-1)

ldap_url_parse_ext(ldap://localhost:636)
ldap_create
ldap_url_parse_ext(ldap://localhost:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x55a5634972a0 msgid 1
wait4msg ld 0x55a5634972a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x55a5634972a0 msgid 1 all 1
** ld 0x55a5634972a0 Connections:
* host: localhost  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Jun  4 04:39:35 2020


** ld 0x55a5634972a0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55a5634972a0 request count 1 (abandoned 0)
** ld 0x55a5634972a0 Response Queue:
   Empty
  ld 0x55a5634972a0 response count 0
ldap_chkResponseList ld 0x55a5634972a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x55a5634972a0 NULL
ldap_int_select
read1msg: ld 0x55a5634972a0 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed

I followed the suggested solution for this similar error .... Some systems can't connect to ldap via ldaps but others can, is it a wildcard certificate?

Certificates

  1. Create the key with -des3 and without it

    openssl genrsa -des3 -out root.key 4096

  2. Create a certificate request without a password.

    openssl req -new -days 365 -key root.key -out root.csr

  3. Signed the certificate

    openssl x509 -in root.csr -req -signkey root.key -out root.crt -days 365

  4. Added it to the store and specified the path in the Dockerfile

    sudo dpkg-reconfigure ca-certificates

When the server starts, the keys show up correctly in the certs folder on the server.

Files

Dockerfile

FROM osixia/openldap:1.3.0
MAINTAINER dave@daverussell.co.uk

ADD bootstrap /container/service/slapd/assets/config/bootstrap
ADD certs /container/service/slapd/assets/certs
ADD environment /container/environment/01-custom

I created my own keys, and the certificates are copied into the certs directory when the image is built.

docker-compose.yaml

version: '3'
services:
  ldap_jtc:
    build: ./build
    image:  osixia/openldap:1.3.0
    container_name: ldap_jtc
    command: --loglevel debug --copy-service
    environment:
      LDAP_LOG_LEVEL: 256
      LDAP_ORGANISATION: "JTC Ltd"
      LDAP_DOMAIN: ldap_jtc
      LDAP_BASE_DN: ldap_jtc
      LDAP_ADMIN_PASSWORD: admin
      LDAP_CONFIG_PASSWORD: config
      LDAP_READONLY_USER: "false"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: mdb
      LDAP_TLS: "false"
      LDAP_TLS_CRT_FILENAME: root.crt
      LDAP_TLS_KEY_FILENAME: root.key
      LDAP_TLS_CA_CRT_FILENAME: root.crt
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_PROTOCOL_MIN: 3.1
      LDAP_TLS_VERIFY_CLIENT: try
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: ldap
    tty: true
    stdin_open: true
    volumes:
            - "ldap_data:/var/lib/ldap"
            - "ldap_conf:/etc/ldap/slapd.d"
            - "ldap_cert:/container/service/slapd/assets/certs/"
    ports:
      - "389:389"
      - "636:636"
    domainname: "ldap_jtc" # important: same as hostname
    hostname: "ldap_jtc"
volumes:
        ldap_data:
        ldap_conf:
        ldap_cert:

Troubleshooting

Debugging the Docker Compose build and run

Before running ....

Input

docker-compose up --build

Output

Creating volume "ldap_ldap_conf" with default driver
Creating volume "ldap_ldap_cert" with default driver
Creating volume "ldap_ldap_data" with default driver
Building ldap_jtc
Step 1/5 : FROM osixia/openldap:1.3.0
1.3.0: Pulling from osixia/openldap
8d691f585fa8: Pull complete
a5325a759667: Pull complete
21608ed88645: Pull complete
43c68a1f13be: Pull complete
24b4bb91f7a0: Pull complete
0e00059d443d: Pull complete
cb38955b6eb8: Pull complete
e930e18e9ac7: Pull complete
96d76b6db5da: Pull complete
Digest: sha256:66bf8dafc3c47a387dfa9d87425acab96acd8a3f2a62a8f6393584c27777cb41
Status: Downloaded newer image for osixia/openldap:1.3.0
 ---> faac9bb59f83
Step 2/5 : MAINTAINER dave@daverussell.co.uk
 ---> Running in 59d607b56ded
Removing intermediate container 59d607b56ded
 ---> 7645d9e22e7a
Step 3/5 : ADD bootstrap /container/service/slapd/assets/config/bootstrap
 ---> f663d14466cb
Step 4/5 : ADD certs /container/service/slapd/assets/certs
 ---> de1da8d9d6f0
Step 5/5 : ADD environment /container/environment/01-custom
 ---> 2426482381ee
Successfully built 2426482381ee
Successfully tagged osixia/openldap:1.3.0
Creating ldap_jtc ... 
Creating ldap_jtc ... done
Attaching to ldap_jtc
ldap_jtc    | *** CONTAINER_LOG_LEVEL = 4 (debug)
ldap_jtc    | *** Copy /container/service to /container/run/service
ldap_jtc    | *** Search service in CONTAINER_SERVICE_DIR = /container/run/service :
ldap_jtc    | *** link /container/run/service/:ssl-tools/startup.sh to /container/run/startup/:ssl-tools
ldap_jtc    | *** link /container/run/service/slapd/startup.sh to /container/run/startup/slapd
ldap_jtc    | *** link /container/run/service/slapd/process.sh to /container/run/process/slapd/run
ldap_jtc    | *** Set environment for startup files
ldap_jtc    | *** ignore : LANG = en_US.UTF-8 (keep LANG = en_US.UTF-8 )
ldap_jtc    | *** ignore : LANGUAGE = en_US.UTF-8 (keep LANGUAGE = en_US:en )
ldap_jtc    | *** Environment files will be proccessed in this order : 
ldap_jtc    | Caution: previously defined variables will not be overriden.
ldap_jtc    | /container/environment/99-default/default.startup.yaml
ldap_jtc    | /container/environment/99-default/default.yaml
ldap_jtc    | 
ldap_jtc    | *** --- process file : /container/environment/99-default/default.startup.yaml ---
ldap_jtc    | *** ignore : LDAP_ORGANISATION = Example Inc. (keep LDAP_ORGANISATION = JTC Ltd )
ldap_jtc    | *** ignore : LDAP_DOMAIN = example.org (keep LDAP_DOMAIN = ldap_jtc )
ldap_jtc    | *** ignore : LDAP_BASE_DN =  (keep LDAP_BASE_DN = ldap_jtc )
ldap_jtc    | *** ignore : LDAP_ADMIN_PASSWORD = admin (keep LDAP_ADMIN_PASSWORD = admin )
ldap_jtc    | *** ignore : LDAP_CONFIG_PASSWORD = config (keep LDAP_CONFIG_PASSWORD = config )
ldap_jtc    | *** ignore : LDAP_READONLY_USER = False (keep LDAP_READONLY_USER = false )
ldap_jtc    | *** ignore : LDAP_RFC2307BIS_SCHEMA = False (keep LDAP_RFC2307BIS_SCHEMA = false )
ldap_jtc    | *** ignore : LDAP_BACKEND = mdb (keep LDAP_BACKEND = mdb )
ldap_jtc    | *** ignore : LDAP_TLS = True (keep LDAP_TLS = false )
ldap_jtc    | *** ignore : LDAP_TLS_CRT_FILENAME = ldap.crt (keep LDAP_TLS_CRT_FILENAME = ldap_jtc.crt )
ldap_jtc    | *** ignore : LDAP_TLS_KEY_FILENAME = ldap.key (keep LDAP_TLS_KEY_FILENAME = ldap_jtc.key )
ldap_jtc    | *** ignore : LDAP_TLS_DH_PARAM_FILENAME = dhparam.pem (keep LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr )
ldap_jtc    | *** ignore : LDAP_TLS_CA_CRT_FILENAME = ca.crt (keep LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt )
ldap_jtc    | *** ignore : LDAP_TLS_ENFORCE = False (keep LDAP_TLS_ENFORCE = false )
ldap_jtc    | *** ignore : LDAP_TLS_CIPHER_SUITE = SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC (keep LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0 )
ldap_jtc    | *** ignore : LDAP_TLS_VERIFY_CLIENT = demand (keep LDAP_TLS_VERIFY_CLIENT = demand )
ldap_jtc    | *** ignore : LDAP_REPLICATION = False (keep LDAP_REPLICATION = false )
ldap_jtc    | *** ignore : KEEP_EXISTING_CONFIG = False (keep KEEP_EXISTING_CONFIG = false )
ldap_jtc    | *** ignore : LDAP_REMOVE_CONFIG_AFTER_SETUP = True (keep LDAP_REMOVE_CONFIG_AFTER_SETUP = true )
ldap_jtc    | *** ignore : LDAP_SSL_HELPER_PREFIX = ldap (keep LDAP_SSL_HELPER_PREFIX = ldap )
ldap_jtc    | *** --- process file : /container/environment/99-default/default.yaml ---
ldap_jtc    | *** ignore : LDAP_LOG_LEVEL = 256 (keep LDAP_LOG_LEVEL = 256 )
ldap_jtc    | *** Run commands before startup...
ldap_jtc    | *** Running /container/run/startup/:ssl-tools...
ldap_jtc    | *** ------------ Environment dump ------------
ldap_jtc    | *** PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ldap_jtc    | *** HOSTNAME = ldap_jtc
ldap_jtc    | *** TERM = xterm
ldap_jtc    | *** LDAP_LOG_LEVEL = 256
ldap_jtc    | *** LDAP_REPLICATION = false
ldap_jtc    | *** LDAP_TLS_VERIFY_CLIENT = demand
ldap_jtc    | *** LDAP_TLS_CRT_FILENAME = ldap_jtc.crt
ldap_jtc    | *** LDAP_TLS = false
ldap_jtc    | *** LDAP_TLS_PROTOCOL_MIN = 3.1
ldap_jtc    | *** LDAP_ORGANISATION = JTC Ltd
ldap_jtc    | *** LDAP_ADMIN_PASSWORD = admin
ldap_jtc    | *** LDAP_DOMAIN = ldap_jtc
ldap_jtc    | *** LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr
ldap_jtc    | *** KEEP_EXISTING_CONFIG = false
ldap_jtc    | *** LDAP_SSL_HELPER_PREFIX = ldap
ldap_jtc    | *** LDAP_BASE_DN = ldap_jtc
ldap_jtc    | *** LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt
ldap_jtc    | *** LDAP_TLS_ENFORCE = false
ldap_jtc    | *** LDAP_READONLY_USER = false
ldap_jtc    | *** LDAP_TLS_KEY_FILENAME = ldap_jtc.key
ldap_jtc    | *** LDAP_CONFIG_PASSWORD = config
ldap_jtc    | *** LDAP_REMOVE_CONFIG_AFTER_SETUP = true
ldap_jtc    | *** LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0
ldap_jtc    | *** LDAP_BACKEND = mdb
ldap_jtc    | *** LDAP_RFC2307BIS_SCHEMA = false
ldap_jtc    | *** LANG = en_US.UTF-8
ldap_jtc    | *** LANGUAGE = en_US:en
ldap_jtc    | *** LC_ALL = en_US.UTF-8
ldap_jtc    | *** HOME = /root
ldap_jtc    | *** CONTAINER_SERVICE_DIR = /container/run/service
ldap_jtc    | *** CONTAINER_STATE_DIR = /container/run/state
ldap_jtc    | *** CONTAINER_LOG_LEVEL = 4
ldap_jtc    | *** INITRD = no
ldap_jtc    | *** LC_CTYPE = en_US.UTF-8
ldap_jtc    | *** LDAP_READONLY_USER_USERNAME = readonly
ldap_jtc    | *** LDAP_READONLY_USER_PASSWORD = readonly
ldap_jtc    | *** LDAP_REPLICATION_CONFIG_SYNCPROV = binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
ldap_jtc    | *** LDAP_REPLICATION_DB_SYNCPROV = binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
ldap_jtc    | *** LDAP_REPLICATION_HOSTS = #COMPLEX_BASH_ENV:TABLE: LDAP_REPLICATION_HOSTS_ROW_1 LDAP_REPLICATION_HOSTS_ROW_2
ldap_jtc    | *** SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED = slapd
ldap_jtc    | *** LDAP_NOFILE = 1024
ldap_jtc    | *** DISABLE_CHOWN = False
ldap_jtc    | *** LDAP_REPLICATION_HOSTS_ROW_1 = ldap://ldap.example.org
ldap_jtc    | *** LDAP_REPLICATION_HOSTS_ROW_2 = ldap://ldap2.example.org
ldap_jtc    | *** ------------------------------------------
ldap_jtc    | *** Running /container/run/startup/slapd...
ldap_jtc    | *** ------------ Environment dump ------------
ldap_jtc    | *** CONTAINER_LOG_LEVEL = 4
ldap_jtc    | *** CONTAINER_SERVICE_DIR = /container/run/service
ldap_jtc    | *** CONTAINER_STATE_DIR = /container/run/state
ldap_jtc    | *** DISABLE_CHOWN = False
ldap_jtc    | *** HOME = /root
ldap_jtc    | *** HOSTNAME = ldap_jtc
ldap_jtc    | *** INITRD = no
ldap_jtc    | *** KEEP_EXISTING_CONFIG = false
ldap_jtc    | *** LANG = en_US.UTF-8
ldap_jtc    | *** LANGUAGE = en_US:en
ldap_jtc    | *** LC_ALL = en_US.UTF-8
ldap_jtc    | *** LC_CTYPE = en_US.UTF-8
ldap_jtc    | *** LDAP_ADMIN_PASSWORD = admin
ldap_jtc    | *** LDAP_BACKEND = mdb
ldap_jtc    | *** LDAP_BASE_DN = ldap_jtc
ldap_jtc    | *** LDAP_CONFIG_PASSWORD = config
ldap_jtc    | *** LDAP_DOMAIN = ldap_jtc
ldap_jtc    | *** LDAP_LOG_LEVEL = 256
ldap_jtc    | *** LDAP_NOFILE = 1024
ldap_jtc    | *** LDAP_ORGANISATION = JTC Ltd
ldap_jtc    | *** LDAP_READONLY_USER = false
ldap_jtc    | *** LDAP_READONLY_USER_PASSWORD = readonly
ldap_jtc    | *** LDAP_READONLY_USER_USERNAME = readonly
ldap_jtc    | *** LDAP_REMOVE_CONFIG_AFTER_SETUP = true
ldap_jtc    | *** LDAP_REPLICATION = false
ldap_jtc    | *** LDAP_REPLICATION_CONFIG_SYNCPROV = binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
ldap_jtc    | *** LDAP_REPLICATION_DB_SYNCPROV = binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
ldap_jtc    | *** LDAP_REPLICATION_HOSTS = #COMPLEX_BASH_ENV:TABLE: LDAP_REPLICATION_HOSTS_ROW_1 LDAP_REPLICATION_HOSTS_ROW_2
ldap_jtc    | *** LDAP_REPLICATION_HOSTS_ROW_1 = ldap://ldap.example.org
ldap_jtc    | *** LDAP_REPLICATION_HOSTS_ROW_2 = ldap://ldap2.example.org
ldap_jtc    | *** LDAP_RFC2307BIS_SCHEMA = false
ldap_jtc    | *** LDAP_SSL_HELPER_PREFIX = ldap
ldap_jtc    | *** LDAP_TLS = false
ldap_jtc    | *** LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt
ldap_jtc    | *** LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0
ldap_jtc    | *** LDAP_TLS_CRT_FILENAME = ldap_jtc.crt
ldap_jtc    | *** LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr
ldap_jtc    | *** LDAP_TLS_ENFORCE = false
ldap_jtc    | *** LDAP_TLS_KEY_FILENAME = ldap_jtc.key
ldap_jtc    | *** LDAP_TLS_PROTOCOL_MIN = 3.1
ldap_jtc    | *** LDAP_TLS_VERIFY_CLIENT = demand
ldap_jtc    | *** PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ldap_jtc    | *** SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED = slapd
ldap_jtc    | *** TERM = xterm
ldap_jtc    | *** ------------------------------------------
ldap_jtc    | Database and config directory are empty...
ldap_jtc    | Init new ldap server...

Show certificates

A. Running from the host

Input

openssl s_client -showcerts -connect localhost:636

Output

CONNECTED(00000005)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 311 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

b. Running from the container

Input

sudo docker exec -it ldap_jtc bash

Running inside the container ...

root@ldap_jtc:/# openssl s_client -showcerts -connect 127.0.0.1:636

Output

139636822721664:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139636822721664:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
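Two details in the question's own output narrow this down, and the script below, an added example rather than anything from the original post, turns them into a repeatable check. First, `ldapsearch -x -H ldap://localhost:636 -ZZ` requests StartTLS over a plain ldap:// URL on port 636: the debug trace shows the 31-byte StartTLS extended request being flushed and then nothing ever read back, which is what a cleartext LDAP PDU gets when it is sent to a port that expects a TLS ClientHello, or to a port with no LDAP listener behind it. Second, `openssl s_client` run inside the container gets "Connection refused" on 127.0.0.1:636, so nothing is listening on 636 there, which is consistent with `LDAP_TLS: "false"` in the compose file and in the environment dump; the host-side "connect success" and "SSL handshake has read 0 bytes" only show that the published port accepted the TCP connection. The script parses the URI (assumed: hostnames or IPv4 only, no [IPv6] literals), classifies the scheme/port/-ZZ combination, and probes the port with openssl s_client so that "nothing listening", "plaintext/TLS mismatch" and "TLS failure" can be told apart. The file name, function names and verdict strings are my own.

```shell
#!/bin/sh
# ldap-uri-check.sh: added example, not from the original question.
# Sanity-check an LDAP URI + StartTLS flag combination before running
# ldapsearch, then probe the port with openssl s_client.
# Assumptions: hostnames or IPv4 literals (no [IPv6]), openssl on PATH.

# ldap_uri_parts URI
# Prints "scheme host port"; port defaults follow RFC 4516 (389 for ldap,
# 636 for ldaps) and any DN/attribute suffix after the first "/" is ignored.
ldap_uri_parts() {
    scheme=${1%%://*}
    rest=${1#*://}
    rest=${rest%%/*}
    case $rest in
        *:*) host=${rest%%:*}; port=${rest##*:} ;;
        *)   host=$rest
             case $scheme in
                 ldaps) port=636 ;;
                 *)     port=389 ;;
             esac ;;
    esac
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# ldap_uri_verdict URI STARTTLS(yes|no)
# Classifies the combination the way the server sees it:
#   ok                      ldap:// on 389 (with or without -ZZ), ldaps:// on 636
#   starttls-on-ldaps-port  ldap://host:636 -ZZ: cleartext StartTLS request sent
#                           to a port that expects a TLS ClientHello (the question)
#   plaintext-on-ldaps-port ldap://host:636 without -ZZ
#   ldaps-on-plain-port     ldaps://host:389
#   starttls-with-ldaps     -ZZ combined with ldaps:// (TLS is already up)
ldap_uri_verdict() {
    starttls=$2
    set -- $(ldap_uri_parts "$1")
    case "$1:$3:$starttls" in
        ldaps:*:yes)  echo starttls-with-ldaps ;;
        ldap:636:yes) echo starttls-on-ldaps-port ;;
        ldap:636:no)  echo plaintext-on-ldaps-port ;;
        ldaps:389:*)  echo ldaps-on-plain-port ;;
        *)            echo ok ;;
    esac
}

# probe_tls HOST PORT
# 0: a TLS server presented a certificate; 1: TCP connection refused;
# 2: TCP connected but no TLS handshake completed (the host-side s_client run
# in the question: 0 bytes read); 3: openssl not installed.
probe_tls() {
    command -v openssl >/dev/null 2>&1 || return 3
    out=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1) || true
    case $out in
        *"Connection refused"*) return 1 ;;
        *"BEGIN CERTIFICATE"*)  return 0 ;;
        *)                      return 2 ;;
    esac
}

# main URI [yes|no]   e.g.  ./ldap-uri-check.sh ldap://localhost:636 yes
main() {
    uri=$1
    starttls=${2:-no}
    verdict=$(ldap_uri_verdict "$uri" "$starttls")
    set -- $(ldap_uri_parts "$uri")
    host=$2 port=$3
    echo "uri=$uri starttls=$starttls verdict=$verdict"
    rc=0
    probe_tls "$host" "$port" || rc=$?
    case $rc in
        0) echo "TLS server answers on $host:$port; try: ldapsearch -x -H ldaps://$host:$port" ;;
        1) echo "connection refused on $host:$port: nothing is listening there" ;;
        2) echo "TCP accepted on $host:$port but no TLS handshake: port is not speaking TLS," \
                "e.g. a published container port with no listener inside the container" ;;
        3) echo "openssl not found; port probe skipped" ;;
    esac
    case $verdict in
        starttls-on-ldaps-port|plaintext-on-ldaps-port)
            echo "fix: use ldaps://$host:$port without -ZZ, or ldap://$host:389 -ZZ" ;;
        ldaps-on-plain-port)
            echo "fix: use ldap://$host:389 -ZZ, or ldaps://$host:636" ;;
        starttls-with-ldaps)
            echo "fix: drop -ZZ; ldaps:// already negotiates TLS" ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `./ldap-uri-check.sh ldap://localhost:636 yes` to reproduce the question's combination. The only two combinations that make sense against a correctly configured server are `ldaps://host:636` without -ZZ (TLS from the first byte) and `ldap://host:389 -ZZ` (StartTLS upgrade on the plaintext port); anything else either sends cleartext to a TLS port or TLS to a cleartext port.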
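The certificate steps in the question have three weaknesses that slapd and its clients will punish: `openssl genrsa -des3` writes a passphrase-protected key, which an unattended slapd cannot load; step 3 self-signs the CSR with the same key, so one file (root.crt) has to serve as both CA certificate and server certificate; and the certificate carries only a CN, with no subjectAltName for the names clients actually use (localhost, ldap_jtc). The script below is an added example, not the author's procedure: it creates a private CA, signs an unencrypted server key for the container hostname plus any extra SANs, and provides two checks (key not encrypted; certificate verifies for a given hostname against the CA). It assumes OpenSSL 1.1.1 or later on PATH and DNS-style SANs, and uses the file-name variables from the question's compose file only as a naming convention; the script and function names are my own.

```shell
#!/bin/sh
# make-ldap-certs.sh: added example, not from the original question.
# Private CA + server certificate for slapd, with an UNENCRYPTED server key
# (slapd cannot type a passphrase), a CA that signs the server cert instead of
# one self-signed file used as both, and subjectAltName for every client-facing
# name. Assumptions: openssl 1.1.1+, DNS-style SAN names only.
set -eu

# make_ldap_certs DIR HOSTNAME [EXTRA_SAN ...]
# Writes DIR/ca.key, DIR/ca.crt, DIR/HOSTNAME.key, DIR/HOSTNAME.crt
make_ldap_certs() {
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for n in "$@"; do san="$san,DNS:$n"; done
    mkdir -p "$dir"
    # Minimal req config so the result does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"

    # 1. CA. Its key is never read by slapd, so this one MAY be passphrase
    #    protected (add -aes256 if you want that); the server key may not.
    openssl genrsa -out "$dir/ca.key" 4096
    openssl req -new -config "$dir/req.cnf" -key "$dir/ca.key" \
        -subj "/CN=$cn CA" -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt"

    # 2. Server key: no -des3, slapd has to load it unattended at startup
    openssl genrsa -out "$dir/$cn.key" 4096
    openssl req -new -config "$dir/req.cnf" -key "$dir/$cn.key" \
        -subj "/CN=$cn" -out "$dir/$cn.csr"

    # 3. Sign with the CA, adding SAN + serverAuth EKU; a bare CN is not
    #    enough for clients that verify the hostname
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$san" > "$dir/$cn.ext"
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/$cn.ext" -out "$dir/$cn.crt"
    rm -f "$dir/ca.csr" "$dir/$cn.csr" "$dir/ca.ext" "$dir/$cn.ext" "$dir/req.cnf"
}

# key_is_encrypted FILE: true if the PEM private key needs a passphrase
# (both the legacy "Proc-Type: 4,ENCRYPTED" and PKCS#8 "ENCRYPTED PRIVATE KEY" forms)
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# cert_verifies CA CERT HOST: true if CERT chains to CA and is valid for HOST
cert_verifies() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Usage: ./make-ldap-certs.sh certs ldap_jtc localhost
if [ "$#" -ge 2 ]; then
    make_ldap_certs "$@"
    if key_is_encrypted "$1/$2.key"; then
        echo "server key is encrypted; slapd cannot use it" >&2; exit 1
    fi
    if cert_verifies "$1/ca.crt" "$1/$2.crt" "$2"; then
        echo "ok: $1/$2.crt verifies for $2 against $1/ca.crt"
    else
        echo "FAIL: $1/$2.crt does not verify for $2" >&2; exit 1
    fi
fi
```

`./make-ldap-certs.sh certs ldap_jtc localhost` produces certs/ca.crt, certs/ldap_jtc.crt and certs/ldap_jtc.key, which map onto LDAP_TLS_CA_CRT_FILENAME=ca.crt, LDAP_TLS_CRT_FILENAME=ldap_jtc.crt and LDAP_TLS_KEY_FILENAME=ldap_jtc.key in the compose file (with LDAP_TLS set to "true", since "false" is what the question runs with). The environment dump on this page also points LDAP_TLS_DH_PARAM_FILENAME at a .csr file, which is not DH parameters; generate real ones with `openssl dhparam -out dhparam.pem 2048` and name that file instead. Only ca.crt belongs in client trust stores; `openssl s_client -connect localhost:636 -CAfile certs/ca.crt` should then report "Verify return code: 0 (ok)" together with the server certificate, unlike the "no peer certificate available" output above.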