아직 SSL 문제를 해결하지 못했습니다. -,.- 정말 며칠째 삽질을 하네요.
서버 인증서를 잘못 만들었는지 아니면 CA 인증서나 클라이언트 설정 문제인지 모르겠습니다.
사용자 인증을 ldap 서버를 이용해서 하고 있는데, 평문일 때는 잘 되고 StartTLS 나 LDAPS 를 사용하면 에러가 나네요
서버: openldap
클라이언트 : pam_ldap
아래는 서버쪽 디버그 로그입니다.
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=203
connection_get(12): got connid=203
connection_read(12): checking for input on id=203
도움 부탁드립니다.
아래는 설정입니다.
<client>
/etc/ldap.conf
-------------------------
# pam_ldap client configuration (/etc/ldap.conf): where the directory is,
# what PAM searches for, and the TLS settings used once "ssl start_tls" is on.
host 192.168.20.4
port 389
base dc=samjung,dc=com
pam_filter objectclass=posixAccount
pam_login_attribute uid
# The plain port-389 connection is upgraded with StartTLS; LDAPS ("ssl on") is
# left disabled, so only the StartTLS path is exercised by this file.
ssl start_tls
#ssl on
# Peer verification is on: the server certificate must chain to the CA file
# below AND its subject/SAN must match the value of "host".
# NOTE(review): "host" is an IP address, while the server's certificate file in
# slapd.conf is named manager.samjung.com.crt. Unless that certificate also
# carries 192.168.20.4, the name check will reject it — confirm by pointing
# "host" at the certificate's hostname or by inspecting the certificate's SANs.
tls_checkpeer yes
# NOTE(review): this CA file (catest.crt) is not the caimsi.crt that both
# /etc/openldap/ldap.conf and slapd.conf use. If catest.crt is not the CA that
# issued the server certificate, verification fails at this point — confirm
# the two files are the same CA.
tls_cacertfile /etc/openldap/cacerts/catest.crt
# OpenSSL-style cipher list; "TLSv1" presumably selects only TLSv1-era suites,
# which is narrower than the HIGH:MEDIUM:+SSLv2 list configured in slapd.conf.
tls_ciphers TLSv1
---------------------------
/etc/openldap/ldap.conf
---------------------------
# libldap client defaults (/etc/openldap/ldap.conf) on the client host, used by
# ldapsearch and other libldap-based tools (pam_ldap reads /etc/ldap.conf instead).
BASE dc=samjung, dc=com
# NOTE(review): the directive libldap reads is "URI" (as the server-side copy of
# this file uses), not "URL"; this line is probably ignored — confirm against
# ldap.conf(5) on this system.
URL ldap://192.168.20.4
#TLS_CACERTDIR /work/cert/
# CA used to verify the server certificate. No TLS_REQCERT is set here, so the
# library default applies (normally "demand"), and the same IP-vs-hostname
# mismatch noted for pam_ldap applies when connecting to 192.168.20.4.
TLS_CACERT /work/cert/caimsi.crt
# Client certificate and private key. These are only presented if the server
# asks for a client certificate; slapd.conf sets TLSVerifyClient never, so they
# play no part in authenticating this connection. Keep mario.prv readable only
# by the user that runs the client tools.
TLS_CERT /work/cert/mario.crt
TLS_KEY /work/cert/mario.prv
<Server>
/etc/openldap/ldap.conf
# libldap client defaults (/etc/openldap/ldap.conf) on the server host itself.
BASE dc=samjung, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
# Local tools connect over LDAPS (port 636) by IP address.
URI ldaps://192.168.20.4
# Same CA file that slapd.conf trusts, so the chain check should succeed here.
TLS_CACERT /work/cert/caimsi.crt
# "demand" also enforces the hostname check: the certificate must match
# 192.168.20.4. NOTE(review): with a certificate issued to manager.samjung.com
# (per the file name in slapd.conf) this is the likely failure for local
# ldapsearch tests too — confirm by testing with the hostname in the URI.
TLS_REQCERT demand
---------------------------
/etc/openldap/slapd.conf
---------------------------
# slapd.conf: schema, global TLS/ACL settings, the bdb database and its
# replication. Directive order matters in this file (global section first,
# database section after "database bdb"); keep additions in the right section.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Permits LDAPv2 binds; only keep this if a legacy client actually needs it.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# NOTE(review): "+SSLv2" moves the SSLv2 suites to the end of the list but does
# not exclude them; SSLv2 is obsolete and insecure and should be dropped
# (e.g. HIGH:MEDIUM:!SSLv2). This list may also fail to intersect with the
# client's "tls_ciphers TLSv1" in /etc/ldap.conf — confirm on the client side.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
# CA that issued the server certificate; clients must trust this same file
# (/etc/ldap.conf currently points at a different one, catest.crt).
TLSCACertificateFile /work/cert/caimsi.crt
# Server certificate and key. The file name suggests the certificate is issued
# to manager.samjung.com, while clients connect to 192.168.20.4 — see the
# hostname-check notes in the client configs. The .prv file must be readable
# only by the slapd user.
TLSCertificateFile /work/imsi/manager.samjung.com.crt
TLSCertificateKeyFile /work/imsi/manager.samjung.com.prv
# slapd never asks clients for a certificate. NOTE(review): the debug line
# "unable to get TLS client DN, error=49" appears consistent with this (there is
# no client certificate to read) and is probably not the cause of the failing
# bind; the client-side TLS error is the one to chase.
TLSVerifyClient never
database bdb
suffix "dc=samjung,dc=com"
rootdn "cn=manager,dc=samjung,dc=com"
# NOTE(review): a real {SSHA} hash is pasted here verbatim. Since this config has
# been shared, treat the rootdn password as exposed and set a new rootpw.
rootpw {SSHA}fsVipBgUPaLyxDJsbAHtuY4yo2kzO6GN
directory /var/lib/ldap
# Indexes for the attributes pam_ldap/nss_ldap look up (uid, uidNumber, ...).
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
cachesize 2000
# ACLs are evaluated in order; the first matching "access to" clause wins.
# userPassword: owner may change it, everyone else may only use it to bind.
access to dn.subtree="dc=samjung,dc=com" attrs=userPassword
by self write
by * auth
# Account, group and host subtrees are world-readable (anonymous included).
access to dn.subtree="ou=people,dc=samjung,dc=com"
by * read
access to dn.subtree="ou=group,dc=samjung,dc=com"
by * read
access to dn.subtree="ou=hosts,dc=samjung,dc=com"
by * read
# Everything else: bind only, no read.
access to *
by * auth
# Replication to a replica on localhost (replogfile/replica, presumably the
# slurpd-style mechanism). tls=yes makes the replication connection use StartTLS,
# so it depends on the same TLS setup as the clients; credentials are redacted
# in this paste. The replica's own TLS trust and hostname check apply as well.
replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://127.0.0.1:389
suffix="dc=samjung,dc=com"
binddn="cn=replica,dc=samjung,dc=com"
credentials=xxxxxx
bindmethod=simple
tls=yes
|