
CentOS OpenLDAP STARTTLS network

Server Fault user
Asked on 2019-05-07 21:31:56
1 answer, 119 views, 0 followers, score 2

I've run into a very strange problem configuring CentOS OpenLDAP for STARTTLS. Here's what's going on.

I have a set of OS scripts that I use to configure the system. I do this to document how a machine is set up and to make sure it gets set up the same way when the hardware is refreshed. Everything worked fine until I configured OpenLDAP to use STARTTLS.

I have a template LDIF file, which I then modify with sed to insert the machine's hostname. When I try to modify the OpenLDAP configuration, it fails with

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

If I try again on the command line (outside the script), it still fails.

I can get it to work one way: if I swap the two configuration "paragraphs" in VIM and save, then ldapmodify succeeds. It doesn't matter what order they are in to begin with; they have to be swapped.

Other things I've tried that still fail:

  1. Open the LDIF file in VIM, force a save, and exit.
  2. Save the LDIF file that succeeded and try to install it on a new machine.

Can anyone think of why I have to open the LDIF file in VIM, change the order of the operations, and rerun ldapmodify? It makes no sense to me.

Here is my template file:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/SERVERNAME.key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/SERVERNAME.crt

Here is the relevant part of the script.

SERVERNAME=`hostname`
# Substitute the placeholder in place; the variable is double-quoted so the
# sed expression is passed as a single argument.
sed -e "s@SERVERNAME@$SERVERNAME@g" -i ldap-certs.ldif
# Note: sed edits ./ldap-certs.ldif (current directory) while ldapmodify
# reads ~/ldap-certs.ldif; these are only the same file when run from $HOME.
ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/ldap-certs.ldif

Here is the LDIF file after sed has run.

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/centostest.key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/centostest.crt

Finally, here is the -d 167 version of the ldapmodify output.

ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=centostest
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 26 bytes to sd 4
ldap_write: want=26, written=26
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..
ldap_msgfree
ldap_result ld 0x558654ff7480 msgid 1
wait4msg ld 0x558654ff7480 msgid 1 (infinite timeout)
wait4msg continue ld 0x558654ff7480 msgid 1 all 1
** ld 0x558654ff7480 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Tue May  7 17:24:13 2019


** ld 0x558654ff7480 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x558654ff7480 request count 1 (abandoned 0)
** ld 0x558654ff7480 Response Queue:
   Empty
  ld 0x558654ff7480 response count 0
ldap_chkResponseList ld 0x558654ff7480 msgid 1 all 1
ldap_chkResponseList returns ld 0x558654ff7480 NULL
ldap_int_select
read1msg: ld 0x558654ff7480 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x558654ff7480 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x558654ff7480 0 new referrals
read1msg:  mark request completed, ld 0x558654ff7480 msgid 1
request done: ld 0x558654ff7480 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 91 bytes to sd 4
ldap_write: want=91, written=91
  0000:  30 59 02 01 02 66 54 04  09 63 6e 3d 63 6f 6e 66   0Y...fT..cn=conf
  0010:  69 67 30 47 30 45 0a 01  02 30 40 04 18 6f 6c 63   ig0G0E...0@..olc
  0020:  54 4c 53 43 65 72 74 69  66 69 63 61 74 65 4b 65   TLSCertificateKe
  0030:  79 46 69 6c 65 31 24 04  22 2f 65 74 63 2f 6f 70   yFile1$."/etc/op
  0040:  65 6e 6c 64 61 70 2f 63  65 72 74 73 2f 63 65 6e   enldap/certs/cen
  0050:  74 6f 73 74 65 73 74 2e  6b 65 79                  tostest.key
ldap_result ld 0x558654ff7480 msgid 2
wait4msg ld 0x558654ff7480 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x558654ff7480 msgid 2 all 1
** ld 0x558654ff7480 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Tue May  7 17:24:13 2019


** ld 0x558654ff7480 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x558654ff7480 request count 1 (abandoned 0)
** ld 0x558654ff7480 Response Queue:
   Empty
  ld 0x558654ff7480 response count 0
ldap_chkResponseList ld 0x558654ff7480 msgid 2 all 1
ldap_chkResponseList returns ld 0x558654ff7480 NULL
ldap_int_select
read1msg: ld 0x558654ff7480 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 02 67 07 0a                            0....g..
ldap_read: want=6, got=6
  0000:  01 50 04 00 04 00                                  .P....
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x558654ff7480 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x558654ff7480 0 new referrals
read1msg:  mark request completed, ld 0x558654ff7480 msgid 2
request done: ld 0x558654ff7480 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)

ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_write: want=7, written=7
  0000:  30 05 02 01 03 42 00                               0....B.
ldap_free_connection: actually freed
1 Answer

Server Fault user

Posted on 2019-05-23 11:04:21

Try specifying both changes in a single LDIF operation, i.e.:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/centostest.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/centostest.crt

I suspect it fails because you are making each file change a separate LDIF operation, and after either change the certificate and private key don't match, which causes the error. This way you change both files at once, so they should match.

Score 0
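A defender-side version of the answer's advice, added here and not part of the original post: generate the single-operation LDIF for the current host and refuse to touch cn=config unless the certificate and private key actually belong together, so the mismatch the answer suspects is caught before slapd sees it. The directory layout follows the post; CERT_DIR and the function names are assumptions.

```shell
#!/bin/sh
# Added example: atomic TLS cert/key update for OpenLDAP cn=config.
# Assumes certs live under $CERT_DIR/<host>.crt and <host>.key (as in the post).
set -eu

CERT_DIR="${CERT_DIR:-/etc/openldap/certs}"

# Emit one "changetype: modify" operation that replaces BOTH attributes,
# separated by the "-" line, so cn=config is never left with a key whose
# certificate does not match (the state the two-operation template created).
gen_tls_ldif() {
    host="$1"
    printf '%s\n' \
        "dn: cn=config" \
        "changetype: modify" \
        "replace: olcTLSCertificateKeyFile" \
        "olcTLSCertificateKeyFile: $CERT_DIR/$host.key" \
        "-" \
        "replace: olcTLSCertificateFile" \
        "olcTLSCertificateFile: $CERT_DIR/$host.crt"
}

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key. Compares SHA-256 digests of the DER-encoded
# public keys, so it works for RSA and EC keys alike.
cert_matches_key() {
    crt="$1"; key="$2"
    c=$(openssl x509 -in "$crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Check first, then apply over the local ldapi socket with SASL/EXTERNAL.
apply_tls_config() {
    host="$1"
    cert_matches_key "$CERT_DIR/$host.crt" "$CERT_DIR/$host.key" || {
        echo "certificate and key for $host do not match; cn=config untouched" >&2
        return 1
    }
    gen_tls_ldif "$host" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Usage (as root on the LDAP server): apply_tls_config "$(hostname)"
```

Because the LDIF is generated from the hostname each run, the template is never consumed by an in-place sed and the script stays idempotent.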
Page content provided by Server Fault.
Original link:

https://serverfault.com/questions/966266
