让CentOS 6信任AD的证书

Question

我正在尝试让我的CentOS服务器信任我从活动目录服务器安装的证书(我之前将.cer转换为.pem )。

当我尝试连接时，调试信息是：

[root@web1 cacerts]# ldapsearch -d1 -v -D SOMEDN\pretenduser01 -w SOMEPASSWORD  -H ldaps://1.2.3.4:636 -x
ldap_url_parse_ext(ldaps://1.2.3.4:636)
ldap_initialize( ldaps://1.2.3.4/??base )
ldap_create
ldap_url_parse_ext(ldaps://1.2.3.4:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 1.2.3.4:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/cacerts prefix .
TLS: loaded CA certificate file /etc/openldap/cacerts/some_pem_file.pem.
TLS: certificate [CN=SRV-DC3-RG.hiddendomain.co.uk] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

我真的不知道在解决这个问题的下一步是什么。没有SSL，我可以连接得很好，但这并不是很好:)

Answer 1

您需要信任签署证书的证书。通常，这将是您可以从运行AD CS的计算机的证书存储中获得的信任根( CA证书)，尽管它也可能是中间的(在这种情况下，应该显示整个链，因此信任根仍然是要信任的根)。您应该能够简单地将证书连接到/etc/openldap/cacerts/some_pem_file.pem的末尾，并使其正常工作。