
LDAP mechanism failing with StartTLS

Ask Ubuntu user
Asked on 2017-10-01 12:24:11
1 answer · 1.1K views · 0 followers · 0 votes

I upgraded my mail server from Ubuntu 14.04 to 16.04, and now StartTLS no longer works with the LDAP mechanism.

```
% sudo testsaslauthd -u clement -p bar
0: NO "authentication failed"
```

There is nothing in syslog, so I enabled debug mode for saslauthd:

```
% sudo saslauthd -a ldap -d -m /var/run/saslauthd
saslauthd[6742] :rel_accept_lock : released accept lock
saslauthd[6743] :get_accept_lock : acquired accept lock
saslauthd[6742] :do_auth         : auth failure: [user=clement] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[6742] :do_request      : response: NO
```

Here is the configuration file:

```
% sudo cat /etc/saslauthd.conf
ldap_servers: ldap://ldap.mydomain.fr/
ldap_bind_dn: uid=postfix,ou=services,dc=mydomain,dc=fr
ldap_bind_pw: foo
ldap_timeout: 10
ldap_time_limit: 10
ldap_scope: sub
ldap_search_base: ou=people,dc=mydomain,dc=fr
ldap_auth_method: bind
ldap_filter: (&(uniqueIdentifier=%u)(mailEnabled=TRUE))
ldap_debug: 0
ldap_verbose: off
ldap_ssl: no
ldap_starttls: yes
ldap_referrals: yes
```

Here are the logs from the LDAP server:

```
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: slap_listener_activate(9):
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 busy
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: >>> slap_listener(ldap:///)
Oct  1 14:16:07 ldap slapd[3942]: daemon: listen=9, new connection on 13
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: added 13r (active) listener=(nil)
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 fd=13 ACCEPT from IP=192.168.1.5:51932 (IP=0.0.0.0:389)
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]:  13r
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: daemon: read active on 13
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: connection_get(13)
Oct  1 14:16:07 ldap slapd[3942]: connection_get(13): got connid=1000
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: connection_read(13): checking for input on id=1000
Oct  1 14:16:07 ldap slapd[3942]: op tag 0x60, time 1506860167
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 op=0 do_bind
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: >>> dnPrettyNormal: <uid=saslauthd,ou=services,dc=mydomain,dc=fr>
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: <<< dnPrettyNormal: <uid=saslauthd,ou=services,dc=mydomain,dc=fr>, <uid=saslauthd,ou=services,dc=mydomain,dc=fr>
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 op=0 BIND dn="uid=saslauthd,ou=services,dc=mydomain,dc=fr" method=128
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: do_bind: version=3 dn="uid=saslauthd,ou=services,dc=mydomain,dc=fr" method=128
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: send_ldap_result: conn=1000 op=0 p=3
Oct  1 14:16:07 ldap slapd[3942]: send_ldap_result: err=13 matched="" text="TLS confidentiality required"
Oct  1 14:16:07 ldap slapd[3942]: send_ldap_response: msgid=1 tag=97 err=13
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]:  13r
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: daemon: read active on 13
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: connection_get(13)
Oct  1 14:16:07 ldap slapd[3942]: connection_get(13): got connid=1000
Oct  1 14:16:07 ldap slapd[3942]: connection_read(13): checking for input on id=1000
Oct  1 14:16:07 ldap slapd[3942]: op tag 0x42, time 1506860167
Oct  1 14:16:07 ldap slapd[3942]: ber_get_next on fd 13 failed errno=0 (Success)
Oct  1 14:16:07 ldap slapd[3942]: connection_read(13): input error=-2 id=1000, closing.
Oct  1 14:16:07 ldap slapd[3942]: connection_closing: readying conn=1000 sd=13 for close
Oct  1 14:16:07 ldap slapd[3942]: connection_close: deferring conn=1000 sd=13
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 op=1 do_unbind
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 op=1 UNBIND
Oct  1 14:16:07 ldap slapd[3942]: connection_resched: attempting closing conn=1000 sd=13
Oct  1 14:16:07 ldap slapd[3942]: connection_close: conn=1000 sd=13
Oct  1 14:16:07 ldap slapd[3942]: daemon: removing 13
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 fd=13 closed
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: slap_listener_activate(9):
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 busy
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: >>> slap_listener(ldap:///)
Oct  1 14:16:07 ldap slapd[3942]: daemon: listen=9, new connection on 13
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: added 13r (active) listener=(nil)
Oct  1 14:16:07 ldap slapd[3942]: conn=1001 fd=13 ACCEPT from IP=192.168.1.5:51934 (IP=0.0.0.0:389)
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]:  13r
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: daemon: read active on 13
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: connection_get(13)
Oct  1 14:16:07 ldap slapd[3942]: connection_get(13): got connid=1001
Oct  1 14:16:07 ldap slapd[3942]: connection_read(13): checking for input on id=1001
Oct  1 14:16:07 ldap slapd[3942]: op tag 0x60, time 1506860167
Oct  1 14:16:07 ldap slapd[3942]: conn=1001 op=0 do_bind
Oct  1 14:16:07 ldap slapd[3942]: >>> dnPrettyNormal: <uid=saslauthd,ou=services,dc=mydomain,dc=fr>
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: <<< dnPrettyNormal: <uid=saslauthd,ou=services,dc=mydomain,dc=fr>, <uid=saslauthd,ou=services,dc=mydomain,dc=fr>
Oct  1 14:16:07 ldap slapd[3942]: conn=1001 op=0 BIND dn="uid=saslauthd,ou=services,dc=mydomain,dc=fr" method=128
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on:
Oct  1 14:16:07 ldap slapd[3942]: 
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct  1 14:16:07 ldap slapd[3942]: do_bind: version=3 dn="uid=saslauthd,ou=services,dc=mydomain,dc=fr" method=128
Oct  1 14:16:07 ldap slapd[3942]: send_ldap_result: conn=1001 op=0 p=3
Oct  1 14:16:07 ldap slapd[3942]: send_ldap_result: err=13 matched="" text="TLS confidentiality required"
Oct  1 14:16:07 ldap slapd[3942]: send_ldap_response: msgid=1 tag=97 err=13
Oct  1 14:16:07 ldap slapd[3942]: conn=1001 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
```

The most relevant part seems to be

```
err=13 text=TLS confidentiality required
```

which makes me think that saslauthd is not initiating StartTLS.

Now, if I do not require StartTLS in OpenLDAP:

```
% sudo testsaslauthd -u clement -p bar
0: OK "Success."
```

1 Answer

Ask Ubuntu user

Posted on 2017-10-20 16:21:21

Put TLS_REQCERT allow in /etc/ldap/ldap.conf, or make sure your LDAP server certificate can be verified.

0 votes
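An added example, not part of the question or the answer above. The answer's fix is on the client side: saslauthd's ldap backend links against OpenLDAP's libldap, so /etc/ldap/ldap.conf governs how it validates the server certificate during the StartTLS handshake, and a failed validation makes the client fall back to the plain bind that slapd then rejects with err=13. Of the two options the answer gives, only the second one (a certificate that verifies against a trusted CA, i.e. TLS_CACERT plus the default TLS_REQCERT demand) also protects the bind password against a spoofed server; TLS_REQCERT allow proceeds even when the certificate is bad. Either way, the slapd log in the question is where the outcome is visible, so the script below triages slapd stats lines per connection and reports whether each bind was sent before or after TLS was established. The sample log is constructed: conn=1000 and conn=1001 are reduced from the question's log, and conn=1002 is a constructed connection that negotiates StartTLS first and then binds, which is what a correctly configured saslauthd should produce.

```python
import re
from collections import Counter

# Constructed sample input (see lead-in). Lines without a conn= tag are ignored.
SAMPLE_LOG = """\
Oct  1 14:16:07 ldap slapd[3942]: daemon: activity on 1 descriptor
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 fd=13 ACCEPT from IP=192.168.1.5:51932 (IP=0.0.0.0:389)
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 op=0 BIND dn="uid=saslauthd,ou=services,dc=mydomain,dc=fr" method=128
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 op=1 UNBIND
Oct  1 14:16:07 ldap slapd[3942]: conn=1000 fd=13 closed
Oct  1 14:16:07 ldap slapd[3942]: conn=1001 fd=13 ACCEPT from IP=192.168.1.5:51934 (IP=0.0.0.0:389)
Oct  1 14:16:07 ldap slapd[3942]: conn=1001 op=0 BIND dn="uid=saslauthd,ou=services,dc=mydomain,dc=fr" method=128
Oct  1 14:16:07 ldap slapd[3942]: conn=1001 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Oct  1 14:16:08 ldap slapd[3942]: conn=1002 fd=14 ACCEPT from IP=192.168.1.5:51940 (IP=0.0.0.0:389)
Oct  1 14:16:08 ldap slapd[3942]: conn=1002 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct  1 14:16:08 ldap slapd[3942]: conn=1002 op=0 STARTTLS
Oct  1 14:16:08 ldap slapd[3942]: conn=1002 op=0 RESULT oid= err=0 text=
Oct  1 14:16:08 ldap slapd[3942]: conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
Oct  1 14:16:08 ldap slapd[3942]: conn=1002 op=1 BIND dn="uid=saslauthd,ou=services,dc=mydomain,dc=fr" method=128
Oct  1 14:16:08 ldap slapd[3942]: conn=1002 op=1 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"conn=(?P<cid>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<peer>\S+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT .*?err=(?P<err>\d+)")
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)
CONFIDENTIALITY_REQUIRED = 13            # LDAP resultCode confidentialityRequired
SIMPLE_BIND_METHOD = 128                 # slapd logs method=128 (0x80) for a simple bind


def triage(log_text):
    """Group slapd stats lines by connection; for every bind, record whether
    TLS was already established on that connection when the bind arrived."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m is None:
            continue  # daemon/epoll chatter carries no conn= tag
        cid, rest = m.group("cid"), m.group("rest")
        st = conns.setdefault(cid, {"peer": None, "tls": False,
                                    "starttls_requested": False,
                                    "binds": [], "_pending": {}})
        accept, bind, result = ACCEPT_RE.search(rest), BIND_RE.search(rest), RESULT_RE.search(rest)
        if accept:
            st["peer"] = accept.group("peer")
        elif "STARTTLS" in rest or "EXT oid=" + STARTTLS_OID in rest:
            st["starttls_requested"] = True
        elif "TLS established" in rest:
            st["tls"] = True
        elif bind:
            # Sample the TLS flag now, i.e. at the moment the credentials were
            # sent, and hold the record until the matching RESULT line.
            st["_pending"][bind.group("op")] = {
                "dn": bind.group("dn"),
                "simple": int(bind.group("method")) == SIMPLE_BIND_METHOD,
                "tls": st["tls"],
            }
        elif result:
            pending = st["_pending"].pop(result.group("op"), None)
            if pending is not None:  # RESULT lines of non-bind ops are skipped
                pending["err"] = int(result.group("err"))
                st["binds"].append(pending)
    for st in conns.values():
        del st["_pending"]
        st["verdict"] = _verdict(st["binds"])
    return conns


def _verdict(binds):
    if not binds:
        return "NO_BIND"
    if any(not b["tls"] and b["err"] == CONFIDENTIALITY_REQUIRED for b in binds):
        return "REJECTED_PLAINTEXT"  # the pattern in the question's log
    if any(not b["tls"] and b["simple"] and b["err"] == 0 for b in binds):
        return "ACCEPTED_PLAINTEXT"  # server accepted a password sent in the clear
    if all(b["tls"] for b in binds):
        return "TLS_BIND"
    return "OTHER"


def summarize(conns):
    """Count connections per verdict, e.g. {'REJECTED_PLAINTEXT': 2, 'TLS_BIND': 1}."""
    return dict(Counter(st["verdict"] for st in conns.values()))


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for cid, st in report.items():
        print(f"conn={cid} peer={st['peer']} starttls_requested={st['starttls_requested']} "
              f"tls={st['tls']} verdict={st['verdict']}")
    print(summarize(report))
```

Run it against a real slapd log (loglevel stats) instead of SAMPLE_LOG to confirm, after changing ldap.conf, that saslauthd's connections now show EXT oid=1.3.6.1.4.1.1466.20037 and "TLS established" before the BIND; an ACCEPTED_PLAINTEXT verdict would mean the server side no longer enforces TLS for that bind, which is the trade-off made when StartTLS is simply not required any more, as in the last test in the question.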
The original page content is provided by Ask Ubuntu. Translation provided by Tencent Cloud Xiaowei's IT-domain engine.
Original link:

https://askubuntu.com/questions/961017
