Adicione o certificado do servidor LDAP à lista confiável e ative a verificação de certificado

Question

Adicione o certificado do servidor LDAP à lista confiável e ative a verificação de certificado

2

Estou tentando usar uma conexão LDAP segura via TLS ldaps://<server_name>:<port> para vários aplicativos (por exemplo, Gitlab). No entanto, a conexão gera erros de certificado, o que se deve ao fato de que os administradores LDAP usaram certificados autoassinados.

Aqui está o que eu tentei:

curl "ldap://ldapserver.example.com:389/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)" -u [email protected]

Funciona exatamente como esperado e retorna o resultado da consulta desejado, mas é obviamente inseguro.

Quando tentei:

curl -v "ldaps://ldapserver.example.com:636/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)" -u [email protected]

Eu tenho:

* About to connect() to ldapserver.example.com port 636 (#0)
*   Trying 10.10.10.10...
* Connected to ldapserver.example.com (10.10.10.10) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=ldapserver.example.com
*       start date: Jan 14 15:00:00 2018 GMT
*       expire date: Dec 24 14:59:59 2019 GMT
*       common name: ldapserver.example.com
*       issuer: O=EXAMPLE,C=UK
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Tentar o mesmo comando com o sinalizador --insecure , em seguida, conecta-se ao servidor LDAP, mas não retorna nenhum resultado:

* About to connect() to ldapserver.example.com port 636 (#0)
*   Trying 10.10.10.10...
* Connected to ldapserver.example.com (10.10.10.10) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=ldapserver.example.com
*       start date: Jan 14 15:00:00 2018 GMT
*       expire date: Dec 24 14:59:59 2019 GMT
*       common name: ldapserver.example.com
*       issuer: O=EXAMPLE,C=UK
* LDAP local: ldaps://ldapserver.example.com:636/DC=example,DC=com?sAMAccountName?sub?(memberOf=CN=custom-group,DC=example,DC=com)

Tudo bem, tentei agora ldapsearch :

ldapsearch -x -b 'dc=example,dc=com' -D '[email protected]' -H "ldaps://ldapserver.example.com:636" -W '(memberOf=CN=custom-group,DC=example,DC=com)'

E tenho:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Depois de fazer um export LDAPTLS_REQCERT=never e emitir o mesmo comando ldapsearch acima, a consulta retornou um resultado.

Desabilitar a verificação de certificados obviamente não é uma boa opção, especialmente se a autenticação LDAP for usada, por exemplo, no Gitlab.

Eu tentei adicionar o certificado do servidor LDAP aos certificados confiáveis obtendo o certificado com:

echo -n | openssl s_client -connect ldapserver.example.com:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.example.com.pem

Em seguida, coloquei em /etc/pki/ca-trust/source/anchors/ e atualizei o ca-trust

cp ldapserver.example.com.pem /etc/pki/ca-trust/source/anchors/ldapserver.example.com.crt
update-ca-trust extract

No entanto, os comandos acima retornaram o mesmo resultado.

Eu acho que provavelmente preciso adicionar a cadeia CA que consiste efetivamente apenas naquele certificado:

openssl s_client -showcerts -verify -connect ldapserver.example.com:636 < /dev/null

verify depth is 5
CONNECTED(00000003)
depth=0 CN = ldapserver.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ldapserver.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=ldapserver.example.com
   i:/C=UK/O=EXAMPLE
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldapserver.example.com
issuer=/C=UK/O=EXAMPLE
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 1666 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 12345678912345678912345791234567891234567891234579
    Session-ID-ctx:
    Master-Key: 123456789123456789123457912345678912345678912345791234567891234567891234579
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1540914932
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

Então, minha pergunta é: como adicionar o certificado de maneira que a verificação de certificado funcione? Posso fazer isso ou preciso entrar em contato com nosso administrador LDAP para me fornecer algo para isso?

Encontre abaixo algumas informações sobre o sistema e as ferramentas:

RHEL 7.5

ldapsearch -V -v
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.44 (Apr  3 2018 08:03:33) $
        [email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/clients/tools
        (LDAP library: OpenLDAP 20444)
ldap_initialize( <DEFAULT> )
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

curl -V -v
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

authentication ssl ldap certificates key-authentication

por bm-bergmotte 30.10.2018 / 17:27

0 respostas

Tags authentication ssl ldap certificates key-authentication

Como fazer ping do convidado do QEMU para um URL externo? Charm crypto library - testes de unidade com o símbolo indefinido: BN_is_negative