- 浏览: 152606 次
- 性别:
- 来自: 北京
文章分类
最新评论
Some AD objects can be modified without running an ldaps connection. Things like passwords however, cannot.
This is a guide to getting ldaps running on a *nix machine.
Install OpenSSL and OpenLDAP
Duh :) I presume you've done this already. If not, check your distribution specific documentation. Check that you have LDAP and OpenSSL support by performing creating a php webpage like:
<?php phpinfo(); ?>
And then viewing it on your server.
Install Certificate Services on your Domain Controller
There are two types of setup you can have here. The first is a Certificate Authority (CA) that is configured as an Enterprise CA on your local domain or as simply a request to a Third Party CA. The second type of CA is a Standalone CA on your local domain.
The request methods are very similar but without precise command line arguments you'll find one or other won't work correctly.
We'll try to document both methods here as best we can. Much of this information has been compiled through trial, error and testing on both development and live Domain Controllers
Enterprise or Third Party CA's
This guide is for using Enterprise or Third Party Certificate Authorities
LDAP over SSL is not enabled by default on domain controllers, you must configure this by installing Certificate Services.
If you follow this guide from Microsoft you should be able to get SSL enabled.
In my own installation I came across a few stumbling blocks that may or may not affect you. If you use an external CA for your SSL certificate, rather than an self-signed one you probably won't get this problem!
After generating the .req request file running the recommended certreq -new request.inf request.req
and then using the Certification Authority console, and attempt to submit the request - no go. Lo and behold, |Microsoft KB 910249 came and bit me.
Certificate Request Processor
The request contains no certificate template information. 0×80094801 (-2146875391)
Denied by Policy Module 0×80094801, the request does not contain a certificate template extension or the Certificate Template request attribute.
Microsoft's resolution: Generate the request some other way.
Stuff that.
Here's the solution I found after 5 minutes with Google
certreq -submit -attrib "CertificateTemplate: DomainController" request.req
The key is the extra attribute we add to force use of the template. The certificate is issued.
However I still had a problem with a DNS error message. In the end I actually used the IIS based certificate manager at http(s)://<IP of server>/certsrv and issued the certificate that way, then back the Microsoft guide.
Standalone CA's
This guide is for running Standalone Certificate Authorities, they cannot follow the same processes as Enterprise level CAs and will result in errors when trying to accept the certificates to the domain controller
This is based on the information from the Microsoft TechNet Article: Advanced Certificate Enrollment and Management
Firstly from your domain controller, run the following .vbs script
Set oArgs = WScript.Arguments Set oShell = WScript.CreateObject("WScript.Shell") ' ' Parse command line ' if oArgs.Count < 1 then sTemplateName = "DomainController" sType = "E" else if ((oArgs(0) = "-?") or (oARgs.Count < 2)) then Wscript.Echo "Usage: reqdccert.vbs [Templatename] [Type]" Wscript.Echo "[Templatename] is the name of a V2 template" Wscript.Echo "[Type] can be E for Email and A for Authentication certificate" Wscript.Echo "If no option is specified, the DomainController certificate template is used." Wscript.Quit 1 else sTemplateName = oArgs(0) sType = oArgs(1) end if end if Set oFilesystem = CreateObject("Scripting.FileSystemObject") Set objSysInfo = CreateObject("ADSystemInfo") Set objDC = GetObject("LDAP://" & objSysInfo.ComputerName) sGUID = objDC.GUID sDNShostname = objDC.DNShostname sHostname = objDC.cn '############################################################################## ' ' Create the ASN.1 file ' '############################################################################## Dim aASNsubstring(2, 5) Const HEX_DATA_LENGTH = 1 Const ASCIIDATA = 2 Const HEXDATA = 3 Const HEX_BLOB_LENGTH = 4 Const HEX_TYPE = 5 aASNsubstring(0, ASCIIDATA) = sDNShostname aASNsubstring(0, HEX_TYPE) = "82" ' ' Convert DNS name into Hexadecimal ' For i = 1 to Len(aASNsubstring(0, ASCIIDATA)) aASNsubstring(0, HEXDATA) = aASNsubstring(0, HEXDATA) & _ Hex(Asc(Mid(aASNsubstring(0, ASCIIDATA), i, 1))) Next aASNsubstring(0, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(0, HEXDATA)) / 2) ' ' Build the ASN.1 blob for DNS name ' sASN = aASNsubstring(0, HEX_TYPE) & _ aASNsubstring(0, HEX_DATA_LENGTH) & _ aASNsubstring(0, HEXDATA) ' ' Append the GUID as other name ' if (sType = "E") then aASNsubstring(1, HEXDATA) = sGUID aASNsubstring(1, HEX_TYPE) = "A0" aASNsubstring(1, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(1, HEXDATA)) / 2) sASN = sASN & _ "A01F06092B0601040182371901" & _ aASNsubstring(1, HEX_TYPE) & _ "120410" & _ aASNsubstring(1, HEXDATA) end if ' ' Write the ASN.1 blob into a file ' Set oFile = oFilesystem.CreateTextFile(sHostname & ".asn") ' ' Put sequence, total length and ASN1 blob into the file ' oFile.WriteLine "30" & ComputeASN1 (Len(sASN) / 2) & sASN oFile.Close ' ' Use certutil to convert the hexadecimal string into bin ' oShell.Run "certutil -f -decodehex " & sHostname & ".asn " & _ sHostname & ".bin", 0, True ' ' Use certutil to convert the bin into base64 ' oShell.Run "certutil -f -encode " & sHostname & ".bin " & _ sHostname & ".b64", 0, True '############################################################################## ' ' Create the INF file ' '############################################################################## Set iFile = oFilesystem.OpenTextFile(sHostname & ".b64") Set oFile = oFilesystem.CreateTextFile(sHostname & ".inf") oFile.WriteLine "[Version]" oFile.WriteLine "Signature= " & Chr(34) & "$Windows NT$" & Chr(34) oFile.WriteLine "" oFile.WriteLine "[NewRequest]" oFile.WriteLine "KeySpec = 1" oFile.WriteLine "KeyLength = 1024" oFile.WriteLine "Exportable = TRUE" oFile.WriteLine "MachineKeySet = TRUE" oFile.WriteLine "SMIME = FALSE" oFile.WriteLine "PrivateKeyArchive = FALSE" oFile.WriteLine "UserProtected = FALSE" oFile.WriteLine "UseExistingKeySet = FALSE" oFile.WriteLine "ProviderName = " & Chr(34) & _ "Microsoft RSA SChannel Cryptographic Provider" & Chr(34) oFile.WriteLine "ProviderType = 12" oFile.WriteLine "RequestType = PKCS10" oFile.WriteLine "KeyUsage = 0xa0" oFile.WriteLine "" oFile.WriteLine "[EnhancedKeyUsageExtension]" oFile.WriteLine "OID=1.3.6.1.5.5.7.3.1" oFile.WriteLine "OID=1.3.6.1.5.5.7.3.2" oFile.WriteLine ";" oFile.WriteLine "; The subject alternative name (SAN) can be included in the INF-file" oFile.WriteLine "; for a Windows 2003 CA." oFile.WriteLine "; You don't have to specify the SAN when submitting the request." oFile.WriteLine ";" oFile.WriteLine "[Extensions]" iLine = 0 Do While iFile.AtEndOfStream <> True sLine = iFile.Readline If sLine = "-----END CERTIFICATE-----" then Exit Do end if if sLine <> "-----BEGIN CERTIFICATE-----" then if iLine = 0 then oFile.WriteLine "2.5.29.17=" & sLine else oFile.WriteLine "_continue_=" & sLine end if iLine = iLine + 1 end if Loop oFile.WriteLine "Critical=2.5.29.17" oFile.WriteLine ";" oFile.WriteLine "; The template name can be included in the INF-file for any CA." oFile.WriteLine "; You don't have to specify the template when submitting the request." oFile.WriteLine ";" oFile.WriteLine ";[RequestAttributes]" oFile.WriteLine ";CertificateTemplate=" & sTemplateName oFile.Close iFile.Close '############################################################################## ' ' Create the certreq.exe command-line to submit the certificate request ' '############################################################################## Set oFile = oFilesystem.CreateTextFile(sHostname & "-req.bat") oFile.WriteLine "CERTREQ -attrib " _ & Chr(34) & "CertificateTemplate:" & sTemplateName _ & Chr(34) & " " & sHostname & ".req" ' ' The GUID structure needs to be reconstructed. The GUID is read ' as a string like f4aaa8576e6828418712b6ca89fbf5bc however the ' format that is required for the certreq command looks like ' 57a8aaf4-686e-4128-8712-b6ca89fbf5bc. The bytes are reordered ' in the following way: ' ' 11111111112222222222333 ' Position 12345678901234567890123456789012 ' |------|--|--|--|--------------| ' Original GUID: f4aaa8576e6828418712b6ca89fbf5bc ' ' 11 1 1111 1112 222222222333 ' Position 78563412 1290 5634 7890 123456789012 ' |------- |--- |--- |--- |----------| ' Reformatted GUID: 57a8aaf4-686e-4128-8712-b6ca89fbf5bc ' oFile.WriteLine "REM " oFile.WriteLine "REM !!! Only valid for Windows 2003 or later versions !!!" oFile.WriteLine "REM If you do not specify certificate extensions in the *.INF file" oFile.WriteLine "REM they can be specified here like the following example" oFile.WriteLine "REM " oFile.WriteLine "REM CERTREQ -submit -attrib " _ & Chr(34) & "CertificateTemplate:" & sTemplateName _ & "\n" _ & "SAN:guid=" _ & Mid(sGUID, 7, 2) _ & Mid(sGUID, 5, 2) _ & Mid(sGUID, 3, 2) _ & Mid(sGUID, 1, 2) & "-" _ & Mid(sGUID, 11, 2) _ & Mid(sGUID, 9, 2) & "-" _ & Mid(sGUID, 15, 2) _ & Mid(sGUID, 13, 2) & "-" _ & Mid(sGUID, 17, 4) & "-" _ & Mid(sGUID, 21, 12) _ & "&DNS=" & sDNShostname & Chr(34) & " " & sHostname & ".req" oFile.Close '############################################################################## ' ' Create the certificate verification script ' '############################################################################## Set oFile = oFilesystem.CreateTextFile(sHostname & "-vfy.bat") oFile.WriteLine "certutil -viewstore " & Chr(34) & objDC.distinguishedname & _ "?usercertificate" & chr(34) oFile.Close '############################################################################## ' ' Compute the ASN1 string ' '############################################################################## Function ComputeASN1 (iStrLen) If Len(Hex(iStrLen)) Mod 2 = 0 then sLength = Hex(iStrLen) else sLength = "0" & Hex(iStrLen) end if if iStrLen > 127 then ComputeASN1 = Hex (128 + (Len(sLength) / 2)) & sLength else ComputeASN1 = sLength End If End Function
This will create the following files
-
DC_Name.asn
-
DC_Name-req.bat
-
DC_Name-vfy.bat
-
DC_Name.b64
-
DC_Name.bin
-
DC_Name.inf
The only two files we are interested in are the .inf and .asn files.
Now from the command line prompt call the following (replacing request.inf with the actual names of your files)
certreq -new request.inf request.req
This will create a file called request.req
We then copy the request.req and the .asn files over to the CA. This is where things get more complicated.
Again from the command line we need to run
certreq -attrib "CertificateTemplate:DomainController" request.req
This will give us a request ID, this is important, make a note of it.
certutil -setextension <RequestID> 2.5.29.17 1 @<dcname>.asn
What Microsoft also doesn’t tell you here, is that if you are using Windows Server 2008, this command will not work unless you have loaded the command prompt with elevated priviledges (UAC). The subject alternative name, which is identified by the object identifier 2.5.29.17, is set with the attributes that are defined in the <dcname>.asn file. The fourth parameter that is set to “1” marks the extension as critical.
The TechNet ‘Processing Domain Controller Certificates‘ article mentions how to validate the certificate request is good, however we are assuming these tests come back as positive so next we need to issue and retrieve the certificate.
From the CA now run
certutil –resubmit <RequestID>
and then finally
CERTREQ -retrieve <RequestID> <dcname>.cer <dcname>.p7b
You will now have a .cer and a .p7b file which you can copy back to the domain controller.
To install the certificate, from the command line on the domain controller
CERTREQ -ACCEPT <dcname>.p7b
Microsoft tells you to restart the Domain Controller. In our experience this was not necessary and SSL over LDAP was available immediately
Export the CA Certificate
Apparently you are supposed to now export the CA certificate, and for some installations you may need to do this, and install it on your web server. I have not had to do this in any of my tests. In my tests, after installing the certificate on the domain controller I was able to connect over LDAPS immediately.
Tell Apache how to use LDAPs
Do a phpinfo() and check where the HOME variable points to in the Apache environment. Create a symbolic link or copy ldap.conf to this location.
If you get a connect error may be because your local OpenSSL installation doesn't recognise the certificate (or its authority) provided by the server. This can be circumvented by adding the following line to ldap.conf on your server or similar:
Change TLS_REQCERT allow
to TLS_REQCERT never
Apache must be able to read ldap.conf, you cannot skip this step.
Troubleshooting
☹
Unable to bind to server: Can't contact LDAP server
This is probably the most generic error. Use the console to check to make sure you can actually get a connection. There's no point chasing problems in PHP if you can't do it from the console.
ldapsearch -H "ldaps://dc01.mydomain.local" -b "" -s base -Omaxssf=0
The ldapsearch should spit back a whole bunch of stuff. If it doesn't, you need to troubleshoot the error message it gives you. Optionally add -d7 (debug level) to the command line above.
From the domain controller itself you can test if LDAP over SSL works
-
Start the Active Directory Administration Tool (Ldp.exe).
-
On the Connection menu, click Connect.
-
Type the name of the domain controller to which you want to connect.
-
Type 636 as the port number.
-
Click OK
RootDSE information should print in the right pane, indicating a successful connection.
发表评论
-
Linux date 命令使用技巧
2011-08-04 17:10 1044date命令 date命令的功能是显示和设置系统日期和时间 ... -
linux shell 自定义函数(定义、返回值、变量作用域)介绍
2011-03-31 15:50 3208linux shell 可以用户定义函数,然后在sh ... -
shell中的加法
2011-03-31 13:43 1535今天搞了半天i=$i+1;因为这句包含在一个较长的shell脚 ... -
Shell #的用法, ${#arrayname[@]}获取数组元素的个数, $arrayname[index]获取属于一个元素 获取数组中的所有元素${arr
2011-03-31 10:35 4040在shell中$#表示输入参数的个数; ... -
设置linux环境变量
2011-03-04 11:29 10171.Linux的变量种类 按变量的生存周期来划分,Lin ... -
Xlib: connection to ":0.0" refused by server的解决方法
2011-03-03 17:00 1098Xlib: connection to ":0.0& ... -
linux的root密码更改
2011-02-24 20:17 907不知道是很久没用的原因还是什么,我的linux的密码竟然 ... -
su与su-的区别(Linux Shell中切换用户)
2011-02-18 12:54 2706前者只是切换了身份,但SHELL环境仍然是原用户的SHEL ... -
在VI编辑器中让所有的字母都变成大写
2011-01-13 10:31 1597在vi中切换到命令行模式(按下ESC),输入以下正则表达 ... -
Linux常用的20个工具
2011-01-06 10:30 1311要监控服务器的运行状况? 尝试一些内建的命令行与少量的外围工具 ... -
tar命令详解
2011-01-05 16:35 860格式: tar 选项 文件目录列表功能: 对文件目录进 ... -
C指针的实质,对底层理解很有好处
2010-12-17 18:06 1622最近对C/C++指针特别感 ... -
网络配置===route命令和netstat命令
2010-12-15 17:03 1288route命令和netstat命令 (netstat - ... -
Linux 网卡配置文件设置
2010-12-15 13:57 12971.配置文件/etc/hosts(本地主机ip地址映射,可以有 ... -
linux设置目录共享
2010-12-10 11:15 9991 vi etc/samba/smb.conf 打开配置文档 ... -
Linux 双击文件夹 不要每次都打开一个新窗口显示
2010-11-25 16:35 1477在打开最顶层文件夹的时候用右键 里面有个浏览文件夹 就可以了 ... -
Linux文件权限详解
2010-11-24 16:24 859一、文件和目录权限概 ...
相关推荐
【Go-ldap-test-tool:一个轻量级的LDAP测试工具】 在信息技术领域,LDAP(Lightweight Directory Access Protocol)是一种用于访问和管理分布式目录服务的标准协议。它被广泛应用于组织内部的身份验证、用户权限...
这个`python_ldap-3.4.4-cp312-cp312-win_amd64.whl`文件是专门为Python 3.12版本编译的Windows 64位平台的Python LDAP库的轮子文件(wheel file)。轮子文件是预编译的Python软件包,旨在简化安装过程,避免了通常...
这个`python_ldap-3.4.4-cp38-cp38-win_amd64.whl`文件是一个预编译的Python轮子(Wheel)包,特别为Python 3.8(cp38)和64位Windows(win_amd64)平台设计。"whl"是一种二进制分发格式,它简化了Python库的安装...
python_ldap-3.3.1-cp37-cp37m-win_amd64
python_ldap-3.4.0-cp310-cp310-win_amd64.whl
python_ldap-3.4.4-cp310-cp310-win_amd64.whl python_ldap-3.4.4-cp311-cp311-win_amd64.whl python_ldap-3.4.4-cp312-cp312-win_amd64.whl python_ldap-3.4.4-cp37-cp37m-win_amd64.whl python_ldap-3.4.4-cp38-cp...
这个`python_ldap-3.1.0-cp36-wheel.zip`压缩包包含了适用于Python 3.6版本的Python LDAP库的二进制安装包。"cp36"代表的是Python 3.6的版本标识,而"win32"和"x64"分别表示这些文件是为32位和64位的Windows系统编译...
`python_ldap-3.4.4-cp37-cp37m-win32.whl` 是这个库的一个特定版本的预编译轮子文件,适用于Python 3.7版本,并且是为32位Windows系统优化的。 首先,我们来理解一下什么是`.whl`文件。`.whl`文件是Python的包分发...
spring-ldap-core-1.3.0.RELEASE.jar
"ldap-account-manager-3.7" 是一个专用于管理 Lightweight Directory Access Protocol (LDAP) 用户账户的应用程序。在IT领域,LDAP是一种重要的目录服务协议,它允许用户存储、管理和检索组织内的用户信息,权限和...
这个“python_ldap-3.4.4-cp39-cp39-win32.whl.zip”文件是Python LDAP库的特定版本,适用于Python 3.9解释器,并且是为32位Windows系统编译的。在Python生态系统中,`whl`(Wheel)文件是一种预编译的Python软件包...
python_ldap-3.3.1-cp36-cp36m-win_amd64.whl
python_ldap-3.3.1-cp38-cp38-win_amd64
python_ldap-3.4.0-cp38-cp38-win_amd64.whl
这个特定的压缩包文件 "python_ldap-3.4.4-cp37-cp37m-win_amd64.whl" 是Python的一个二进制分发包,专门针对Python 3.7(cp37)版本,并且适用于64位的Windows系统(amd64)。.whl文件是一种方便的安装包格式,它...
python_ldap-3.4.0-cp311-cp311-win_amd64.whl
Java 连接ldap需要驱动包,否则JDBC无法访问数据库(无法注册驱动),常用的是ldap-connector
python_ldap-3.3.1-cp39-cp39-win32
ldap页面化管理工具,ldap-account-manager-5.0.tar.gz