Troubleshooting LDAPS ERR_04120_TLS_HANDSHAKE_ERROR

This error is very often caused by a missing client certificate: the LDAPS deployment has a server certificate, but the client connecting to it presents none, and the server is configured to demand one. The server log shows that no certificate was found:
2023-05-22 16:30:58 646b2842 conn=1002 fd=13 ACCEPT from IP=172.19.0.1:54042 (IP=0.0.0.0:636)
2023-05-22 16:31:02 TLS: can't accept: No certificate was found..
2023-05-22 16:31:02 646b2846 conn=1002 fd=13 closed (TLS negotiation failure)
The error as shown in ADS (Apache Directory Studio): [error screenshot not reproduced]. Users who build OpenLDAP from source or install it from binaries rarely run into this, because upstream OpenLDAP does not check client certificates by default; if you do hit it, adjust the TLSVerifyClient directive as described in the official documentation: https://www.openldap.org/doc/admin24/tls.html
16.2.1.9. TLSVerifyClient { never | allow | try | demand }

This directive specifies what checks to perform on client certificates in an incoming TLS session, if any. This option is set to never by default, in which case the server never asks the client for a certificate. With a setting of allow the server will ask for a client certificate; if none is provided the session proceeds normally. If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds normally, as if no certificate had been provided. With a setting of try the certificate is requested, and if none is provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is immediately terminated. With a setting of demand the certificate is requested and a valid certificate must be provided, otherwise the session is immediately terminated.
If you deploy with the osixia/openldap image and want to connect over TLS, pay attention to the LDAP_TLS_VERIFY_CLIENT setting: its default value is demand (see https://github.com/osixia/docker-openldap#defaultyaml), which is the opposite of upstream OpenLDAP's default of never. I only noticed this parameter after reading the issue at https://github.com/osixia/docker-openldap/issues/105; it is easy to miss when following the standard deployment steps. Setting LDAP_TLS_VERIFY_CLIENT to try (or to never, if clients will not present certificates at all) resolves the handshake error. Leaving it at demand means every client must present a certificate the server can verify against its CA, otherwise the connection is dropped during TLS negotiation exactly as in the log above; keep demand only if you actually intend to enforce mutual TLS and have issued client certificates from a CA the server trusts. Note that try still terminates the session when a client presents a certificate that cannot be verified, so a client with a stale or wrong certificate will fail under try but succeed under allow.
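To make the diagnosis and the fix concrete, here is an added shell example; it is not code from the original post or from the osixia project. It covers the osixia image setting and also the cn=config route for a source or binary install mentioned earlier. The host name ldap.example.com, the /certs paths, the base DN, the container name and the image tag are placeholders (assumptions), and the log lines are constructed after the ones quoted in the post:

```shell
#!/bin/sh
# Added example, not code from the original post or the osixia project.
# Hypothetical values: host ldap.example.com, paths under /certs, the image
# tag, the base DN dc=example,dc=com, and the temporary file names.

# --- 1. Recognise the failure in slapd's log -------------------------------
# "No certificate was found" is what a GnuTLS-backed slapd logs when it
# demanded a client certificate and the client presented none.
classify_slapd_log() {            # usage: classify_slapd_log LOGFILE
    if grep -q 'No certificate was found' "$1"; then
        echo CLIENT_CERT_MISSING
    elif grep -q 'TLS negotiation failure' "$1"; then
        echo TLS_FAILURE_OTHER
    else
        echo OK
    fi
}

# Constructed sample logs (modelled on the lines quoted in the post).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2023-05-22 16:30:58 646b2842 conn=1002 fd=13 ACCEPT from IP=172.19.0.1:54042 (IP=0.0.0.0:636)
2023-05-22 16:31:02 TLS: can't accept: No certificate was found..
2023-05-22 16:31:02 646b2846 conn=1002 fd=13 closed (TLS negotiation failure)
EOF

HEALTHY_LOG=$(mktemp)
cat >"$HEALTHY_LOG" <<'EOF'
2023-05-22 16:40:01 646b2a51 conn=1003 fd=14 ACCEPT from IP=172.19.0.1:54100 (IP=0.0.0.0:636)
2023-05-22 16:40:01 646b2a51 conn=1003 fd=14 TLS established tls_ssf=256 ssf=256
EOF

# --- 2. Confirm from the client side that the server asks for a cert --------
# With -msg, openssl prints every handshake message it sends or receives; a
# CertificateRequest from the server means TLSVerifyClient is allow, try or
# demand rather than never.
server_requests_client_cert() {   # usage: server_requests_client_cert HOST PORT
    openssl s_client -connect "$1:$2" -msg </dev/null 2>&1 \
        | grep -q 'CertificateRequest'
}

# --- 3a. Fix for the osixia image: stop demanding a client certificate ------
# 'try' still rejects a certificate that is presented but cannot be verified;
# 'never' disables client certificate checks entirely.
run_openldap_try_mode() {
    docker run -d --name openldap -p 636:636 \
        -e LDAP_TLS_VERIFY_CLIENT=try \
        osixia/openldap:1.5.0     # image tag is an assumption
}

# --- 3b. The same change on a source/binary install via cn=config -----------
set_olc_verify_client() {         # usage: set_olc_verify_client try|never|allow|demand
    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: $1
EOF
}

# --- 3c. Alternative: keep 'demand' and give the client a certificate -------
# The OpenLDAP client tools read these from the environment (ldap.conf(5)).
ldapsearch_with_client_cert() {
    LDAPTLS_CACERT=/certs/ca.crt \
    LDAPTLS_CERT=/certs/client.crt \
    LDAPTLS_KEY=/certs/client.key \
    ldapsearch -H ldaps://ldap.example.com:636 -x -b dc=example,dc=com -s base
}

# Offline part: classify the constructed logs.
classify_slapd_log "$SAMPLE_LOG"    # CLIENT_CERT_MISSING
classify_slapd_log "$HEALTHY_LOG"   # OK

# Live part, only when a target is supplied, e.g. LDAPS_HOST=ldap.example.com
if [ -n "${LDAPS_HOST:-}" ]; then
    if server_requests_client_cert "$LDAPS_HOST" "${LDAPS_PORT:-636}"; then
        echo "$LDAPS_HOST asks for a client certificate (TLSVerifyClient is not never)"
    else
        echo "$LDAPS_HOST does not ask for a client certificate"
    fi
fi
```

Run the log classifier first: CLIENT_CERT_MISSING tells you the server is in allow/try/demand mode and the client sent nothing, which narrows the problem before you touch any configuration. The openssl check is the same observation made from the client side. Of the three fixes, 3a and 3b relax the server (try for a server that should tolerate clients without certificates, never if you want no client checks at all), while 3c keeps demand and makes the client comply; choose 3c when mutual TLS is the intended design rather than an accident of the image default.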