我使用以下 LDIF 文件来激活对 LDAP 服务器的 TLS 支持:
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/CA.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/key.pem
并使用以下 LDIF 强制客户端连接使用 TLS:
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
在此之后,我不能再使用“-Y EXTERNAL”来读取或修改配置架构。例如,如果我运行,我会收到 SASL 错误:
$ sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): …