
Comprobar que OpenLDAP trabaja con TLS



Estoy haciendo pruebas para aprender sobre OpenLDAP en Debian 12. Ya tengo configurado el servicio y tengo TLS configurado bajo cn=config con los siguientes atributos:

olcLocalSSF: 128
olcTLSCACertificateFile: /etc/ldap/ca.pem
olcTLSCertificateKeyFile: /etc/ldap/openldap_key.pem
olcTLSCertificateFile: /etc/ldap/openldap_crt.pem
olcTLSVerifyClient: never

Ahora me dispongo a forzar una consulta de este tipo con -ZZ, y funciona sin problemas:

ldapsearch -x -D cn=admin,dc=oficina,dc=com -W -ZZ -b ou=Usuarios,dc=oficina,dc=com -ZZ

Pero, como no me convence, lo hago en modo depuración con `-d 1`, pero no veo en la salida nada que haga referencia al cifrado TLS:


i32lelor@openldap:~$ ldapsearch -x -D cn=admin,dc=oficina,dc=com -W -ZZ -b ou=Usuarios,dc=oficina,dc=com -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP openldap.oficina.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.1.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x558df594ce50 msgid 1
wait4msg ld 0x558df594ce50 msgid 1 (infinite timeout)
wait4msg continue ld 0x558df594ce50 msgid 1 all 1
** ld 0x558df594ce50 Connections:
* host: openldap.oficina.com  port: 389  (default)
* from: IP=127.0.0.1:36570
  refcnt: 2  status: Connected
  last used: Sun Mar 10 12:23:49 2024


** ld 0x558df594ce50 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x558df594ce50 request count 1 (abandoned 0)
** ld 0x558df594ce50 Response Queue:
   Empty
  ld 0x558df594ce50 response count 0
ldap_chkResponseList ld 0x558df594ce50 msgid 1 all 1
ldap_chkResponseList returns ld 0x558df594ce50 NULL
ldap_int_select
read1msg: ld 0x558df594ce50 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_find_request_by_msgid: msgid 1, lr 0x558df594da90 lr->lr_refcnt = 1
read1msg: ld 0x558df594ce50 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x558df594ce50 0 new referrals
read1msg:  mark request completed, ld 0x558df594ce50 msgid 1
request done: ld 0x558df594ce50 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x558df594da90, lr 0x558df594da90
ldap_return_request: lrx->lr_msgid 1, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 1, msgid 1)
ldap_free_request_int: lr 0x558df594da90 msgid 1 removed
ldap_do_free_request: asked to free lr 0x558df594da90 msgid 1 refcnt 0
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 55 bytes to sd 3
ldap_result ld 0x558df594ce50 msgid 2
wait4msg ld 0x558df594ce50 msgid 2 (infinite timeout)
wait4msg continue ld 0x558df594ce50 msgid 2 all 1
** ld 0x558df594ce50 Connections:
* host: openldap.oficina.com  port: 389  (default)
* from: IP=127.0.0.1:36570
  refcnt: 2  status: Connected
  last used: Sun Mar 10 12:23:53 2024


** ld 0x558df594ce50 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x558df594ce50 request count 1 (abandoned 0)
** ld 0x558df594ce50 Response Queue:
   Empty
  ld 0x558df594ce50 response count 0
ldap_chkResponseList ld 0x558df594ce50 msgid 2 all 1
ldap_chkResponseList returns ld 0x558df594ce50 NULL
ldap_int_select
read1msg: ld 0x558df594ce50 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_find_request_by_msgid: msgid 2, lr 0x558df596fec0 lr->lr_refcnt = 1
read1msg: ld 0x558df594ce50 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x558df594ce50 0 new referrals
read1msg:  mark request completed, ld 0x558df594ce50 msgid 2
request done: ld 0x558df594ce50 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x558df596fec0, lr 0x558df596fec0
ldap_return_request: lrx->lr_msgid 2, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 2, msgid 2)
ldap_free_request_int: lr 0x558df596fec0 msgid 2 removed
ldap_do_free_request: asked to free lr 0x558df596fec0 msgid 2 refcnt 0
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <ou=Usuarios,dc=oficina,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 75 bytes to sd 3
ldap_result ld 0x558df594ce50 msgid -1
wait4msg ld 0x558df594ce50 msgid -1 (infinite timeout)
wait4msg continue ld 0x558df594ce50 msgid -1 all 0
** ld 0x558df594ce50 Connections:
* host: openldap.oficina.com  port: 389  (default)
* from: IP=127.0.0.1:36570
  refcnt: 2  status: Connected
  last used: Sun Mar 10 12:23:53 2024


** ld 0x558df594ce50 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x558df594ce50 request count 1 (abandoned 0)
** ld 0x558df594ce50 Response Queue:
   Empty
  ld 0x558df594ce50 response count 0
ldap_chkResponseList ld 0x558df594ce50 msgid -1 all 0
ldap_chkResponseList returns ld 0x558df594ce50 NULL
ldap_int_select
read1msg: ld 0x558df594ce50 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 100 contents:
ldap_find_request_by_msgid: msgid 3, lr 0x558df59646d0 lr->lr_refcnt = 1
read1msg: ld 0x558df594ce50 msgid 3 message type search-entry
ldap_return_request: lrx 0x558df59646d0, lr 0x558df59646d0
ldap_return_request: lrx->lr_msgid 3, lrx->lr_refcnt is now 0, lr is still present
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# Usuarios, oficina.com
dn: ou=Usuarios,dc=oficina,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: organizationalUnit
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ou: Usuarios
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x558df594ce50 msgid -1
wait4msg ld 0x558df594ce50 msgid -1 (infinite timeout)
wait4msg continue ld 0x558df594ce50 msgid -1 all 0
** ld 0x558df594ce50 Connections:
* host: openldap.oficina.com  port: 389  (default)
* from: IP=127.0.0.1:36570
  refcnt: 2  status: Connected
  last used: Sun Mar 10 12:23:53 2024


** ld 0x558df594ce50 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x558df594ce50 request count 1 (abandoned 0)
** ld 0x558df594ce50 Response Queue:
   Empty
  ld 0x558df594ce50 response count 0
ldap_chkResponseList ld 0x558df594ce50 msgid -1 all 0
ldap_chkResponseList returns ld 0x558df594ce50 NULL
ldap_int_select
read1msg: ld 0x558df594ce50 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 417 contents:
ldap_find_request_by_msgid: msgid 3, lr 0x558df59646d0 lr->lr_refcnt = 1
read1msg: ld 0x558df594ce50 msgid 3 message type search-entry
ldap_return_request: lrx 0x558df59646d0, lr 0x558df59646d0
ldap_return_request: lrx->lr_msgid 3, lrx->lr_refcnt is now 0, lr is still present

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# usuario1, Usuarios, oficina.com
dn: uid=usuario1,ou=Usuarios,dc=oficina,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: usuario1
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
sn: usuario1
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uid: usuario1
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
loginShell: /bin/bash
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uidNumber: 2000
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
gidNumber: 2000
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
homeDirectory: /home/usuario1
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
mail: fulanito@milethos.com
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
givenName: Fulanito Appellido1
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
userPassword:: e1NTSEF9MmNXZ0U2Z3ArKzQ5NEZxVytLUWNiQTZMNUZQdTBpUGQ=
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x558df594ce50 msgid -1
wait4msg ld 0x558df594ce50 msgid -1 (infinite timeout)
wait4msg continue ld 0x558df594ce50 msgid -1 all 0
** ld 0x558df594ce50 Connections:
* host: openldap.oficina.com  port: 389  (default)
* from: IP=127.0.0.1:36570
  refcnt: 2  status: Connected
  last used: Sun Mar 10 12:23:53 2024


** ld 0x558df594ce50 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x558df594ce50 request count 1 (abandoned 0)
** ld 0x558df594ce50 Response Queue:
   Empty
  ld 0x558df594ce50 response count 0
ldap_chkResponseList ld 0x558df594ce50 msgid -1 all 0
ldap_chkResponseList returns ld 0x558df594ce50 NULL
ldap_int_select
read1msg: ld 0x558df594ce50 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 417 contents:
ldap_find_request_by_msgid: msgid 3, lr 0x558df59646d0 lr->lr_refcnt = 1
read1msg: ld 0x558df594ce50 msgid 3 message type search-entry
ldap_return_request: lrx 0x558df59646d0, lr 0x558df59646d0
ldap_return_request: lrx->lr_msgid 3, lrx->lr_refcnt is now 0, lr is still present

ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# usuario2, Usuarios, oficina.com
dn: uid=usuario2,ou=Usuarios,dc=oficina,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: usuario2
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
sn: usuario2
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uid: usuario2
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uidNumber: 2001
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
gidNumber: 2001
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
userPassword:: e1NTSEF9WmxqL2J0NzlPVEZnQ1ppNFNkdFVHSU03VVZLbEJxZDY=
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
loginShell: /bin/bash
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
homeDirectory: /home/usuario2
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
mail: fulanito@milethos.com
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
givenName: Fulanito Appellido2
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x558df594ce50 msgid -1
wait4msg ld 0x558df594ce50 msgid -1 (infinite timeout)
wait4msg continue ld 0x558df594ce50 msgid -1 all 0
** ld 0x558df594ce50 Connections:
* host: openldap.oficina.com  port: 389  (default)
* from: IP=127.0.0.1:36570
  refcnt: 2  status: Connected
  last used: Sun Mar 10 12:23:53 2024


** ld 0x558df594ce50 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x558df594ce50 request count 1 (abandoned 0)
** ld 0x558df594ce50 Response Queue:
   Empty
  ld 0x558df594ce50 response count 0
ldap_chkResponseList ld 0x558df594ce50 msgid -1 all 0
ldap_chkResponseList returns ld 0x558df594ce50 NULL
ldap_int_select
read1msg: ld 0x558df594ce50 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_find_request_by_msgid: msgid 3, lr 0x558df59646d0 lr->lr_refcnt = 1
read1msg: ld 0x558df594ce50 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x558df594ce50 0 new referrals
read1msg:  mark request completed, ld 0x558df594ce50 msgid 3
request done: ld 0x558df594ce50 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x558df59646d0, lr 0x558df59646d0
ldap_return_request: lrx->lr_msgid 3, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 3, msgid 3)
ldap_free_request_int: lr 0x558df59646d0 msgid 3 removed
ldap_do_free_request: asked to free lr 0x558df59646d0 msgid 3 refcnt 0

# search result
search: 3
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 0 Success
ldap_msgfree

# numResponses: 4
# numEntries: 3
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
i32lelor@openldap:~$

