How to connect to an LDAP server using a p12 certificate
I want to connect to a LDAP server using a .p12 certificate instead of using a username and password. The Java solution for this looks like
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

String ldapURL = "ldaps://" + host + ":" + port;
// Point the default JSSE key manager at the PKCS#12 file holding the client certificate
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.keyStore", keystore);
System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapURL);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.REFERRAL, "follow");
try
{
    // Create initial context
    LdapContext ctx = new InitialLdapContext(env, null);
    // Perform client authentication using TLS credentials (SASL EXTERNAL)
    ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
    SearchControls ctls = new SearchControls();
    // Specify the search filter to match
    String filter = "(objectClass=*)";
    // Search for objects using the filter
    NamingEnumeration<SearchResult> answer = ctx.search("ou=" + elemType[i] + "," + siteSpecificBaseDN, filter, ctls);
    ...
Can I do the same using Python? I could only find examples showing how to connect to an LDAP server with python-ldap using a username and a password, but that is not what I need. If it is not possible using a .p12 certificate, it would also help me if there is a solution using x509 certificates (.pem format).
If you use python-ldap, you can use the TLS options to set these parameters.
import ldap

# Trust store: the concatenated PEM CA certificates
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "/path/to/trustedcerts.pem")
# Client certificate and its private key, extracted from the .p12 file
ldap.set_option(ldap.OPT_X_TLS_CERTFILE, "/path/to/usercert.pem")
ldap.set_option(ldap.OPT_X_TLS_KEYFILE, "/path/to/user.key.pem")
ds = ldap.initialize("ldaps://ldap.example.com:port/")
# If using START_TLS instead of ldaps:
# ds = ldap.initialize("ldap://ldap.example.com:port/")
# ds.start_tls_s()
In this case:
- trustedcerts.pem is the equivalent of the trust store. It's a concatenation of the trusted certificates you want in PEM format. You could also use a directory with individual certificates with OPT_X_TLS_CACERTFILE, but I think it's not supported by GnuTLS, so it depends on which TLS library python-ldap and its OpenLDAP client library have been compiled against. More details on the underlying directives in the OpenLDAP manual.
- usercert.pem is your user certificate, in PEM format (you'll have to extract it from your PKCS#12 file).
- user.key.pem is your private key (again, it needs to be extracted from the p12 file).
Certificate and key extraction from a PKCS#12 file can be done with OpenSSL using this:
openssl pkcs12 -in userstore.p12 -clcerts -nokeys -out usercert.pem
openssl pkcs12 -in userstore.p12 -nocerts -nodes -out user.key.pem
Note: if you extract the private key (in user.key.pem) this way (-nodes), it will not be password-protected, so you'll need to make sure this file is not readable by anyone else. I don't think OpenLDAP (and even less its Python binding) let you prompt for a password interactively to get around that problem, but I'm not sure.
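The extraction step above, as an added example that is not part of the original answer: a POSIX shell script that pulls usercert.pem and user.key.pem out of a PKCS#12 file with the two openssl commands shown, restricts the unencrypted key file to its owner as the note asks, and checks that the extracted certificate and key actually belong together. It assumes openssl is on PATH; the userstore.p12 it works on is constructed inside the script from a throwaway self-signed certificate so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original answer): extract the client certificate and
# the unencrypted private key from a PKCS#12 file for python-ldap, lock the key
# file down, and verify the certificate and key really belong together.
# Assumes openssl is on PATH. userstore.p12 is constructed below from a throwaway
# self-signed certificate (test data) so the script runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a self-signed user certificate packed into userstore.p12
# with the password "changeit".
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldapuser" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
        -name ldapuser -passout pass:changeit -out "$WORK/userstore.p12"
}

# extract_p12 <p12 file> <p12 password> <output dir>
# Same two openssl commands as in the answer. -nodes leaves the key unencrypted,
# so the umask makes the files owner-only the moment they are created.
extract_p12() {
    p12=$1; pass=$2; out=$3
    umask 077
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$out/usercert.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/user.key.pem"
    chmod 600 "$out/user.key.pem"
}

# key_matches_cert <cert.pem> <key.pem>: succeeds if both carry the same public key,
# which catches a cert/key mix-up before the TLS handshake fails with a vague error.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# key_is_private <key.pem>: succeeds if the mode is exactly 0600 (GNU or BSD stat).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

make_sample_p12
extract_p12 "$WORK/userstore.p12" changeit "$WORK"
key_matches_cert "$WORK/usercert.pem" "$WORK/user.key.pem"
key_is_private "$WORK/user.key.pem"
echo "usercert.pem and user.key.pem ready for OPT_X_TLS_CERTFILE / OPT_X_TLS_KEYFILE"
```

Point OPT_X_TLS_CERTFILE and OPT_X_TLS_KEYFILE at the two files the script writes; if key_matches_cert fails, the .p12 held a certificate for a different key and the LDAP server would reject the client certificate during the handshake.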