OpenLDAP
1 前言
一个问题,一篇文章,一出故事。
今天因为调试KeyCloak与LDAPs集成,由于telnet无法区分路由的回应还是LDAPs服务的回应,因此需要使用tcpdump命令抓包,因此整理本章节。
2 最佳实践
2.1 使用tcpdump命令在ldapsearch请求端监视
tcpdump -nn -tt -i ens192 host dc01.cmdschool.org and port 636
命令显示如下,
dropped privs to tcpdump tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on ens192, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2.2 使用ldapsearh发起请求
ldapsearch -x -H ldaps://dc01.cmdschool.org:636 -w "adminpwd" -D "CN=tmpadmin,CN=Users,DC=cmdschool,DC=org" -b DC=cmdschool,DC=org -o TLS_REQCERT=never "(&(sAMAccountName=will)(objectCategory=person))"
可见如下显示,
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
执行tcpdump命令的终端新增如下显示,
1784283808.229750 IP 10.168.208.186.53212 > 10.168.1.122.636: Flags [S], seq 1521159446, win 32120, options [mss 1460,sackOK,TS val 1532333094 ecr 0,nop,wscale 7], length 0 1784283808.239517 IP 10.168.1.122.636 > 10.168.208.186.53212: Flags [S.], seq 3413595747, ack 1521159447, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 1784283808.239544 IP 10.168.208.186.53212 > 10.168.1.122.636: Flags [.], ack 1, win 251, length 0 1784283808.248370 IP 10.168.208.186.53212 > 10.168.1.122.636: Flags [P.], seq 1:341, ack 1, win 251, length 340 1784283808.248825 IP 10.168.1.122.636 > 10.168.208.186.53212: Flags [R.], seq 1, ack 341, win 251, length 0
没有评论