從System.DirectoryServices使用StartTLS與LDAP

Question

我試圖連接到需要StartTLS但沒有運氣的LDAP服務器 - 每當我使用SessionOptions.StartTransportLayerSecurity（..）或將SessionOptions.SecureSocketLayer設置爲true時，我得到例外。

下面是我使用的代碼：

using (var connection = new LdapConnection(new LdapDirectoryIdentifier(config.LdapServer, config.Port, false, false))) 
{ 
    connection.SessionOptions.ProtocolVersion = 3; 
    connection.Credential = new NetworkCredential(config.BindDN, config.BindPassword); 
    connection.SessionOptions.VerifyServerCertificate += (conn, cert) => {return true;}; 
    connection.AuthType = AuthType.Basic; 
    //connection.SessionOptions.SecureSocketLayer = true; 
    connection.SessionOptions.StartTransportLayerSecurity(null); // throws here, same if done after bind. 
    connection.Bind(); 

    ... do stuff with connection 
} 

產生的例外是「TlsOperationException：出現未知錯誤」，調用StartTransportLayerSecurity方法時發生。

我已經測試了針對OpenLDAP服務器和Active Directory的代碼，但都不起作用。

有誰知道如何讓StartTLS使用System.DirectoryServices？

Answer 1

在這個問題上，我發現我跑了agains更多的工作之後t幾個問題：

1. 在我們的測試套件（doh！）連接到AD時，端口號被錯誤地更改爲SSL端口（636）的代碼中存在一個錯誤。
2. OpenLDAP測試服務器（這是我們客戶的複製品）正在使用openldap-2.4.18--它具有StartTLS的已知問題。

應用補丁的OpenLDAP（如這裏討論 - http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html）後，我們能夠解決＃2 - 在這一點，我們開始收到不同的錯誤「出現了一個本地錯誤」。

雖然最初我們有這樣的代碼：

connection.SessionOptions.VerifyServerCertificate 
    += (conn, cert) => {return true;}; 

測試，因爲OpenLDAP服務器使用自簽名的證書，而我們已經刪除了，這不是一個值得信賴的商店。重新引入回調解決了這個問題，但我們現在將其設置爲可配置選項，即「驗證服務器證書是/否」，以便客戶選擇跳過檢查（主要是供我們的QA團隊使用）。

感謝Steffen指出我在OpenLDAP版本的方向，這導致了我的解決方案。

Answer 2

請閱讀本主題： Binding over a TLS/SSL Encrypted Connection

例19.使用基本身份驗證和SSL/TLS

string hostNameAndSSLPort = "sea-dc-02.fabrikam.com:50001"; 
string userName = "cn=User1,cn=AdamUsers,cn=ap1,dc=fabrikam,dc=com"; 
string password = "adamPassword01!"; 

// establish a connection 
LdapConnection connection = new LdapConnection(hostNameAndSSLPort); 

// create an LdapSessionOptions object to configure session 
// settings on the connection. 
LdapSessionOptions options = connection.SessionOptions; 

options.ProtocolVersion = 3; 

options.SecureSocketLayer = true; 

connection.AuthType = AuthType.Basic; 

NetworkCredential credential = 
     new NetworkCredential(userName, password); 

connection.Credential = credential; 

try 
{ 
    connection.Bind(); 
    Console.WriteLine("\nUser account {0} validated using " + 
     "ssl.", userName); 

    if (options.SecureSocketLayer == true) 
    { 
     Console.WriteLine("SSL for encryption is enabled\nSSL information:\n" + 
     "\tcipher strength: {0}\n" + 
     "\texchange strength: {1}\n" + 
     "\tprotocol: {2}\n" + 
     "\thash strength: {3}\n" + 
     "\talgorithm: {4}\n", 
     options.SslInformation.CipherStrength, 
     options.SslInformation.ExchangeStrength, 
     options.SslInformation.Protocol, 
     options.SslInformation.HashStrength, 
     options.SslInformation.AlgorithmIdentifier); 
    } 

} 
catch (LdapException e) 
{ 
    Console.WriteLine("\nCredential validation for User " + 
     "account {0} using ssl failed\n" + 
     "LdapException: {1}", userName, e.Message); 
} 
catch (DirectoryOperationException e) 
{ 
    Console.WriteLine("\nCredential validation for User " + 
    "account {0} using ssl failed\n" + 
    "DirectoryOperationException: {1}", userName, e.Message); 
} 

而接下來的例子顯示綁定到安全端口50001 ADAM實例「如何使用TLS認證和執行任務」

string hostOrDomainName = "fabrikam.com"; 
string userName = "user1"; 
string password = "password1"; 

// establish a connection to the directory 
LdapConnection connection = new LdapConnection(hostOrDomainName); 

NetworkCredential credential = 
    new NetworkCredential(userName, password, domainName); 

connection.Credential = credential; 

connection.AuthType = AuthType.Basic; 

LdapSessionOptions options = connection.SessionOptions; 

options.ProtocolVersion = 3; 

try 
{ 
    options.StartTransportLayerSecurity(null); 
    Console.WriteLine("TLS started.\n"); 
} 
catch (Exception e) 
{ 
    Console.WriteLine("Start TLS failed with {0}", 
     e.Message); 
    return; 
} 

try 
{ 
    connection.Bind(); 
    Console.WriteLine("Bind succeeded using basic " + 
     "authentication and SSL.\n"); 

    Console.WriteLine("Complete another task over " + 
     "this SSL connection"); 
    TestTask(hostName); 
} 
catch (LdapException e) 
{ 
    Console.WriteLine(e.Message); 
} 

try 
{ 
    options.StopTransportLayerSecurity(); 
    Console.WriteLine("Stop TLS succeeded\n"); 
} 
catch (Exception e) 
{ 
    Console.WriteLine("Stop TLS failed with {0}", e.Message); 
} 

Console.WriteLine("Switching to negotiate auth type"); 
connection.AuthType = AuthType.Negotiate; 

Console.WriteLine("\nRe-binding to the directory"); 
connection.Bind(); 

// complete some action over this non-SSL connection 
// note, because Negotiate was used, the bind request 
// is secure. 
// run a task using this new binding 
TestTask(hostName); 

Answer 3

過去有相當多的微妙的LDAP堆棧不兼容，這仍然適用於您的客戶可能使用的潛在遺留場景。

以下是關於OpenLDAP和微軟的LDAP堆棧 之間不兼容的最常見的問題（我將修改和/或替換這些鏈接，一旦更多信息可用） ：

• OpenLDAP的StartTLS issues (ITS#3037)（在On getting OpenLDAP and Windows LDAP to interop總結）觸發了相應的修補程序：
  • You cannot send Start TLS requests from a computer that is running Windows Server 2003 or Windows XP or Windows Vista to a server that is running OpenLDAP Software
• An extended operation that is sent to an LDAP server by API over the LDAP service causes a protocol error

很顯然，無論是更新OpenLDAP和/或Windows（最好當然兩者）應該解決這些問題，如果他們變成是這裏的罪魁禍首。

祝你好運！