Symptom: after SAMLDAP was started, nothing was seen listening on port 389.
Checking the log showed that the service had terminated because the certificate had expired:
2025-01-14T17:08:35.706406+8:00 GLPSRV221I Replication of security attributes feature is disabled.
2025-01-14T17:08:35.706471+8:00 GLPSRV200I Initializing primary database and its connections.
2025-01-14T17:08:55.701185+8:00 GLPRDB126I The directory server will not use DB2 selectivity.
2025-01-14T17:08:55.702698+8:00 GLPSRV015I Server configured to use 636 as the secure port.
2025-01-14T17:08:55.703352+8:00 GLPCOM024I The extended Operation plugin is successfully loaded from libloga.so.
2025-01-14T17:08:55.703559+8:00 GLPCOM024I The extended Operation plugin is successfully loaded from libidsfget.so.
2025-01-14T17:08:55.708325+8:00 GLPSRV232I Pass-through authentication is disabled.
2025-01-14T17:08:55.708349+8:00 GLPSRV234I Pass-through support for compare operations is disabled.
2025-01-14T17:08:55.713020+8:00 GLPCOM003I Non-SSL port initialized to 389.
2025-01-14T17:08:55.713051+8:00 GLPCOM004I SSL port initialized to 636.
2025-01-14T17:08:55.716081+8:00 GLPRDB136W The number of ODBC connections is too low for the configured number of workers: 200. The number of ODBC connections will be automatically increased from 200 to 202.
2025-01-14T17:08:58.845743+8:00 GLPRDB139I 202 connections have been established with the database.
2025-01-14T17:08:58.858083+8:00 GLPRPL137I Restricted Access to the replication topology is set to false.
2025-01-14T17:09:00.198621+8:00 GLPSRV098I Directory server audit logging started.
2025-01-14T17:09:00.201346+8:00 GLPCOM039I Suite B mode is disabled.
2025-01-14T17:09:00.203322+8:00 GLPSSL039I Secure communication using the TLS12 protocol is enabled.
2025-01-14T17:09:00.203379+8:00 GLPSSL039I Secure communication using the TLS13 protocol is enabled.
2025-01-14T17:09:00.211829+8:00 GLPSRV256I The SSL setting for GSK_STRICTCHECK_CBCPADBYTES has been enabled.
2025-01-14T17:09:00.211879+8:00 GLPSRV256I The SSL setting for GSK_STRICTCHECK_CBCPADBYTES_SSL has been enabled.
2025-01-14T17:09:00.211911+8:00 GLPSRV257I The SSL setting for GSK_VACCINATE has been disabled.
2025-01-14T17:09:00.211942+8:00 GLPSRV256I The SSL setting for GSK_ENFORCE_TDEA_RESTRICTION has been enabled.
2025-01-14T17:09:00.211974+8:00 GLPSRV257I The SSL setting for GSK_ALLOW_ONLY_EXTENDED_RENEGOTIATION has been disabled.
2025-01-14T17:09:00.212010+8:00 GLPSRV257I The SSL setting for GSK_ALLOW_ABBREVIATED_RENEGOTIATION has been disabled.
2025-01-14T17:09:00.212041+8:00 GLPSRV257I The SSL setting for GSK_ALLOW_ANY_RENEGOTIATION has been disabled.
2025-01-14T17:09:00.237537+8:00 GLPSSL003E Open of SSL key database file GSK_KEYRING_OPEN_ERROR failed.
2025-01-14T17:09:00.237641+8:00 GLPSRV004I Terminating server.
1. Check the certificate labels contained in the kdb:
$ /usr/bin/gsk8capicmd_64 -cert -list -db /tmp/qa10.kdb -pw passw0rd
Certificates found
* default, - personal, ! trusted, # secret key
! ca9
! root
- qa
$ ls -al /opt/samldap/idsslapd-samldap/etc/qa10.kdb
-rw-r----- 1 root root 15088 Jan 15 12:44 /opt/samldap/idsslapd-samldap/etc/qa10.kdb
2. Check whether the certificate is valid:
$ gsk8capicmd_64 -cert -validate -label qa -db /opt/samldap/idsslapd-samldap/etc/qa10.kdb -pw passw0rd
CTGSK2048W The validity period does not include today or does not fall within its issuer’s validity period.
Additional untranslated info:
GSKKM_LAST_VALIDATION_ERROR: GSKVAL_ERR_CERT_EXPIRED (575018)
GSKKM_VALIDATIONFAIL_SUBJECT: [Class=]GSKVALMethod::PKIX[Issuer=]CN=ap01.acme.com,OU=acme,O=acme,L=beijing,ST=beijing,C=CN[#=]7fcf66a6[Subject=]CN=ap01.acme.com,OU=acme,O=acme,L=beijing,ST=beijing,C=CN
CTGSK2048W The validity period does not include today or does not fall within its issuer’s validity period.
Solution:
After replacing the expired qa10.kdb and its .sth file, the samldap service started normally.
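As an added example (not part of the original note), the two checks above folded into a POSIX shell pre-start script: it lists the personal certificate labels in the kdb, runs -cert -validate on each, and refuses to report the key database healthy if any label fails, so the expiry is caught before ibmslapd logs GLPSSL003E and terminates. The parsing helpers read command output from stdin, and the SAMPLE_* values are constructed copies of the outputs quoted in the note, so everything except kdb_health_check itself runs offline. Assumed: gsk8capicmd_64 is on PATH, and a certificate that validates cleanly produces no CTGSK2048W or GSKKM_LAST_VALIDATION_ERROR line.

```shell
#!/bin/sh
# Added example, not from the original note: a pre-start health check for the GSKit
# key database (.kdb) that ibmslapd opens for its SSL port. The parsing helpers read
# command output from stdin so they can be exercised offline on the samples below.
# Assumptions: gsk8capicmd_64 is on PATH; a certificate that passes "-cert -validate"
# produces no CTGSK2048W / GSKKM_LAST_VALIDATION_ERROR line.

# Constructed samples, copied from the outputs quoted in the note.
SAMPLE_LIST='Certificates found
* default, - personal, ! trusted, # secret key
! ca9
! root
- qa'
SAMPLE_VALIDATE="CTGSK2048W The validity period does not include today or does not fall within its issuer's validity period.
Additional untranslated info:
GSKKM_LAST_VALIDATION_ERROR: GSKVAL_ERR_CERT_EXPIRED (575018)"
SAMPLE_LOG='2025-01-14T17:09:00.237537+8:00 GLPSSL003E Open of SSL key database file GSK_KEYRING_OPEN_ERROR failed.
2025-01-14T17:09:00.237641+8:00 GLPSRV004I Terminating server.'

# Print the labels of personal certificates (the entries with a private key, marked
# "- " in the listing legend) from "gsk8capicmd_64 -cert -list" output on stdin.
kdb_personal_labels() {
    awk '/^- / { sub(/^- /, ""); print }'
}

# Classify "gsk8capicmd_64 -cert -validate" output on stdin as EXPIRED, INVALID or OK.
classify_validate_output() {
    out=$(cat)
    case "$out" in
        *GSKVAL_ERR_CERT_EXPIRED*)                   echo EXPIRED ;;
        *CTGSK2048W*|*GSKKM_LAST_VALIDATION_ERROR*)  echo INVALID ;;
        *)                                           echo OK ;;
    esac
}

# Succeed (exit 0) when an ibmslapd log stream on stdin contains the key database
# open failure that precedes "GLPSRV004I Terminating server." in the note.
log_shows_keyring_failure() {
    grep -q 'GLPSSL003E'
}

# Validate every personal certificate in a live kdb; prints "label: status" per entry
# and returns non-zero if any entry is not OK, so it can gate the server start.
# A kdb with no personal certificate at all also fails, since the server could not
# serve TLS from it.
# Usage: kdb_health_check /opt/samldap/idsslapd-samldap/etc/qa10.kdb passw0rd
kdb_health_check() {
    db=$1; pw=$2
    report=$(gsk8capicmd_64 -cert -list -db "$db" -pw "$pw" | kdb_personal_labels |
        while IFS= read -r label; do
            status=$(gsk8capicmd_64 -cert -validate -label "$label" -db "$db" -pw "$pw" 2>&1 |
                classify_validate_output)
            printf '%s: %s\n' "$label" "$status"
        done)
    printf '%s\n' "$report"
    # Fail if any reported line is not "<label>: OK".
    ! printf '%s\n' "$report" | grep -qv ': OK$'
}
```

Run kdb_health_check from the instance's start wrapper or a scheduled job; on the note's kdb it would print "qa: EXPIRED" and exit non-zero, which is the signal to renew the certificate and replace the kdb and .sth before the next restart rather than discovering the problem from a missing port 389.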