如何在使用PowerShell连接到LDAPS时忽略客户端证书提示?

huangapple go评论69阅读模式
英文:

How do ignore client certificate prompt when connecting to LDAPS using PowerShell?

问题

这是你提供的Powershell脚本,我将不翻译代码部分,只翻译注释和问题描述部分:

"I have a simple Powershell script that binds to a non-AD LDAP via LDAPS using anonymous auth and does a simple query. My issue is that when the binds initiate, the LDAP server prompts me for a client certificate and I get a select certificate dialog. If my smartcard is in the reader, it wants to use my client cert and asks for a PIN, if I PIN in, it actually fails with a LDAP server unavailable message. If I take the smartcard out, I can cancel out the certificate prompt a couple of times and the bind continues and I can do the query. I am wondering if there is a session option that will allow me to disable the certificate prompts. I have talked to the directory admins, they said the LDAP server is configured for cert auth when using SSL but it is only optional. The client should handle whether to use cert auth or not. Just wondering if there is a clean way to bypass the cert prompts in PowerShell."

英文:

I have a simple Powershell script that binds to a non-AD LDAP via LDAPS using anonymous auth and does a simple query. My issue is that when the binds initiate, the LDAP server prompts me for a client certificate and I get a select certificate dialog. If my smartcard is in the reader, it wants to use my client cert and asks for a PIN, if I PIN in, it actually fails with a LDAP server unavailable message. If I take the smartcard out, I can cancel out the certificate prompt a couple of times and the bind continues and I can do the query. I am wondering if there is a session option that will allow me to disable the certificate prompts. I have talked to the directory admins, they said the LDAP server is configured for cert auth when using SSL but it is only optional. The client should handle whether to use cert auth or not. Just wondering if there is a clean way to bypass the cert prompts in PowerShell.

Here is my simple code:

[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
[System.Reflection.Assembly]::LoadWithPartialName("System.Net")

$c = New-Object System.DirectoryServices.Protocols.LdapConnection "dir.mycompany.com:636"

#Set session options

$c.SessionOptions.SecureSocketLayer = $true;
$c.SessionOptions.ProtocolVersion = 3

$c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

$c.Bind();

$basedn = "ou=People,dc=mycompany,dc=com"
$filter = "(uid=testuser1)"
$scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$attrlist = ,"employeeID"

$r = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $basedn, $filter, $scope, $attrlist

$re = $c.SendRequest($r);

$re.Entries.count;
$re.Entries;

答案1

得分: 0

SessionOptionsQueryClientCertificate属性用于在需要编写代码来决定要发送哪个客户端证书时,应返回要使用的证书。

我不确定这是否有效,但可以尝试将其返回$null

$c.SessionOptions.QueryClientCertificate = { $null }
英文:

The QueryClientCertificate property of SessionOptions is there if you need to write code to decide which client certificate to send, and it is supposed to return the certificate to use.

I don't know if this will work, but try making that return $null:

$c.SessionOptions.QueryClientCertificate = { $null }

huangapple
  • 本文由 发表于 2023年4月4日 09:13:51
  • 转载请务必保留本文链接:https://go.coder-hub.com/75924795.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定