英文:
How do ignore client certificate prompt when connecting to LDAPS using PowerShell?
问题
这是你提供的Powershell脚本,我将不翻译代码部分,只翻译注释和问题描述部分:
"I have a simple Powershell script that binds to a non-AD LDAP via LDAPS using anonymous auth and does a simple query. My issue is that when the binds initiate, the LDAP server prompts me for a client certificate and I get a select certificate dialog. If my smartcard is in the reader, it wants to use my client cert and asks for a PIN, if I PIN in, it actually fails with a LDAP server unavailable message. If I take the smartcard out, I can cancel out the certificate prompt a couple of times and the bind continues and I can do the query. I am wondering if there is a session option that will allow me to disable the certificate prompts. I have talked to the directory admins, they said the LDAP server is configured for cert auth when using SSL but it is only optional. The client should handle whether to use cert auth or not. Just wondering if there is a clean way to bypass the cert prompts in PowerShell."
英文:
I have a simple Powershell script that binds to a non-AD LDAP via LDAPS using anonymous auth and does a simple query. My issue is that when the binds initiate, the LDAP server prompts me for a client certificate and I get a select certificate dialog. If my smartcard is in the reader, it wants to use my client cert and asks for a PIN, if I PIN in, it actually fails with a LDAP server unavailable message. If I take the smartcard out, I can cancel out the certificate prompt a couple of times and the bind continues and I can do the query. I am wondering if there is a session option that will allow me to disable the certificate prompts. I have talked to the directory admins, they said the LDAP server is configured for cert auth when using SSL but it is only optional. The client should handle whether to use cert auth or not. Just wondering if there is a clean way to bypass the cert prompts in PowerShell.
Here is my simple code:
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
[System.Reflection.Assembly]::LoadWithPartialName("System.Net")
$c = New-Object System.DirectoryServices.Protocols.LdapConnection "dir.mycompany.com:636"
#Set session options
$c.SessionOptions.SecureSocketLayer = $true;
$c.SessionOptions.ProtocolVersion = 3
$c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$c.Bind();
$basedn = "ou=People,dc=mycompany,dc=com"
$filter = "(uid=testuser1)"
$scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$attrlist = ,"employeeID"
$r = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $basedn, $filter, $scope, $attrlist
$re = $c.SendRequest($r);
$re.Entries.count;
$re.Entries;
答案1
得分: 0
SessionOptions的QueryClientCertificate属性用于在需要编写代码来决定要发送哪个客户端证书时,应返回要使用的证书。
我不确定这是否有效,但可以尝试将其返回$null:
$c.SessionOptions.QueryClientCertificate = { $null }
英文:
The QueryClientCertificate property of SessionOptions is there if you need to write code to decide which client certificate to send, and it is supposed to return the certificate to use.
I don't know if this will work, but try making that return $null:
$c.SessionOptions.QueryClientCertificate = { $null }
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论