dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

ldap insecureSkipVerify - remote error: tls: handshake failure #907

Open yawboateng opened 7 years ago

yawboateng commented 7 years ago

Running dex with ldap insecureSkipVerify set to true returns the error below:

2017-04-12T14:54:26.707945506Z time="2017-04-12T14:54:26Z" level=error msg="Failed to login user: failed to connect: LDAP Result Code 200 \"\": remote error: tls: handshake failure"

Setting the flag to false also returns the same error. Any help on what might be causing this? And is it possible to get more information in the logs?

issuer: https://dex.example.com:5556
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  http: 0.0.0.0:5556
  #tlsCert: /etc/dex/tls/tls.crt
  #tlsKey: /etc/dex/tls/tls.key

connectors:
- type: ldap
  id: ldap
  name: ldap
  config:
    host: ldapHost:636
    #rootCA: /etc/dex/cacert.pem
    insecureSkipVerify: true
    bindDN: bindDN
    bindPW: bindPW
    userSearch:
      baseDN: ldapBaseDN
      username: uid
      idAttr: uid
      emailAttr: email
      nameAttr: cn
    groupSearch:
      baseDN: ldapBaseDN
      filter: filter
      userAttr: uid
      groupAttr: group
      nameAttr: cn
oauth2:
  skipApprovalScreen: true

staticClients:
- id: client-id
  redirectURIs:
    - https://client.example.com/callback
  name: clientName
  secret: clientSec
enablePasswordDB: false

ericchiang commented 7 years ago

Why are you providing both insecureSkipVerify and a rootCA? If you have the latter you don't need the former.

We're just printing the error from the LDAP library we're using https://github.com/go-ldap/ldap.

Maybe we're mixing up LDAPS and LDAP with TLS negotiation?[0] What server are you using?

[0] http://www.openldap.org/faq/data/cache/605.html

yawboateng commented 7 years ago

Yea, tested with one of those options at a time, but same error and not much info in the logs.

I'm running IBM Directory Server 6.3.

ericchiang commented 7 years ago

There's some more details here: https://github.com/coreos/dex/pull/908

IBM Directory Server should support LDAPS[0]. Do you have ldapsearch available, or an equivalent tool? What happens when you use those to connect to port 636?

[0] https://www.ibm.com/support/knowledgecenter/SSEP7J_10.2.1/com.ibm.swg.ba.cognos.c8pp_inst.10.2.1.doc/t_stp_ssl_ldap.html

yawboateng commented 7 years ago

ldapsearch connects fine with the following: openssl s_client -showcerts -connect <ldapHost>:636 </dev/null | openssl x509 -outform PEM -out /tmp/cacert.pem; env LDAPTLS_CACERT=/tmp/cacert.pem ldapsearch -x -H ldaps://<ldapHost>:636

simple connect response:

# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

ericchiang commented 7 years ago

Is this still an issue?

yawboateng commented 7 years ago

@ericchiang, yes, still an issue. Running the latest release. That insecureSkipVerify flag doesn't seem to have any effect.

ericchiang commented 7 years ago

that insecureSkipVerify flag doesn't seem to have any effect.

Little confused by that. Based on my testing this does work https://github.com/coreos/dex/pull/1096
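The thread turns on whether insecureSkipVerify can have any bearing on the error in the log line. In Go's crypto/tls, which go-ldap and therefore dex sit on, "remote error: tls: handshake failure" means the client received a handshake_failure alert sent by the server, whereas InsecureSkipVerify only switches off the client's verification of the server certificate. Those are two different failure classes, and only the certificate-trust class is addressed by rootCA or insecureSkipVerify. The Go program below is an added example, not part of this issue or of dex's code: it stands up two loopback TLS listeners with a constructed self-signed certificate and classifies four dials: default verification (untrusted certificate), skip-verify, a pinned root (the equivalent of the rootCA option), and a cipher-suite mismatch that makes the server send the alert even with verification skipped. The listener addresses, the certificate name and the cipher-suite choices are constructed for the demonstration; the openssl s_client and ldapsearch commands earlier in the thread are the manual way to tell the same cases apart against a real server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1 so the
// example runs offline; it stands in for the directory server's own cert.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ldap.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// serve listens on loopback and completes one TLS handshake per connection,
// the way an LDAPS listener on 636 would. It returns the address and a stop func.
func serve(cfg *tls.Config) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // any failure is reported to the client as an alert
			}()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// classify dials addr as a TLS client and names the failure class. This is the
// distinction the issue hinges on: "untrusted-cert" is what rootCA or
// insecureSkipVerify change; "handshake-failure" is an alert chosen by the
// server, which no client-side trust setting can change.
func classify(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return "ok"
	}
	var unknownCA x509.UnknownAuthorityError
	switch {
	case errors.As(err, &unknownCA):
		return "untrusted-cert"
	case strings.Contains(err.Error(), "tls: handshake failure"): // same text as the dex log line
		return "handshake-failure"
	default:
		return "other: " + err.Error()
	}
}

// runScenarios reproduces the four cases a practitioner would want to compare.
func runScenarios() (map[string]string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	// Listener 1: ordinary LDAPS-style server presenting a self-signed certificate.
	addr, stop, err := serve(&tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	defer stop()
	// Listener 2: same certificate, but pinned to one TLS 1.2 cipher suite that the
	// client below does not offer, so the server answers with a handshake_failure alert.
	strict, stopStrict, err := serve(&tls.Config{
		Certificates: []tls.Certificate{cert},
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
	})
	if err != nil {
		return nil, err
	}
	defer stopStrict()
	return map[string]string{
		"verify-default": classify(addr, &tls.Config{}),
		"skip-verify":    classify(addr, &tls.Config{InsecureSkipVerify: true}),
		"pinned-rootCA":  classify(addr, &tls.Config{RootCAs: pool}),
		"cipher-mismatch": classify(strict, &tls.Config{
			InsecureSkipVerify: true, // makes no difference to this class of failure
			MaxVersion:         tls.VersionTLS12,
			CipherSuites:       []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
		}),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for name, class := range results {
		fmt.Printf("%-16s %s\n", name, class)
	}
}
```

The practical reading for a deployment: if a dial with InsecureSkipVerify still fails with "handshake failure", the server rejected the handshake itself (version, cipher-suite or similar negotiation) and the fix lives in the server's TLS settings or in which port and mode (LDAPS versus StartTLS) the client uses, not in trust configuration; only the "untrusted-cert" class is the one rootCA is for, and the pinned-root dial is the setting to keep in production rather than skip-verify.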