goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

How to ignore TLS certificate for LDAP source? #5324

Open DrakeHamString opened 1 year ago

DrakeHamString commented 1 year ago

Describe your question I cannot connect to our LDAP source because the TLS certificate is expired (since it's an internal certificate, my colleagues don't make the effort to renew it). So I have to stick with that and force the application to ignore the TLS checks.

When actively using the LDAP sync with docker-compose run --rm server ldap_sync *slug of the source* I get this error:

socket ssl wrapping error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1002)

I found no way to force Authentik to ignore the certificate or not to check it... Is it a missing function or can't I find it?

Version and Deployment:

BeryJu commented 1 year ago

By default, if no certificate is specified in the LDAP source, then no certificate verification is done: https://github.com/goauthentik/authentik/blob/main/authentik/sources/ldap/models.py#L112

However, I think it might still check certificate expiry.

Although I think the error above looks a bit more like an SSL/StartTLS issue, are you using ldaps://?

DrakeHamString commented 1 year ago

I'm using ldaps:// since port 636 is the only open port here. I'm forced to use it here...

So I'm relying on the option to actively ignore the certificate check here...

BeryJu commented 1 year ago

Could you post the settings of your LDAP Source? Mainly interested in the connection settings, not the DN/etc settings

DrakeHamString commented 1 year ago

Well, on the server (it's an LDAP proxy) with OpenLDAP and slapd.conf:

slapd.conf: (anonymized)

database                ldap
suffix                  "o=BASE"
uri                     "ldaps://ldap-master.xyz"
tls                     ldaps tls_reqcert=never

ldap.conf: (anonymized)

uri                         ldaps://127.0.0.1
base                        o=BASE
bind_policy                 soft
tls_reqcert                 allow

In the slapd log I can find those lines: (anonymized)

ACCEPT from IP=123.456.78.9:12345 (IP=0.0.0.0:636)
TLS established tls_ssf=256 ssf=256

DrakeHamString commented 1 year ago

It would be helpful if I could disable the ssl check for LDAP completely

septatrix commented 7 months ago

By default, if no certificate is specified in the LDAP source, then no certificate verification is done: https://github.com/goauthentik/authentik/blob/main/authentik/sources/ldap/models.py#L112

This goes against the "secure by default" mantra. In our case the certificate is a normally signed, globally valid certificate from Let's Encrypt. Is there any way to tell authentik to use the default root certificate store?

vnwnv commented 6 months ago

Same issue here: even though no certificate is specified in the LDAP source, I still get sslv3 alert handshake failure.

BeryJu commented 5 months ago

By default, if no certificate is specified in the LDAP source, then no certificate verification is done: main/authentik/sources/ldap/models.py#L112

This goes against the "secure by default" mantra. In our case the certificate is a normally signed, globally valid certificate from Let's Encrypt. Is there any way to tell authentik to use the default root certificate store?

You'd have to create a certificate in authentik with the root and select that to validate against. The reason why the default config isn't to validate certs by default is due to a lot of Active Directory installs not having a correctly signed certificate

In general I can't reproduce the issue with sslv3 alert handshake failure, however I'd assume it'd be related to the ldap.tls.ciphers setting, which is by default unset and as such falls back to https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ciphers
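To make the distinction in the comment above concrete (a trust failure such as an expired or unknown certificate versus a protocol/cipher handshake failure like the SSLV3_ALERT_HANDSHAKE_FAILURE quoted in this issue), here is an added example using only Python's standard ssl module. It is not authentik's code and not the project's LDAP source implementation; the function names, the constructed SAMPLE_EXPIRED_PEERCERT dict and the hostname ldap-master.example.internal are assumptions made for this illustration. It shows how a verifying ldaps:// context is built from the container's own trust store (or from a private root file), what the tls_reqcert=never equivalent looks like, and how to tell the two failure classes apart when probing a server.

```python
import socket
import ssl
import time
from typing import Optional

# Constructed sample of the dict ssl.SSLSocket.getpeercert() returns
# (only the fields this example reads); it is not a real certificate.
SAMPLE_EXPIRED_PEERCERT = {
    "subject": ((("commonName", "ldap-master.example.internal"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}


def make_ldap_tls_context(verify: bool = True, ca_file: Optional[str] = None,
                          ciphers: Optional[str] = None) -> ssl.SSLContext:
    """Build the SSLContext an ldaps:// client should use.

    verify=True  -> CERT_REQUIRED plus hostname checking against the OS/container
                    trust store (what the thread asks for), or against ca_file when a
                    private root is supplied (the "create a certificate in authentik" route).
    verify=False -> the tls_reqcert=never equivalent from the slapd.conf above; only
                    defensible for a legacy server whose certificate cannot be fixed.
    ciphers      -> optional OpenSSL cipher string, the analogue of ldap.tls.ciphers;
                    unset keeps Python's default cipher list.
    """
    # create_default_context() loads the system store when cafile is None and
    # already sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if ciphers:
        ctx.set_ciphers(ciphers)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> str:
    """'verified' when chain and hostname are both enforced, otherwise 'unverified'."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "verified"
    return "unverified"


def cert_validity_status(peercert: dict, now: Optional[float] = None) -> str:
    """Classify a peer certificate by its validity window.

    Returns 'valid', 'expired' or 'not-yet-valid'. A verifying context rejects an
    expired certificate by itself; this only makes the reason explicit for logging.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    return "valid"


def probe_ldaps(host: str, port: int = 636, verify: bool = True,
                ca_file: Optional[str] = None, timeout: float = 5.0) -> str:
    """Open a TLS connection to an LDAPS port and report which stage fails.

    'cert-verify-failed: ...' means a trust, expiry or hostname problem;
    'handshake-failed: ...' means a protocol/cipher mismatch, which is the class
    the SSLV3_ALERT_HANDSHAKE_FAILURE message in this issue belongs to.
    This is a network call and is not exercised by the offline checks.
    """
    ctx = make_ldap_tls_context(verify=verify, ca_file=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # With verify=False getpeercert() returns an empty dict.
                if cert:
                    return "ok (%s)" % cert_validity_status(cert)
                return "ok (unverified)"
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError, so catch first
        return "cert-verify-failed: %s" % exc.verify_message
    except ssl.SSLError as exc:
        return "handshake-failed: %s" % exc.reason
    except OSError as exc:
        return "connect-failed: %s" % exc


if __name__ == "__main__":
    print(describe_context(make_ldap_tls_context()))
    print(cert_validity_status(SAMPLE_EXPIRED_PEERCERT, now=1704067201))
```

Running probe_ldaps against an LDAP server from inside the container is a quick way to separate the two cases discussed in this thread: a verifying context fails with a certificate error for an expired or privately signed certificate, whereas a cipher or protocol mismatch fails in the same way with verify=True and verify=False.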

septatrix commented 5 months ago

By default, if no certificate is specified in the LDAP source, then no certificate verification is done: main/authentik/sources/ldap/models.py#L112

This goes against the "secure by default" mantra. In our case the certificate is a normally signed, globally valid certificate from Let's Encrypt. Is there any way to tell authentik to use the default root certificate store?

You'd have to create a certificate in authentik with the root and select that to validate against.

I mean the default OS certificate store included in the container. Our certificates are properly signed using Let's Encrypt and there is no proper way to configure this currently. As they change regularly we would need to add certificates from higher up in the chain to the authentik store AFAIK, though they can also change from time to time, which requires manual intervention. Using the certificate store from the container does not have these problems.

The reason why the default config isn't to validate certs by default is due to a lot of Active Directory installs not having a correctly signed certificate

Not verifying the certificates should be opt-in; it could be as simple as a checkbox when configuring the source. This is just a gaping security hole having it unverified by default! With #6937 also still being open (and no comment from any maintainer about why this security decrease was accepted) authentik has practically no measures against MITM attacks. For some small consuming application this might be tolerable, but not for an SSO solution where a MITM would result in compromising basically every connected system!

This sounds dramatic but looking at it objectively this is just the way it is.