goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAPs: Protocol Error #6617

Closed PentaPaetzold closed 1 year ago

PentaPaetzold commented 1 year ago

Describe your question: Trying to get LDAPS working (TLS/SSL).

Relevant infos: I have set up LDAP as written in https://goauthentik.io/docs/providers/ldap/generic_setup. This is basically working, I am getting a list when I am connecting locally without SSL using ldapsearch -x -H ldap://localhost:389 -D 'cn=testu123,ou=users,DC=authentik,DC=penta-home,DC=site' -w 'somethingsilly' -b 'DC=authentik,DC=penta-home,DC=site' '(objectClass=user)' -v (btw, the docs for that command could be updated, as -h is not valid any more and was replaced by -H), but if I do the same thing with ldapsearch -ZZ -d 5 -b 'DC=authentik,DC=penta-home,DC=site' -s sub -D 'cn=testu123,ou=users,DC=authentik,DC=penta-home,DC=site' -H ldaps://authentik.penta-home.site:636 -w "somethingsilly" -x '(objectClass=user)' -x -LLL I get a res_errno: 2, res_error: <Protocol Error>, res_matched: <>, see full logs beneath.

Maybe I have done something wrong with the parameters. I realised that it does not make a difference which password I am using, so maybe the authentication itself is not working via SSL/TLS as I am doing it right now?

-> And if I only use -Z instead of -ZZ it also works. But I am unsure if the connection is encrypted. Maybe this has something to do with the self-signed certificate?

Could someone add the SSL version of ldapsearch to the docs?

The last question would be how to use Let's Encrypt certificates instead of the built-in self-signed ones of authentik?

Logs

daniel@linux:~> ldapsearch -ZZ -d 5 -b 'DC=authentik,DC=penta-home,DC=site' -s sub -D 'cn=testu123,ou=users,DC=authentik,DC=penta-home,DC=site' -H ldaps://authentik.penta-home.site:636 -w "somethingsilly" -x '(objectClass=user)' -x -LLL
ldap_url_parse_ext(ldaps://authentik.penta-home.site:636)
ldap_create
ldap_url_parse_ext(ldaps://authentik.penta-home.site:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP authentik.penta-home.site:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 81.169.165.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 20, subject: /CN=authentik.penta-home.site/O=authentik/OU=Self-signed, issuer: /CN=authentik 2023.5.2
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS read server session ticket
TLS trace: SSL_connect:SSLv3/TLS read change cipher spec
TLS trace: SSL_connect:SSLv3/TLS read finished
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x55725ff57450 msgid 1
wait4msg ld 0x55725ff57450 msgid 1 (infinite timeout)
wait4msg continue ld 0x55725ff57450 msgid 1 all 1
** ld 0x55725ff57450 Connections:
* host: authentik.penta-home.site  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 24 16:01:58 2023

** ld 0x55725ff57450 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55725ff57450 request count 1 (abandoned 0)
** ld 0x55725ff57450 Response Queue:
   Empty
  ld 0x55725ff57450 response count 0
ldap_chkResponseList ld 0x55725ff57450 msgid 1 all 1
ldap_chkResponseList returns ld 0x55725ff57450 NULL
ldap_int_select
read1msg: ld 0x55725ff57450 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 26 contents:
read1msg: ld 0x55725ff57450 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55725ff57450 0 new referrals
read1msg:  mark request completed, ld 0x55725ff57450 msgid 1
request done: ld 0x55725ff57450 msgid 1
res_errno: 2, res_error: <Protocol Error>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Protocol error (2)
        additional info: Protocol Error
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed

Version and Deployment:

ChandonPierre commented 1 year ago

You should upgrade to 2023.6.xx for StartTLS support.

BeryJu commented 1 year ago

From the verbose logs it looks like the ldapsearch command tries to do StartTLS after connecting via SSL, which I don't think is actually supported (and also kinda redundant?)

You can basically remove the -Z when using port 636, since

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.

PentaPaetzold commented 1 year ago

So port 636 is always SSL-encrypted, even when no TLS handshake was successful? If that's true, this is fine.

Last: How do I get rid of self-signed certificates and use my Let's Encrypt ones? In Docker they are in another volume, but I could mount it into authentik somewhere if I knew how to use them there. Are there any docs?

PentaPaetzold commented 1 year ago

Found the docs. Login is working, thank you very much!

K-J-VV commented 1 year ago

@PentaPaetzold could you provide a bit more guidance/info on how you were able to get LDAPS working? I've set up my LDAP so that ldapsearch is able to connect via port 389, but cannot figure out how to get SSL/port 636 going.

Is all that is needed to modify the LDAP provider? Are you using the authentik self-signed cert? What are you putting in 'TLS Server Name'? Are you using something like NGINX-PM to forward a domain/cert to your LDAP server?

Any info/help would be greatly appreciated!

PentaPaetzold commented 1 year ago

@MasterKryszn Did you try ldapsearch as above? What does it tell?

For me it was understanding the difference between TLS and SSL. SSL is established from the beginning of the handshake before sending data (at port 636). The cert can either be the authentik self-signed one (used by default) or set to some valid certificate, which I now use. Look at the certificates section in the docs. If you import your Let's Encrypt directory, they will be shown and be available and you can select the right one for your server. You can check that the SSL certs and the connection are doing fine by running: openssl s_client -connect yourserver.site:636 -showcerts </dev/null

SSL has only one disadvantage: the certificate is fixed; you cannot use different ones if your server serves different domains, as the check will fail then.

This can be achieved by TLS: you can connect at 389 in plaintext with any domain and then it will do a TLS upgrade with the given domain (by the client). The parameter -ZZ in ldapsearch will force this upgrade to succeed and return an error if it fails. Without -ZZ it will also connect, but the data won't be encrypted!

It does not make sense to upgrade SSL connections by TLS. That is why it would not work.

So my solution was to use SSL only and disable TLS completely in the client setup. I also got SSSD login working and now I am waiting impatiently to have Kerberos support in authentik, which would be huge :) GL and HF
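The protocol detail behind BeryJu's diagnosis (StartTLS issued on an already-TLS port 636 connection) and the SSL-vs-StartTLS distinction in the last comment, as an added example that is not code from authentik or from anyone in this thread: it builds the 31-byte LDAPv3 StartTLS extendedRequest that ldapsearch sent ("ber_flush2: 31 bytes"), decodes the 26-byte extendedResponse carrying resultCode 2 (protocolError) that came back, and shows the scheme-based rule a client should apply. The reply bytes are constructed here to match the values in the trace.

```python
"""BER view of the StartTLS exchange seen in the ldapsearch -d 5 trace (RFC 4511)."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"          # RFC 4511 section 4.14
LDAP_RESULT_NAMES = {0: "success", 2: "protocolError"}  # codes relevant to this thread


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER element; short-form length suffices for these small messages."""
    if len(body) >= 128:
        raise ValueError("long-form BER length not needed here")
    return bytes([tag, len(body)]) + body


def starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext_req)


def parse_extended_response(msg: bytes) -> dict:
    """Decode an LDAPMessage holding an ExtendedResponse [APPLICATION 24] (tag 0x78)."""
    if msg[0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    body = msg[2:2 + msg[1]]
    msg_id = body[2]                        # INTEGER, tag 0x02, length 1
    if body[3] != 0x78:
        raise ValueError("not an ExtendedResponse")
    res = body[5:5 + body[4]]
    result_code = res[2]                    # ENUMERATED, tag 0x0a, length 1
    matched_len = res[4]                    # matchedDN OCTET STRING
    pos = 5 + matched_len
    diag_len = res[pos + 1]                 # diagnosticMessage OCTET STRING
    return {
        "msg_id": msg_id,
        "result_code": result_code,
        "result": LDAP_RESULT_NAMES.get(result_code, "other"),
        "matched_dn": res[5:pos].decode(),
        "diagnostic": res[pos + 2:pos + 2 + diag_len].decode(),
    }


def should_send_starttls(url: str) -> bool:
    """ldaps:// negotiates TLS at connect time; StartTLS only belongs on an ldap:// URL."""
    return url.lower().startswith("ldap://")


# Constructed sample: 26-byte reply matching "res_errno: 2, res_error: <Protocol Error>".
SAMPLE_REPLY = (b"\x30\x1a\x02\x01\x01\x78\x15\x0a\x01\x02\x04\x00\x04\x0e"
                + b"Protocol Error")
```

Running parse_extended_response(SAMPLE_REPLY) reproduces the protocolError the trace shows, and should_send_starttls() is the check that would have skipped the redundant -Z on the ldaps:// URL.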