haiwen / seafile

High performance file syncing and sharing, with also Markdown WYSIWYG editing, Wiki, file label and other knowledge management features.
http://seafile.com/

LDAP over TLS does not work #1774

Closed ghost closed 7 years ago

ghost commented 8 years ago

Hi, I've been trying to debug LDAPS and I'm stumped -- I hope someone here can help with a solution or further debugging steps.

First, to demonstrate LDAP:// works

ccnet.conf:

[LDAP]
HOST = ldap://ldapauth1.xxx.xxx
BASE = ou=Users,ou=xxx,dc=xxx,dc=local
USER_DN = xxx@xxx.local
PASSWORD = xxx
LOGIN_ATTR = mail

ccnet.log shows this when I authenticate with my AD credentials:

[10/04/16 13:30:16] ../common/session.c(398): Accepted a local client

Now, simply adding "s" to ldap:// I get this:

[LDAP]
HOST = ldaps://ldapauth1.xxx.xxx
BASE = ou=Users,ou=xxx,dc=xxx,dc=local
USER_DN = xxx@xxx.local
PASSWORD = xxx
LOGIN_ATTR = mail

I now get rejected at login and get this in the logs:

[10/04/16 13:32:58] user-mgr.c(277): ldap_bind failed for user xxx@xxx.local: Can't contact LDAP server.
[10/04/16 13:32:58] user-mgr.c(361): Please check USER_DN and PASSWORD settings.

I've already done the suggested step in the documentation and moved the libraries out of the lib directory:

root@seafile:/opt/seafile/xxx/seafile-server-latest/seafile# ls 
bin  disabled_libs  docs  lib  lib64
root@seafile:/opt/seafile/xxx/seafile-server-latest/seafile# ls disabled_libs/
liblber-2.4.so.2  libldap-2.4.so.2  libldap_r-2.4.so.2  libsasl2.so.2
root@seafile:/opt/seafile/xxx/seafile-server-latest/seafile# 

What more can I do to fix this?

Using ldapsearch I can bind fine using both ldap:// and ldaps://

killing commented 8 years ago

What OS are you using?

ghost commented 8 years ago

Debian Jessie

dak@seafile:~$ uname -a
Linux seafile 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux

The AD server is running Windows something.

qk4l commented 7 years ago

I have several installations with ldaps (AD); all of them work perfectly.

I suggest you test your TLS connectivity first by using openssl s_client and check whether the FQDN matches the CN and your system has the required CA certificate.

deric commented 7 years ago

Having the same issue on Debian 8.

apt install ldap-utils

I'm able to run queries from the same machine with TLS:

ldapsearch -H ldaps://ldap.example.com  -w PASSW0RD -x -b "ou=people,dc=example,dc=com" -D "uid=search,dc=example,dc=com"
...
# search result
search: 2
result: 0 Success

In seafile the only working configuration is with ldap://.

LDAP libraries seem to be present:

$ ldd ./seafile/bin/ccnet-server
        linux-vdso.so.1 (0x00007ffd7a7ba000)
        libevent-2.0.so.5 => not found
        libgmodule-2.0.so.0 => not found
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f90f7bc0000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f90f799b000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f90f7784000)
        libgthread-2.0.so.0 => not found
        libffi.so.5 => not found
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f90f757c000)
        libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f90f7180000)
        libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f90f6f7b000)
        libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f90f6cb2000)
        libsearpc.so.1 => not found
        libgio-2.0.so.0 => not found
        libjansson.so.4 => not found
        libgobject-2.0.so.0 => not found
        libglib-2.0.so.0 => not found
        libldap-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 (0x00007f90f6a60000)
        liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f90f6851000)
        libmariadb.so.2 => not found
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f90f65f0000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f90f63ec000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f90f60eb000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f90f5ece000)
        libpq.so.5 => not found
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f90f5b23000)
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f90f58b5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f90f7ddb000)
        libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f90f5699000)
        libgnutls-deb0.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28 (0x00007f90f537a000)
        libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f90f5134000)
        libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f90f4f20000)
        libnettle.so.4 => /usr/lib/x86_64-linux-gnu/libnettle.so.4 (0x00007f90f4cee000)
        libhogweed.so.2 => /usr/lib/x86_64-linux-gnu/libhogweed.so.2 (0x00007f90f4abf000)
        libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f90f483c000)
        libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007f90f4634000)

imwhatiam commented 7 years ago

We tested Seafile with ldaps integration on Debian 8.6 this afternoon; it works well.

As the manual says, we should use these 4 files (liblber-2.4.so.2, libldap-2.4.so.2, libsasl2.so.2, libldap_r-2.4.so.2) from the system (NOT from the Seafile installation).

But I noticed that libldap_r-2.4.so.2 is missing in your paste, could you check it again?

deric commented 7 years ago

@imwhatiam Thanks, that solves the issue. Sorry, I've overlooked that.
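
An added example, not part of the thread or of Seafile's own code: a shell check for the resolution above, reporting whether each of the four LDAP libraries named in the thread is still shipped in a Seafile lib directory and where `ldd` resolves it. The function names, the `/opt/seafile` prefix and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# The four libraries the thread says must be loaded from the system.
LDAP_LIBS="liblber-2.4.so.2 libldap-2.4.so.2 libldap_r-2.4.so.2 libsasl2.so.2"

# leftover_bundled_libs DIR...: print every one of the four files that is
# still present in the given Seafile library directories (ideally none).
leftover_bundled_libs() {
    for dir in "$@"; do
        for lib in $LDAP_LIBS; do
            if [ -e "$dir/$lib" ]; then printf '%s\n' "$dir/$lib"; fi
        done
    done
}

# classify_ldd PREFIX: read `ldd` output on stdin and print, per library,
# "bundled" (resolved under PREFIX), "system" (resolved elsewhere),
# "not found", or "not linked" (no entry in the ldd output).
classify_ldd() {
    prefix=$1
    ldd_out=$(cat)
    for lib in $LDAP_LIBS; do
        path=$(printf '%s\n' "$ldd_out" |
            awk -v lib="$lib" '$1 == lib { print ($3 == "not" ? "not found" : $3); exit }')
        case $path in
            "")           status="not linked" ;;
            "not found")  status="not found" ;;
            "$prefix"/*)  status="bundled" ;;
            *)            status="system" ;;
        esac
        printf '%s\t%s\n' "$lib" "$status"
    done
}

# Constructed sample ldd lines (not taken from the thread).
SAMPLE_LDD='	libldap-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 (0x00007f0000000000)
	liblber-2.4.so.2 => /opt/seafile/seafile-server-latest/seafile/lib/liblber-2.4.so.2 (0x00007f0000001000)
	libsasl2.so.2 => not found'

# Demo on the sample; on a server, pipe in: ldd ./seafile/bin/ccnet-server
printf '%s\n' "$SAMPLE_LDD" | classify_ldd /opt/seafile
```

On a real installation, run `leftover_bundled_libs seafile/lib seafile/lib64` from the server directory; any path it prints is a bundled copy that can still shadow the system library.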