hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

LDAP Certificate Authorization appears non-functional in 0.14.1 #3927

Closed zellio closed 11 months ago

zellio commented 11 months ago

Describe the bug

Attempting to use an LDAP auth method with a client cert / key pair fails to decode and initialize the client, even on certificates considered valid by the CLI, resulting in a non-functional auth method. This holds true for a dummy generated certificate / key pair and for those provided by a third-party vendor.

To Reproduce

Generate useless but valid key / cert pair:

openssl \
    req -x509 -keyout key.pem -out cert.pem \
    -nodes -newkey rsa:4096  -sha256 -days 3650 -nodes -subj \
    "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"

Create new ldap auth client:

boundary auth-methods create ldap \
    -name='Dummy LDAP' -scope-id='global' \
    -client-certificate='file://cert.pem' -client-certificate-key='file://key.pem' \
    -urls='ldaps://localhost:636' -user-dn='dc=company,dc=com'

Attempt login:

boundary authenticate ldap ...

Expected behavior

Auth client is build-able on valid certificates uploaded by the CLI tool.

Additional context

Testing was performed against a production deployment and development server:

% boundary -version

Version information:
  Build Date:          2023-10-17T12:25:13Z
  Git Revision:        43221dce887705c2fc3061d04d0e4420f62b58f3
  Version Number:      0.14.1

Example error log lines:

{
  "id": "ya6IWEzUTM",
  "source": "https://hashicorp.com/boundary/notroot/controller+worker",
  "specversion": "1.0",
  "type": "error",
  "data": {
    "error": "ldap.Authenticate: ldap.(Repository).Authenticate: unable to initialize ldap client with auth method retrieved from database: unknown: error #0: ldap.NewClient: ldap.(ClientConfig).validate: failed to parse client X509 key pair: tls: failed to find any PEM data in key input",
    "error_fields": {
      "Code": 0,
      "Msg": "",
      "Op": "ldap.Authenticate",
      "Wrapped": {
        "Code": 0,
        "Msg": "unable to initialize ldap client with auth method retrieved from database",
        "Op": "ldap.(Repository).Authenticate",
        "Wrapped": {}
      }
    },
    "id": "e_nFNkojxHzx",
    "version": "v0.1",
    "op": "ldap.Authenticate",
    "request_info": {
      "id": "gtraceid_EnoARvMFnmyeLPNdRWLa",
      "method": "POST",
      "path": "/v1/auth-methods/amldap_re97gfLjoo:authenticate",
      "client_ip": "127.0.0.1"
    }
  },
  "datacontentype": "text/plain",
  "time": "2023-10-25T18:25:44.644166-04:00"
}
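
The innermost message in the log above, `tls: failed to find any PEM data in key input`, is what Go's `tls.X509KeyPair` returns when the key bytes it receives contain no PEM block. The following is an added example, not Boundary's code and not part of the thread; the helper names `newPair`, `toPEM` and `checkPair` are hypothetical and an in-memory ECDSA pair stands in for the RSA pair from the report. It shows which key inputs trigger that message and does not identify where in Boundary the key lost its PEM form.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newPair builds a throwaway self-signed cert and PKCS#8 key, both DER (constructed sample data).
func newPair() (certDER, keyDER []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CommonNameOrHostname"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		panic(err)
	}
	if keyDER, err = x509.MarshalPKCS8PrivateKey(key); err != nil {
		panic(err)
	}
	return certDER, keyDER
}

func toPEM(blockType string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: der})
}

// checkPair runs tls.X509KeyPair, the parse whose failure ends the error chain in the log.
func checkPair(certPEM, keyInput []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyInput)
	return err
}

func main() {
	certDER, keyDER := newPair()
	certPEM := toPEM("CERTIFICATE", certDER)
	fmt.Println("PEM key:    ", checkPair(certPEM, toPEM("PRIVATE KEY", keyDER)))
	fmt.Println("raw DER key:", checkPair(certPEM, keyDER))
	fmt.Println("empty key:  ", checkPair(certPEM, nil))
}
```

Running the same check on the stored certificate and key values of an auth method separates a bad upload from a value that was altered after a valid upload.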

jimlambrt commented 11 months ago

I'm sorry you've run into this issue and thank you so much for reporting it. I've reproduced the issue and I'll get a PR opened to hopefully fix the issue.

jimlambrt commented 11 months ago

PR open: https://github.com/hashicorp/boundary/pull/3929

jimlambrt commented 11 months ago

Fix merged to main in #3929