kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

TLS confidentiality required #175

Open rgruyters opened 7 years ago

rgruyters commented 7 years ago

When I enable ssl_check_cert with ssl_ca_file I still get the following message:

http_auth_ldap: Initial bind failed (13: Confidentiality required [TLS confidentiality required])

When I check the LDAP logs:

58eb5c49 conn=101062 fd=47 ACCEPT from IP=10.x.x.x:46488 (IP=0.0.0.0:389)
58eb5c49 conn=101062 op=0 BIND dn="cn=nginx,ou=services,dc=example,dc=local" method=128
58eb5c49 conn=101062 op=0 RESULT tag=97 err=13 text=TLS confidentiality required

I have the following configuration in my NGINX file:

ldap_server test {
  url ldap://ldap.example.local:389/DC=example,DC=local?uid?sub?(objectClass=person);
  binddn "cn=nginx,ou=services,dc=example,dc=local";
  binddn_passwd "<<removed>>";
  ssl_check_cert on;
  ssl_ca_file "/etc/nginx/ssl/ca.pem";
}

I have NGINX running in a Docker container on Alpine version 3.4 (because 3.5 has moved to LibreSSL and doesn't work with nginx-auth-ldap).
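An added example, not code from this issue or from nginx-auth-ldap: a small Python audit over slapd log lines like the ones quoted above. It ties each simple BIND to its RESULT per connection and reports whether the password was sent before TLS was up (a simple bind carries the password in the request itself, so the err=13 rejection above arrives only after it was already on the wire); the log lines are constructed, and the STARTTLS/RESULT line shapes are my reading of the slapd log format, not taken from this page.

```python
import re

# slapd log patterns; conn= and op= tie a request to its RESULT line
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=\S+ \(IP=\S+:(\d+)\)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
STARTTLS_RE = re.compile(r"conn=(\d+) op=(\d+) STARTTLS")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT .*?err=(\d+)")

# Constructed sample modelled on the lines quoted in this issue (placeholder IPs/DNs)
SAMPLE_LOG = """\
58eb5c49 conn=101062 fd=47 ACCEPT from IP=10.0.0.5:46488 (IP=0.0.0.0:389)
58eb5c49 conn=101062 op=0 BIND dn="cn=nginx,ou=services,dc=example,dc=local" method=128
58eb5c49 conn=101062 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
58eb5c4a conn=101063 fd=48 ACCEPT from IP=10.0.0.5:46490 (IP=0.0.0.0:389)
58eb5c4a conn=101063 op=0 STARTTLS
58eb5c4a conn=101063 op=0 RESULT oid= err=0 text=
58eb5c4a conn=101063 op=1 BIND dn="cn=nginx,ou=services,dc=example,dc=local" method=128
58eb5c4a conn=101063 op=1 RESULT tag=97 err=0 text=
58eb5c4b conn=101064 fd=49 ACCEPT from IP=10.0.0.9:50012 (IP=0.0.0.0:389)
58eb5c4b conn=101064 op=0 BIND dn="cn=legacy,ou=services,dc=example,dc=local" method=128
58eb5c4b conn=101064 op=0 RESULT tag=97 err=0 text=
"""

def audit_binds(log):
    """Return (conn, dn, err, verdict) for every simple BIND, in log order."""
    tls_on = {}    # conn -> is TLS active on this connection?
    pending = {}   # (conn, op) -> (kind, dn), waiting for its RESULT line
    findings = []
    for line in log.splitlines():
        if m := ACCEPT_RE.search(line):
            tls_on[m[1]] = m[2] == "636"   # ldaps listener: TLS from the first byte
        elif m := STARTTLS_RE.search(line):
            pending[(m[1], m[2])] = ("STARTTLS", "")
        elif m := BIND_RE.search(line):
            if m[4] == "128":              # simple bind: password travels in the request
                pending[(m[1], m[2])] = ("BIND", m[3])
        elif m := RESULT_RE.search(line):
            conn, op, err = m[1], m[2], int(m[3])
            kind, dn = pending.pop((conn, op), ("", ""))
            if kind == "STARTTLS" and err == 0:
                tls_on[conn] = True        # later ops on this conn are protected
            elif kind == "BIND":
                if err == 13:
                    verdict = "rejected: cleartext bind to a server that requires TLS"
                elif not tls_on.get(conn, False):
                    verdict = "accepted over cleartext: password exposed on the wire"
                else:
                    verdict = "accepted over TLS" if err == 0 else f"failed over TLS (err={err})"
                findings.append((conn, dn, err, verdict))
    return findings
```

Calling audit_binds(SAMPLE_LOG) flags conn 101062 (the case in this issue) as a rejected cleartext bind, conn 101063 as a bind accepted after STARTTLS, and conn 101064 as a cleartext bind a less strict server simply accepted, which is the case worth hunting for in your own logs.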

fvm2000 commented 7 years ago

If you're using ssl on ldap, shouldn't you be using "url ldaps://" instead of "url ldap://"?

rgruyters commented 7 years ago

@fvm2000 I use TLS not SSL. LDAP+TLS is via 389.

tchoutri commented 6 years ago

@kvspb Hi! Any news about STARTTLS support? More and more organisations are using it, and I don't want to ditch Nginx in favor of Apache just because of that :/

JoeKun commented 5 years ago

Any news on adding StartTLS support to nginx-auth-ldap? It looks like a pretty nifty authentication module, but I just can't use it until it supports StartTLS to connect to the LDAP server.

tchoutri commented 5 years ago

@kvspb hi, can you, like, tell us if you're not working on this project anymore?