nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License

Setting X-Ldap-Starttls "true" always gives an error #39

Closed btassite closed 6 years ago

btassite commented 6 years ago

Hi,

depending on what combination of X-Ldap-URL "ldap(s)://..:" I try, when X-Ldap-Starttls "true" is set I always get an error:

With X-Ldap-URL "ldap://10.1.2.3:3268": Error while initializing LDAP connection: {'info': '(unknown error code)', 'desc': 'Connect error'}, server="ldap://10.1.2.3:3268", login="ldapuser@domain.com"

"ldap://10.1.2.3:389"; Error while initializing LDAP connection: {'info': '(unknown error code)', 'desc': 'Connect error'}, server="ldap://10.1.2.3:389", login="ldapuser@domain.com"

"ldap://..:636": Error while initializing LDAP connection: {'desc': "Can't contact LDAP server"}, server="ldap://10.1.2.3:636", login="ldapuser@domain.com"

I guess ldaps shouldn't be mixed with TLS, but for completeness sake: "ldaps://..:636": Error while initializing LDAP connection: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}, server="ldaps://10.1.2.3:636", login="ldapuser@domain.com"

"ldaps://..:389" and "ldaps://..:3268": Error while initializing LDAP connection: {'info': 'Error in the pull function.', 'desc': "Can't contact LDAP server"}, server="ldaps://10.1.2.3:389", login="ldapuser@domain.com" Error while initializing LDAP connection: {'info': 'Error in the pull function.', 'desc': "Can't contact LDAP server"}, server="ldaps://10.1.2.3:3268", login="ldapuser@domain.com"

Also, when commenting out the line with X-Ldap-Starttls "true", even then only ldap://..:3268 seems to work in our setup.

ldapsearch -ZZ -H ldap://..:389 and -H ldaps://..:636 works fine after adding our AD's cert via dpkg-reconfigure ca-certificates (exported base 64 x.509 .crt in /usr/local/share/ca-certificates/). Am I correct in assuming this isn't used by nginx-ldap-auth? Am I doing something wrong or is secure transmission not working at this moment?

nginx config parameters used:

internal;
proxy_pass http://127.0.0.1:8888$request_uri;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Ldap-URL "ldap://10.1.2.3:3268";
proxy_set_header X-Ldap-Starttls "true";
proxy_set_header X-Ldap-BaseDN "dc=domain,dc=com";
proxy_set_header X-Ldap-BindDN "ldapuser@domain.com";
proxy_set_header X-Ldap-BindPass "ldapuserspassword";
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
proxy_set_header X-Ldap-Template "(&(memberOf=CN=AccessGroup,OU=_Unit,OU=_Department,DC=domain,DC=com)(userPrincipalName=%(username)s))";

This is on Debian 9.3 in combination with a Windows 2012R2 AD.

vl-homutov commented 6 years ago

Hello, you may want to check if your python-ldap package is built with openssl support. Which python version are you using?

btassite commented 6 years ago

Python 2.7.13, print(ldap.TLS_AVAIL) outputs a 1. Raising debug level to 255 clears some things up:

ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
[..]
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code)

If I put TLS_REQCERT ALLOW in /etc/ldap/ldap.conf it works, but this makes it insecure (not sure if connection is even encrypted in this case, or if just any certificate is accepted, enabling a MITM) and doesn't explain why ldapsearch for example has no problems with it even if I set it to DEMAND.

vl-homutov commented 6 years ago

Well, it looks like there is some problem with your certificates. Are you using self-signed certificates? Also, look at https://github.com/nginxinc/nginx-ldap-auth/issues/27

btassite commented 6 years ago

Thanks, you were on the right track, cert is using internal issuer, got it working (with TLS_REQCERT DEMAND) by importing the issuer's cert as well under /etc/ssl/certs/ (but only with port 3268, not 389) :)

For the record, connection is still encrypted with TLS_REQCERT ALLOW, but that would only raise the bar to a MITM.
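Two defender-side checks for what this thread ended up diagnosing, written as an added example rather than code from the nginx-ldap-auth project or from either commenter: an audit of ldap.conf that flags TLS_REQCERT allow/never/try (the workaround that keeps the connection encrypted but lets any certificate through), and a python-ldap connection helper that points libldap at the internal issuer's CA file, demands certificate verification, and refuses the ldaps:// plus StartTLS combination that fails above. The sample conf text, the CA path and the function names are constructed for this example; python-ldap is only needed by the connection helper, the audit runs without it.

```python
"""Added example, not code from nginx-ldap-auth or from this issue thread.

audit_ldap_conf(): flag an /etc/ldap/ldap.conf that weakens peer
certificate checking instead of trusting the internal issuer.
validate_transport(): reject the ldaps:// + StartTLS combination.
open_ldap_connection(): python-ldap connection with strict verification
against an explicit CA file (python-ldap is only needed here).
All paths and the sample conf text below are constructed.
"""
try:
    import ldap  # python-ldap; optional, used only by open_ldap_connection
except ImportError:
    ldap = None

# TLS_REQCERT values that soften or skip certificate checking. "allow"
# still encrypts, but any certificate is accepted, so an attacker on the
# path can present their own: the raised-bar-only MITM noted in the thread.
WEAK_REQCERT = ("never", "allow", "try")


def parse_ldap_conf(conf_text):
    """Parse ldap.conf syntax: KEY value per line, '#' comments, keys case-insensitive."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(conf_text):
    """Return (severity, message) findings; an empty list means no concern."""
    settings = parse_ldap_conf(conf_text)
    findings = []
    # "demand" is libldap's default when TLS_REQCERT is not set.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(("high",
            "TLS_REQCERT %s accepts unverified server certificates; keep "
            "'demand' and trust the issuing CA instead" % reqcert))
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append(("info",
            "no TLS_CACERT/TLS_CACERTDIR: the system trust store is used, "
            "so the internal issuer's certificate must be installed there "
            "(e.g. /usr/local/share/ca-certificates + update-ca-certificates)"))
    return findings


def validate_transport(url, starttls):
    """Return the URL scheme, or raise if StartTLS is requested over ldaps://.

    ldaps:// is TLS from the first byte; layering StartTLS on top of it
    does not work, as the ldaps://...:636 + X-Ldap-Starttls attempt above shows.
    """
    scheme = url.split("://", 1)[0].lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported LDAP URL scheme: %s" % scheme)
    if starttls and scheme == "ldaps":
        raise ValueError("use either ldaps:// or StartTLS, not both")
    return scheme


def open_ldap_connection(url, bind_dn, bind_pw, cacertfile, starttls=True):
    """Open and bind a python-ldap connection that verifies the server certificate."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    scheme = validate_transport(url, starttls)
    conn = ldap.initialize(url)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    if starttls or scheme == "ldaps":
        # Per-connection TLS settings; OPT_X_TLS_NEWCTX must be set last so
        # libldap builds a fresh TLS context from the options above.
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    if starttls:
        conn.start_tls_s()
    conn.simple_bind_s(bind_dn, bind_pw)
    return conn


# Constructed sample configs: the thread's workaround next to the fix.
WEAK_CONF = """# constructed /etc/ldap/ldap.conf with the insecure workaround
TLS_REQCERT allow
"""
FIXED_CONF = """# constructed /etc/ldap/ldap.conf trusting the internal issuer
TLS_CACERT /usr/local/share/ca-certificates/internal-issuer.crt
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_ldap_conf(text) or "ok")
```

Run the file directly to see the audit of both sample configs; the connection helper is what an auth daemon would call in place of a bare ldap.initialize() followed by start_tls_s(), with the CA file being the exported issuer certificate the thread ended up installing.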