Closed btassite closed 6 years ago
Hello, you may want to check if your python-ldap package is built with openssl support. Which python version are you using?
Python 2.7.13, print(ldap.TLS_AVAIL) outputs a 1. Raising debug level to 255 clears some things up:

ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
[..]
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
If I put TLS_REQCERT ALLOW in /etc/ldap/ldap.conf it works, but this makes it insecure (not sure if the connection is even encrypted in this case, or if just any certificate is accepted, enabling a MITM) and doesn't explain why ldapsearch for example has no problems with it even if I set it to DEMAND.
Well, it looks like there is some problem with your certificates. Are you using self-signed certificates? Also, look at https://github.com/nginxinc/nginx-ldap-auth/issues/27
Thanks, you were on the right track: the cert is using an internal issuer. Got it working (with TLS_REQCERT DEMAND) by importing the issuer's cert as well under /etc/ssl/certs/ (but only with port 3268, not 389) :)
For the record, connection is still encrypted with TLS_REQCERT ALLOW, but that would only raise the bar to a MITM.
Hi,
Whatever combination of X-Ldap-URL "ldap(s)://..:" I try, when X-Ldap-Starttls "true" is set I always get an error:
With X-Ldap-URL "ldap://10.1.2.3:3268":
Error while initializing LDAP connection: {'info': '(unknown error code)', 'desc': 'Connect error'}, server="ldap://10.1.2.3:3268", login="ldapuser@domain.com"
"ldap://10.1.2.3:389":
Error while initializing LDAP connection: {'info': '(unknown error code)', 'desc': 'Connect error'}, server="ldap://10.1.2.3:389", login="ldapuser@domain.com"
"ldap://..:636":
Error while initializing LDAP connection: {'desc': "Can't contact LDAP server"}, server="ldap://10.1.2.3:636", login="ldapuser@domain.com"
I guess ldaps shouldn't be mixed with TLS, but for completeness sake: "ldaps://..:636":
Error while initializing LDAP connection: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}, server="ldaps://10.1.2.3:636", login="ldapuser@domain.com"
"ldaps://..:389" and "ldaps://..:3268":
Error while initializing LDAP connection: {'info': 'Error in the pull function.', 'desc': "Can't contact LDAP server"}, server="ldaps://10.1.2.3:389", login="ldapuser@domain.com"
Error while initializing LDAP connection: {'info': 'Error in the pull function.', 'desc': "Can't contact LDAP server"}, server="ldaps://10.1.2.3:3268", login="ldapuser@domain.com"
Also, even when commenting out the line with X-Ldap-Starttls "true", only ldap://..:3268 seems to work in our setup.
ldapsearch -ZZ -H ldap://..:389 and -H ldaps://..:636 work fine after adding our AD's cert via dpkg-reconfigure ca-certificates (exported base64 X.509 .crt in /usr/local/share/ca-certificates/). Am I correct in assuming this isn't used by nginx-ldap-auth? Am I doing something wrong, or is secure transmission not working at this moment?
nginx config parameters used:
internal;
proxy_pass http://127.0.0.1:8888$request_uri;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Ldap-URL "ldap://10.1.2.3:3268";
proxy_set_header X-Ldap-Starttls "true";
proxy_set_header X-Ldap-BaseDN "dc=domain,dc=com";
proxy_set_header X-Ldap-BindDN "ldapuser@domain.com";
proxy_set_header X-Ldap-BindPass "ldapuserspassword";
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
proxy_set_header X-Ldap-Template "(&(memberOf=CN=AccessGroup,OU=_Unit,OU=_Department,DC=domain,DC=com)(userPrincipalName=%(username)s))";
This is on Debian 9.3 in combination with a Windows 2012R2 AD.
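Worked example, added here and not part of this thread or of nginx-ldap-auth's own code, covering the two points discussed above: which X-Ldap-URL / X-Ldap-Starttls combinations can work at all (ldaps:// is TLS from the first byte, so StartTLS on it, or plain ldap:// against port 636, can never get an LDAP reply), and what TLS_REQCERT in /etc/ldap/ldap.conf actually buys you (ALLOW still encrypts but accepts any certificate; DEMAND plus the internal issuer's cert in the trust store authenticates the server). The function names and the sample ldap.conf text are constructed for this example; `connect()` uses python-ldap's real option names (OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_CACERTFILE, OPT_X_TLS_NEWCTX) but needs the ldap module and a reachable server, so only the planning and audit functions are exercised. Written for Python 3, whereas the reporter is on 2.7.

```python
# Added example: plan an LDAP connection from the nginx-ldap-auth headers and
# audit the TLS_REQCERT level of an ldap.conf. Not from the thread or project.
from urllib.parse import urlsplit

# ldap.conf TLS_REQCERT keyword -> (python-ldap constant name, server cert verified?)
# Only "demand" and "hard" make libldap reject an untrusted issuer; the others
# still encrypt the session (as seen with ALLOW above) but accept any certificate.
REQCERT_LEVELS = {
    "never":  ("OPT_X_TLS_NEVER",  False),
    "allow":  ("OPT_X_TLS_ALLOW",  False),
    "try":    ("OPT_X_TLS_TRY",    False),
    "demand": ("OPT_X_TLS_DEMAND", True),
    "hard":   ("OPT_X_TLS_HARD",   True),
}

# Constructed sample of an /etc/ldap/ldap.conf carrying the weak setting.
SAMPLE_LDAP_CONF = """\
# constructed sample, not a real file
BASE    dc=domain,dc=com
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# works, but any certificate is accepted
TLS_REQCERT allow
"""


def plan_connection(url, starttls):
    """Decide how to reach the server for one X-Ldap-URL / X-Ldap-Starttls pair.

    Raises ValueError for combinations that can never give a working session:
    StartTLS on an ldaps:// URL, and a plain ldap:// URL pointed at a port that
    expects a TLS handshake first (the StartTLS request then gets no LDAP reply,
    which libldap reports as "Can't contact LDAP server").
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    port = parts.port or (636 if scheme == "ldaps" else 389)
    if scheme == "ldaps" and starttls:
        raise ValueError("StartTLS cannot be combined with an ldaps:// URL")
    if scheme == "ldap" and port in (636, 3269):  # LDAPS and Global Catalog over TLS
        raise ValueError("port %d is an LDAPS port; use ldaps:// without StartTLS" % port)
    mode = "ldaps" if scheme == "ldaps" else ("starttls" if starttls else "plaintext")
    return {"host": parts.hostname, "port": port, "mode": mode,
            "encrypted": mode != "plaintext"}


def plan_error(url, starttls):
    """Return the ValueError message for a bad header pair, or None if it is fine."""
    try:
        plan_connection(url, starttls)
    except ValueError as exc:
        return str(exc)
    return None


def audit_ldap_conf(text):
    """Report the effective TLS_REQCERT level of an ldap.conf.

    libldap (used by both ldapsearch and python-ldap) defaults to 'demand' when
    the directive is absent; the last occurrence wins if it appears twice.
    """
    level = "demand"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if fields[0].upper() == "TLS_REQCERT" and len(fields) == 2:
            level = fields[1].strip().lower()
    if level not in REQCERT_LEVELS:
        raise ValueError("unknown TLS_REQCERT value: %r" % level)
    constant, verified = REQCERT_LEVELS[level]
    return {
        "level": level,
        "python_ldap_constant": constant,
        "verified": verified,
        "finding": ("server certificate is checked against the trust store" if verified
                    else "session is encrypted but the peer is not authenticated (MITM possible)"),
    }


def connect(plan, cacert_file=None, reqcert="demand", bind_dn=None, bind_pw=None):
    """Open the planned connection with python-ldap (needs the ldap module and a
    reachable server, so it is not exercised by the checks below).

    TLS options are set on the connection object, and OPT_X_TLS_NEWCTX is set
    last so libldap builds a fresh TLS context from them before the handshake.
    cacert_file points at the internal issuer's certificate when it is not in
    the system bundle.
    """
    import ldap  # python-ldap
    constant, _ = REQCERT_LEVELS[reqcert]
    uri = "%s://%s:%d" % ("ldaps" if plan["mode"] == "ldaps" else "ldap",
                          plan["host"], plan["port"])
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, getattr(ldap, constant))
    if cacert_file:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_file)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    if plan["mode"] == "starttls":
        conn.start_tls_s()  # under DEMAND this is where an untrusted issuer fails
    if bind_dn is not None:
        conn.simple_bind_s(bind_dn, bind_pw or "")
    return conn


if __name__ == "__main__":
    print(plan_connection("ldap://10.1.2.3:3268", True))
    print(plan_error("ldaps://10.1.2.3:636", True))
    print(audit_ldap_conf(SAMPLE_LDAP_CONF))
```

Running the audit over the system's /etc/ldap/ldap.conf is a quick way to tell whether a "working" setup is merely encrypted or also authenticating the directory server; the fix that resolved this thread corresponds to `reqcert="demand"` with the issuer's certificate reachable through the trust store or `cacert_file`.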