snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Cannot Connect to Google Secure LDAP #15255

Open cosmiccricket opened 1 month ago

cosmiccricket commented 1 month ago

Debug mode

Describe the bug

We have ditched some directory services and need to configure Snipe-IT to work with Google Workspace. I am trying to follow the instructions on https://snipe-it.readme.io/docs/hosted-ldap-providers to set up a connection to Google Secure LDAP, but when I test the connection, Snipe-IT will show "Could not bind to LDAP: Can't contact LDAP server" no matter what I do. Snipe-IT was working with our old directory service beforehand.

Things I have tried:
- Opened ports 389 and 636 for the EC2 instance's security group
- Checked that the relevant network ACL is allowing traffic through
- Set LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.3'

openssl s_client -connect ldap.google.com:636 from the EC2 instance returned a 0.

ldapsearch -H ldaps://ldap.google.com:636 -b dc=,dc=com -D -W '(mail=@.com)' returned error 49. I am copy pasting the LDAP credentials straight from Google Workspace.

I am not sure if this is relevant but the version of SnipeIT we are using does not have a text field for LDAP version in the configuration page.

Reproduction steps

Followed the instructions on https://snipe-it.readme.io/docs/hosted-ldap-providers and the error "Could not bind to LDAP: Can't contact LDAP server" appears under the "Test LDAP Synchronization" button.

Expected behavior

I am expecting the LDAP connection test to be successful with the given credentials.

Screenshots

[Screenshots: 2024-08-08 at 5:57:06 PM, 5:58:56 PM, 5:59:38 PM, 6:00:32 PM]

Snipe-IT Version

6.4.1

Operating System

Ubuntu 20.04.6 LTS

Web Server

nginx

PHP Version

8.1.29


Additional context

This install has been here longer than I have, which is at least a year. As far as I know, Snipe-IT was installed via install.sh.

uberbrady commented 1 month ago

For your ldapsearch line, you should probably include the SSL key and cert - Google has some docs on this here: https://support.google.com/a/answer/9190869?hl=en#zippy=%2Cldapsearch

Those are typically already on the machine in the ./storage subdirectory, as ldap_client_tls.cert and ldap_client_tls.key.

Your settings look mostly fine, which is good - but we typically do need a username and password - which Google will allow you to generate.
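
The suggestion above, as an added example that is not part of the thread or Snipe-IT's own code: a shell pre-flight that checks the client certificate and key named in the comment, then runs ldapsearch with them and separates a transport failure from a rejected bind. The script name, the function names, and the base DN, bind DN and filter arguments are assumptions supplied by the operator.

```bash
#!/usr/bin/env bash
# Added example. BASE_DN, BIND_DN and FILTER are operator-supplied placeholders.
# Usage: ./probe.sh storage/ldap_client_tls.cert storage/ldap_client_tls.key \
#          "$BASE_DN" "$BIND_DN" "$FILTER"      (probe.sh is a made-up name)

# 0 = usable pair; 1 = missing/unparsable file; 2 = key does not match the
# certificate; 3 = certificate expired.
tls_pair_ok() {
  local cert="$1" key="$2" cert_pub key_pub
  [ -r "$cert" ] && [ -r "$key" ] || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 2
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 3
}

# Map an ldapsearch exit status to the layer that failed. OpenLDAP tools exit
# with the LDAP result code; the client-side error -1 ("Can't contact LDAP
# server") shows up as exit status 255.
explain_ldap_rc() {
  case "$1" in
    0)   echo "ok" ;;
    49)  echo "reached server; bind DN/password rejected (invalidCredentials)" ;;
    255) echo "transport/TLS failure before any bind; check client cert and key" ;;
    *)   echo "LDAP result code $1" ;;
  esac
}

# Search with the client certificate presented during the TLS handshake.
# LDAPTLS_CERT and LDAPTLS_KEY are OpenLDAP client environment variables.
secure_ldap_probe() {
  local cert="$1" key="$2" base_dn="$3" bind_dn="$4" filter="$5" rc=0
  tls_pair_ok "$cert" "$key" || { echo "cert/key check failed: $?"; return 1; }
  LDAPTLS_CERT="$cert" LDAPTLS_KEY="$key" \
    ldapsearch -H ldaps://ldap.google.com:636 \
      -b "$base_dn" -D "$bind_dn" -W "$filter" || rc=$?
  explain_ldap_rc "$rc"
  return "$rc"
}

# Only talk to the network when all five arguments are given.
if [ "$#" -eq 5 ]; then secure_ldap_probe "$@"; fi
```
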

cosmiccricket commented 1 month ago

I will get back with the ldapsearch results, but I am using the user credentials from Google Workspace in SnipeIT, and they do not fix this issue.

[Screenshot: 2024-08-13 at 9:39:55 AM]