trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
https://trino.io
Apache License 2.0

openldap unable to simple bind when ldap server uses dual certs #6183

Open wccropper opened 3 years ago

wccropper commented 3 years ago

I am connecting prestosql 346 single node coord+worker to OPENLDAP. I have created a jks for the web-ui SSL. I am configuring the password-authenticator.properties. My LDAP has two certs (ldap+ca). How do I make this work? I can do insecure ldap with my config, but ldaps+cert-bundle (created bundle with ldap.pem+ca.pem) doesn't seem to work.

DEBUG   http-worker-113 io.prestosql.plugin.password.ldap.LdapAuthenticator Authentication failed for user [username], simple bind failed: ldapserver:636
javax.naming.CommunicationException: simple bind failed: ldapserver:636 [Root exception is java.net.SocketException: Broken pipe (Write failed)]

/etc/presto/password-authenticator.properties

password-authenticator.name=ldap
ldap.ssl-trust-certificate=/etc/openldap/certs/ssl.pem
ldap.url=ldaps://ldapserver/
ldap.user-base-dn=dc=example,dc=com
ldap.user-bind-pattern=uid=${USER},dc=example,dc=com

dain commented 3 years ago

I expect that this would just work. Do you have both certs in the pem file?

wccropper commented 3 years ago

Yes I have the ldap.pem first and the ca.pem 2nd. (cat them into the same file in that order). Also my ldap does not require any binding as anonymous binding is allowed.

dain commented 3 years ago

Why not use anonymous then? If you want to do that, switch to ldap protocol, remove the ssl-trust property, and add ldap.allow-insecure=true

wccropper commented 3 years ago

I want to use ssl+ldap. Insecure is not an option. It is not anonymous binding. All legitimate users can bind. That was a mis-speaking on my part.

dain commented 3 years ago

So, what you have should just work. Assuming your ldap certificate is signed by the CA, you only need the CA certificate in the pem file, but it should be fine to have either or both... the server just needs to trust one certificate from the certificate presented by the server to the signing root in the chain.

BTW, I don't think you need ldap.group-auth-pattern. I don't think that is used in the simple bind pattern setup you have.

If you still can't figure it out, I'd enable ssl debugging (see https://prestosql.io/docs/current/security/ldap.html#ssl-debugging-for-presto-cli) and debug logging for the ldap code io.prestosql.plugin.password.ldap (see https://prestosql.io/docs/current/installation/deployment.html#log-levels)

brianyye commented 2 years ago

I saw the same error. Adding -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to jvm.config made the error go away. This is a temporary fix. The documentation suggests fixing the problem by making sure the LDAP server certificate SAN or certificate subject name matches the LDAP server.
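The two points made above, that the trust file may hold the CA certificate, the server certificate or both as long as the chain the server presents reaches something in it (dain's comment), and that with endpoint identification enabled the host in ldap.url must appear in the server certificate's SAN (brianyye's comment), are modelled by the Go program below. It is an added example and not Trino's code (Trino is Java and does this through the JDK's JNDI/JSSE stack); it uses only Go's standard library, builds a throwaway CA and LDAP server certificate in memory (constructed for the example, not real certificates), and the host names `ldapserver` / `ldap.example.com` and the helper names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with parentKey; when parent is nil the certificate is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signKey := key
	if parent == nil {
		parent = tmpl
	} else {
		signKey = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ConstructedPKI is a throwaway CA plus the LDAP server certificate it issued (example data only).
type ConstructedPKI struct {
	CA, Leaf *x509.Certificate
}

// BuildPKI issues a CA and a server certificate whose only SAN is serverSAN.
func BuildPKI(serverSAN string) ConstructedPKI {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example LDAP CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey := newCert(caTmpl, nil, nil)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverSAN},
		DNSNames:  []string{serverSAN}, // what endpoint identification compares against
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := newCert(leafTmpl, ca, caKey)
	return ConstructedPKI{CA: ca, Leaf: leaf}
}

// BundlePEM concatenates certificates into one PEM file, like `cat ldap.pem ca.pem > ssl.pem`.
func BundlePEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// ParseBundle returns every CERTIFICATE block in a PEM file; block order is irrelevant for a trust store.
func ParseBundle(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		var block *pem.Block
		if block, data = pem.Decode(data); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks in trust file")
	}
	return certs, nil
}

// VerifyServer models the client side: every certificate in the trust file is an anchor, the chain the
// server presents (leaf first) supplies intermediates, and the leaf's SAN must match the ldap.url host.
func VerifyServer(trustBundle []byte, presented []*x509.Certificate, host string) error {
	anchors, err := ParseBundle(trustBundle)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err = presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IsHostnameMismatch tells a SAN/host mismatch (what disableEndpointIdentification hides) from a chain failure.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	pki := BuildPKI("ldapserver")
	presented := []*x509.Certificate{pki.Leaf, pki.CA}
	for name, bundle := range map[string][]byte{
		"ca only": BundlePEM(pki.CA), "leaf then ca": BundlePEM(pki.Leaf, pki.CA), "leaf only": BundlePEM(pki.Leaf),
	} {
		fmt.Printf("%-12s -> %v\n", name, VerifyServer(bundle, presented, "ldapserver"))
	}
	err := VerifyServer(BundlePEM(pki.CA), presented, "ldap.example.com")
	fmt.Printf("wrong host   -> %v (hostname mismatch: %v)\n", err, IsHostnameMismatch(err))
}
```

The three bundle variants all verify against the same presented chain, which is the "either or both" behaviour described above; the only input that fails with a hostname error is a ldap.url host that is absent from the SAN, and that is the case to fix on the certificate rather than by disabling endpoint identification in jvm.config.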