Closed sasjafor closed 6 months ago
wiltonsr
commented
6 months ago Hi, @sasjafor
There is an example for TLS connection in the docs.
If you don't have a CA certificate to provide you can also use insecureSkipVerify.
Please provide all ldapAuth's debug logs if you still have issues.
wiltonsr
commented
6 months ago @sasjafor
By default, the ldapAuth plugin uses TLS 1.2 and TLS 1.3 as min and max versions.
You could check what versions your LDAP server supports using
nmap --script ssl-enum-ciphers -p 636 yourDomain.exampleIf your LDAP only supports TLS 1.1 or TLS 1.0 you could use the minVersionTLS option to set the right value.
Let me know if this works for you.
sasjafor
commented
6 months ago Hello @wiltonsr
Thank you for the quick replies.
I just checked and the server supports TLS 1.0, 1.1 and 1.2. so I think we can rule that out.
I have already tried following the example and it worked without TLS. When I enabled TLS by using ldaps and port 636 it stopped working. I dropped StartTLS: true from my config now as I learnt that actually it's recommended to use port 636 with proper TLS instead of startTLS over the regular port.
I tried the following ldapsearch command in the traefik docker container:
ldapsearch -s base -D "cn=read,dc=company,dc=local" -w <censored> -H "ldaps://mydomain.example:636" -P 3 -LLL -b "ou=groups,dc=company,dc=local"That worked and gave me the following output as expected:
dn: ou=groups,dc=company,dc=local
ou: groups
objectClass: organizationalUnit
objectClass: topHere is the censored log:
INFO: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: Starting ldap_auth@file Middleware...
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: Enabled => 'true'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: LogLevel => 'DEBUG'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: URL => 'ldaps://mydomain.example'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: Port => '636'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: CacheTimeout => '300'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: CacheCookieName => 'ldapAuth_session_token'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: CacheCookiePath => ''
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: CacheCookieSecure => 'false'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: CacheKey => 'super-secret-key'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: StartTLS => 'false'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: CertificateAuthority => ''
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: InsecureSkipVerify => 'true'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: Attribute => 'uid'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: SearchFilter => '(\{\{.Attribute\}\}=\{\{.Username\}\})'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: BaseDN => 'dc=company,dc=local'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: BindDN => 'cn=read,dc=company,dc=local'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: BindPassword => '<censored>'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: ForwardUsername => 'true'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: ForwardUsernameHeader => 'Username'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: ForwardAuthorization => 'false'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: ForwardExtraLdapHeaders => 'false'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: WWWAuthenticateHeader => 'true'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: WWWAuthenticateHeaderRealm => ''
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: EnableNestedGroupFilter => 'false'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: AllowedGroups => '[]'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: AllowedUsers => '[]'
DEBUG: ldapAuth: 2024/03/14 12:46:32 restricted.go:51: Username => ''
DEBUG: ldapAuth: 2024/03/14 12:46:42 restricted.go:51: Session details: &{ map[] 0xc003aad0c0 true {0xc0034aca00 {0xc00370b580 0xc003ab0308 406}} ldapAuth_session_token}
DEBUG: ldapAuth: 2024/03/14 12:46:42 restricted.go:52: [no valid 'Authorization: Basic xxxx' header found in request]
DEBUG: ldapAuth: 2024/03/14 12:46:51 restricted.go:51: Session details: &{ map[] 0xc0039a3b00 true {0xc0034aca00 {0xc00370b580 0xc003a19338 406}} ldapAuth_session_token}
DEBUG: ldapAuth: 2024/03/14 12:46:51 restricted.go:52: No session found! Trying to authenticate in LDAP
DEBUG: ldapAuth: 2024/03/14 12:46:51 restricted.go:51: Connect Address: 'ldaps://mydomain.example:636'
DEBUG: ldapAuth: 2024/03/14 12:46:51 restricted.go:52: [LDAP Result Code 200 "Network Error": remote error: tls: handshake failure]Could you provide the nmap output command? It could be a cipher suite problem.
sasjafor
commented
6 months ago Sure, here you go. I only replaced the domain and removed the IP of the server:
~ nmap --script ssl-enum-ciphers -p 636 mydomain.example
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-15 07:38 CET
Nmap scan report for mydomain.example (<censored>)
Host is up (0.013s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| CBC-mode cipher in SSLv3 (CVE-2014-3566)
| Forward Secrecy not supported by any cipher
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Forward Secrecy not supported by any cipher
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Forward Secrecy not supported by any cipher
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Forward Secrecy not supported by any cipher
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.63 secondsI tested connecting to the public ipa.demo1.freeipa.org from your example. That works with TLS. I ran the nmap command there as well:
$ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-15 08:36 CET
Nmap scan report for ipa.demo1.freeipa.org (52.57.162.88)
Host is up (0.011s latency).
rDNS record for 52.57.162.88: ec2-52-57-162-88.eu-central-1.compute.amazonaws.com
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.39 secondsApart from the differences in the ciphers I noticed that this server has cipher preference: server, whereas the server I'm trying to connect to uses cipher preference: client. Maybe that's also a clue as to why it's not working for my server.
wiltonsr
commented
6 months ago Thanks for your reply.
It's not a cipher suite problem. Many are compatible with crypto/tls.
Unfortunately, I have no more clues on what it's the problem. However, I think the issue is unrelated to the ldapAuth plugin because we use just go-ldap/ldap/v3 that uses crypto/tls module to perform a connection.
wiltonsr
commented
6 months ago Apart from the differences in the ciphers I noticed that this server has
cipher preference: server, whereas the server I'm trying to connect to usescipher preference: client. Maybe that's also a clue as to why it's not working for my server.
The crypto/tls docs say this about the PreferServerCipherSuites option.
// PreferServerCipherSuites is a legacy field and has no effect. // // It used to control whether the server would follow the client's or the // server's preference. Servers now select the best mutually supported // cipher suite based on logic that takes into account inferred client // hardware, server hardware, and security. // // Deprecated: PreferServerCipherSuites is ignored. PreferServerCipherSuites bool
wiltonsr
commented
6 months ago I recommend you test again using the v0.1.7 and setting minVersionTLS and maxVersionTLS to each of the available TLS versions in your server.
VersionTLS10
VersionTLS11
VersionTLS12There are some reports that for some reason the server doesn't accept the TLS1.2 handshake, nor does it properly fall back to another version.
The configs would be:
...
MinVersionTLS: "tls.VersionTLS10"
MaxVersionTLS: "tls.VersionTLS10"
......
MinVersionTLS: "tls.VersionTLS11"
MaxVersionTLS: "tls.VersionTLS11"
......
MinVersionTLS: "tls.VersionTLS12"
MaxVersionTLS: "tls.VersionTLS12"
...Another good test is to use gotlsscan tool to validate compatibility from your server with golangs's crypto/tls.
If possible, please provide the below command output:
wget https://raw.githubusercontent.com/jbardin/gotlsscan/master/main.go
go run main.go -insecure -host yourDomain.example -port 636Thank you for all the help so far. I tried the Min and Max TLS version variables. Thank you for the quick patch on that! Unfortunately, I got the same result on all 3 versions.
Here is the output from gotlsscan:
Testing TLS1.0
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
TLS_RSA_WITH_3DES_EDE_CBC_SHA [NOT SUPPORTED]
TLS_RSA_WITH_AES_128_CBC_SHA [OK]
TLS_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
TLS_RSA_WITH_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_RSA_WITH_AES_256_CBC_SHA [OK]
TLS_RSA_WITH_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_RSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
Testing TLS1.1
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
TLS_RSA_WITH_3DES_EDE_CBC_SHA [NOT SUPPORTED]
TLS_RSA_WITH_AES_128_CBC_SHA [OK]
TLS_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
TLS_RSA_WITH_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_RSA_WITH_AES_256_CBC_SHA [OK]
TLS_RSA_WITH_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_RSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
Testing TLS1.2
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 [NOT SUPPORTED]
TLS_ECDHE_RSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
TLS_RSA_WITH_3DES_EDE_CBC_SHA [NOT SUPPORTED]
TLS_RSA_WITH_AES_128_CBC_SHA [OK]
TLS_RSA_WITH_AES_128_CBC_SHA256 [OK]
TLS_RSA_WITH_AES_128_GCM_SHA256 [OK]
TLS_RSA_WITH_AES_256_CBC_SHA [OK]
TLS_RSA_WITH_AES_256_GCM_SHA384 [OK]
TLS_RSA_WITH_RC4_128_SHA (DISABLED) [NOT SUPPORTED]
Testing TLS1.3
TLS_AES_128_GCM_SHA256 [NOT SUPPORTED]
TLS_AES_256_GCM_SHA384 [NOT SUPPORTED]
TLS_CHACHA20_POLY1305_SHA256 [NOT SUPPORTED]Could you run the middleware from your machine?
You can check how to do this in the examples folder. Just clone this repository and put your configs in examples/dynamic-conf/ldapAuth-tls-conf.yml and run with
docker-compose -f examples/conf-from-tls-yml-file.yml up
But before running, edit the ldapauth.go file and change this piece of code:
to:
tlsCfg := &tls.Config{
CipherSuites: []uint16{
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
},
InsecureSkipVerify: true,
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
}I just did that and it seems to work for connecting to my LDAP server.
I used the following command to test with
user: abc
password: abc
curl -H "Host: whoami.localhost" -H "Authorization: Basic YWJjOmFiYw==" 127.0.0.1
Then it could connect, don't mind the empty result, there's no actual abc user in the directory:
traefik | DEBUG: ldapAuth: 2024/03/15 15:29:14 restricted.go:52: No session found! Trying to authenticate in LDAP
traefik | DEBUG: ldapAuth: 2024/03/15 15:29:14 restricted.go:51: Connect Address: 'ldaps://mydomain.example:636'
traefik | DEBUG: ldapAuth: 2024/03/15 15:29:14 restricted.go:51: Running in Search Mode
traefik | DEBUG: ldapAuth: 2024/03/15 15:29:14 restricted.go:51: Performing User BindDN Search
traefik | DEBUG: ldapAuth: 2024/03/15 15:29:14 restricted.go:51: Search Filter: '(uid=abc)'
traefik | ERROR: ldapAuth: 2024/03/15 15:29:14 restricted.go:51: search filter return empty result
traefik | ERROR: ldapAuth: 2024/03/15 15:29:14 restricted.go:51: Authentication failed
traefik | DEBUG: ldapAuth: 2024/03/15 15:29:14 restricted.go:52: [search filter return empty result]However, I tried both with and without your suggested change of fixing the cipher and both worked...
wiltonsr
commented
6 months ago However, I tried both with and without your suggested change of fixing the cipher and both worked...
Please try again removing only the ServerName option. If still works, try removing RootCAs too. This way we can find which of them it is the root cause.
sasjafor
commented
6 months ago Even with the following TLS config it still is able to connect
tlsCfg := &tls.Config{
InsecureSkipVerify: false,
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
}The only thing that was able to break it was to set tls.VersionTLS13, since the server doesn't support that.
sasjafor
commented
6 months ago Do you know if it would be possible to edit the go file inside the container while it's live? Then I could quickly test it in the container where I'm having the issue. I tried editing
/plugins-storage/sources/gop-342378020/src/github.com/wiltonsr/ldapAuth/ldapauth.go but that doesn't seem to respect the changes in traefik.
Edit: I will continue debugging on monday
wiltonsr
commented
6 months ago Even with the following TLS config it still is able to connect
tlsCfg := &tls.Config{ InsecureSkipVerify: false, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, }The only thing that was able to break it was to set
tls.VersionTLS13, since the server doesn't support that.
Strange, the option to set
MinVersionTLS: "tls.VersionTLS12"
MaxVersionTLS: "tls.VersionTLS12"Should work. Could you test the plugin without changes in this same environment?
sasjafor
commented
6 months ago When I tested without changes it also worked on my local machine. The only place where it doesn't work is on the Nomad worker where I'm running the Traefik container.
However, there testing is a bit more difficult, since editing the ldapauth.go file directly in the container doesn't seem to load the changes. But I'll try again.
wiltonsr
commented
6 months ago When I tested without changes it also worked on my local machine.
That's enough to validate that the problem isn't with the ldapAuth middleware.
The only place where it doesn't work is on the Nomad worker where I'm running the Traefik container.
Maybe something in this specific network is changing certificates or dropping network packets.
However, there testing is a bit more difficult, since editing the ldapauth.go file directly in the container doesn't seem to load the changes. But I'll try again.
If possible, try to run traefik with the local plugin mode in this server to make changes in the ldapAuth's source code.
Please let me know if I can help you with any other questions.
sasjafor
commented
6 months ago Ok, thanks for the great support in debugging!
wiltonsr
commented
6 months ago If you solve your issue, please post how to. This could help someone else.
sasjafor
commented
6 months ago So far, the only thing that worked was switching to a different LDAP server, sadly.
Regular unencrypted connections work. However, both using SSL and StartTLS fails. This is the error that is shown in the log:
DEBUG: ldapAuth: 2024/03/14 10:53:07 restricted.go:52: [LDAP Result Code 200 "Network Error": TLS handshake failed (remote error: tls: handshake failure)]For SSL I used
ldaps://instead of ldap and port636I am running traefik with the official docker image:
traefik:v2.11.0I was able to install ldapsearch and succesfully connect using SSL and StartTLS in the docker image.
This is the current configuration I'm trying to use with the yml dynamic file provider:
Feel free to ask for more debugging information.