Open jurgenweber opened 8 years ago
Copied from the Google group:
I am trying to set up LDAP auth but constantly get the following error:
{"method":"GET","path":"/login","format":"html","controller":"sessions","action":"new","status":200,"duration":31.16,"view":23.78,"db":0.0,"params":{"origin":"/"},"@timestamp":"2016-04-14T05:14:27.735Z","@version":"1","message":"[200] GET /login (sessions#new)"}
(ldap) Request phase initiated.
(ldap) Callback phase initiated.
Deprecation warning: please give :encryption option as a Hash to Net::LDAP.new
(ldap) Authentication failure! invalid_credentials encountered.
{"method":"GET","path":"/auth/failure","format":"html","controller":"sessions","action":"failure","status":302,"duration":0.96,"view":0.0,"db":0.0,"location":"https://samson.example.com/","params":{"message":"invalid_credentials","origin":"/","strategy":"ldap"},"@timestamp":"2016-04-14T05:14:35.925Z","@version":"1","message":"[302] GET /auth/failure (sessions#failure)"}
{"method":"GET","path":"/","format":"html","controller":"projects","action":"index","status":0,"duration":0.72,"view":0.0,"db":0.0,"params":{},"@timestamp":"2016-04-14T05:14:36.253Z","@version":"1","message":"[0] GET / (projects#index)"}
{"method":"GET","path":"/login","format":"html","controller":"sessions","action":"new","status":200,"duration":3.64,"view":3.05,"db":0.0,"params":{"origin":"/"},"@timestamp":"2016-04-14T05:14:36.581Z","@version":"1","message":"[200] GET /login (sessions#new)"}
The credentials I am using for the user are correct; they work elsewhere, so in my mind it comes down to configuration.
#The following settings are required if auth with LDAP is enabled.
LDAP_TITLE="example provider"
LDAP_HOST=ldap.example.com
LDAP_PORT=389
LDAP_BASE='dc=example,dc=com'
LDAP_UID=uid
LDAP_BINDDN='cn=binduser,dc=example,dc=com'
LDAP_PASSWORD=pass
I found I could run slapd in debug mode and watch the requests, and I found this coming in from Samson: "570f3328 send_ldap_result: err=13 matched="" text="TLS confidentiality required"". This is a standard error; I get it from ldapsearch too, for example when you do not pass -ZZ.
I am using a self-signed cert/CA. So I added it to the local system certs (http://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list), but I still get the same error.
TLS is enforced and on that port will 'upgrade'; port 636 gives 'TLS accept failure error=-1', meaning bad certificate/self-signed CA.
My users are at uid=username,ou=people,${LDAP_BASE}. There is no anonymous binding, but there is a user (binduser) for the task.
I believe one solution would be to set encryption = simple_tls (http://www.rubydoc.info/gems/ruby-net-ldap/Net%2FLDAP%3Ainitialize), but how do I do this?
Thanks Jürgen
and then:
So I was able to do this eventually with a few changes. Firstly I changed my SSL certificate setup from not using a self-signed CA to using a purchased certificate.
This did not seem to help; same error.
In my LDAP OLC configuration for olcDatabase={1}hdb,cn=config I changed olcSecurity='tls=1' to olcSecurity='tls=0', and now it works.
But this now means that I am not forcing SSL for connections. I will raise an issue to add LDAPS support, so either to have the ability to add a CA file or to turn on simple_tls, etc.
Thanks
details here:
https://groups.google.com/d/msg/samson-users/C2rNoTNffAw/_rPV5CXiBgAJ
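The post asks how to pass encryption = simple_tls to Net::LDAP and how to trust a self-signed CA instead of turning olcSecurity tls=1 off on the server. The following is an added example, not Samson's or omniauth-ldap's code, showing how the LDAP_* settings quoted above map onto the Hash-shaped :encryption option that the deprecation warning in the log asks for, and how the resulting connection is used to check a user's password the way omniauth-ldap does (service-account bind, lookup by uid, re-bind as the user). LDAP_ENCRYPTION and LDAP_CA_FILE are hypothetical setting names standing in for the two additions the post proposes; the other names are the ones shown in the issue.

```ruby
# Added example (not Samson's or omniauth-ldap's code): build the options Hash that
# Net::LDAP.new expects from LDAP_* settings, choosing STARTTLS on 389 or LDAPS
# on 636 and verifying the server certificate against a CA file.
# LDAP_ENCRYPTION and LDAP_CA_FILE are hypothetical names for the settings the
# post asks for; the remaining LDAP_* names are the ones quoted in the issue.
require 'openssl'

module LdapConfig
  # Returns a Hash suitable for Net::LDAP.new. The :encryption value is itself a
  # Hash ({ method:, tls_options: }) rather than a bare symbol such as :simple_tls,
  # which is what "please give :encryption option as a Hash" in the log refers to.
  def self.options_from_env(env)
    port = Integer(env.fetch('LDAP_PORT', '389'))
    method = (env['LDAP_ENCRYPTION'] || (port == 636 ? 'simple_tls' : 'start_tls')).to_sym
    raise ArgumentError, "unknown LDAP_ENCRYPTION #{method}" unless %i[simple_tls start_tls none].include?(method)

    opts = {
      host: env.fetch('LDAP_HOST'),
      port: port,
      base: env.fetch('LDAP_BASE'),
      auth: { method: :simple, username: env.fetch('LDAP_BINDDN'), password: env.fetch('LDAP_PASSWORD') }
    }
    return opts if method == :none

    # Always verify the peer. With a self-signed CA, point ca_file at that CA
    # certificate instead of lowering verify_mode; tls_options is handed to
    # OpenSSL::SSL::SSLContext#set_params, so these are OpenSSL parameter names.
    tls = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
    tls[:ca_file] = env['LDAP_CA_FILE'] if env['LDAP_CA_FILE']
    opts[:encryption] = { method: method, tls_options: tls }
    opts
  end

  # Client-side sanity check for the failure modes described in the post:
  # cleartext against a server with olcSecurity tls=1 (err=13 "TLS confidentiality
  # required"), LDAPS/STARTTLS on the wrong port, and a CA the client cannot verify.
  def self.warnings(opts)
    enc = opts[:encryption]
    return ['no TLS: a server with olcSecurity tls=1 answers err=13 TLS confidentiality required'] if enc.nil?

    w = []
    w << 'simple_tls on 389: that port expects STARTTLS, LDAPS belongs on 636' if enc[:method] == :simple_tls && opts[:port] == 389
    w << 'start_tls on 636: that port expects LDAPS, not STARTTLS' if enc[:method] == :start_tls && opts[:port] == 636
    w << 'no ca_file: a self-signed CA only verifies if it is in the system trust store' unless enc[:tls_options][:ca_file]
    w
  end
end

# Authenticate a user the way omniauth-ldap does: bind as the service account,
# find the entry whose uid matches, then re-bind with the user's own password.
# This needs the net-ldap gem and a reachable server, so it is only defined when
# the gem loads; the configuration helpers above work without it.
begin
  require 'net/ldap'
  def ldap_authenticate(env, username, password)
    ldap = Net::LDAP.new(LdapConfig.options_from_env(env))
    # bind_as returns the matching entries on success, false otherwise.
    entries = ldap.bind_as(
      base: env.fetch('LDAP_BASE'),
      filter: Net::LDAP::Filter.eq(env.fetch('LDAP_UID', 'uid'), username),
      password: password
    )
    return entries.first if entries

    # The server's error text (e.g. the err=13 message seen in slapd's debug
    # output) is available here instead of only on the server side.
    warn "LDAP bind failed: #{ldap.get_operation_result.message}"
    nil
  end
rescue LoadError
  # net-ldap is not installed; skip the live-connection helper.
end
```

With LDAP_PORT=389 the helper selects :start_tls, which is the "upgrade" the post observes on that port; with LDAP_PORT=636 it selects :simple_tls. Either way the certificate is verified, so a self-signed CA has to be supplied via LDAP_CA_FILE (or be in the system store) rather than disabling TLS on the server.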