No way to specify StartTLS for LDAP anymore ?
ldap2pg.yml
In previous versions of ldap2pg, we could configure LDAP to use StartTLS with something like:
ldap:
  binddn: CN=Postgres,OU=Apps,DC=foo,DC=bar
  password: secret
  starttls: true
  uri: ldap://dc1.foo.bar
I can't seem to find a way to specify the same with ldap2pg 6, where only the LDAPxxxx env variables are available. I've configured env vars like this:
LDAPBASE=DC=foo,DC=bar
LDAPBINDDN=CN=Postgres,OU=Apps,DC=foo,DC=bar
LDAPPASSWORD=secret
LDAPURI=ldap://dc1.foo.bar:389
LDAPTLS_REQCERT=hard
And ldap2pg fails as it tries to bind without issuing a StartTLS first, so my LDAP server refuses the login:
[postgres@pg-dev ~]$ ldap2pg --config /etc/ldap2pg.yml
10:11:54 INFO Starting ldap2pg version=v6.0 runtime=go1.20.5 commit=023e6933
10:11:54 INFO Using YAML configuration file. path=/etc/ldap2pg.yml
10:11:54 INFO Running as superuser. user=postgres super=true server="PostgreSQL 15.4" cluster="" database=postgres
10:11:54 ERROR Fatal error. err="LDAP Result Code 8 \"Strong Auth Required\": BindSimple: Transport encryption required."
[postgres@pg-dev ~]$
man ldap.conf explains that it's up to the client app to negotiate session upgrades with StartTLS; there's no env var to control it.
I can work around this by specifying an ldaps URI (but then I face other errors as ldap2pg tries to use some SASL auth mech, and I couldn't find how to force it to use simple binds).
Expectations
Being able to force StartTLS for LDAP connections.
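To make the failing step concrete, here is an editor-added Go example (not code from ldap2pg or from the LDAP library it uses) that hand-encodes the two client frames involved and decodes the server's answer. On a plain ldap:// session a client must send the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) and get resultCode 0 back before it sends its simple bind; the ldaps:// alternative discussed in the replies below encrypts from the first byte, so no such exchange happens. The sample server reply is constructed here to mirror the refusal in the log above (resultCode 8, "Transport encryption required."), the bind DN is the one from the issue, and the constant and function names are the example's own. Only the standard library is used, so it runs offline.

```go
package main

import "fmt"

// BER tags used below (RFC 4511 wire format) and the StartTLS OID (RFC 4511 section 4.14.1).
const (
	tagInteger          = 0x02
	tagOctetString      = 0x04
	tagEnumerated       = 0x0a
	tagSequence         = 0x30
	ctxZero             = 0x80 // [0] IMPLICIT primitive: bind "simple" password, extended requestName
	appBindRequest      = 0x60 // [APPLICATION 0]
	appBindResponse     = 0x61 // [APPLICATION 1]
	appExtendedRequest  = 0x77 // [APPLICATION 23]
	appExtendedResponse = 0x78 // [APPLICATION 24]
	startTLSOID         = "1.3.6.1.4.1.1466.20037"
)

// RFC 4511 result codes; 8 and 2 are the two reported by the ldap2pg logs in this issue.
var resultCodeNames = map[int]string{0: "success", 2: "protocolError", 8: "strongerAuthRequired"}

// tlv encodes one BER element with a short-form length (enough for these small messages).
func tlv(tag byte, body []byte) []byte {
	if len(body) > 127 {
		panic("tlv: short-form length only")
	}
	return append([]byte{tag, byte(len(body))}, body...)
}

// berInt encodes a small INTEGER (0..127); ldapMessage frames LDAPMessage ::= SEQUENCE { messageID, protocolOp }.
func berInt(v int) []byte                 { return tlv(tagInteger, []byte{byte(v)}) }
func ldapMessage(id int, op []byte) []byte { return tlv(tagSequence, append(berInt(id), op...)) }

// StartTLSRequest is the ExtendedRequest a client sends on a plaintext ldap:// connection and
// must see answered with resultCode 0 before binding; binding without it draws the refusal shown above.
func StartTLSRequest(id int) []byte {
	return ldapMessage(id, tlv(appExtendedRequest, tlv(ctxZero, []byte(startTLSOID))))
}

// SimpleBindRequest encodes BindRequest { version 3, name, authentication simple [0] }.
func SimpleBindRequest(id int, dn, password string) []byte {
	body := append(berInt(3), tlv(tagOctetString, []byte(dn))...)
	return ldapMessage(id, tlv(appBindRequest, append(body, tlv(ctxZero, []byte(password))...)))
}

// readTLV splits one short-form BER element off the front of b and checks its tag.
func readTLV(b []byte, want byte) (body, rest []byte, err error) {
	if len(b) < 2 || b[1]&0x80 != 0 || b[0] != want || len(b) < 2+int(b[1]) {
		return nil, nil, fmt.Errorf("bad or truncated element (want tag 0x%02x)", want)
	}
	n := int(b[1])
	return b[2 : 2+n], b[2+n:], nil
}

// LDAPResult holds the fields shared by BindResponse and ExtendedResponse.
type LDAPResult struct {
	MessageID, ResultCode int
	Op                    byte
	Diagnostic            string
}

// ParseResponse decodes a server LDAPMessage whose protocolOp carries an LDAPResult.
func ParseResponse(msg []byte) (LDAPResult, error) {
	var r LDAPResult
	body, _, err := readTLV(msg, tagSequence)
	if err != nil {
		return r, err
	}
	id, rest, err := readTLV(body, tagInteger)
	if err != nil || len(id) != 1 || len(rest) == 0 {
		return r, fmt.Errorf("bad messageID or missing protocolOp")
	}
	r.MessageID, r.Op = int(id[0]), rest[0]
	opBody, _, err := readTLV(rest, r.Op) // any protocolOp tag is accepted here
	if err != nil {
		return r, err
	}
	code, rest, err := readTLV(opBody, tagEnumerated)
	if err != nil || len(code) != 1 {
		return r, fmt.Errorf("bad resultCode")
	}
	r.ResultCode = int(code[0])
	_, rest, _ = readTLV(rest, tagOctetString) // matchedDN, unused; a failure leaves rest nil
	diag, _, err := readTLV(rest, tagOctetString)
	r.Diagnostic = string(diag)
	return r, err
}

// serverResult builds a response frame; used here only to construct sample replies.
func serverResult(id int, op byte, code int, diag string) []byte {
	body := append(tlv(tagEnumerated, []byte{byte(code)}), tlv(tagOctetString, nil)...)
	return ldapMessage(id, tlv(op, append(body, tlv(tagOctetString, []byte(diag))...)))
}

func main() {
	fmt.Printf("StartTLS request: % x\n", StartTLSRequest(1))
	fmt.Printf("Bind request:     % x\n", SimpleBindRequest(2, "CN=Postgres,OU=Apps,DC=foo,DC=bar", "secret"))
	// Constructed reply: a directory refusing a simple bind on an unencrypted session.
	r, err := ParseResponse(serverResult(2, appBindResponse, 8, "Transport encryption required."))
	fmt.Printf("LDAP Result Code %d %q: %s (err=%v)\n", r.ResultCode, resultCodeNames[r.ResultCode], r.Diagnostic, err)
}
```

Run it with go run: the hex dumps are the two client frames, and the last line shows how a client turns the raw enumerated code into the kind of message ldap2pg logged. A client that skips StartTLSRequest, or binds after a non-zero StartTLS result, is sending the bind password in clear text, which is exactly what the directory in this issue refuses; a client that only ever dials ldaps:// never needs the extended operation at all.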
Hi @dani. Thanks for reaching out.
This looks like a regression.
ldap2pg v6 uses DialURL to let the user choose through LDAPURI.
So ldap2pg v6 should support at least ldaps.
Let's fix this in the first place.
What is the error when using an ldaps URI?
ldaputils have a -Z option to trigger starttls.
I may add such behaviour but I prefer ldaps which seems more standard and twelve-factor.
The development environment for ldap2pg is TLS + simple bind and it works out of the box:
10:36:40 DEBUG Found LDAP configuration file. path=/etc/ldap/ldap.conf
10:36:40 DEBUG Ignoring configuration file. path=/home/bersace/ldaprc err="stat /home/bersace/ldaprc: no such file or directory"
10:36:40 DEBUG Ignoring configuration file. path=/home/bersace/.ldaprc err="stat /home/bersace/.ldaprc: no such file or directory"
10:36:40 DEBUG Found LDAP configuration file. path=/home/bersace/src/dalibo/ldap2pg/ldaprc
10:36:40 DEBUG Read LDAP option. key=URI value=ldaps://ldap.ldap2pg.docker origin=env
10:36:40 DEBUG Read LDAP option. key=TLS_REQCERT value=allow origin=/home/bersace/src/dalibo/ldap2pg/ldaprc
10:36:40 DEBUG Read LDAP option. key=NETWORK_TIMEOUT value=5 origin=/home/bersace/src/dalibo/ldap2pg/ldaprc
10:36:40 DEBUG LDAP dial. uri=ldaps://ldap.ldap2pg.docker
10:36:40 DEBUG Read LDAP option. key=TIMEOUT value=5 origin=/home/bersace/src/dalibo/ldap2pg/ldaprc
10:36:40 DEBUG Read LDAP option. key=BINDDN value="cn=admin,dc=ldap,dc=ldap2pg,dc=docker" origin=env
10:36:40 DEBUG Read LDAP option. key=PASSWORD origin=env
10:36:40 DEBUG LDAP simple bind. binddn="cn=admin,dc=ldap,dc=ldap2pg,dc=docker"
10:36:40 DEBUG Running LDAP whoami. cmd="ldapwhoami -H ldaps://ldap.ldap2pg.docker -D cn=admin,dc=ldap,dc=ldap2pg,dc=docker -x -w $LDAPPASSWORD"
10:36:40 INFO Connected to LDAP directory. uri=ldaps://ldap.ldap2pg.docker authzid="dn:cn=admin,dc=ldap,dc=ldap2pg,dc=docker"
I need more details. Can you share verbose output with ldaps and simple bind?
Regards
When using ldaps URI I'm getting
[postgres@pg-dev ~]$ ldap2pg --config /etc/ldap2pg.yml
10:36:36 INFO Starting ldap2pg version=v6.0 runtime=go1.20.5 commit=023e6933
10:36:36 INFO Using YAML configuration file. path=/etc/ldap2pg.yml
10:36:36 INFO Running as superuser. user=postgres super=true server="PostgreSQL 15.4" cluster="" database=postgres
10:36:36 ERROR Fatal error. err="LDAP Result Code 2 \"Protocol Error\": Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported"
[postgres@pg-dev ~]$
Trying to debug it, but it looks like it's related to GSSAPI being used instead of simple binds. My LDAP server is samba4.
With --verbose:
10:41:51 INFO Running as superuser. user=postgres super=true server="PostgreSQL 15.4" cluster="" database=postgres
10:41:51 DEBUG Fallback owner configured. role=postgres
10:41:51 DEBUG Inspecting roles blacklist.
10:41:51 DEBUG Opening Postgres global connection. database=postgres
10:41:51 DEBUG Reading values from YAML.
10:41:51 DEBUG Roles blacklist loaded. patterns="[pg_* postgres]"
10:41:51 DEBUG Ignoring configuration file. path=/etc/ldap/ldap.conf err="stat /etc/ldap/ldap.conf: no such file or directory"
10:41:51 DEBUG Ignoring configuration file. path=/var/lib/pgsql/ldaprc err="stat /var/lib/pgsql/ldaprc: no such file or directory"
10:41:51 DEBUG Ignoring configuration file. path=/var/lib/pgsql/.ldaprc err="stat /var/lib/pgsql/.ldaprc: no such file or directory"
10:41:51 DEBUG Ignoring configuration file. path=/var/lib/pgsql/ldaprc err="stat /var/lib/pgsql/ldaprc: no such file or directory"
10:41:51 DEBUG Read LDAP option. key=URI value=ldaps://dc1.foo.bar:636 origin=env
10:41:51 DEBUG Read LDAP option. key=TLS_REQCERT value=hard origin=env
10:41:51 DEBUG Read LDAP option. key=NETWORK_TIMEOUT value=30 origin=default
10:41:51 DEBUG LDAP dial. uri=ldaps://dc1.foo.bar:636
10:41:51 DEBUG Read LDAP option. key=TIMEOUT value=30 origin=default
10:41:51 DEBUG Read LDAP option. key=BINDDN value="CN=Postgres,OU=Apps,DC=foo,DC=bar" origin=env
10:41:51 DEBUG Read LDAP option. key=PASSWORD origin=env
10:41:51 DEBUG LDAP simple bind. binddn="CN=Postgres,OU=Apps,DC=foo,DC=bar"
10:41:51 DEBUG Running LDAP whoami. cmd="ldapwhoami -H ldaps://dc1.foo.bar:636 -D CN=Postgres,OU=Apps,DC=foo,DC=bar -x -w $LDAPPASSWORD"
10:41:51 DEBUG Closing Postgres global connection. database=postgres
10:41:51 ERROR Fatal error. err="LDAP Result Code 2 \"Protocol Error\": Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported"
Mmm, in fact, it's the ldapwhoami command which fails. Looks like samba just does not support the extended operation used by ldapwhoami.
Opened bug #571 to track this, as it's not related to StartTLS.
Hi @dani , the whoami operation is removed in master. You can test this with go run github.com/dalibo/ldap2pg/cmd/ldap2pg@master
In your case, ldaps works fine. I'm not sure why one would use STARTTLS over a direct TLS dial. In ldaputils, one has to use -ZZ to trigger STARTTLS. STARTTLS is not available in ldap.conf. This looks like a pre-URI configuration where you specify STARTTLS alongside HOST instead of URI.
I'm closing, feel free to reopen.