devpi-ldap
Unable to use ldaps connectivity
Hi Team,
Can anybody suggest how to use LDAP connectivity using SSL? Please provide the YAML configuration for the yml file.
My test.yml file:

```yaml
devpi-ldap:
  url: "ldaps://test.ldap:636"
  user_search:
    base: CN=Test User,OU=Test_Accounts,OU=Test PC,DC=test,DC=in
    filter: (sAMAccountName=ldap)
    userdn: CN=Test User,OU=Test_Accounts,OU=Test PC,DC=test,DC=in
    password: xxxxxxxxxxxxxxx
    attribute_name: CN
  group_search:
    base: CN=Test User,OU=Test_Accounts,OU=Test PC,DC=test,DC=in
    filter: (&(objectClass=group)(member=test))
    attribute_name: CN
```
I am getting the following error:

```
2015-06-18 12:03:13,785 DEBUG BASIC:instantiated Tls: <Tls(validate=0)>
2015-06-18 12:03:13,785 DEBUG BASIC:instantiated Server: <Server(host='test.ldap:636', port=636, use_ssl=True, tls=Tls(validate=0), get_info='NO_INFO')>
2015-06-18 12:03:13,785 DEBUG BASIC:instantiated <SyncStrategy>:
<< messageID=3
<< protocolOp=ProtocolOp:
<< bindResponse=BindResponse:
<< resultCode='invalidCredentials'
<< matchedDN=
<< diagnosticMessage=0x38303039303330383a204c6461704572723a20445349442d30433039303341392c20636f6d6d656e743a204163636570745365637572697479436f6e74657874206572726f722c2064617461203532652c20763164623100
2015-06-18 12:26:56,508 DEBUG PROTOCOL:BIND response <{'dn': '', 'saslCreds': None, 'referrals': None, 'description': 'invalidCredentials', 'result': 49, 'message': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1\x00', 'type': 'bindResponse'}> received via <ldaps://test.ldap.ch.int:636 - ssl - user: LDAP User - unbound - open - <local: 10.11.xx.xx,55673 - remote: 10.21.xxx.xx:636> - tls not started - listening - SyncStrategy>
2015-06-18 12:26:56,508 DEBUG BASIC:done BIND operation, result <False>
Result: {"status": "reject"}
```
Regards, Bhanu Kakarla.
We use https://pypi.python.org/pypi/ldap3 and, as far as I can tell, it automatically detects TLS URLs. Maybe the docs for it help: http://ldap3.readthedocs.org/ssltls.html
I currently have no way to test and fix this myself.
I have successful connections with ldaps://, and those "tls not started" are normal - they actually indicate the connection is being upgraded to TLS as a result of noticing it wasn't started yet. I believe the OP's error is a plain ole' bind failure.
I think this can definitely be closed as not a bug; the server responded with 'invalidCredentials'.
Straight clear-text LDAP shows like this:
<ldap://ipa.home.lab:389 - cleartext - user: LDAP User - not lazy - unbound - open - <local: 192.168.0.100:39428 - remote: 192.168.0.50:389> - tls not started - listening - SyncStrategy>
LDAPS looks like this, which is what appears in the OP's issue:
<ldaps://ipa.home.lab:636 - ssl - user: LDAP User - not lazy - unbound - open - <local: 192.168.0.100:39446 - remote: 192.168.0.50:636> - tls not started - listening - SyncStrategy>
And finally TLS:
<ldap://ipa.home.lab:389 - cleartext - user: None - not lazy - unbound - open - <local: 192.168.0.100:39468 - remote: 192.168.0.50:389> - tls started - listening - SyncStrategy>
Note the scheme, the ports, the cleartext/ssl indicator, and the tls started/tls not started state. These were run against ipa-server-4.5.0-22.el7.centos.x86_64.
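As an added example (not code from devpi-ldap or ldap3), here is a small Python helper for the two things this thread turns on: decoding the hex diagnosticMessage from the OP's PROTOCOL log and classifying its Active Directory "data 52e" sub-code, and reading scheme/port/transport/TLS state out of an ldap3 connection repr so that "ssl ... tls not started" on ldaps:// is recognised as an already-encrypted channel rather than a problem. The sub-code table is Microsoft's documented set of AcceptSecurityContext values; the sample strings are taken from the posts above.

```python
import re

# Well-known Active Directory bind-failure sub-codes ("data NNN" in the
# AcceptSecurityContext diagnostic), as documented by Microsoft.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password or wrong bind DN)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def decode_diagnostic(hex_message):
    """Turn ldap3's '0x3830...00' diagnosticMessage into text, dropping the trailing NUL."""
    if hex_message.startswith("0x"):
        hex_message = hex_message[2:]
    return bytes.fromhex(hex_message).decode("utf-8", "replace").rstrip("\x00")

def classify_bind_failure(diagnostic):
    """Return (sub-code, meaning) for an AD AcceptSecurityContext diagnostic string."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)\b", diagnostic)
    if not m:
        return ("", "no AD sub-code present")
    code = m.group(1).lower()
    return (code, AD_BIND_SUBCODES.get(code, "unknown sub-code"))

# Matches the connection repr ldap3 logs, e.g. "<ldaps://host:636 - ssl - ... - tls not started - ..."
CONN_RE = re.compile(
    r"<(?P<scheme>ldaps?)://(?P<host>[^:]+):(?P<port>\d+) - (?P<transport>cleartext|ssl) - "
    r".* - tls (?P<tls>started|not started) - "
)

def channel_state(conn_repr):
    """Summarise whether an ldap3 connection repr describes an encrypted channel."""
    m = CONN_RE.search(conn_repr)
    if not m:
        raise ValueError("not an ldap3 connection repr")
    ssl = m.group("transport") == "ssl"          # ldaps:// wraps the socket in SSL from the start
    tls = m.group("tls") == "started"            # ldap:// is only encrypted after STARTTLS
    return {
        "scheme": m.group("scheme"),
        "port": int(m.group("port")),
        "encrypted": ssl or tls,
        "mode": "ldaps" if ssl else ("starttls" if tls else "cleartext"),
    }

# Sample input: the diagnosticMessage value from the OP's log in this thread.
OP_DIAGNOSTIC_HEX = "0x38303039303330383a204c6461704572723a20445349442d30433039303341392c20636f6d6d656e743a204163636570745365637572697479436f6e74657874206572726f722c2064617461203532652c20763164623100"
```

Run `classify_bind_failure(decode_diagnostic(OP_DIAGNOSTIC_HEX))` to see the OP's failure reduced to its sub-code and meaning.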