nginx-auth-ldap

TLS confidentiality required

Open rgruyters opened this issue 7 years ago • 5 comments

When I enable ssl_check_cert with ssl_ca_file, I still get the following message:

http_auth_ldap: Initial bind failed (13: Confidentiality required [TLS confidentiality required])

When I check the LDAP logs:

58eb5c49 conn=101062 fd=47 ACCEPT from IP=10.x.x.x:46488 (IP=0.0.0.0:389)
58eb5c49 conn=101062 op=0 BIND dn="cn=nginx,ou=services,dc=example,dc=local" method=128
58eb5c49 conn=101062 op=0 RESULT tag=97 err=13 text=TLS confidentiality required

I have the following configuration in my NGINX file:

ldap_server test {
  url ldap://ldap.example.local:389/DC=example,DC=local?uid?sub?(objectClass=person);
  binddn "cn=nginx,ou=services,dc=example,dc=local";
  binddn_passwd "<<removed>>";
  ssl_check_cert on;
  ssl_ca_file "/etc/nginx/ssl/ca.pem";
}

I have NGINX running in a Docker container on Alpine version 3.4 (because 3.5 has moved to LibreSSL and doesn't work with nginx-auth-ldap).

rgruyters, Apr 10 '17 10:04

If you're using ssl on ldap, shouldn't you be using "url ldaps://" instead of "url ldap://" ?

fvm2000, Apr 14 '17 15:04

@fvm2000 I use TLS, not SSL. LDAP+TLS is via 389.

rgruyters, Apr 18 '17 07:04
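The exchange behind the issue report and the "LDAP+TLS is via 389" reply, as an added example that is not part of the thread or of nginx-auth-ldap itself: a standard-library-only BER encoder/decoder for the three LDAPv3 messages involved. It builds the simple BindRequest the module sends (slapd logs its authentication tag 0x80 as method=128), the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) that a port-389 TLS session must begin with, and decodes LDAPResult replies such as the err=13 (confidentialityRequired) in the posted log. The BindResponse it decodes is constructed here to mirror that log line; `starttls_then_bind` is the sequence the module would need and takes hypothetical host, port, CA file and credentials, so it only does anything against a live server.

```python
"""LDAPv3 wire helpers (RFC 4511 BER), standard library only. Added illustration, not module code."""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# APPLICATION tags from RFC 4511, constructed form (0x60 | number)
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61
EXTENDED_REQUEST, EXTENDED_RESPONSE = 0x77, 0x78
OP_NAMES = {BIND_RESPONSE: "BindResponse", EXTENDED_RESPONSE: "ExtendedResponse"}
RESULT_NAMES = {0: "success", 13: "confidentialityRequired", 49: "invalidCredentials"}
SIMPLE_AUTH = 0x80  # AuthenticationChoice.simple [0]; slapd shows this as method=128


def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int, tag: int = 0x02) -> bytes:
    # one byte of headroom keeps the top bit clear, so the value decodes as non-negative
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ldap_message(msg_id: int, op: bytes) -> bytes:
    return tlv(0x30, ber_int(msg_id) + op)


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # version 3, bind DN, password in the clear: what slapd refuses without TLS (err=13)
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return ldap_message(msg_id, tlv(BIND_REQUEST, op))


def starttls_request(msg_id: int) -> bytes:
    # ExtendedRequest with requestName [0] = StartTLS OID and no requestValue
    return ldap_message(msg_id, tlv(EXTENDED_REQUEST, tlv(0x80, STARTTLS_OID.encode())))


def ldap_result(msg_id: int, op_tag: int, code: int, diagnostic: str = "") -> bytes:
    # server-side shape: resultCode ENUMERATED, matchedDN, diagnosticMessage (used for samples)
    body = ber_int(code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return ldap_message(msg_id, tlv(op_tag, body))


def parse_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes carry the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(msg: bytes) -> dict:
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    _, code, pos = parse_tlv(op)
    _, matched, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "op": OP_NAMES.get(op_tag, hex(op_tag)),
            "result_code": rc, "result_name": RESULT_NAMES.get(rc, "unknown"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def recv_message(sock) -> bytes:
    head = recv_exact(sock, 2)
    n = head[1]
    if n & 0x80:
        head += recv_exact(sock, n & 0x7F)
        n = int.from_bytes(head[2:], "big")
    return head + recv_exact(sock, n)


def starttls_then_bind(host: str, port: int, cafile: str, dn: str, password: str) -> dict:
    # The sequence nginx-auth-ldap lacks: StartTLS on the plain socket, verify the server
    # certificate against cafile, then bind inside the TLS session. Needs a live server.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(starttls_request(1))
        reply = parse_ldap_result(recv_message(raw))
        if reply["result_code"] != 0:
            return reply  # server declined StartTLS; do not send the password
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(2, dn, password))
            return parse_ldap_result(recv_message(tls))


# Constructed sample: the BindResponse slapd returns for the plaintext bind in the issue log.
SAMPLE_REFUSAL = ldap_result(1, BIND_RESPONSE, 13, "TLS confidentiality required")

if __name__ == "__main__":
    print(parse_ldap_result(SAMPLE_REFUSAL))
    print(starttls_request(1).hex())
```

With an ldaps:// URL the TLS handshake happens before any LDAP message, so no StartTLS operation is needed and the bind never travels in the clear. The ldap:// URL in the posted config sends the simple bind (tag 0x80, logged as method=128) without a preceding StartTLS, which is the bind slapd answered with err=13.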

@kvspb Hi! Any news about STARTTLS support? More and more organisations are using it, and I don't want to ditch Nginx in favor of Apache just because of that :/

tchoutri, Nov 23 '17 15:11

Any news on adding StartTLS support to nginx-auth-ldap? It looks like a pretty nifty authentication module, but I just can't use it until it supports StartTLS to connect to the LDAP server.

JoeKun, Nov 21 '18 20:11

@kvspb hi, can you, like, tell us if you're not working on this project anymore?

tchoutri, Nov 21 '18 21:11