
add SSL/TLS support to ldap implementation

Open jurgenweber opened this issue 8 years ago • 1 comments

details here:

https://groups.google.com/d/msg/samson-users/C2rNoTNffAw/_rPV5CXiBgAJ

jurgenweber avatar Apr 15 '16 04:04 jurgenweber

Copied from the Google group:

I am trying to setup ldap auth but constantly get the following error:

{"method":"GET","path":"/login","format":"html","controller":"sessions","action":"new","status":200,"duration":31.16,"view":23.78,"db":0.0,"params":{"origin":"/"},"@timestamp":"2016-04-14T05:14:27.735Z","@version":"1","message":"[200] GET /login (sessions#new)"}
(ldap) Request phase initiated.
(ldap) Callback phase initiated.
Deprecation warning: please give :encryption option as a Hash to Net::LDAP.new
(ldap) Authentication failure! invalid_credentials encountered.
{"method":"GET","path":"/auth/failure","format":"html","controller":"sessions","action":"failure","status":302,"duration":0.96,"view":0.0,"db":0.0,"location":"https://samson.example.com/","params":{"message":"invalid_credentials","origin":"/","strategy":"ldap"},"@timestamp":"2016-04-14T05:14:35.925Z","@version":"1","message":"[302] GET /auth/failure (sessions#failure)"}
{"method":"GET","path":"/","format":"html","controller":"projects","action":"index","status":0,"duration":0.72,"view":0.0,"db":0.0,"params":{},"@timestamp":"2016-04-14T05:14:36.253Z","@version":"1","message":"[0] GET / (projects#index)"}
{"method":"GET","path":"/login","format":"html","controller":"sessions","action":"new","status":200,"duration":3.64,"view":3.05,"db":0.0,"params":{"origin":"/"},"@timestamp":"2016-04-14T05:14:36.581Z","@version":"1","message":"[200] GET /login (sessions#new)"}

The credentials I am using for the user are correct; they work elsewhere, so in my mind it comes down to configuration.

#The following settings are required if auth with LDAP is enabled.
LDAP_TITLE="example provider"
LDAP_HOST=ldap.example.com
LDAP_PORT=389
LDAP_BASE='dc=example,dc=com'
LDAP_UID=uid
LDAP_BINDDN='cn=binduser,dc=example,dc=com'
LDAP_PASSWORD=pass

I found I could run slapd in debug mode and watch the requests, and I found this for samson coming in: "570f3328 send_ldap_result: err=13 matched="" text="TLS confidentiality required"". This is a standard error; I get it from ldapsearch, for example, when you do not have -ZZ.

I am using a self-signed cert/CA. So I added it to the local system certs (http://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list), but I still get the same error.

TLS is enforced and on that port will 'upgrade'; port 636 gives 'TLS accept failure error=-1', meaning bad certificate/self-signed CA.

My users are at uid=username,ou=people,${LDAP_BASE}. There is no anonymous binding, but a user (binduser) for the task.

I believe one solution would be to set encryption = simple_tls (http://www.rubydoc.info/gems/ruby-net-ldap/Net%2FLDAP%3Ainitialize) but how do I do this?

Thanks Jürgen


and then:

So I was able to do this eventually with a few changes; firstly, I changed my SSL certificate setup from not using a self-signed CA to using a purchased certificate.

This did not seem to help: the same error.

In my ldap OLC configuration for olcDatabase={1}hdb,cn=config I changed olcSecurity='tls=1' to olcSecurity='tls=0' and now it works.

But this now means that I am not forcing SSL for connections. I will raise an issue to add ldaps support, so either to have the ability to add a CA file or turn on simple_tls, etc.

Thanks

jonmoter avatar Apr 15 '16 05:04 jonmoter
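An added example (not Samson's own code) of what the Net::LDAP options would look like with the `:encryption` Hash that the deprecation warning in the log asks for, built from the env vars quoted in the issue plus two assumed variables, `LDAP_ENCRYPTION` (`none`, `start_tls` or `simple_tls`) and `LDAP_CA_FILE`, that Samson did not have at the time:

```ruby
require 'openssl'

# Translate the page's LDAP_* env vars (plus the hypothetical LDAP_ENCRYPTION
# and LDAP_CA_FILE) into the options Hash accepted by Net::LDAP.new.
#   start_tls  -> STARTTLS "upgrade" on the plain port (389), which is what an
#                 olcSecurity tls=1 server demands before accepting a bind
#   simple_tls -> LDAPS, TLS from the first byte, conventionally port 636
# A self-signed CA is handled by pointing ca_file at it; verification itself
# stays on (VERIFY_PEER) so the bind password is never sent to an impostor.
def ldap_encryption(env)
  method = case env.fetch('LDAP_ENCRYPTION', 'none')
           when 'none' then return nil
           when 'start_tls' then :start_tls
           when 'simple_tls' then :simple_tls
           else raise ArgumentError, "unknown LDAP_ENCRYPTION=#{env['LDAP_ENCRYPTION']}"
           end
  tls = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
  tls[:ca_file] = env['LDAP_CA_FILE'] if env['LDAP_CA_FILE'] # path to the self-signed CA PEM
  { method: method, tls_options: tls }
end

def ldap_options(env)
  port = Integer(env.fetch('LDAP_PORT', '389'))
  opts = {
    host: env.fetch('LDAP_HOST'),
    port: port,
    base: env.fetch('LDAP_BASE'),
    auth: { method: :simple,
            username: env.fetch('LDAP_BINDDN'),
            password: env.fetch('LDAP_PASSWORD') }
  }
  enc = ldap_encryption(env)
  # Mismatched port/method is the usual cause of 'TLS accept failure' on the server side.
  warn 'simple_tls on port 389 / start_tls on port 636 is almost certainly wrong' if
    enc && ((enc[:method] == :simple_tls && port == 389) || (enc[:method] == :start_tls && port == 636))
  opts[:encryption] = enc if enc
  opts
end

# Open and bind the connection; net/ldap is loaded lazily so the option
# builder above can be exercised without the gem installed.
def ldap_connect(env)
  require 'net/ldap'
  ldap = Net::LDAP.new(ldap_options(env))
  raise "LDAP bind failed: #{ldap.get_operation_result.message}" unless ldap.bind
  ldap
end
```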