Re: LDAP authentication with STARTTLS failing

Is the signing cert an actual CA (what does `openssl x509 -in /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)

On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser <andre esser voidbridge com> wrote:

I'm having problems getting LDAP authentication with a STARTTLS LDAP server to work on an Openshift Origin installation.

The provider config is as follows:

  - name: "voidbridge_ldap_provider"
    challenge: true
    login: true
    mappingMethod: add
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - uid
        email:
        - mail
        name:
        - gecos
        preferredUsername:
        - uid
      bindDN: ""
      bindPassword: ""
      ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
      insecure: false
      url: "ldap://ldap.local.voidbridge \

The LDAP server's cert is self-signed; the CA cert is voidbridge-ca.crt. The LDAP server only accepts STARTTLS connections and performs fine for other services. In particular, the command

  ldapwhoami -h ldap.local.voidbridge \
    -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W

succeeds when the correct password is entered.

Also when I temporarily disable the STARTTLS requirement on the LDAP server and switch to 'insecure: false' in the provider config, the authentication succeeds.

The error in the OpenShift log (via syslog) is:

  Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api:
  E0713 15:09:22.921501   10255 login.go:162] Error authenticating
  "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result
  Code 200 "": TLS handshake failed (EOF)

Any help to get authentication working over STARTTLS would be greatly appreciated,
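Added example for this thread (not OpenShift code and not from either poster): a shell script that reproduces the two checks the reply points at, whether the file handed to `ca:` is actually a CA (basicConstraints CA:TRUE) and whether the server certificate chains to it. It generates a throwaway CA (`demo-ca`) and a server certificate for `ldap.local.voidbridge` locally so the checks run offline; those names, the directory layout and the `probe_starttls` / `whoami_with_ca` helpers are assumptions for the example. The two helpers that talk to a live server are defined but not executed.

```shell
#!/usr/bin/env bash
# Added example for this thread (not OpenShift code): reproduce the checks a
# reviewer would run before blaming the LDAP identity provider.  A throwaway
# CA and a server certificate are generated locally so the script runs offline.
# Requires only the `openssl` CLI.
set -eu

# is_ca FILE -> "yes" if FILE carries basicConstraints CA:TRUE, else "no".
# This is what `openssl x509 -text -noout` on the `ca:` file should answer:
# a plain self-signed server cert used as `ca:` shows CA:FALSE (or no
# Basic Constraints at all) and is not a CA.
is_ca() {
  local txt
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in
    *CA:TRUE*) echo yes ;;
    *)         echo no  ;;
  esac
}

# chain_ok CAFILE LEAF -> "ok" if LEAF verifies against the anchors in CAFILE.
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# make_demo_certs DIR: build demo-ca (a real CA) and a server cert it signed.
# All names below are invented for the example.
make_demo_certs() {
  local dir=$1
  mkdir -p "$dir"
  cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = demo-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat >"$dir/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ldap.local.voidbridge
EOF
  cat >"$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.local.voidbridge
EOF
  # Self-signed CA certificate with CA:TRUE.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key + CSR, then a leaf certificate (CA:FALSE) issued by demo-ca.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/leaf.cnf" \
    -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/ldap.crt" 2>/dev/null
}

# probe_starttls HOST CAFILE: do the STARTTLS handshake against a live server
# with the same CA file the provider uses and report the verify result.
# Defined for the reader; not executed here (needs a network).
probe_starttls() {
  openssl s_client -starttls ldap -connect "$1:389" -CAfile "$2" </dev/null 2>/dev/null \
    | grep 'Verify return code'
}

# whoami_with_ca HOST CAFILE BINDDN: the poster's ldapwhoami test, but pinned to
# the provider's CA file instead of the client's default trust store.
# Defined for the reader; not executed here.
whoami_with_ca() {
  LDAPTLS_CACERT=$2 ldapwhoami -H "ldap://$1" -ZZ -D "$3" -W
}

# Offline demonstration of the two checks.
demo() {
  local dir
  dir=$(mktemp -d)
  make_demo_certs "$dir"
  echo "ca.crt is a CA:              $(is_ca "$dir/ca.crt")"                    # yes
  echo "ldap.crt is a CA:            $(is_ca "$dir/ldap.crt")"                  # no
  echo "ldap.crt chains to ca.crt:   $(chain_ok "$dir/ca.crt" "$dir/ldap.crt")" # ok
  echo "ldap.crt used as its own ca: $(chain_ok "$dir/ldap.crt" "$dir/ldap.crt")" # fail
  rm -rf "$dir"
}
demo
```

If `is_ca` says `no` for the file named in `ca:`, the file is a server certificate rather than the signing CA; if `chain_ok` fails, the server is presenting a certificate that was not issued by that CA (or is missing an intermediate). `probe_starttls` and `whoami_with_ca` repeat the same verification against the real server with exactly the CA file the provider reads, which separates a trust-store problem from a STARTTLS problem.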
