
Re: LDAP authentication with STARTTLS failing



Is the signing cert an actual CA (what does `openssl x509 -in /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)

On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser <andre esser voidbridge com> wrote:
Hi,

I'm having problems getting LDAP authentication with a STARTTLS LDAP server to work on an Openshift Origin installation.


The provider config is as follows:

-------------------------------------------------------------
identityProviders:
  - name: "voidbridge_ldap_provider"
    challenge: true
    login: true
    mappingMethod: add
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - uid
        email:
        - mail
        name:
        - gecos
        preferredUsername:
        - uid
      bindDN: ""
      bindPassword: ""
      ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
      insecure: false
      url: "ldap://ldap.local.voidbridge \
            /ou=people,dc=voidbridge?uid?one"
---------------------------------------------------------------

The LDAP server's cert is self-signed, the CA cert is voidbridge-ca.crt. The LDAP server only accepts STARTTLS connections and performs fine for other services. In particular the command

  ldapwhoami -h ldap.local.voidbridge \
    -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W

succeeds when the correct password is entered.

Also when I temporarily disable the STARTTLS requirement on the LDAP server and switch to 'insecure: false' in the provider config, the authentication succeeds.

The error in the OpenShift log (via syslog) is:

  Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api:
  E0713 15:09:22.921501   10255 login.go:162] Error authenticating
  "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result
  Code 200 "": TLS handshake failed (EOF)


Any help to get authentication working over STARTTLS would be greatly appreciated,

Andre

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
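The question in the reply is the right first check: the file named in the provider's `ca:` field has to be a certificate that can act as a trust anchor (X509v3 Basic Constraints `CA:TRUE`), and the LDAP server's certificate has to chain to it, or the Go TLS client inside the master will reject the handshake. The script below is an added example, not code from the thread or from the OpenShift project: it wraps the `openssl x509` inspection into a small check, adds a chain verification against that CA alone, and includes a live STARTTLS probe as the TLS-level counterpart of the `ldapwhoami -ZZ` test. All file and host names (`ca.crt`, `ldap.crt`, `selfsigned.crt`, `ldap.example.test`) are constructed for the demo; nothing connects to a network unless `starttls_verifies` is called explicitly. It assumes OpenSSL 1.1.1 or newer, which is needed for `x509 -ext` and `s_client -starttls ldap`.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenShift project): offline checks
# that the file handed to the provider's `ca:` field is a real CA certificate
# and that the LDAP server's certificate chains to it. Needs OpenSSL >= 1.1.1.

# is_ca_cert FILE: exit 0 only if the cert carries X509v3 Basic Constraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# chain_verifies CA_FILE LEAF_FILE: exit 0 if LEAF_FILE verifies against CA_FILE alone.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# starttls_verifies CA_FILE HOST [PORT]: live check of the server's STARTTLS chain,
# the TLS-level equivalent of `ldapwhoami -ZZ`. Only runs when called explicitly.
starttls_verifies() {
  openssl s_client -starttls ldap -connect "$2:${3:-389}" -CAfile "$1" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# make_demo_certs DIR: constructed throw-away material so the checks above can be
# exercised without a real LDAP server:
#   ca.crt         a genuine CA (CA:TRUE) and ldap.crt, a server cert it signed
#   selfsigned.crt a self-signed server cert with CA:FALSE, which is what
#                  "self-signed" often means in practice and is useless as a trust anchor
make_demo_certs() {
  dir=$1
  mkdir -p "$dir"
  cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.test
EOF
  # one key + CSR per role; the subject names are constructed
  for name in ca ldap selfsigned; do
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" \
      -subj "/CN=$name.example.test" >/dev/null 2>&1
  done
  # self-signed root with CA extensions
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 \
    -extfile "$dir/req.cnf" -extensions ca_ext -out "$dir/ca.crt" >/dev/null 2>&1
  # server cert issued by that root
  openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/req.cnf" -extensions server_ext \
    -out "$dir/ldap.crt" >/dev/null 2>&1
  # self-signed server cert that is NOT a CA
  openssl x509 -req -in "$dir/selfsigned.csr" -signkey "$dir/selfsigned.key" -days 1 \
    -extfile "$dir/req.cnf" -extensions server_ext -out "$dir/selfsigned.crt" >/dev/null 2>&1
}

# Demo run on the constructed certificates.
tmp=$(mktemp -d)
make_demo_certs "$tmp"
for f in ca ldap selfsigned; do
  if is_ca_cert "$tmp/$f.crt"; then echo "$f.crt: CA:TRUE"; else echo "$f.crt: not a CA"; fi
done
chain_verifies "$tmp/ca.crt" "$tmp/ldap.crt" && echo "ldap.crt chains to ca.crt"
chain_verifies "$tmp/selfsigned.crt" "$tmp/ldap.crt" || echo "ldap.crt does not chain to selfsigned.crt"
rm -rf "$tmp"
```

To apply it to the setup in the thread, run `is_ca_cert /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt` on the master, then `starttls_verifies /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt ldap.local.voidbridge`: if the first fails, the file is a server certificate rather than a CA; if the first passes but the second fails, the server is presenting a certificate (or chain) that does not lead back to that CA, which is the case the `ldapwhoami` test does not distinguish because the client there uses the system trust store rather than the single file the provider is pointed at.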

