
Re: LDAP authentication with STARTTLS failing



Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 971[..] (0x86[..])
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/emailAddress=admin voidbridge com
        Validity
            Not Before: Apr 12 16:39:00 2015 GMT
            Not After : Apr  9 16:39:00 2025 GMT
        Subject: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/emailAddress=admin voidbridge com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b5:35:[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                76:44:AB:[..]
            X509v3 Authority Key Identifier:
                keyid:76:44:AB:[..]

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         96:5a:ac:[..]


On 2016-07-13 17:26, Jordan Liggitt wrote:
Is the signing cert an actual CA (what does `openssl x509 -in
/etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)

On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser
<andre esser voidbridge com <mailto:andre esser voidbridge com>> wrote:

    Hi,

    I'm having problems getting LDAP authentication with a STARTTLS LDAP
    server to work on an Openshift Origin installation.


    The provider config is as follows:

    -------------------------------------------------------------
    identityProviders:
       - name: "voidbridge_ldap_provider"
         challenge: true
         login: true
         mappingMethod: add
         provider:
           apiVersion: v1
           kind: LDAPPasswordIdentityProvider
           attributes:
             id:
             - uid
             email:
             - mail
             name:
             - gecos
             preferredUsername:
             - uid
           bindDN: ""
           bindPassword: ""
           ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
           insecure: false
           url: "ldap://ldap.local.voidbridge \
                 /ou=people,dc=voidbridge?uid?one"
    ---------------------------------------------------------------

    The LDAP server's cert is self-signed, the CA cert is
    voidbridge-ca.crt. The LDAP server only accepts STARTTLS connections
    and performs fine for other services. In particular the command

       ldapwhoami -h ldap.local.voidbridge \
         -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W

    succeeds when the correct password is entered.

    Also when I temporarily disable the STARTTLS requirement on the LDAP
    server and switch to 'insecure: false' in the provider config, the
    authentication succeeds.

    The error in the OpenShift log (via syslog) is:

       Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api:
       E0713 15:09:22.921501   10255 login.go:162] Error authenticating
       "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result
       Code 200 "": TLS handshake failed (EOF)


    Any help to get authentication working over STARTTLS would be
    greatly appreciated,

    Andre

    _______________________________________________
    users mailing list
    users lists openshift redhat com
    <mailto:users lists openshift redhat com>
    http://lists.openshift.redhat.com/openshiftmm/listinfo/users
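As an added example (not code from the thread, from OpenShift or from Red Hat), written in Go because the identity provider that logged the error is Go code: a checker for the two things the reply asks about, whether the file behind `ca:` is really a CA certificate (Basic Constraints CA:TRUE, Certificate Sign) and whether the LDAP server's certificate verifies against it for the host named in `url:`. The certificates come from MakeTestPair, a constructed fixture; the hostname ldap.local.voidbridge is the one from the provider config.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckProviderCA checks that the file named by the provider's "ca:" key is a signing CA (Basic
// Constraints CA:TRUE, Certificate Sign) and that the server certificate chains to it for host.
func CheckProviderCA(caPEM, serverPEM []byte, host string) error {
	caBlk, _ := pem.Decode(caPEM)
	srvBlk, _ := pem.Decode(serverPEM)
	if caBlk == nil || srvBlk == nil {
		return fmt.Errorf("ca or server input is not a PEM certificate")
	}
	ca, errCA := x509.ParseCertificate(caBlk.Bytes)
	srv, errSrv := x509.ParseCertificate(srvBlk.Bytes)
	if errCA != nil || errSrv != nil {
		return fmt.Errorf("parse certificates: ca=%v server=%v", errCA, errSrv)
	}
	if !ca.BasicConstraintsValid || !ca.IsCA || ca.KeyUsage&x509.KeyUsageCertSign == 0 {
		return fmt.Errorf("ca: %q is not a signing CA", ca.Subject.CommonName)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// Chain and hostname verification, as the Go TLS client in the provider runs it after STARTTLS.
	_, err := srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// MakeTestPair builds a constructed self-signed CA and a server certificate for host
// (a fixture for this example, not the certificates from the thread).
func MakeTestPair(host string) (caPEM, serverPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srv, ca, srvPub, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(srvDER)
}
```

To run it against a real deployment, read the `ca:` file and the certificate the LDAP server presents after STARTTLS (for example the output of `openssl s_client -starttls ldap`) and pass them in place of the fixture.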
