
Re: LDAP authentication with STARTTLS failing



RESOLVED:

Our LDAP servers required 256-bit ciphers but OpenShift appears to use 128-bit ones. After setting 'olcTLSCipherSuite' to 'SECURE128' authentication started to work.

Cheers,

Andre


On 2016-07-13 17:50, Andre Esser wrote:
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 971[..] (0x86[..])
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/emailAddress=admin voidbridge com
         Validity
             Not Before: Apr 12 16:39:00 2015 GMT
             Not After : Apr  9 16:39:00 2025 GMT
         Subject: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/emailAddress=admin voidbridge com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (4096 bit)
                 Modulus:
                     00:b5:35:[...]
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier:
                 76:44:AB:[..]
             X509v3 Authority Key Identifier:
                 keyid:76:44:AB:[..]

             X509v3 Basic Constraints:
                 CA:TRUE
             X509v3 Key Usage:
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
          96:5a:ac:[..]


On 2016-07-13 17:26, Jordan Liggitt wrote:
Is the signing cert an actual CA (what does `openssl x509 -in
/etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)

On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser
<andre esser voidbridge com <mailto:andre esser voidbridge com>> wrote:

    Hi,

    I'm having problems getting LDAP authentication with a STARTTLS LDAP
    server to work on an Openshift Origin installation.


    The provider config is as follows:

    -------------------------------------------------------------
    identityProviders:
       - name: "voidbridge_ldap_provider"
         challenge: true
         login: true
         mappingMethod: add
         provider:
           apiVersion: v1
           kind: LDAPPasswordIdentityProvider
           attributes:
             id:
             - uid
             email:
             - mail
             name:
             - gecos
             preferredUsername:
             - uid
           bindDN: ""
           bindPassword: ""
           ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
           insecure: false
           url: "ldap://ldap.local.voidbridge/ou=people,dc=voidbridge?uid?one"
    ---------------------------------------------------------------

    The LDAP server's cert is self-signed, the CA cert is
    voidbridge-ca.crt. The LDAP server only accepts STARTTLS connections
    and performs fine for other services. In particular the command

       ldapwhoami -h ldap.local.voidbridge \
         -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W

    succeeds when the correct password is entered.

    Also when I temporarily disable the STARTTLS requirement on the LDAP
    server and switch to 'insecure: false' in the provider config, the
    authentication succeeds.

    The error in the OpenShift log (via syslog) is:

       Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api:
       E0713 15:09:22.921501   10255 login.go:162] Error authenticating
       "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result
       Code 200 "": TLS handshake failed (EOF)


    Any help to get authentication working over STARTTLS would be
    greatly appreciated,

    Andre

    _______________________________________________
    users mailing list
    users lists openshift redhat com
    <mailto:users lists openshift redhat com>
    http://lists.openshift.redhat.com/openshiftmm/listinfo/users
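A small diagnostic for the failure resolved above, added here as an example and not part of the thread or of OpenShift: it sends the LDAP StartTLS extended request (RFC 4511), checks the resultCode, then attempts the TLS handshake restricted to a chosen OpenSSL cipher list, so a "server only accepts 256-bit suites, client offers 128-bit" mismatch can be reproduced and the negotiated cipher seen. The host and CA path come from the thread; function names and the constructed test messages are mine.

```python
import socket
import ssl
from typing import Optional, Tuple

# LDAP StartTLS extended operation OID (RFC 4511 section 4.14, RFC 4513).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value for short payloads (length < 128)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))        # 0x60|23, context tag 0
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def parse_result(resp: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse LDAPMessage.
    Assumes short-form BER lengths, which holds for any StartTLS reply."""
    if resp[:1] != b"\x30":
        raise ValueError("not an LDAPMessage")
    i = 2 + 2 + resp[3]                           # skip SEQUENCE header and messageID
    if resp[i] != 0x78:                           # ExtendedResponse [APPLICATION 24]
        raise ValueError("not an ExtendedResponse")
    i += 2
    code = int.from_bytes(resp[i + 2:i + 2 + resp[i + 1]], "big")  # resultCode ENUMERATED
    i += 2 + resp[i + 1]
    i += 2 + resp[i + 1]                          # matchedDN (ignored)
    diag = resp[i + 2:i + 2 + resp[i + 1]].decode("utf-8", "replace")
    return code, diag


def probe_starttls(host: str, port: int = 389, ciphers: str = "DEFAULT",
                   ca_file: Optional[str] = None, timeout: float = 5.0) -> str:
    """Issue StartTLS, then handshake offering only `ciphers` (OpenSSL syntax, e.g.
    'AES128-SHA' vs 'AES256-GCM-SHA384'; TLS 1.3 suites are not affected).
    Returns the negotiated cipher name; a server that rejects every offered suite
    raises ssl.SSLError / EOFError, matching the 'TLS handshake failed (EOF)' log."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:                           # diagnosis only: no trust checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request())
        code, diag = parse_result(raw.recv(4096))
        if code != 0:
            raise ConnectionError(f"StartTLS refused: resultCode={code} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]
```

Run it as `probe_starttls("ldap.local.voidbridge", ciphers="AES128-SHA", ca_file="/etc/pki/ca-trust/source/anchors/voidbridge-ca.crt")` against a server configured for 256-bit suites only to see the handshake fail, then again with a 256-bit suite to see it succeed.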



