[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: LDAP authentication with STARTTLS failing



What version of origin are you running with (and if you built it yourself, what version of go did you build with?)

It looks like SECURE256 translates to these ciphers:
TLSv1.2: 
  ciphers: 
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384

None of those are supported in go1.4.  TLS_RSA_WITH_AES_256_GCM_SHA384 should work with go1.6.




On Thu, Jul 14, 2016 at 8:54 AM, Andre Esser <andre esser voidbridge com> wrote:
RESOLVED:

Our LDAP servers required 256 bit ciphers but OpenShift appears to use 128 bit ones. After setting 'olcTLSCipherSuite' to 'SECURE128' authentication started to work.

Cheers,

Andre



On 2016-07-13 17:50, Andre Esser wrote:
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 971[..] (0x86[..])
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/emailAddress=admin voidbridge com
         Validity
             Not Before: Apr 12 16:39:00 2015 GMT
             Not After : Apr  9 16:39:00 2025 GMT
         Subject: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/emailAddress=admin voidbridge com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (4096 bit)
                 Modulus:
                     00:b5:35:[...]
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier:
                 76:44:AB:[..]
             X509v3 Authority Key Identifier:
                 keyid:76:44:AB:[..]

             X509v3 Basic Constraints:
                 CA:TRUE
             X509v3 Key Usage:
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
          96:5a:ac:[..]


On 2016-07-13 17:26, Jordan Liggitt wrote:
Is the signing cert an actual CA (what does `openssl x509 -in /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)

On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser
<andre esser voidbridge com <mailto:andre esser voidbridge com>> wrote:

    Hi,

    I'm having problems getting LDAP authentication with a STARTTLS LDAP
    server to work on an OpenShift Origin installation.


    The provider config is as follows:

    -------------------------------------------------------------
    identityProviders:
       - name: "voidbridge_ldap_provider"
         challenge: true
         login: true
         mappingMethod: add
         provider:
           apiVersion: v1
           kind: LDAPPasswordIdentityProvider
           attributes:
             id:
             - uid
             email:
             - mail
             name:
             - gecos
             preferredUsername:
             - uid
           bindDN: ""
           bindPassword: ""
           ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
           insecure: false
           url: "ldap://ldap.local.voidbridge \
                 /ou=people,dc=voidbridge?uid?one"
    ---------------------------------------------------------------

    The LDAP server's cert is self-signed, the CA cert is
    voidbridge-ca.crt. The LDAP server only accepts STARTTLS connections
    and performs fine for other services. In particular the command

       ldapwhoami -h ldap.local.voidbridge \
         -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W

    succeeds when the correct password is entered.

    Also when I temporarily disable the STARTTLS requirement on the LDAP
    server and switch to 'insecure: false' in the provider config, the
    authentication succeeds.

    The error in the OpenShift log (via syslog) is:

       Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api:
       E0713 15:09:22.921501   10255 login.go:162] Error authenticating
       "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result
       Code 200 "": TLS handshake failed (EOF)


    Any help to get authentication working over STARTTLS would be
    greatly appreciated,

    Andre

    _______________________________________________
    users mailing list
    users lists openshift redhat com
    <mailto:users lists openshift redhat com>
    http://lists.openshift.redhat.com/openshiftmm/listinfo/users



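The failure Jordan Liggitt diagnoses at the top of the thread is a cipher suite mismatch: the OpenLDAP server, with a GnuTLS `SECURE256` priority, offers only 256-bit TLS_RSA suites, and the Go client inside OpenShift Origin offered none of them, so the STARTTLS handshake died with an alert that surfaced as "TLS handshake failed (EOF)". The program below reproduces that mismatch in-process with Go's crypto/tls, which is what the OpenShift master links against. It is an added example written for this page, not code from the thread, OpenShift or OpenLDAP. It assumes a hypothetical host name `ldap.example.test`, stands in for the LDAP server with an in-memory pipe, and models STARTTLS as a toy cleartext "STARTTLS"/"OK" exchange rather than the real LDAP extended operation; only the TLS handshake that follows is the real thing. Of the three SECURE256 suites Jordan lists, Go's crypto/tls implements only `TLS_RSA_WITH_AES_256_GCM_SHA384`, so that is the only suite such a server can ever share with a Go client:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical host name for the in-memory server (not the thread's host).
const serverName = "ldap.example.test"

// Suite lists for the scenarios in main. suitesSecure256 holds the one member of
// the SECURE256 set that Go's crypto/tls implements; the CBC-SHA256 and Camellia
// members are not available in Go at all.
var (
	suitesSecure256    = []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384}
	suitesAES128Only   = []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256}
	suitesAES128And256 = []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384}
)

// selfSignedRSA builds a throwaway self-signed RSA certificate for serverName and
// a pool that trusts it. RSA is required because TLS_RSA_* suites use RSA key
// exchange; the client trusts the cert through RootCAs, as the thread's "ca:"
// setting does, rather than by disabling verification.
func selfSignedRSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// starttlsHandshake models a STARTTLS upgrade over an in-memory pipe: a toy
// cleartext "STARTTLS" request and "OK" reply, then a TLS 1.2 handshake in which
// each side offers only the given cipher suites. It returns the negotiated suite
// name, or the handshake error when the two lists have nothing in common.
func starttlsHandshake(cert tls.Certificate, pool *x509.CertPool, serverSuites, clientSuites []uint16) (string, error) {
	clientRaw, serverRaw := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // backstop against a stalled pipe
	clientRaw.SetDeadline(deadline)
	serverRaw.SetDeadline(deadline)

	// TLS 1.3 ignores CipherSuites, so pin both ends to 1.2 to reproduce the mismatch.
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: serverSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	clientCfg := &tls.Config{
		RootCAs:      pool,
		ServerName:   serverName,
		CipherSuites: clientSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}

	serverErr := make(chan error, 1)
	go func() {
		defer serverRaw.Close()
		buf := make([]byte, 16)
		n, err := serverRaw.Read(buf)
		if err != nil || string(buf[:n]) != "STARTTLS\n" {
			serverErr <- fmt.Errorf("server: expected STARTTLS, got %q (%v)", buf[:n], err)
			return
		}
		if _, err := serverRaw.Write([]byte("OK\n")); err != nil {
			serverErr <- err
			return
		}
		serverErr <- tls.Server(serverRaw, serverCfg).Handshake()
	}()

	defer clientRaw.Close()
	if _, err := clientRaw.Write([]byte("STARTTLS\n")); err != nil {
		return "", err
	}
	buf := make([]byte, 16)
	n, err := clientRaw.Read(buf)
	if err != nil || string(buf[:n]) != "OK\n" {
		return "", fmt.Errorf("client: expected OK, got %q (%v)", buf[:n], err)
	}
	tlsConn := tls.Client(clientRaw, clientCfg)
	if err := tlsConn.Handshake(); err != nil {
		return "", fmt.Errorf("TLS handshake failed: %w", err)
	}
	if err := <-serverErr; err != nil {
		return "", fmt.Errorf("server side: %w", err)
	}
	return tls.CipherSuiteName(tlsConn.ConnectionState().CipherSuite), nil
}

func main() {
	cert, pool, err := selfSignedRSA()
	if err != nil {
		panic(err)
	}
	// Scenario 1: server pinned to the 256-bit suite, client offers only AES-128 (fails).
	_, err = starttlsHandshake(cert, pool, suitesSecure256, suitesAES128Only)
	fmt.Println("server SECURE256, client offers only AES-128:", err)
	// Scenario 2: client also offers AES-256-GCM (succeeds on that suite).
	name, err := starttlsHandshake(cert, pool, suitesSecure256, suitesAES128And256)
	fmt.Println("server SECURE256, client also offers AES-256-GCM:", name, err)
}
```

The first scenario is the thread's failure: the server finds no common suite in the ClientHello and sends a handshake-failure alert, which the client reports as an error. The second shows the fix from the client side, which is the alternative to Andre's `SECURE128` workaround: once the client offers `TLS_RSA_WITH_AES_256_GCM_SHA384`, the server pinned to SECURE256 accepts it. Note that `SECURE128` and `SECURE256` are GnuTLS priority keywords, so this applies to OpenLDAP builds linked against GnuTLS; when debugging a real deployment, capturing the ClientHello (or enabling TLS logging on the server) shows exactly which suites the client offered, which is faster than guessing from version numbers.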
