
Re: LDAP authentication with STARTTLS failing



It's version 1.2.0 and I've installed it using the Advanced Installation instructions from https://docs.openshift.org/latest/install_config/install/advanced_install.html

Andre


On 2016-07-14 15:41, Jordan Liggitt wrote:
What version of origin are you running with (and if you built it
yourself, what version of go did you build with?)

It looks like SECURE256 translates to these ciphers:

    TLSv1.2: ciphers: TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384

None of those are supported in go1.4.
TLS_RSA_WITH_AES_256_GCM_SHA384 should work with go1.6.




On Thu, Jul 14, 2016 at 8:54 AM, Andre Esser <andre esser voidbridge com> wrote:

    RESOLVED:

    Our LDAP servers required 256 bit cyphers but OpenShift appears to
    use 128 bit ones. After setting 'olcTLSCipherSuite' to 'SECURE128'
    authentication started to work.

    Cheers,

    Andre



    On 2016-07-13 17:50, Andre Esser wrote:

        Certificate:
              Data:
                  Version: 3 (0x2)
                  Serial Number: 971[..] (0x86[..])
              Signature Algorithm: sha256WithRSAEncryption
                  Issuer: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/emailAddress=admin voidbridge com
                  Validity
                      Not Before: Apr 12 16:39:00 2015 GMT
                      Not After : Apr  9 16:39:00 2025 GMT
                  Subject: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/emailAddress=admin voidbridge com
                  Subject Public Key Info:
                      Public Key Algorithm: rsaEncryption
                          Public-Key: (4096 bit)
                          Modulus:
                              00:b5:35:[...]
                          Exponent: 65537 (0x10001)
                  X509v3 extensions:
                      X509v3 Subject Key Identifier:
                          76:44:AB:[..]
                      X509v3 Authority Key Identifier:
                          keyid:76:44:AB:[..]

                      X509v3 Basic Constraints:
                          CA:TRUE
                      X509v3 Key Usage:
                          Certificate Sign, CRL Sign
              Signature Algorithm: sha256WithRSAEncryption
                   96:5a:ac:[..]


        On 2016-07-13 17:26, Jordan Liggitt wrote:

            Is the signing cert an actual CA (what does `openssl x509 -in
            /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text
            -noout` show?)

            On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser <andre esser voidbridge com> wrote:

                 Hi,

                 I'm having problems getting LDAP authentication with a STARTTLS LDAP
                 server to work on an OpenShift Origin installation.


                 The provider config is as follows:


            -------------------------------------------------------------
                 identityProviders:
                    - name: "voidbridge_ldap_provider"
                      challenge: true
                      login: true
                      mappingMethod: add
                      provider:
                        apiVersion: v1
                        kind: LDAPPasswordIdentityProvider
                        attributes:
                          id:
                          - uid
                          email:
                          - mail
                          name:
                          - gecos
                          preferredUsername:
                          - uid
                        bindDN: ""
                        bindPassword: ""
                        ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
                        insecure: false
                        url: "ldap://ldap.local.voidbridge \
                              /ou=people,dc=voidbridge?uid?one"

            ---------------------------------------------------------------

                 The LDAP server's cert is self-signed, the CA cert is voidbridge-ca.crt.
                 The LDAP server only accepts STARTTLS connections and performs fine for
                 other services. In particular the command

                    ldapwhoami -h ldap.local.voidbridge \
                      -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W

                 succeeds when the correct password is entered.

                 Also when I temporarily disable the STARTTLS requirement on the LDAP
                 server and switch to 'insecure: false' in the provider config, the
                 authentication succeeds.

                 The error in the OpenShift log (via syslog) is:

                    Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api:
                    E0713 15:09:22.921501   10255 login.go:162] Error authenticating
                    "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result
                    Code 200 "": TLS handshake failed (EOF)


                 Any help to get authentication working over STARTTLS would be
                 greatly appreciated,

                 Andre

                 _______________________________________________
                 users mailing list
                 users lists openshift redhat com
                 http://lists.openshift.redhat.com/openshiftmm/listinfo/users
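The cipher-suite mismatch Jordan describes, reproduced in-process as an added example (not code from the thread, from Origin or from OpenLDAP): a TLS 1.2 server restricted to the one SECURE256 suite Go supports refuses a client that, like go1.4, offers only 128-bit RSA suites, while widening the server list (the 'SECURE128' change) or giving the client the 256-bit GCM suite (go1.6) lets the handshake complete. The suite lists, the throwaway certificate and the name ldap.test are constructed for the test; the real provider verifies the server chain against the configured CA file, which this in-memory check skips.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Constructed suite lists standing in for the thread's two sides: Secure256 is the one
// SECURE256 suite Go knows, Secure128 adds a 128-bit suite, Client128 has no 256-bit suite (like go1.4).
var (
	Secure256 = []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384}
	Secure128 = []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_128_GCM_SHA256}
	Client128 = []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_128_CBC_SHA}
)

// Negotiate runs a TLS 1.2 handshake over an in-memory pipe between a server limited to
// srvSuites and a client limited to cliSuites; it returns the negotiated suite or the error
// the client sees, i.e. the kind of failure the login.go line in the thread reports.
func Negotiate(srvSuites, cliSuites []uint16) (uint16, error) {
	// Throwaway self-signed RSA certificate (constructed); the TLS_RSA_* suites need an RSA key.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ldap.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srvConn, cliConn := net.Pipe()
	defer func() { srvConn.Close(); cliConn.Close() }()
	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: srvSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}) // TLS 1.3 ignores CipherSuites
	cli := tls.Client(cliConn, &tls.Config{CipherSuites: cliSuites, MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12, InsecureSkipVerify: true}) // no chain check: in-process test only
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return 0, err // the deferred Close unblocks the server goroutine
	}
	return cli.ConnectionState().CipherSuite, <-errc
}
```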




