Support #2435

closed

Unable to authenticate with LDAP server using ldaps

Added by Luke Baker over 11 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Hey there,

My specs:

Foreman 1.1
RHEL 6.4

I'm attempting to configure LDAP authentication with Foreman 1.1. I'm able to connect with plain ldap. When ldaps is enabled I get the following message:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries.
OpenSSL::SSL::SSLError
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
app/models/auth_source_ldap.rb:135:in `search_for_user_entries'
app/models/auth_source_ldap.rb:40:in `authenticate'
app/models/user.rb:112:in `try_to_login'
app/controllers/users_controller.rb:90:in `login'
lib/foreman/thread_session.rb:31:in `clear_thread'

I did import the SSL certificate used for ldaps communication into /etc/openldap/certs on my local host (just to be sure), but that didn't help. I feel like I'm missing something obvious; any assistance would be appreciated.


Related issues 2 (0 open, 2 closed)

  • Related to Foreman - Feature #2414: Remove Puppet from Foreman core (Closed, Greg Sutcliffe, 04/19/2013)
  • Related to Foreman - Bug #10139: Cannot verify LDAPS SSL certificate on Debian installation (Resolved, 04/14/2015)

#1

Updated by Dominic Cleal over 11 years ago

  • Category set to Authentication
  • Status changed from New to Feedback

This has been coming up quite a bit and I think it's caused by a recent change to Puppet (2.6.18, 2.7.21, 3.1.1) which monkey patched OpenSSL. Since OpenSSL gets used for LDAPS support too and we load Puppet in the app, this change by Puppet now affects Foreman too.

The monkey patch disables SSLv2 support, but also seems to force verification of SSL certificates. Try adding your SSL certificate into the OpenSSL bundle at /etc/pki/tls/certs/ca-bundle.crt, restart Foreman and see if that helps.

#2

Updated by Luke Baker over 11 years ago

  • Status changed from Feedback to Closed

Yep that did it. Thanks!

#3

Updated by François Deppierraz over 11 years ago

For the record, here's how to fix this issue under Ubuntu 12.04.

  1. Copy your CA certificate to /usr/local/share/ca-certificates/MyCA.crt
  2. Run sudo update-ca-certificates

#4

Updated by Mikael Fridh over 11 years ago

Had similar issue with foreman() and smartvar() functions so did this on Puppet master:

export CACERT=/var/lib/puppet/ssl/certs/ca.pem; ln -s $CACERT /etc/pki/tls/certs/$(openssl x509 -noout -hash -in $CACERT).0
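
The underlying problem in comments #1 and #4 (and what the Verify return code check in #7 tests for) is a trust-store issue: once the client verifies certificates, the LDAP server's CA has to sit somewhere OpenSSL actually looks, either in the CA bundle file or in a hashed directory under a `<subject hash>.0` filename. The following Ruby script is an added example, not Foreman's code and not anything posted in this thread; it constructs a throwaway private CA and an `ldap.example.com` server certificate (both placeholders), then runs OpenSSL's chain verification, the same check a verifying TLS client performs during the handshake, against an empty store, a hashed -CApath directory named the way comment #4's `ln -s` does, and a ca-bundle style file as in comment #1.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed certificates for the demonstration: a private CA and an LDAPS
# server certificate signed by it. ldap.example.com is a placeholder name.
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:ldap.example.com'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Name the CA file the way OpenSSL's -CApath lookup (and comment #4's ln -s) expects:
# <subject hash>.0, where the hash is the value `openssl x509 -noout -hash` prints.
def hashed_filename(ca_cert)
  format('%08x.0', ca_cert.subject.hash)
end

# Drop the CA into a hashed directory, mirroring /etc/pki/tls/certs or /etc/ssl/certs.
def install_ca(ca_cert, dir)
  path = File.join(dir, hashed_filename(ca_cert))
  File.write(path, ca_cert.to_pem)
  path
end

# Run the chain check a verifying TLS client performs and return OpenSSL's
# verdict plus its reason text (e.g. "unable to get local issuer certificate").
def check_chain(server_cert, store)
  ok = store.verify(server_cert)
  [ok, ok ? 'ok' : store.error_string]
end

# Exercise the three trust configurations discussed in the thread.
def demo
  ca_cert, ca_key = make_cert('/CN=Example Private CA', ca: true)
  srv_cert, _key  = make_cert('/CN=ldap.example.com', issuer_cert: ca_cert, issuer_key: ca_key)

  results = {}
  # 1. Empty store: the "certificate verify failed" situation from the report.
  results[:untrusted] = check_chain(srv_cert, OpenSSL::X509::Store.new)

  Dir.mktmpdir do |dir|
    # 2. Hashed-directory install, the -CApath style used in comment #4.
    install_ca(ca_cert, dir)
    dir_store = OpenSSL::X509::Store.new
    dir_store.add_path(dir)
    results[:capath] = check_chain(srv_cert, dir_store)

    # 3. Bundle-file install, the ca-bundle.crt approach from comment #1.
    bundle = File.join(dir, 'ca-bundle.crt')
    File.write(bundle, ca_cert.to_pem)
    file_store = OpenSSL::X509::Store.new
    file_store.add_file(bundle)
    results[:bundle] = check_chain(srv_cert, file_store)
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, reason)| puts format('%-10s verify=%-5s %s', name, ok, reason) }
end
```

Running the script prints one line per configuration: the empty store fails with OpenSSL's reason text, and both install styles pass. The reason text for the failing case is what to compare against when `openssl s_client` reports a non-zero Verify return code; a filename in the hashed directory that does not match `openssl x509 -noout -hash` output is silently ignored by the lookup, which is why the `$(openssl x509 -noout -hash ...).0` naming in comment #4 matters.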

#5

Updated by Dominic Cleal over 9 years ago

  • Description updated (diff)

This has returned in Foreman 1.7.4 and 1.8.0-RC2 and above as part of a CVE fix (#9858), so if you come across this and need to trust your LDAP cert, please see this section in our manual for instructions:

http://theforeman.org/manuals/latest/index.html#4.1.1LDAPAuthentication

#6

Updated by Mizuki Kara over 9 years ago

Just upgraded foreman 1.7.1 -> 1.7.4 today and seem to have this issue since then. I imported both the LDAP CA cert & Foreman CA cert into /usr/local/share/ca-certificates/ on my Debian host and ran update-ca-certificates. I can verify the certs were added successfully, but it doesn't do the trick. What I see on the LDAP server side is the following:

Apr 8 12:37:19 ns2 slapd[2576]: conn=809043 fd=21 ACCEPT from IP=10.0.1.59:37084 (IP=0.0.0.0:636)
Apr 8 12:37:19 ns2 slapd[2576]: conn=809043 fd=21 closed (TLS negotiation failure)

But other services that connect to LDAP servers through LDAPS work just fine. Any hints?

#7

Updated by Dominic Cleal over 9 years ago

Try running: openssl s_client -connect ldap.example.com:636 -CApath /etc/ssl/certs and at the end of the output, it should say, Verify return code: 0 (ok), if not, please pastebin the output.

#8

Updated by Mizuki Kara over 9 years ago

Dominic Cleal wrote:

Try running: openssl s_client -connect ldap.example.com:636 -CApath /etc/ssl/certs and at the end of the output, it should say, Verify return code: 0 (ok), if not, please pastebin the output.

Yes, it does say Verify return code: 0 (ok) indeed.

#9

Updated by Vasil Mikhalenya over 9 years ago

The same issue for me after the 1.6 -> 1.7.4 upgrade. Foreman AD auth through LDAPS stopped working.
But the certs are trusted:
root@v-foreman:~# openssl s_client -CApath /etc/ssl/certs -connect dc.corp.local:636 2>/dev/null |grep Verify
Verify return code: 0 (ok)

#10

Updated by Vasil Mikhalenya over 9 years ago

lsb_release -d
Description: Ubuntu 12.04.4 LTS

#11

Updated by Olivier Widmer over 9 years ago

We have the same problem as Mizuki Kara described. LDAP stopped working after upgrade to Version 1.7.4

lsb_release -d
Description: Ubuntu 14.04.2 LTS

#12

Updated by Dominic Cleal over 9 years ago

  • Related to Bug #10139: Cannot verify LDAPS SSL certificate on Debian installation added

#13

Updated by Marek Hulán over 9 years ago

Just verified the steps mentioned in comment 3 on Debian GNU/Linux 7.8 (wheezy); works for me (the cert is self-signed).

You can use the following command to find the correct certificate:

openssl s_client -connect ldap.example.com:636 -showcerts