
Support #2435

Unable to authenticate with LDAP server using ldaps

Added by Luke Baker over 5 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Triaged:
No
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Hey there,

My specs:

Foreman 1.1
RHEL 6.4

I'm attempting to configure LDAP authentication with Foreman 1.1; I'm able to connect with plain LDAP. When ldaps is enabled I get the following message:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries.
OpenSSL::SSL::SSLError
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
app/models/auth_source_ldap.rb:135:in `search_for_user_entries'
app/models/auth_source_ldap.rb:40:in `authenticate'
app/models/user.rb:112:in `try_to_login'
app/controllers/users_controller.rb:90:in `login'
lib/foreman/thread_session.rb:31:in `clear_thread'

I did import the SSL certificate used for ldaps communication into /etc/openldap/certs on my local host (just to be sure), but that didn't help. I feel like I'm missing something obvious, any assist would be appreciated.


Related issues

Related to Foreman - Feature #2414: Remove Puppet from Foreman core (Closed, 2013-04-19)
Related to Foreman - Bug #10139: Cannot verify LDAPS SSL certificate on Debian installation (Resolved, 2015-04-14)

History

#1 Updated by Dominic Cleal over 5 years ago

  • Category set to Authentication
  • Status changed from New to Feedback

This has been coming up quite a bit and I think it's caused by a recent change to Puppet (2.6.18, 2.7.21, 3.1.1) which monkey patched OpenSSL. Since OpenSSL gets used for LDAPS support too and we load Puppet in the app, this change by Puppet now affects Foreman too.

The monkey patch disables SSLv2 support, but also seems to force verification of SSL certificates. Try adding your SSL certificate into the OpenSSL bundle at /etc/pki/tls/certs/ca-bundle.crt, restart Foreman and see if that helps.

#2 Updated by Luke Baker over 5 years ago

  • Status changed from Feedback to Closed

Yep that did it. Thanks!

#3 Updated by François Deppierraz over 5 years ago

For the record, here's how to fix this issue under Ubuntu 12.04.

  1. Copy your CA certificate in /usr/local/share/ca-certificates/MyCA.crt
  2. Run sudo update-ca-certificates

#4 Updated by Mikael Fridh over 5 years ago

Had a similar issue with the foreman() and smartvar() functions, so I did this on the Puppet master:

export CACERT=/var/lib/puppet/ssl/certs/ca.pem; ln -s $CACERT /etc/pki/tls/certs/$(openssl x509 -noout -hash -in $CACERT).0
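
As an added example (not code from this thread or from Foreman itself), the Ruby script below reproduces the check that the Puppet patch turned on: a constructed, in-memory self-signed CA and a server certificate it issues are verified with OpenSSL::X509::Store, which fails while the CA is untrusted and passes once it is added, and the CApath file name used in the symlink above is derived from the CA's subject hash. The CA name and the host name ldap.example.com are constructed placeholders.

```ruby
require "openssl"

# Build a self-signed CA (constructed, in-memory; stands in for the LDAP CA).
def make_ca(cn = "Example LDAP CA")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Issue a server certificate for the LDAP host, signed by that CA (constructed).
def issue_server_cert(ca_cert, ca_key, host = "ldap.example.com")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer  = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify the server cert against a trust store, the way VERIFY_PEER does
# during the TLS handshake. Returns [ok, error_string].
def verify_server_cert(server_cert, trusted_certs)
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

# File name that `openssl x509 -hash` / c_rehash would give this CA inside a
# CApath directory such as /etc/pki/tls/certs or /etc/ssl/certs.
def capath_link_name(cert)
  format("%08x.0", cert.subject.hash)
end
```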

#5 Updated by Dominic Cleal over 3 years ago

  • Description updated (diff)

This has returned in Foreman 1.7.4 and 1.8.0-RC2 and above as part of a CVE fix (#9858), so if you come across this and need to trust your LDAP cert, please see this section in our manual for instructions:

http://theforeman.org/manuals/latest/index.html#4.1.1LDAPAuthentication

#6 Updated by Mizuki Kara over 3 years ago

Just upgraded foreman 1.7.1 -> 1.7.4 today and seem to have this issue after that. I imported both the LDAP CA cert and the Foreman CA cert into /usr/local/share/ca-certificates/ on my Debian host and ran update-ca-certificates. I can verify the certs were added successfully, but it doesn't do the trick. What I see on the LDAP server side is the following:

Apr 8 12:37:19 ns2 slapd2576: conn=809043 fd=21 ACCEPT from IP=10.0.1.59:37084 (IP=0.0.0.0:636)
Apr 8 12:37:19 ns2 slapd2576: conn=809043 fd=21 closed (TLS negotiation failure)

But other services that connect to LDAP servers through LDAPS work just fine. Any hints?

#7 Updated by Dominic Cleal over 3 years ago

Try running: openssl s_client -connect ldap.example.com:636 -CApath /etc/ssl/certs and at the end of the output, it should say, Verify return code: 0 (ok), if not, please pastebin the output.

#8 Updated by Mizuki Kara over 3 years ago

Dominic Cleal wrote:

Try running: openssl s_client -connect ldap.example.com:636 -CApath /etc/ssl/certs and at the end of the output, it should say, Verify return code: 0 (ok), if not, please pastebin the output.

Yes, it does say Verify return code: 0 (ok) indeed.

#9 Updated by Vasil Mikhalenya over 3 years ago

The same issue for me after the 1.6 -> 1.7.4 upgrade. Foreman AD auth through LDAPS stopped working.
But the certs are trusted:
root@v-foreman:~# openssl s_client -CApath /etc/ssl/certs -connect dc.corp.local:636 2>/dev/null |grep Verify
Verify return code: 0 (ok)

#10 Updated by Vasil Mikhalenya over 3 years ago

lsb_release -d
Description: Ubuntu 12.04.4 LTS

#11 Updated by Olivier Widmer over 3 years ago

We have the same problem as Mizuki Kara described. LDAP stopped working after upgrade to Version 1.7.4

lsb_release -d
Description: Ubuntu 14.04.2 LTS

#12 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #10139: Cannot verify LDAPS SSL certificate on Debian installation added

#13 Updated by Marek Hulán over 3 years ago

Just verified steps mentioned in comment 3 on Debian GNU/Linux 7.8 (wheezy), works for me (the cert is self-signed).

You can use the following command to find the correct certificate:

openssl s_client -connect ldap.example.com:636 -showcerts
