Support #2435

Unable to authenticate with LDAP server using ldaps

Added by Luke Baker about 10 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Hey there,

My specs:

Foreman 1.1
RHEL 6.4

I'm attempting to configure LDAP authentication with Foreman 1.1; I'm able to connect with plain ldap. When ldaps is enabled I get the following message:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries.
OpenSSL::SSL::SSLError
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
app/models/auth_source_ldap.rb:135:in `search_for_user_entries'
app/models/auth_source_ldap.rb:40:in `authenticate'
app/models/user.rb:112:in `try_to_login'
app/controllers/users_controller.rb:90:in `login'
lib/foreman/thread_session.rb:31:in `clear_thread'

I did import the SSL certificate used for ldaps communication into /etc/openldap/certs on my local host (just to be sure), but that didn't help. I feel like I'm missing something obvious, any assist would be appreciated.


Related issues

Related to Foreman - Feature #2414: Remove Puppet from Foreman core (Closed, 2013-04-19)
Related to Foreman - Bug #10139: Cannot verify LDAPS SSL certificate on Debian installation (Resolved, 2015-04-14)

History

#1 Updated by Dominic Cleal about 10 years ago

  • Category set to Authentication
  • Status changed from New to Feedback

This has been coming up quite a bit and I think it's caused by a recent change to Puppet (2.6.18, 2.7.21, 3.1.1) which monkey patched OpenSSL. Since OpenSSL gets used for LDAPS support too and we load Puppet in the app, this change by Puppet now affects Foreman too.

The monkey patch disables SSLv2 support, but also seems to force verification of SSL certificates. Try adding your SSL certificate into the OpenSSL bundle at /etc/pki/tls/certs/ca-bundle.crt, restart Foreman and see if that helps.

#2 Updated by Luke Baker about 10 years ago

  • Status changed from Feedback to Closed

Yep that did it. Thanks!

#3 Updated by François Deppierraz about 10 years ago

For the record, here's how to fix this issue under Ubuntu 12.04.

  1. Copy your CA certificate in /usr/local/share/ca-certificates/MyCA.crt
  2. Run sudo update-ca-certificates

#4 Updated by Mikael Fridh about 10 years ago

Had similar issue with foreman() and smartvar() functions so did this on Puppet master:

export CACERT=/var/lib/puppet/ssl/certs/ca.pem; ln -s $CACERT /etc/pki/tls/certs/$(openssl x509 -noout -hash -in $CACERT).0
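Added example, not Foreman's or Puppet's own code, showing in Ruby's OpenSSL binding what comments #1 and #4 describe: a server certificate fails verification until its CA is in the trust store, and the hash-named file that the RHEL certs directory expects. The CA name, hostname and certificates are constructed in memory and exist only for this example.

```ruby
require 'openssl'

# Constructed throwaway CA and LDAP server certificate (not real), built in
# memory so the example runs offline.
def make_cert(subject, serial, issuer_cert, issuer_key, ca:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

CA_CERT, CA_KEY = make_cert('/CN=Example LDAP CA', 1, nil, nil, ca: true)
LDAP_CERT, _ = make_cert('/CN=ldap.example.com', 2, CA_CERT, CA_KEY, ca: false)

# A store holding only the given CAs decides whether the server certificate
# verifies; this is the check that the Puppet-patched OpenSSL now enforces
# for the LDAPS connection. Returns 'ok' or the OpenSSL error text.
def verify_against(trusted_cas, leaf)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  store.verify(leaf) ? 'ok' : store.error_string
end

# Filename a hashed certs directory (e.g. /etc/pki/tls/certs) looks up for a
# CA: same value as `openssl x509 -noout -hash`, as used in comment #4.
def hash_filename(cert)
  format('%08x.0', cert.subject.hash)
end

puts "without CA: #{verify_against([], LDAP_CERT)}"
puts "with CA:    #{verify_against([CA_CERT], LDAP_CERT)}"
puts "CA file:    #{hash_filename(CA_CERT)}"
```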

#5 Updated by Dominic Cleal about 8 years ago

  • Description updated (diff)

This has returned in Foreman 1.7.4 and 1.8.0-RC2 and above as part of a CVE fix (#9858), so if you come across this and need to trust your LDAP cert, please see this section in our manual for instructions:

http://theforeman.org/manuals/latest/index.html#4.1.1LDAPAuthentication

#6 Updated by Mizuki Kara about 8 years ago

Just upgraded foreman-1.7.1->1.7.4 today and seem to have this issue after that. I imported both the LDAP CA cert & Foreman CA cert to my Debian /usr/local/share/ca-certificates/ and ran update-ca-certificates. I can verify the certs were added successfully but it doesn't do the trick. What I see on the LDAP server side is the following:

Apr 8 12:37:19 ns2 slapd2576: conn=809043 fd=21 ACCEPT from IP=10.0.1.59:37084 (IP=0.0.0.0:636)
Apr 8 12:37:19 ns2 slapd2576: conn=809043 fd=21 closed (TLS negotiation failure)

But other services who connect to LDAP servers through LDAPs works just fine. Any hints?

#7 Updated by Dominic Cleal about 8 years ago

Try running: openssl s_client -connect ldap.example.com:636 -CApath /etc/ssl/certs and at the end of the output, it should say, Verify return code: 0 (ok), if not, please pastebin the output.

#8 Updated by Mizuki Kara about 8 years ago

Dominic Cleal wrote:

Try running: openssl s_client -connect ldap.example.com:636 -CApath /etc/ssl/certs and at the end of the output, it should say, Verify return code: 0 (ok), if not, please pastebin the output.

Yes, it does say Verify return code: 0 (ok) indeed.

#9 Updated by Vasil Mikhalenya about 8 years ago

The same issue for me after 1.6 -> 1.7.4 upgrade. Foreman AD through LDAPs auth stopped working.
But certs are trusted
root@v-foreman:~# openssl s_client -CApath /etc/ssl/certs -connect dc.corp.local:636 2>/dev/null |grep Verify
Verify return code: 0 (ok)

#10 Updated by Vasil Mikhalenya about 8 years ago

lsb_release -d
Description: Ubuntu 12.04.4 LTS

#11 Updated by Olivier Widmer about 8 years ago

We have the same problem as Mizuki Kara described. LDAP stopped working after upgrade to Version 1.7.4

lsb_release -d
Description: Ubuntu 14.04.2 LTS

#12 Updated by Dominic Cleal about 8 years ago

  • Related to Bug #10139: Cannot verify LDAPS SSL certificate on Debian installation added

#13 Updated by Marek Hulán about 8 years ago

Just verified steps mentioned in comment 3 on Debian GNU/Linux 7.8 (wheezy), works for me (the cert is self-signed).

You can use following command to find the correct certificate

openssl s_client -connect ldap.example.com:636 -showcerts
