Bug #9926

LdapError: unsupported encryption method with LDAP auth source

Added by Alexandre Barth over 5 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Category: Authentication

Description

I've just upgraded from 1.8.0 RC1 to 1.8.0 RC2; when I want to log in using an LDAP account, I get the following error:

Started POST "/users/login" for 192.168.0.1 at 2015-03-27 14:42:32 +0100
2015-03-27 14:42:32 [I] Processing by UsersController#login as HTML
2015-03-27 14:42:32 [I] Parameters: {"utf8"=>"✓", "authenticity_token"=>"ZOnsMh5ABcz6MEzjE4wRrcLEvnMeYm6hHk+1hnxsUg8=", "login"=>{"login"=>"alexandre.barth", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-03-27 14:42:32 [W] Operation FAILED: LdapError: unsupported encryption method
2015-03-27 14:42:32 [I] Rendered common/500.html.erb within layouts/application (3.7ms)
2015-03-27 14:42:32 [I] Rendered layouts/base.html.erb (1.3ms)
2015-03-27 14:42:32 [I] Completed 500 Internal Server Error in 15ms (Views: 6.4ms | ActiveRecord: 1.7ms)

This was working in 1.8.0 RC1 and all previous versions.


Related issues

Related to Foreman - Bug #9885: CVE-2015-1816 - LDAP server SSL certificate not verified (Closed, 2015-03-24)

Associated revisions

Revision 5d5e0bb6 (diff)
Added by Marek Hulán over 5 years ago

Fixes #9926 - do not always set LDAP encryption method

Revision 6462c815 (diff)
Added by Marek Hulán over 5 years ago

Fixes #9926 - do not always set LDAP encryption method

(cherry picked from commit 5d5e0bb601ad75a514168a263a6a360c496cb2af)

History

#1 Updated by Dominic Cleal over 5 years ago

  • Subject changed from "no more Ldap connection" to "LdapError: unsupported encryption method with LDAP auth source"
  • Category set to Authentication

Is your LDAP auth source in Foreman configured with SSL?

#2 Updated by Dominic Cleal over 5 years ago

  • Related to Bug #9885: CVE-2015-1816 - LDAP server SSL certificate not verified added

#3 Updated by Alexandre Barth over 5 years ago

No, I'm not using ldaps.

#4 Updated by Dominic Cleal over 5 years ago

Ah, I wonder if we're constructing this badly then and all of :encryption should be nil rather than just :method here: https://github.com/theforeman/foreman/blob/1.8.0-RC2/app/models/auth_sources/auth_source_ldap.rb#L83

#5 Updated by Alex Derr over 5 years ago

Dominic Cleal wrote:

Ah, I wonder if we're constructing this badly then and all of :encryption should be nil rather than just :method here: https://github.com/theforeman/foreman/blob/1.8.0-RC2/app/models/auth_sources/auth_source_ldap.rb#L83

The workaround that I am using is to just comment out the encryption_config for now:

  def encryption_config
#    method = tls ? :simple_tls : nil
#    { :method => method, :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_PEER } }
  end

My LDAP w/o SSL is working again.

#6 Updated by Alex Derr over 5 years ago

  def encryption_config
#    method = tls ? :simple_tls : nil
#    { :method => method, :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_PEER } }
  end

#7 Updated by The Foreman Bot over 5 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2271 added
  • Pull request deleted ()

#8 Updated by Marek Hulán over 5 years ago

Oh, the hash is used only for simple_tls and start_tls, otherwise encryption is set to nil, I missed this. Alex, could you please test the patch in https://github.com/theforeman/foreman/pull/2271? It should fix it for you but keep SSL working.

#9 Updated by Alex Derr over 5 years ago

Marek Hulán wrote:

Oh, the hash is used only for simple_tls and start_tls, otherwise encryption is set to nil, I missed this. Alex, could you please test the patch in https://github.com/theforeman/foreman/pull/2271? It should fix it for you but keep SSL working.

That seems to be working. Also note, I use LDAP without SSL. So I can't test if LDAPS is working still or not.

#10 Updated by Dominic Cleal over 5 years ago

  • Assignee set to Marek Hulán

#11 Updated by Marek Hulán over 5 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
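
The failure discussed in comments #4 and #8, as an added example that is not part of the original thread and is not Foreman's or the LDAP library's code. `check_encryption` is a simplified, hypothetical stand-in for the client-side check described in comment #8, and `encryption_config_fixed` is a sketch of the direction suggested there, not the merged patch.

```ruby
require 'openssl'

# Hypothetical stand-in for the LDAP client's check, modelled on comment #8:
# a non-nil :encryption hash must name :simple_tls or :start_tls.
SUPPORTED_METHODS = [:simple_tls, :start_tls].freeze

class LdapError < StandardError; end

def check_encryption(encryption)
  return :plain if encryption.nil? # no hash at all: unencrypted LDAP
  unless SUPPORTED_METHODS.include?(encryption[:method])
    raise LdapError, 'unsupported encryption method'
  end
  encryption[:method]
end

# Behaviour of the lines quoted in comments #5 and #6: the hash is always
# built, so a non-TLS auth source hands over { :method => nil, ... }.
def encryption_config_rc2(tls)
  method = tls ? :simple_tls : nil
  { :method => method, :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_PEER } }
end

# Sketch (assumption): return nil for non-TLS sources, and keep certificate
# verification (the CVE-2015-1816 concern) whenever TLS is enabled.
def encryption_config_fixed(tls)
  return nil unless tls
  { :method => :simple_tls, :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_PEER } }
end

# Returns the negotiated mode, or the error text the user would see in the log.
def outcome(config)
  check_encryption(config)
rescue LdapError => e
  "LdapError: #{e.message}"
end

[false, true].each do |tls|
  puts "tls=#{tls} rc2=#{outcome(encryption_config_rc2(tls)).inspect} " \
       "fixed=#{outcome(encryption_config_fixed(tls)).inspect}"
end
```

Unlike commenting out the method body, the sketch still returns the TLS hash with `VERIFY_PEER` for sources that have TLS enabled.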
