Backlog #3482

TLS LDAP does not support STARTTLS

Added by EOLE Team over 6 years ago. Updated almost 6 years ago.

Status: Pending
Start date: 01/03/2015
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Drivers - Auth
Target version: -

Description

Hello,

Using ONE 4.8 and 4.10, I tried to switch the LDAP authentication to TLS and found that only LDAP over SSL (by default on port 636) is working.

First, a note should be added to the documentation about this issue.

I propose to modify the encryption setting in the configuration file with the following possibilities:

  • :null to disable encryption (the default)
  • :simple_tls to use LDAP over SSL
  • :starttls to use STARTTLS

With the following configuration example:

server 1:
[...]
    # Ldap server
    :host: localhost

    # No encryption by default on the standard port
    # Uncomment this line to use STARTTLS
    #:encryption: :starttls
    :port: 389

    # Uncomment these lines to use LDAP over SSL on the ldaps port
    #:encryption: :simple_tls
    #:port: 636
[...]

Thanks.

History

#1 Updated by Ruben S. Montero over 6 years ago

  • Tracker changed from Request to Backlog
  • Category set to Drivers - Auth
  • Priority changed from Normal to High

Pretty interesting, moving it to backlog

#2 Updated by Marc Proe almost 6 years ago

Can confirm (for me, only "simple" works, no SSL).

Adding a backtrace to /usr/lib/one/ruby/opennebula/ldap_auth.rb gives:

Mon Jul 20 11:20:51 2015 [Z0][AuM][I]: no implicit conversion of Symbol into Integer
Mon Jul 20 11:20:51 2015 [Z0][AuM][D]: Message received: LOG I 2 
["/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:92:in `[]'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:92:in `setup_encryption'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:25:in `initialize'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:1223:in `new'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:1223:in `new_connection'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:1209:in `use_connection'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:742:in `block in search'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/instrumentation.rb:19:in `instrument'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:741:in `search'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:1128:in `search_root_dse'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:1194:in `paged_searches_supported?'", 
"/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:734:in `search'", 
"/usr/lib/one/ruby/opennebula/ldap_auth.rb:133:in `find_user'", 
"/var/lib/one/remotes/auth/default/authenticate:73:in `block in <main>'", 
"/var/lib/one/remotes/auth/default/authenticate:61:in `each'", 
"/var/lib/one/remotes/auth/default/authenticate:61:in `<main>'"]

Manually using STARTTLS or SSL via ldapsearch command works fine.

This bug basically blocks productive use (at least for me).

  • ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
  • vOneCloud 1.6.0
  • OpenNebula 4.12.3
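The following is an added example, not code from OpenNebula's ldap_auth.rb or from the net-ldap gem. It takes the per-server layout proposed in the description (:host, :port, :encryption with :null / :starttls / :simple_tls) and expands it into the option hash net-ldap's Net::LDAP.new takes, using net-ldap's own method names (:start_tls, :simple_tls) and its encryption hash form { method: ..., tls_options: ... }. It also reproduces, without net-ldap installed, the TypeError from the backtrace in comment #2: that trace shows `[]` failing inside setup_encryption with "no implicit conversion of Symbol into Integer", which is what Ruby raises when a Symbol is indexed with a Symbol, i.e. when a bare :simple_tls arrives where a Hash with a :method key is expected. The YAML text, the server names and the helper functions are constructed for this example; the port sanity checks and the explicit verify_mode are the checks a practitioner would want before the first bind, not something the issue states.

```ruby
# Added example (not OpenNebula's or net-ldap's code): turn the config layout
# proposed in this issue into Net::LDAP.new options and show the Symbol-vs-Hash
# failure mode visible in the comment #2 backtrace.
require 'yaml'
require 'openssl'

# Constructed config in the issue's proposed layout. The three server names
# are hypothetical; :host/:port/:encryption are the keys from the proposal.
SAMPLE_CONF = <<~YAML
  :server_starttls:
    :host: ldap.example.com
    :port: 389
    :encryption: :starttls
  :server_ldaps:
    :host: ldap.example.com
    :port: 636
    :encryption: :simple_tls
  :server_plain:
    :host: ldap.example.com
    :port: 389
YAML

# Map the spelling proposed in the issue (:starttls) and net-ldap's own
# spellings to the method symbol net-ldap understands.
ENCRYPTION_METHODS = {
  starttls:   :start_tls,  # issue's proposed spelling
  start_tls:  :start_tls,  # net-ldap's spelling
  simple_tls: :simple_tls, # LDAP over SSL (ldaps, normally port 636)
}.freeze

# Hypothetical helper: expand the config's :encryption value into the Hash
# form { method:, tls_options: } that net-ldap indexes with [:method].
# Passing the bare Symbol instead would make that lookup call Symbol#[]
# with a Symbol, raising the TypeError seen in the backtrace.
def normalize_encryption(value, ca_file: nil)
  return nil if value.nil? || value == :null

  method = ENCRYPTION_METHODS[value.to_sym]
  raise ArgumentError, "unknown :encryption value #{value.inspect}" unless method

  # Set verification explicitly rather than relying on a gem default.
  tls = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
  tls[:ca_file] = ca_file if ca_file
  { method: method, tls_options: tls }
end

# Hypothetical helper: options for one server in the shape Net::LDAP.new takes.
def ldap_options_for(server_conf, ca_file: nil)
  enc  = normalize_encryption(server_conf[:encryption], ca_file: ca_file)
  port = Integer(server_conf[:port] || (enc && enc[:method] == :simple_tls ? 636 : 389))

  # STARTTLS upgrades a plaintext session, so it belongs on 389, not 636;
  # simple_tls expects TLS from the first byte, so 389 will not answer it.
  if enc && enc[:method] == :start_tls && port == 636
    raise ArgumentError, 'STARTTLS on the ldaps port (636) will not work'
  end
  if enc && enc[:method] == :simple_tls && port == 389
    raise ArgumentError, 'simple_tls on the plaintext port (389) will not work'
  end

  opts = { host: server_conf[:host], port: port }
  opts[:encryption] = enc if enc
  opts
end

# OpenNebula-style config uses :symbol keys, so Symbol must be permitted.
def load_servers(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Symbol])
end

# Reproduce the backtrace's failure without net-ldap: a Symbol indexed
# with :method, as a bare `encryption: :simple_tls` would be.
def symbol_indexed_with_method
  :simple_tls[:method]
rescue TypeError => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  load_servers(SAMPLE_CONF).each do |name, conf|
    puts "#{name}: #{ldap_options_for(conf, ca_file: '/etc/ssl/certs/ca-certificates.crt').inspect}"
  end
  puts "bare Symbol as encryption -> #{symbol_indexed_with_method}"
end
```

The returned hash is what you would hand to Net::LDAP.new(**opts); the example stops short of opening a connection so it runs offline. The :null handling follows the proposal, where :null means no encryption at all, so a server left on :null on port 389 sends the bind password in clear.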
