On 10/16/2012 09:17 AM, Daniel Gollub wrote:
Hi Matt,
On Sunday, October 14, 2012 11:46:36 AM Matthew Drobnak wrote:
Daniel,
So here's the problem - it looks like OpenLDAP on SuSE is not configured to use the default system ca_bundle.pem file.
I added this line:
TLS_CACERT /etc/ssl/ca-bundle.pem
to /etc/openldap/ldap.conf,
and re-ran the script, and it works perfectly.

Good catch! LDAP & TLS is always fun :(

So, of course, I made the config settings match between the script and the production.rb file. Something is a bit different, however, as it still does not work with API auth:

My little helper script seems to be different in the relevant part. At least I helped a bit so far ....
The TLS vs. SSL handling in my helper script is pretty simplified compared to the LDAP implementation in OBS.
obs01:/srv/www/obs/api/log # /root/obs-ldap.rb
Bingo: uid=mdrobnak,ou=People,dc=appnexus,dc=com
obs01:/srv/www/obs/api/log # head -n 10 /root/obs-ldap.rb
#!/usr/bin/ruby
require 'ldap'

LOGIN = "mdrobnak"
LDAP_SEARCH_ATTR = "uid"
LDAP_SERVERS = "ldap.local.appnexus.net"
LDAP_PORT = 389
LDAP_START_TLS = true
LDAP_SSL = :on

So these two options might work for my helper script .. but not for OBS. Those are XOR in OBS... :(
obs01:/srv/www/obs/api/log # grep LDAP ../config/environments/production.rb
LDAP_MODE = :on
# LDAP Servers separated by ':'.
LDAP_SERVERS = "ldap.local.appnexus.net"
# If you're using LDAP_AUTHENTICATE=:ldap then you should ensure that
LDAP_SSL = :on

Since you are using TLS: turn LDAP_SSL := off

# Use StartTLS extension of LDAP
LDAP_START_TLS = :on

... and keep this LDAP_START_TLS = :on.
This hopefully should do the trick for you. With your current configuration OBS would only try to do plain-SSL chatting on port 389, which is going to fail since your TLS-configured LDAP is expecting a TLS handshake.

Still I really wonder why the exception, when all this fails, is completely silenced in the logs ...

But we should definitely introduce a sanity check that warns you when you have LDAP_SSL and LDAP_START_TLS activated at the same time ... which is usually not what you want. (TLS will turn the initial plain connection into an encrypted one after the TLS handshake thingy ...)

Oops. That's what I get for not reading it closely enough. I thought you emulated the OBS logic in your script.

Yes, switching LDAP_SSL to off and keeping the START_TLS on made things work. Thanks a lot for all your help! Now on to the other issues I have. :)

-Matt
# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
LDAP_PORT=389
LDAP_REFERRALS = :off
# Max number of times to attempt to contact the LDAP servers
LDAP_MAX_ATTEMPTS = 10
LDAP_SEARCH_BASE = "dc=appnexus,dc=com"
# Sam Account Name is the login name for LDAP
LDAP_SEARCH_ATTR = "uid"
LDAP_NAME_ATTR="cn"
LDAP_MAIL_ATTR="mail"

Not related so far ... but maybe this comes next. Make sure all your users in your LDAP tree have this MAIL attribute set ... if not they will also fail to login.
HTH
BR Daniel
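The two pitfalls in this thread (LDAP_SSL and LDAP_START_TLS both switched on, and OpenLDAP on the client lacking a TLS_CACERT so the StartTLS handshake cannot validate the server) are exactly the kind of thing the sanity check Daniel proposes would catch before anyone reads silent logs. The Ruby below is an added example written for this page; it is neither OBS code nor Daniel's helper script. It reuses the production.rb constant names quoted above as hash keys, the functions check_ldap_transport and tls_cacert_from_ldap_conf are hypothetical, and the ldap.conf text is a constructed sample that mirrors Matt's fix. It needs no LDAP server or the ruby-ldap gem, so it runs offline.

```ruby
# Added example, not part of the original thread or of OBS.
# Hash keys mirror the OBS production.rb constants quoted in the thread.

# Port a client would normally expect for each transport mode
# (636 for ldaps, 389 for plain LDAP and for LDAP + StartTLS).
OBS_DEFAULT_PORTS = { ldaps: 636, starttls: 389, plain: 389 }.freeze

# Hypothetical sanity check for the OBS LDAP transport settings.
# Returns { mode: Symbol, port: Integer, warnings: Array<String> }.
def check_ldap_transport(cfg)
  ssl      = cfg.fetch(:LDAP_SSL, :off) == :on
  starttls = cfg.fetch(:LDAP_START_TLS, :off) == :on
  port     = Integer(cfg.fetch(:LDAP_PORT, ssl ? 636 : 389))
  warnings = []

  mode =
    if ssl && starttls
      # OBS treats the two as exclusive and, as the thread notes, would only
      # try plain SSL (ldaps) in this case. Flag it instead of guessing silently.
      warnings << "LDAP_SSL and LDAP_START_TLS are both :on; OBS treats them as exclusive. " \
                  "Use LDAP_SSL for ldaps:// (usually port 636) or LDAP_START_TLS " \
                  "for StartTLS on the plain LDAP port (usually 389)."
      :ldaps
    elsif ssl
      :ldaps
    elsif starttls
      :starttls
    else
      warnings << "Neither LDAP_SSL nor LDAP_START_TLS is :on; bind credentials " \
                  "will cross the network in clear text."
      :plain
    end

  # The port mismatch from the thread: an immediate TLS handshake against a
  # port that speaks plain LDAP (or vice versa) fails before any bind happens.
  if mode == :ldaps && port == OBS_DEFAULT_PORTS[:starttls]
    warnings << "LDAP_SSL=:on with port #{port}: the server expects plain LDAP or " \
                "StartTLS there, so the TLS handshake will fail."
  elsif mode == :starttls && port == OBS_DEFAULT_PORTS[:ldaps]
    warnings << "LDAP_START_TLS=:on with port #{port}: the server expects an " \
                "immediate TLS handshake there, not a StartTLS request."
  end

  { mode: mode, port: port, warnings: warnings }
end

# ruby-ldap delegates TLS setup to the OpenLDAP client library, which reads
# /etc/openldap/ldap.conf; without TLS_CACERT the server certificate cannot be
# validated. Hypothetical helper: returns the configured CA path or nil.
def tls_cacert_from_ldap_conf(text)
  text.each_line do |line|
    line = line.sub(/#.*/, "").strip   # drop comments and whitespace
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    return value if key.casecmp("TLS_CACERT").zero? && value
  end
  nil
end

# Constructed sample ldap.conf reflecting the line Matt added.
SAMPLE_LDAP_CONF = <<~CONF
  # /etc/openldap/ldap.conf (constructed sample)
  BASE dc=appnexus,dc=com
  TLS_CACERT /etc/ssl/ca-bundle.pem
CONF

if __FILE__ == $PROGRAM_NAME
  # The configuration Matt started with, and the one Daniel suggested.
  before = { LDAP_SSL: :on,  LDAP_START_TLS: :on, LDAP_PORT: 389 }
  after  = { LDAP_SSL: :off, LDAP_START_TLS: :on, LDAP_PORT: 389 }
  [before, after].each { |cfg| p check_ldap_transport(cfg) }
  p tls_cacert_from_ldap_conf(SAMPLE_LDAP_CONF)
end
```

Running it shows the original settings producing two warnings (both transport flags on, and ldaps against port 389) while the corrected settings produce none; the ldap.conf helper returns the CA bundle path when present and nil when a client has never been given one. Wiring a check like this into OBS's startup would surface the misconfiguration as a log line rather than the silent failure the thread describes.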
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org