On 9 Feb 2022, at 05:43, Fabiano Teixeira wrote:

Hi William,
I got OBS to connect to my Active Directory yesterday. Had to change a few LDAP attributes to match with AD, but most importantly I had to disable ldap_ssl as I'm not using secure LDAP (636) for my test.
According to the Admin Guide, if option ldap_port is not set, it will use 389 for ldap and 636 for sldap.
I honestly thought OBS would try both ports (as I have not specified any), however with the ldap_ssl option set to enable (on) by default it only tries port 636, causing the "Unable to connect to LDAP server" error (as I don't have any CACERT configuration in place).
Right, it sounds like the issue is your CA configuration rather than anything else. You could try to set 'LDAPTLS_REQCERT=never' in your environment variables when launching OBS, or you could alter /etc/openldap/ldap.conf and set 'TLS_REQCERT never' in there instead. Given that you are likely sending passwords via ldap over the network, TLS is really important to protect this from interception and attacks.
Thanks for the help.
Sincerely, Fabiano T.
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
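
An added example, not part of the thread and not OBS or OpenLDAP code: a shell check that reads an ldap.conf-style file and reports whether the `TLS_REQCERT` level (or the `LDAPTLS_REQCERT` override mentioned above) still relaxes certificate verification, and whether a CA is configured. The host name, CA path and sample files are constructed, and treating the last occurrence of an option as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client config (ldap.conf syntax) for the
# certificate-checking settings discussed in this thread.
# Returns 0 = verified TLS, 1 = verification relaxed, 2 = strict but no CA set.
audit_ldap_tls() {
    conf=$1
    # Option names are case-insensitive; "#" lines never match because $1
    # then starts with "#". Assumption: the last occurrence of an option wins.
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) } END { print v }' "$conf")
    ca=$(awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { v = $2 } END { print v }' "$conf")
    # LDAPTLS_* environment variables override the file, as in the reply above.
    if [ -n "${LDAPTLS_REQCERT:-}" ]; then
        reqcert=$(printf '%s' "$LDAPTLS_REQCERT" | tr '[:upper:]' '[:lower:]')
    fi
    if [ -n "${LDAPTLS_CACERT:-}" ]; then ca=$LDAPTLS_CACERT; fi
    case "${reqcert:-demand}" in   # OpenLDAP's default level is "demand"
        never|allow|try)
            echo "RELAXED: TLS_REQCERT=$reqcert, server certificate is not strictly verified"
            return 1 ;;
    esac
    if [ -z "$ca" ]; then
        echo "NO-CA: verification is on but no TLS_CACERT/TLS_CACERTDIR is set here"
        return 2
    fi
    echo "OK: TLS_REQCERT=${reqcert:-demand}, CA=$ca"
    return 0
}

# Constructed sample configs (host name and CA path are placeholders).
demo_dir=$(mktemp -d)
printf 'URI ldaps://dc.example.test\nTLS_REQCERT never\n' > "$demo_dir/workaround.conf"
printf 'URI ldaps://dc.example.test\n# TLS_REQCERT never\n' > "$demo_dir/default.conf"
printf 'URI ldaps://dc.example.test\nTLS_CACERT /etc/ssl/ad-ca.pem\nTLS_REQCERT demand\n' > "$demo_dir/verified.conf"
for f in workaround default verified; do
    audit_ldap_tls "$demo_dir/$f.conf" || true
done
rm -rf "$demo_dir"
```

Result 2 corresponds to the situation in the first message (strict checking with no CA configured), result 1 to the `never` workaround left in place, and result 0 to the state where the directory's CA certificate is trusted and checking stays on.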