Hi, I have the NAV webfront LDAP authentication working with a Windows AD server, but only with unencrypted traffic on port 389. In the file /etc/nav/webfront/webfront.conf:

port = 389
encryption = none

It works well with search for user in the AD tree and group requirement. But if I change encryption to tls, or port to 636 and encryption to ssl, then it fails. Anyone have this working? If yes, what did you have to do to get it to work? I cannot use it as it is, as both the user account used for binding to the server and the user trying to authenticate have their passwords in cleartext in the packets.
Hi,
We use port = 389 and encryption = tls on our server. This works fine. My guess is that you have some issue with certificate validation.
Best regards, Sigmund
I am not sure what this can be; the AD server has a valid certificate, and the NAV server has the CA (by default) in /etc/ssl/certs.
A packet capture of the LDAP query seems mostly fine until I get an "Ignored Unknown Record" message in Wireshark. Then the client just finishes the connection.
o TCP 3-way handshake
o NAV: Req LDAP_START_TLS_OID
o AD: Resp LDAP_START_TLS_OID
o NAV: Client Hello
o AD: Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
o NAV: Certificate
o NAV: Client Key Exchange, Change Cipher Spec
o NAV: Encrypted Handshake Message
o AD: Change Cipher Spec, Encrypted Handshake Message
o NAV: Ignored Unknown Record
o NAV: FIN,ACK
o AD: ACK
o AD: RST, ACK
The apache error log is not helpful (for me):
[Wed Sep 27 14:08:40.844212 2017] [wsgi:error] [pid 32247:tid 140541489465088] [ERROR] [pid=32247 nav.web.ldapauth] LDAP server is down
[Wed Sep 27 14:08:40.844269 2017] [wsgi:error] [pid 32247:tid 140541489465088] Traceback (most recent call last):
[Wed Sep 27 14:08:40.844278 2017] [wsgi:error] [pid 32247:tid 140541489465088]   File "/usr/lib/python2.7/dist-packages/nav/web/ldapauth.py", line 101, in open_ldap
[Wed Sep 27 14:08:40.844285 2017] [wsgi:error] [pid 32247:tid 140541489465088]     lconn.start_tls_s()
[Wed Sep 27 14:08:40.844316 2017] [wsgi:error] [pid 32247:tid 140541489465088]   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 564, in start_tls_s
[Wed Sep 27 14:08:40.844324 2017] [wsgi:error] [pid 32247:tid 140541489465088]     return self._ldap_call(self._l.start_tls_s)
[Wed Sep 27 14:08:40.844330 2017] [wsgi:error] [pid 32247:tid 140541489465088]   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
[Wed Sep 27 14:08:40.844336 2017] [wsgi:error] [pid 32247:tid 140541489465088]     result = func(*args,**kwargs)
[Wed Sep 27 14:08:40.844342 2017] [wsgi:error] [pid 32247:tid 140541489465088] CONNECT_ERROR: {'info': '(unknown error code)', 'desc': 'Connect error'}
The dreaded 'unknown error code'...
Any ideas?
Roger