19 Replies. Latest reply on Jul 18, 2017 1:28 AM by Andrew Waters

    Integrating Discovery with LDAPS

    John D'Antonio

      I am trying to enable LDAPS.  Everything is working perfectly with LDAP.  The certificate (combination of Root and Issuing CA) loads successfully.  After restarting the services, it appears the connection to LDAP is successful (everything displays as green on LDAP configuration page). But when I try to log in as an LDAP user, I cannot log in.  When I return to the LDAP configuration page, I see the following error: Can't contact LDAP server: TLS error -8157: Certificate extension not found.


      Not sure if this is related, but when I test ldapsearch from the command line:


      TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
      ldap_msgfree
      ldap_err2string
      ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
             additional info: TLS error -8179:Peer's Certificate issuer is not recognized.

        • 1. Re: Integrating Discovery with LDAPS
          Brice-Emmanuel Loiseaux

          You did not tell which Discovery version you use.

          • 2. Re: Integrating Discovery with LDAPS
            John D'Antonio

            v 11.1.0.1


            Also note, we have two appliances in a cluster.  I loaded the certificate from each appliance.

            • 3. Re: Integrating Discovery with LDAPS
              Brice-Emmanuel Loiseaux

              I am not an expert here but I found another thread that could help you: Re: LDAP Connectivity issue

              • 4. Re: Integrating Discovery with LDAPS
                Brice-Emmanuel Loiseaux

                Also, internet search for "TLS error -8157: Certificate extension not found" is barely helpful but the following might help - [SSSD-users] TLS problem (Certificate extension not found). This says that the certificate might not be correctly generated. How did you get yours?

                • 5. Re: Integrating Discovery with LDAPS
                  John D'Antonio

                  I got the certificate from my admin, it is not self signed.  The article you forwarded mentions setting the CN to the FQDN?  Is that for the appliance or the LDAP server?

                  • 6. Re: Integrating Discovery with LDAPS
                    John D'Antonio

                    Admin provided me a CA Root and an Issuing CA certificates.  I tried each one individually and tried to combine them without any luck.  I also have a certificate from the LDAP server (.cer file) but when I try to load that, I get an error message: Invalid certificate file: The file contains a certificate that is not a CA certificate.

                    • 7. Re: Integrating Discovery with LDAPS
                      Andrew Waters

                      That sounds like the signing certificates you are using are not flagged as CA certificates, i.e. do not have the X.509 v3 basicConstraints value CA:True which is used to show the certificate can be used for signing other certificates.

                      • 8. Re: Integrating Discovery with LDAPS
                        John D'Antonio

                        which certificate, the Root / Issuing CA or the certificate from the LDAP server?

                        • 9. Re: Integrating Discovery with LDAPS
                          John D'Antonio

                          quick question, after loading the certificate how can I verify that it was successful?  Where do certificates get stored on appliance?

                          • 10. Re: Integrating Discovery with LDAPS
                            John D'Antonio

                            admin confirmed that CA:True is set

                            • 11. Re: Integrating Discovery with LDAPS
                              Brian Geselbracht

                              To address this, you need to ensure the applicable cert & CA cert for the LDAP directory instance are loaded as trusted certs on the Discovery appliance itself.

                              From a console session, run:

                                   tideway@xxxxxxx ~]$ ldapsearch -d 1 -v -H ldaps://xxxxx.com:636

                              If the certs aren't loaded, you should get an error message that says:

                                   ldap_sasl_interactive_bind_s: Can't contact LDAP Server (-1)

                              Open /etc/openldap/ldap.conf and verify TLS_CACERTDIR. It likely is /etc/openldap/certs

                              Copy the applicable certs into this directory.

                              Run the same ldapsearch command again. It should still fail, but you should see errors that read

                                   TLS: certificate [CN=XXXXXXXXX, DC=XX, DC=XX] is not valid - error 8179:Peer's Certificate issuer is not recognized

                              This is your missing CA cert. Locate & copy this into the TLS_CACERTDIR

                              Add the CA as trusted with:

                                   certutil -A -d /etc/openldap/certs -n "CERTALIAS" -t "CT,C,C" -a -i certname.cer

                              Run the ldapsearch command and you should now see the connection successfully negotiate

                              Log back into the Discovery UI and restart the appliance services. This will pick up the changes made & Discovery will start working with LDAPS

                              • 12. Re: Integrating Discovery with LDAPS
                                Bernard Stern

                                Yes, the key is the trusted path.

                                In my company, we have 3 official CA certs (the public key of the CAs) which I appended in a single file and stored in /usr/tideway/etc/ldap_cacert.pem. The certs of the LDAPS servers are also signed by one of those 3 CA certs. The ldap_cacert.pem file is the one you upload in the ADDM GUI in Administration > LDAP > LDAP. You need then to restart the tideway service. You can then configure the rest of the LDAP parameters and run a few tests, all from the GUI. On the command line, you can look at the content of the CA cert with this command: "openssl x509 -in ldap_cacert.pem -text". Hope this helps. I remember I also spent some time before getting the whole LDAPS configuration right.

                                • 13. Re: Integrating Discovery with LDAPS
                                  RAJAT JAIN

                                  Hello Everyone,


                                  I tried above but it does not work in my environment. Please suggest.


                                  After running the suggested commands, please find the few outputs below:

                                  [root@********** certs]# ls -ltr
                                  total 84
                                  -r--------. 1 root root    45 Dec 14  2016 password
                                  -rw-r--r--. 1 root root 16384 Dec 14  2016 secmod.db
                                  -rw-------. 1 root root  2648 Jul 14 05:19 **********.cer
                                  -rw-r--r--. 1 root root 16384 Jul 14 05:21 key3.db
                                  -rw-r--r--. 1 root root 65536 Jul 14 05:21 cert8.db

                                  ----------------------------------------------------------------------------------------------

                                  [root@******** tmp]# ldapsearch -d 1 -v -H ldaps://XXXXXXXXX:636
                                  ldap_url_parse_ext(ldaps://XXXXXXXXX:636)
                                  ldap_initialize( ldaps://XXXXXXXXX/??base )
                                  ldap_create
                                  ldap_url_parse_ext(ldaps://XXXXXXXXX/??base)
                                  ldap_pvt_sasl_getmech
                                  ldap_search
                                  put_filter: "(objectclass=*)"
                                  put_filter: simple
                                  put_simple_filter: "objectclass=*"
                                  ldap_send_initial_request
                                  ldap_new_connection 1 1 0
                                  ldap_int_open_connection
                                  ldap_connect_to_host: TCP XXXXXXXXX:636
                                  ldap_new_socket: 3
                                  ldap_prepare_socket: 3
                                  ldap_connect_to_host: Trying 10.*.*.*:636
                                  ldap_pvt_connect: fd: 3 tm: -1 async: 0
                                  attempting to connect:
                                  connect success
                                  TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
                                  TLS: using moznss security dir /etc/openldap/certs prefix .
                                  TLS: certificate [CN=********** Root CA,O=****************,L=*********,C=******] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
                                  TLS: error: connect - force handshake failure: errno 22 - moznss error -8172
                                  TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
                                  ldap_msgfree
                                  ldap_err2string
                                  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
                                          additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

                                  ----------------------------------------------------------------------------------------------

                                  TLS_CACERTDIR   /etc/openldap/certs


                                  Regards,

                                  Rajat Jain

                                  • 14. Re: Integrating Discovery with LDAPS
                                    Andrew Waters

                                    But it is telling you about the problem. You have an untrusted certificate in your certificate chain. It is even telling you which one.

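A small triage helper for the `ldapsearch -d 1` output pasted above, added here as an example; it is not code from BMC or from anyone in this thread. It pulls the NSS error code and the DN of the certificate that NSS rejects out of the debug lines, and maps the three codes seen in the thread (-8157, -8172, -8179) to the fix the thread arrives at. The sample output is constructed, and the advice strings are a summary of the thread, not output of any tool.

```python
import re

# ldapsearch on the Discovery appliance uses the Mozilla NSS (moznss) TLS backend, so the
# codes in its -d 1 output are standard NSS SEC_ERROR_* values. The advice strings below
# summarise this thread's recommendations; they are not produced by any BMC or NSS tool.
NSS_TLS_ERRORS = {
    -8157: ("SEC_ERROR_EXTENSION_NOT_FOUND",
            "a required X.509 v3 extension is missing; for a signing cert check basicConstraints CA:TRUE"),
    -8172: ("SEC_ERROR_UNTRUSTED_ISSUER",
            "issuer is in TLS_CACERTDIR but not trusted; re-add it with certutil -A ... -t \"CT,C,C\""),
    -8179: ("SEC_ERROR_UNKNOWN_ISSUER",
            "issuer CA is not in TLS_CACERTDIR at all; copy the CA cert there and add it with certutil -A"),
}

# "TLS: certificate [<DN>] is not valid - error <code>:<message>". The sign on the code is
# optional because the thread shows both "error 8179" and "error -8179".
CERT_LINE = re.compile(r"TLS: certificate \[(?P<dn>[^\]]+)\] is not valid - error (?P<code>-?\d+):(?P<msg>.+)")
CONNECT_LINE = re.compile(r"TLS: can't connect: TLS error (?P<code>-?\d+):(?P<msg>.+)")


def triage(debug_output):
    """Return a dict describing the TLS failure in ldapsearch -d 1 output, or None if there is none."""
    result = None
    for line in debug_output.splitlines():
        m = CERT_LINE.search(line) or CONNECT_LINE.search(line)
        if not m:
            continue
        code = -abs(int(m.group("code")))  # normalise a missing minus sign
        name, advice = NSS_TLS_ERRORS.get(code, ("unknown NSS error", "look the code up in the NSS error list"))
        dn = m.groupdict().get("dn")       # only the "certificate [...]" line names the cert
        if result is None or (dn and not result["dn"]):  # prefer the line that names the cert
            result = {"code": code, "name": name, "dn": dn,
                      "message": m.group("msg").strip(". "), "advice": advice}
    return result


# Constructed sample, modelled on the output posted in this thread (values masked as there).
SAMPLE_UNTRUSTED = """\
connect success
TLS: certificate [CN=Example Root CA,O=Example,L=City,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 22 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
"""

if __name__ == "__main__":
    r = triage(SAMPLE_UNTRUSTED)
    print(f"{r['code']} {r['name']} on [{r['dn']}]: {r['advice']}")
```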