Is the signing cert an actual CA (what does `openssl x509 -in /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)
On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser <[email protected]> wrote:
> Hi,
>
> I'm having problems getting LDAP authentication with a STARTTLS LDAP
> server to work on an Openshift Origin installation.
>
> The provider config is as follows:
>
> -------------------------------------------------------------
> identityProviders:
> - name: "voidbridge_ldap_provider"
>   challenge: true
>   login: true
>   mappingMethod: add
>   provider:
>     apiVersion: v1
>     kind: LDAPPasswordIdentityProvider
>     attributes:
>       id:
>       - uid
>       email:
>       - mail
>       name:
>       - gecos
>       preferredUsername:
>       - uid
>     bindDN: ""
>     bindPassword: ""
>     ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
>     insecure: false
>     url: "ldap://ldap.local.voidbridge \
>           /ou=people,dc=voidbridge?uid?one"
> ---------------------------------------------------------------
>
> The LDAP server's cert is self-signed, the CA cert is voidbridge-ca.crt.
> The LDAP server only accepts STARTTLS connections and performs fine for
> other services. In particular the command
>
>   ldapwhoami -h ldap.local.voidbridge \
>     -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W
>
> succeeds when the correct password is entered.
>
> Also when I temporarily disable the STARTTLS requirement on the LDAP
> server and switch to 'insecure: false' in the provider config, the
> authentication succeeds.
>
> The error in the OpenShift log (via syslog) is:
>
> Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api:
> E0713 15:09:22.921501 10255 login.go:162] Error authenticating
> "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result
> Code 200 "": TLS handshake failed (EOF)
>
> Any help to get authentication working over STARTTLS would be greatly
> appreciated,
>
> Andre
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
