RESOLVED:
Our LDAP servers required 256-bit ciphers but OpenShift appears to use
128-bit ones. After setting 'olcTLSCipherSuite' to 'SECURE128'
authentication started to work.
Cheers,
Andre
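The resolution above comes down to a cipher-suite negotiation failure: the server's priority string (SECURE256, a GnuTLS priority string admitting only 256-bit suites) had no suite in common with the suites the client offered, and the client only ever saw the connection drop, which is why the OpenShift log reports "TLS handshake failed (EOF)" rather than anything about ciphers. The following Go program is an added example, not code from this thread, from OpenShift, or from OpenLDAP. It runs a TLS server and client over an in-memory pipe, first with the server limited to an AES-256 suite against a client offering only an AES-128 suite (the failing case), then with the server also accepting AES-128 (the effect of SECURE128). The host name, certificate and cipher-suite sets are constructed for the example, and both ends are pinned to TLS 1.2 because Go does not let the CipherSuites field restrict TLS 1.3.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Cipher-suite sets for the two sides (constructed for this example).
// aes128Only stands in for the OpenShift client described in the thread;
// aes256Only stands in for the LDAP server before olcTLSCipherSuite was relaxed.
var (
	aes128Only   = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	aes256Only   = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}
	aes128And256 = append(append([]uint16{}, aes256Only...), aes128Only...)
)

// Hypothetical host name for the in-memory server; not the thread's LDAP host.
const serverName = "ldap.example.test"

// selfSignedCert builds a throwaway self-signed ECDSA certificate for the demo server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs one TLS 1.2 handshake over an in-memory pipe with the server
// limited to serverSuites and the client to clientSuites. It returns the error
// the client observes (nil when the handshake completes).
func handshake(cert tls.Certificate, serverSuites, clientSuites []uint16) error {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts the self-signed cert, like the thread's CA file

	// Go ignores CipherSuites for TLS 1.3, so pin both ends to 1.2 for the demo.
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: serverSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	cliCfg := &tls.Config{
		RootCAs:      pool,
		ServerName:   serverName,
		CipherSuites: clientSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}

	srvEnd, cliEnd := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer srvEnd.Close() // close the raw pipe end; no close_notify exchange needed
		_ = tls.Server(srvEnd, srvCfg).Handshake()
	}()
	err = tls.Client(cliEnd, cliCfg).Handshake()
	cliEnd.Close()
	<-done
	return err
}

// RunDemo reproduces the thread's symptom and its fix. It returns the client's
// handshake error against the AES-256-only server, the error against the server
// that also accepts AES-128, and any setup error.
func RunDemo() (strictErr, relaxedErr, setupErr error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	strictErr = handshake(cert, aes256Only, aes128Only)
	relaxedErr = handshake(cert, aes128And256, aes128Only)
	return strictErr, relaxedErr, nil
}

func main() {
	strict, relaxed, err := RunDemo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("server AES-256 only, client AES-128 only:", strict)
	fmt.Println("server AES-128 and AES-256, client AES-128 only:", relaxed)
}
```

In the first run the client gets a handshake-failure alert (or, on a server that simply drops the connection, an EOF like the one in the OpenShift log); in the second the handshake completes. Against a real STARTTLS server the same check can be made with OpenSSL 1.1.0 or later using `openssl s_client -starttls ldap -connect host:389` together with `-cipher` to restrict the offered suites, which tells you whether the server's priority string actually admits what the client offers before changing `olcTLSCipherSuite`.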
On 2016-07-13 17:50, Andre Esser wrote:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 971[..] (0x86[..])
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/[email protected]
        Validity
            Not Before: Apr 12 16:39:00 2015 GMT
            Not After : Apr 9 16:39:00 2025 GMT
        Subject: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b5:35:[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                76:44:AB:[..]
            X509v3 Authority Key Identifier:
                keyid:76:44:AB:[..]
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         96:5a:ac:[..]
On 2016-07-13 17:26, Jordan Liggitt wrote:
Is the signing cert an actual CA (what does `openssl x509 -in
/etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)
On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser <[email protected]> wrote:
Hi,
I'm having problems getting LDAP authentication with a STARTTLS LDAP
server to work on an OpenShift Origin installation.
The provider config is as follows:
-------------------------------------------------------------
identityProviders:
- name: "voidbridge_ldap_provider"
  challenge: true
  login: true
  mappingMethod: add
  provider:
    apiVersion: v1
    kind: LDAPPasswordIdentityProvider
    attributes:
      id:
      - uid
      email:
      - mail
      name:
      - gecos
      preferredUsername:
      - uid
    bindDN: ""
    bindPassword: ""
    ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
    insecure: false
    url: "ldap://ldap.local.voidbridge \
      /ou=people,dc=voidbridge?uid?one"
---------------------------------------------------------------
The LDAP server's cert is self-signed, the CA cert is
voidbridge-ca.crt. The LDAP server only accepts STARTTLS connections
and performs fine for other services. In particular the command
ldapwhoami -h ldap.local.voidbridge \
-D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W
succeeds when the correct password is entered.
Also when I temporarily disable the STARTTLS requirement on the LDAP
server and switch to 'insecure: false' in the provider config, the
authentication succeeds.
The error in the OpenShift log (via syslog) is:
Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api: E0713 15:09:22.921501 10255 login.go:162] Error authenticating "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result Code 200 "": TLS handshake failed (EOF)
Any help to get authentication working over STARTTLS would be
greatly appreciated,
Andre
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users