What version of origin are you running with (and if you built it yourself,
what version of go did you build with?)
It looks like SECURE256 translates to these ciphers:
TLSv1.2:
ciphers:
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
None of those are supported in go1.4. TLS_RSA_WITH_AES_256_GCM_SHA384
should work with go1.6.
On Thu, Jul 14, 2016 at 8:54 AM, Andre Esser <[email protected]>
wrote:
> RESOLVED:
>
> Our LDAP servers required 256 bit ciphers but OpenShift appears to use 128
> bit ones. After setting 'olcTLSCipherSuite' to 'SECURE128' authentication
> started to work.
>
> Cheers,
>
> Andre
>
>
>
> On 2016-07-13 17:50, Andre Esser wrote:
>
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 971[..] (0x86[..])
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/[email protected]
>>         Validity
>>             Not Before: Apr 12 16:39:00 2015 GMT
>>             Not After : Apr 9 16:39:00 2025 GMT
>>         Subject: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/[email protected]
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (4096 bit)
>>                 Modulus:
>>                     00:b5:35:[...]
>>                 Exponent: 65537 (0x10001)
>>         X509v3 extensions:
>>             X509v3 Subject Key Identifier:
>>                 76:44:AB:[..]
>>             X509v3 Authority Key Identifier:
>>                 keyid:76:44:AB:[..]
>>
>>             X509v3 Basic Constraints:
>>                 CA:TRUE
>>             X509v3 Key Usage:
>>                 Certificate Sign, CRL Sign
>>     Signature Algorithm: sha256WithRSAEncryption
>>          96:5a:ac:[..]
>>
>>
>> On 2016-07-13 17:26, Jordan Liggitt wrote:
>>
>>> Is the signing cert an actual CA (what does `openssl x509 -in
>>> /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)
>>>
>>> On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser
>>> <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I'm having problems getting LDAP authentication with a STARTTLS LDAP
>>> server to work on an Openshift Origin installation.
>>>
>>>
>>> The provider config is as follows:
>>>
>>> -------------------------------------------------------------
>>> identityProviders:
>>> - name: "voidbridge_ldap_provider"
>>>   challenge: true
>>>   login: true
>>>   mappingMethod: add
>>>   provider:
>>>     apiVersion: v1
>>>     kind: LDAPPasswordIdentityProvider
>>>     attributes:
>>>       id:
>>>       - uid
>>>       email:
>>>       - mail
>>>       name:
>>>       - gecos
>>>       preferredUsername:
>>>       - uid
>>>     bindDN: ""
>>>     bindPassword: ""
>>>     ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
>>>     insecure: false
>>>     url: "ldap://ldap.local.voidbridge \
>>>           /ou=people,dc=voidbridge?uid?one"
>>> ---------------------------------------------------------------
>>>
>>> The LDAP server's cert is self-signed, the CA cert is
>>> voidbridge-ca.crt. The LDAP server only accepts STARTTLS connections
>>> and performs fine for other services. In particular the command
>>>
>>> ldapwhoami -h ldap.local.voidbridge \
>>> -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W
>>>
>>> succeeds when the correct password is entered.
>>>
>>> Also when I temporarily disable the STARTTLS requirement on the LDAP
>>> server and switch to 'insecure: false' in the provider config, the
>>> authentication succeeds.
>>>
>>> The error in the OpenShift log (via syslog) is:
>>>
>>> Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api:
>>> E0713 15:09:22.921501 10255 login.go:162] Error authenticating
>>> "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result
>>> Code 200 "": TLS handshake failed (EOF)
>>>
>>>
>>> Any help to get authentication working over STARTTLS would be
>>> greatly appreciated,
>>>
>>> Andre
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> <mailto:[email protected]>
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
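Added example (editor's code, not part of the thread and not Origin's own code): the cipher-suite mismatch Jordan describes, reproduced in Go, the language Origin is written in. The block takes the three suites the thread says SECURE256 expands to, reports which of them the running toolchain's crypto/tls implements, and then runs an in-process TLS 1.2 handshake over net.Pipe between a server restricted to a given suite list (the role of olcTLSCipherSuite on the LDAP server) and a client that offers everything crypto/tls implements, including the RSA key-exchange suites that current Go leaves out of its defaults, so that it behaves like the 2016 client. A server that offers only the two suites Go lacks fails with a handshake-failure alert; with the full SECURE256 list, TLS_RSA_WITH_AES_256_GCM_SHA384 is negotiated on any Go new enough to implement it, which is what Jordan expected of go1.6. Assumptions: the IDs 0x003d and 0xc07b for TLS_RSA_WITH_AES_256_CBC_SHA256 and TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 are the IANA registry values (crypto/tls has no constants for them); the self-signed certificate is generated in-process to stand in for the LDAP server's cert, with the pool standing in for the `ca:` file; and "ldap.local.voidbridge" from the thread is reused only as the SNI and certificate hostname.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// The three suites the thread says SECURE256 expands to. crypto/tls defines a
// constant only for the AES-256-GCM one; 0x003d and 0xc07b are the IANA
// registry values for the other two names (assumption, not from the thread).
const (
	suiteAES256CBC      uint16 = 0x003d                             // TLS_RSA_WITH_AES_256_CBC_SHA256
	suiteAES256GCM      uint16 = tls.TLS_RSA_WITH_AES_256_GCM_SHA384 // 0x009d
	suiteCamellia256GCM uint16 = 0xc07b                             // TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
)

var secure256 = []uint16{suiteAES256CBC, suiteAES256GCM, suiteCamellia256GCM}

// allGoSuites lists every suite this toolchain's crypto/tls implements, the
// "insecure" list included: current Go keeps RSA key-exchange suites out of its
// defaults, while the 2016 client inside Origin still offered them.
func allGoSuites() (ids []uint16) {
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		ids = append(ids, s.ID)
	}
	return ids
}

// goImplemented keeps only the ids crypto/tls implements: CipherSuiteName gives
// the IANA name for those and a hex fallback for anything else. An empty result
// for the server's policy means no handshake can succeed, whatever the cert.
func goImplemented(ids []uint16) (out []uint16) {
	for _, id := range ids {
		if strings.HasPrefix(tls.CipherSuiteName(id), "TLS_") {
			out = append(out, id)
		}
	}
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert makes a throwaway self-signed RSA cert for host, standing in
// for the LDAP server's cert; the returned pool plays the role of the `ca:` file.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// tryHandshake runs a TLS 1.2 handshake in-process over net.Pipe: the server
// offers only serverSuites (the olcTLSCipherSuite policy), the client offers
// clientSuites. TLS 1.3 is pinned off because it ignores Config.CipherSuites
// and would hide the mismatch. Returns the negotiated suite or the first error.
func tryHandshake(serverSuites, clientSuites []uint16) (string, error) {
	const host = "ldap.local.voidbridge" // hostname from the thread, reused as SNI
	cert, pool := selfSignedCert(host)
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cli := &tls.Config{RootCAs: pool, ServerName: host, CipherSuites: clientSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(c2, srv).Handshake() }()
	conn := tls.Client(c1, cli)
	if err := conn.Handshake(); err != nil {
		c1.Close() // unblock the server goroutine if it is still reading the pipe
		return "", fmt.Errorf("client: %w; server: %v", err, <-srvErr)
	}
	if err := <-srvErr; err != nil {
		return "", fmt.Errorf("server: %w", err)
	}
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

func main() {
	fmt.Printf("SECURE256 suites this Go implements: %d of %d\n", len(goImplemented(secure256)), len(secure256))
	// The go1.4 situation (no shared suite) first, then the full SECURE256 policy.
	for _, policy := range [][]uint16{{suiteAES256CBC, suiteCamellia256GCM}, secure256} {
		name, err := tryHandshake(policy, allGoSuites())
		fmt.Printf("server offers %#04x: suite=%q err=%v\n", policy, name, err)
	}
}
```

Run it with `go run`. The failure Andre saw was reported as "TLS handshake failed (EOF)" because the connection was torn down; here the client instead gets the handshake_failure alert that Go's server sends, but the cause is the same empty intersection of cipher suites. The same goImplemented check applied to a server's policy tells you up front, for the Go toolchain Origin was built with, whether any STARTTLS handshake can succeed before you start swapping CA files.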