It's version 1.2.0 and I've installed it using the Advanced Installation
instructions from
https://docs.openshift.org/latest/install_config/install/advanced_install.html
Andre
On 2016-07-14 15:41, Jordan Liggitt wrote:
What version of origin are you running with (and if you built it
yourself, what version of go did you build with?)
It looks like SECURE256 translates to these ciphers:
    TLSv1.2: ciphers: TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
None of those are supported in go1.4.
TLS_RSA_WITH_AES_256_GCM_SHA384 should work with go1.6.
On Thu, Jul 14, 2016 at 8:54 AM, Andre Esser <[email protected]> wrote:
RESOLVED:
Our LDAP servers required 256 bit cyphers but OpenShift appears to
use 128 bit ones. After setting 'olcTLSCipherSuite' to 'SECURE128'
authentication started to work.
Cheers,
Andre
On 2016-07-13 17:50, Andre Esser wrote:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 971[..] (0x86[..])
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/[email protected]
        Validity
            Not Before: Apr 12 16:39:00 2015 GMT
            Not After : Apr  9 16:39:00 2025 GMT
        Subject: C=VG, ST=Tortola, L=Road Town, O=Voidbridge Software Limited, CN=Voidbridge CA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b5:35:[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                76:44:AB:[..]
            X509v3 Authority Key Identifier:
                keyid:76:44:AB:[..]
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         96:5a:ac:[..]
On 2016-07-13 17:26, Jordan Liggitt wrote:
Is the signing cert an actual CA (what does `openssl x509 -in
/etc/pki/ca-trust/source/anchors/voidbridge-ca.crt -text -noout` show?)
On Wed, Jul 13, 2016 at 12:15 PM, Andre Esser <[email protected]> wrote:
Hi,
I'm having problems getting LDAP authentication with a STARTTLS LDAP
server to work on an Openshift Origin installation.
The provider config is as follows:
-------------------------------------------------------------
identityProviders:
- name: "voidbridge_ldap_provider"
  challenge: true
  login: true
  mappingMethod: add
  provider:
    apiVersion: v1
    kind: LDAPPasswordIdentityProvider
    attributes:
      id:
      - uid
      email:
      - mail
      name:
      - gecos
      preferredUsername:
      - uid
    bindDN: ""
    bindPassword: ""
    ca: /etc/pki/ca-trust/source/anchors/voidbridge-ca.crt
    insecure: false
    url: "ldap://ldap.local.voidbridge/ou=people,dc=voidbridge?uid?one"
---------------------------------------------------------------
The LDAP server's cert is self-signed, the CA cert is voidbridge-ca.crt.
The LDAP server only accepts STARTTLS connections and performs fine for
other services. In particular the command

    ldapwhoami -h ldap.local.voidbridge \
        -D uid=andre.esser,ou=people,dc=voidbridge -ZZ -W

succeeds when the correct password is entered.

Also when I temporarily disable the STARTTLS requirement on the LDAP
server and switch to 'insecure: false' in the provider config, the
authentication succeeds.
The error in the OpenShift log (via syslog) is:

    Jul 13 15:09:22 osae-master-101 atomic-openshift-master-api: E0713 15:09:22.921501 10255 login.go:162] Error authenticating "andre.esser" with provider "voidbridge_ldap_provider": LDAP Result Code 200 "": TLS handshake failed (EOF)
Any help to get authentication working over STARTTLS would be greatly
appreciated,
Andre
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
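Added example, not code from the thread or from OpenShift: a small Go program that checks the SECURE256 cipher list quoted above against the cipher suites the running Go toolchain's crypto/tls actually knows, which is the overlap Jordan is reasoning about when he says none of them work on go1.4. The names CheckOverlap, SuiteStatus and secure256 are my own; the cipher names come from the thread.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// SuiteStatus records how this Go client sees one server-offered cipher suite.
type SuiteStatus struct {
	Name        string
	Implemented bool // crypto/tls knows the suite at all
	Secure      bool // listed by tls.CipherSuites(), not tls.InsecureCipherSuites()
}

// secure256 is the cipher list the thread attributes to the GnuTLS SECURE256 priority.
var secure256 = []string{
	"TLS_RSA_WITH_AES_256_CBC_SHA256",
	"TLS_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
}

// goSuiteCatalog maps every suite crypto/tls implements to whether it is in the secure set.
func goSuiteCatalog() map[string]bool {
	catalog := map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		catalog[cs.Name] = true
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if _, seen := catalog[cs.Name]; !seen {
			catalog[cs.Name] = false
		}
	}
	return catalog
}

// CheckOverlap reports, per server suite, whether this client could agree on it and returns
// the negotiable subset. An empty subset means the handshake fails before the CA cert matters,
// which is the "TLS handshake failed (EOF)" symptom. Note that "implemented" is not "offered":
// since Go 1.22 RSA key-exchange suites are off by default unless GODEBUG=tlsrsakex=1 is set.
func CheckOverlap(serverSuites []string) (statuses []SuiteStatus, negotiable []string) {
	catalog := goSuiteCatalog()
	for _, name := range serverSuites {
		secure, ok := catalog[name]
		statuses = append(statuses, SuiteStatus{Name: name, Implemented: ok, Secure: ok && secure})
		if ok {
			negotiable = append(negotiable, name)
		}
	}
	return statuses, negotiable
}

func main() {
	statuses, negotiable := CheckOverlap(secure256)
	for _, s := range statuses {
		fmt.Printf("%-40s implemented=%-5v secure=%v\n", s.Name, s.Implemented, s.Secure)
	}
	fmt.Println("negotiable with this Go toolchain:", negotiable)
}
```

On a current toolchain only TLS_RSA_WITH_AES_256_GCM_SHA384 survives the check, matching the thread's conclusion that the other two SECURE256 suites are never implemented by crypto/tls.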