Active directory authentication
-
I need to authenticate users with AD.
First I need to add the root certificate of the domain CA. How can I do this?
How can I test the bind?
Is it mandatory to use a bind account (credentials to use before looking for the user record)? I am getting this error:
plugin.test
{
"id": "auth-ldap",
"data": {
"username": "user@domain",
"password": "* obfuscated *"
}
}
{
"errno": -104,
"code": "ECONNRESET",
"syscall": "read",
"message": "read ECONNRESET",
"name": "Error",
"stack": "Error: read ECONNRESET
at TLSWrap.onStreamRead (node:internal/stream_base_commons:218:20)
at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)"
} -
You should put your root CA in a file accessible on the XO VM (e.g. /usr/local/share/ca-certificates/ad-root.crt). Point the CA setting to this path and enable "Check certificate". You must use a service account for binding. -
@dinhngtu said in Active directory authentication:
/usr/local/share/ca-certificates/
Same error. I put the CA root .crt in that folder, completed the item with the path of that cert, checked "Check certificate" (tried STARTTLS on and off). I think XO does not support the enabled protocols, or something like this. Is there any way to debug this?
-
How did you specify your auth-ldap settings (URI, bind credentials, search parameters)? It worked for me when I used the URI ldaps://your-domain-controller-fqdn. -
@dinhngtu
uri: ldaps://ad-server.domain.ar
Certificate Authorities
item: /usr/local/share/ca-certificates/domain-ca-root.crt
check certificate: on
starttls: (tested on or off)
base: OU=Usuarios,DC=domain,DC=AR
credentials: xo_ad@domain.ar
password: xxxxxxx
user filter: (userPrincipalName={{name}})
ID attribute*: DN
test data
username: test-user@domain.ar
password: xxxxxxx -
Exactly the same configuration as yours worked fine in my environment. What happens when you try to search LDAP manually with Ldp.exe?
-
@dinhngtu From Windows, ldp.exe works fine
-
@gonzametal ldp, to port 636 with SSL, works fine
-
How did you issue LDAPS certificates to your domain controller? Do you get the correct certificate when doing openssl s_client -connect ad-server.domain.ar:636 ? What about ldapsearch from Linux:
LDAPTLS_REQCERT=never ldapsearch -H ldaps://ad-server.domain.ar -x -D xo_ad@domain.ar -w ... -b 'OU=Usuarios,DC=domain,DC=AR' -s sub
This should give the correct query output. -
@dinhngtu It is strange.
The ldapsearch command returns as expected, but openssl s_client returns "no peer certificate available".
openssl s_client --connect server.domain.ar:636
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 331 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
No firewall, nothing. LDP.exe works fine
-
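An added shell helper, example code that is not from the thread or from XO, wrapping the openssl s_client probe suggested above and classifying its transcript. It exists because the transcript above ends in "Verify return code: 0 (ok)" even though no certificate was ever received: openssl reports 0 when nothing was verified, so that line on its own is not a passing check, and the classifier puts the "no peer certificate available" marker first. The host, port, CA file path and the three embedded transcripts are constructed placeholders; `-servername`, `-CAfile` and `-showcerts` are standard openssl s_client options.

```shell
# Added diagnostic helper (example code, not from the thread or from XO): wraps the
# `openssl s_client` probe and classifies its transcript, so that a
# "Verify return code: 0 (ok)" printed after "no peer certificate available" is not
# read as a passing check. HOST, PORT and CAFILE below are placeholder assumptions.

# classify_s_client_output: reads an s_client transcript on stdin and prints one word.
#   reset       - peer closed the connection before any certificate arrived
#                 (openssl still reports verify code 0 because nothing was verified)
#   ok          - a certificate arrived and chained to the trusted CA
#   verify-fail - a certificate arrived but verification failed (non-zero code)
#   unknown     - none of the known markers found
classify_s_client_output() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'no peer certificate available'; then
        echo reset
    elif printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)'; then
        echo ok
    elif printf '%s\n' "$transcript" | grep -q 'Verify return code: [1-9]'; then
        echo verify-fail
    else
        echo unknown
    fi
}

# verify_code: extracts the numeric X509 verify result from stdin (empty if absent).
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# probe_ldaps HOST [PORT] [CAFILE]: runs the real probe against a domain controller.
# -servername sends SNI (a DC may hold several certificates), -CAfile validates
# against the domain root instead of the system store, -showcerts dumps the chain,
# and </dev/null stops s_client from waiting for interactive input.
probe_ldaps() {
    host=$1
    port=${2:-636}
    cafile=${3:-/usr/local/share/ca-certificates/domain-ca-root.crt}   # placeholder path
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
        -showcerts </dev/null 2>&1 | classify_s_client_output
}

# Constructed transcripts for offline use: the first mirrors the reset seen in the
# thread, the second a successful handshake, the third a chain that does not reach
# the configured CA (openssl verify code 19).
RESET_TRANSCRIPT='CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 331 bytes
Verification: OK
Verify return code: 0 (ok)'

OK_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN = ad-server.domain.ar
verify return:1
Verification: OK
Verify return code: 0 (ok)'

FAIL_TRANSCRIPT='CONNECTED(00000003)
depth=1 CN = domain-CA-root
verify error:num=19:self-signed certificate in certificate chain
Verification error: self-signed certificate in certificate chain
Verify return code: 19 (self-signed certificate in certificate chain)'

# On the real host: probe_ldaps ad-server.domain.ar 636 /path/to/domain-ca-root.crt
printf '%s\n' "$RESET_TRANSCRIPT" | classify_s_client_output   # prints: reset
```

A result of `reset` means the TLS handshake never completed (the same failure Node reports as ECONNRESET from TLSWrap), so the CA file and "Check certificate" setting are not yet in play; `verify-fail` means the DC did present a certificate and the CA file or chain is what needs attention.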
Did you choose "Use SSL" in Ldp.exe? Either your AD SSL certificate is misconfigured or something is blocking the connection from your Linux host.
-
@dinhngtu LDP is using SSL, and there is no firewall in between, so I think there is an LDAPS misconfiguration