XCP-ng

    LDAP Plugin with start_tls

    Xen Orchestra
    • franc6

      I'm trying to configure the ldap plugin to authenticate against my LDAP server (openldap 2.4), but running a test returns an error from the server which I believe indicates it's not using TLS, which my server requires. It's not using LDAP over an SSL tunnel (ldaps); but the server is configured to require TLS. For most of my unix clients, that means adding "ssl start_tls" to the relevant ldap.conf file. I also set the location of the certificateAuthorities. IIUC, that should be the name of a file on the system which contains the root certificate of the certificate used by the LDAP server.

      The error in the log is:

      confidentiality required Code: 0xd
      

      Any idea how I can confirm if I've correctly identified the problem, and if so how to configure it properly?

      Thanks!

      • franc6

        Answering my own questions: It doesn't work. The plugin uses ldapts which requires an explicit call to startTLS(). Since there's no explicit call to that method that I can find, it seems likely that this just isn't supported.

        • olivierlambert (Vates 🪐 Co-Founder, CEO)

          Linking the issue here: https://github.com/vatesfr/xen-orchestra/issues/4999

          Issue #4999 in vatesfr/xen-orchestra, created by franc6 (closed): Feature Request to support TLS for auth-ldap plugin
