Active directory authentication
-
I need to authenticate users with AD.
First I need to add the root certificate of the domain CA. How can I do this?
How can I test bind?
Is it mandatory to use a bind account (credentials to use before looking for the user record)? I am getting this error:
plugin.test
{
"id": "auth-ldap",
"data": {
"username": "user@domain",
"password": "* obfuscated *"
}
}
{
"errno": -104,
"code": "ECONNRESET",
"syscall": "read",
"message": "read ECONNRESET",
"name": "Error",
"stack": "Error: read ECONNRESET
at TLSWrap.onStreamRead (node:internal/stream_base_commons:218:20)
at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)"
}
-
You should put your root CA in a file accessible on the XO VM (e.g. /usr/local/share/ca-certificates/ad-root.crt). Point the CA setting to this path and enable "Check certificate". You must use a service account for binding.
-
@dinhngtu said in Active directory authentication:
/usr/local/share/ca-certificates/
Same error. I put the CA root crt in that folder, completed the item with the path of that cert, checked "Check certificate" (tried StartTLS on and off). I think XO does not support the enabled protocols, or something like this. Is there any way to debug this?
-
How did you specify your auth-ldap settings (URI, bind credentials, search parameters)? It worked for me when I used the URI ldaps://your-domain-controller-fqdn.
-
@dinhngtu
uri: ldaps://ad-server.domain.ar
Certificate Authorities
item: /usr/local/share/ca-certificates/domain-ca-root.crt
check certificate: on
starttls: (tested on or off)
base: OU=Usuarios,DC=domain,DC=AR
credentials: xo_ad@domain.ar
password: xxxxxxx
user filter: (userPrincipalName={{name}})
ID attribute*: DN
test data
username: test-user@domain.ar
password: xxxxxxx
-
The exact configuration as yours worked fine in my environment. What happens when you try to search LDAP manually with Ldp.exe?
-
@dinhngtu From Windows, ldp.exe works fine
-
@gonzametal ldp, to port 636 with SSL, works fine
-
How did you issue LDAPS certificates to your domain controller? Do you get the correct certificate when doing
openssl s_client -connect ad-server.domain.ar:636 ?
What about ldapsearch from Linux:
LDAPTLS_REQCERT=never ldapsearch -H ldaps://ad-server.domain.ar -x -D xo_ad@domain.ar -w ... -b 'OU=Usuarios,DC=domain,DC=AR' -s sub
This should give the correct query output.
-
@dinhngtu It is strange.
The ldapsearch command returns as expected, but openssl s_client returns "no peer certificate available".
openssl s_client --connect server.domain.ar:636
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 331 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
No firewall, nothing. LDP.exe works fine
-
Did you choose Use SSL in Ldp.exe? Either your AD SSL certificate is misconfigured or something is blocking connection from your Linux host.
-
@dinhngtu LDP is using SSL, and there is no firewall between, so I think there is an LDAPS misconfiguration