XCP-ng
Active directory authentication

Xen Orchestra · 12 Posts, 2 Posters, 430 Views
gonzametal:

I need to authenticate users with AD.
First I need to add the root certificate of the domain CA. How can I do this?
How can I test the bind?
Is it mandatory to use a bind account (Credentials to use before looking for the user record.)?

I am getting this error:

plugin.test
{
  "id": "auth-ldap",
  "data": {
    "username": "user@domain",
    "password": "* obfuscated *"
  }
}
{
  "errno": -104,
  "code": "ECONNRESET",
  "syscall": "read",
  "message": "read ECONNRESET",
  "name": "Error",
  "stack": "Error: read ECONNRESET
    at TLSWrap.onStreamRead (node:internal/stream_base_commons:218:20)
    at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)"
}

dinhngtu (Vates, XCP-ng Team):

You should put your root CA in a file accessible on the XO VM (e.g. /usr/local/share/ca-certificates/ad-root.crt). Point the CA setting to this path and enable "Check certificate". You must use a service account for binding.

gonzametal @dinhngtu:

dinhngtu said in Active directory authentication:

    /usr/local/share/ca-certificates/

Same error. I put the CA root crt in that folder, completed the item with the path of that cert, checked "check certificate" (tried starttls on or off). I think XO does not support the enabled protocols, or something like this. Is there any way to debug this?

dinhngtu (Vates, XCP-ng Team):

How did you specify your auth-ldap settings (URI, bind credentials, search parameters)? It worked for me when I used the URI ldaps://your-domain-controller-fqdn.

gonzametal @dinhngtu:

@dinhngtu
uri: ldaps://ad-server.domain.ar

Certificate Authorities
item: /usr/local/share/ca-certificates/domain-ca-root.crt

check certificate: on
starttls: (tested on or off)
base: OU=Usuarios,DC=domain,DC=AR
credentials: xo_ad@domain.ar
password: xxxxxxx
user filter: (userPrincipalName={{name}})
ID attribute*: DN

test data
username: test-user@domain.ar
password: xxxxxxx

dinhngtu (Vates, XCP-ng Team):

The exact configuration as yours worked fine in my environment. What happens when you try to search LDAP manually with Ldp.exe?

gonzametal @dinhngtu:

@dinhngtu From Windows, ldp.exe works fine.

gonzametal @gonzametal:

@gonzametal ldp, to port 636 with SSL, works fine.

dinhngtu (Vates, XCP-ng Team):

How did you issue LDAPS certificates to your domain controller? Do you get the correct certificate when doing openssl s_client -connect ad-server.domain.ar:636 ?

What about ldapsearch from Linux: LDAPTLS_REQCERT=never ldapsearch -H ldaps://ad-server.domain.ar -x -D xo_ad@domain.ar -w ... -b 'OU=Usuarios,DC=domain,DC=AR' -s sub ? This should give the correct query output.

gonzametal @dinhngtu:

@dinhngtu It is strange.
The ldapsearch command returns as expected, but openssl s_client returns "no peer certificate available".

openssl s_client --connect server.domain.ar:636
CONNECTED(00000003)
write:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 331 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

No firewall, nothing. LDP.exe works fine.

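The s_client output above is easy to misread: it ends with "Verify return code: 0 (ok)" although no certificate was ever received ("SSL handshake has read 0 bytes", "no peer certificate available", errno 104). The connection was reset before the server sent any TLS data, which is the same ECONNRESET that XO's plugin.test reported, and is a different failure from a CA-trust problem. The helper below is an added example, not code from this thread, from XO or from Vates: a POSIX shell script that classifies s_client output so that the "Verify return code: 0" line is not trusted when no certificate arrived, then runs the probe with the CA file actually enforced (LDAPTLS_CACERT rather than LDAPTLS_REQCERT=never, which switches off the check that XO's "check certificate" setting performs). The hostname, CA path, bind DN and search base are placeholders taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread, XO or Vates): probe an LDAPS endpoint the
# way XO's auth-ldap plugin must see it, with chain validation against the
# CA file XO is pointed at. Hostname, CA path and bind DN are assumptions.

# Classify captured `openssl s_client` output read from stdin. Prints one of:
#   reset-before-handshake  the server closed the TCP connection before sending
#                           any TLS data; this is not a certificate trust problem
#   ok                      a certificate was received and verified
#   cert-untrusted          a certificate was received but failed validation
#   unknown                 nothing recognisable (e.g. connection refused)
classify_s_client() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        # s_client still prints "Verify return code: 0 (ok)" in this case,
        # so this test must come first: nothing was actually verified.
        echo reset-before-handshake
    elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'Verify return code:'; then
        echo cert-untrusted
    else
        echo unknown
    fi
}

# Run the real probe against port 636, validating against the given CA file.
# Usage: ldaps_probe ad-server.domain.ar /usr/local/share/ca-certificates/domain-ca-root.crt
ldaps_probe() {
    host=$1; cafile=$2
    result=$(openssl s_client -connect "$host:636" -servername "$host" \
             -CAfile "$cafile" </dev/null 2>&1 | classify_s_client)
    echo "tls-default: $result"
    if [ "$result" = reset-before-handshake ]; then
        # A reset with 0 bytes read means the listener rejected the ClientHello
        # itself; retrying with TLS 1.2 only separates a protocol/cipher
        # mismatch from a listener that drops every connection.
        result12=$(openssl s_client -connect "$host:636" -servername "$host" \
                   -tls1_2 -CAfile "$cafile" </dev/null 2>&1 | classify_s_client)
        echo "tls-1.2-only: $result12"
    fi
}

# The same check through the LDAP client, with certificate verification kept on
# (LDAPTLS_CACERT) to match XO's "check certificate" setting. The bind password
# is prompted for (-W) rather than passed on the command line.
# Usage: ldapsearch_checked ad-server.domain.ar /path/to/ca.crt xo_ad@domain.ar 'OU=Usuarios,DC=domain,DC=AR'
ldapsearch_checked() {
    host=$1; cafile=$2; binddn=$3; base=$4
    LDAPTLS_CACERT="$cafile" ldapsearch -H "ldaps://$host" -x -D "$binddn" -W \
        -b "$base" -s base '(objectClass=*)' dn
}

# Only probe when a host and CA file are given on the command line.
if [ "$#" -eq 2 ]; then
    ldaps_probe "$1" "$2"
fi
```

If ldaps_probe reports reset-before-handshake for the default handshake but ok with -tls1_2, the domain controller's TLS listener is rejecting the default ClientHello, and the CA file is not the part to keep changing; if both report cert-untrusted, the CA file does not contain the issuer of the certificate the DC presents.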
dinhngtu (Vates, XCP-ng Team):

Did you choose Use SSL in Ldp.exe? Either your AD SSL certificate is misconfigured or something is blocking connection from your Linux host.

gonzametal @dinhngtu:

@dinhngtu LDP is using SSL, and there is no firewall between, so I think there is an LDAPS misconfiguration.