LDAP configuration - help needed


#1

Hello everyone !
I’m running my Mastodon instance through Yunohost, but the current install doesn’t configure LDAP by default. So I’m trying to figure out the proper config.
Here is what I have done:

Snip of my .env.production :

# LDAP authentication (optional)
LDAP_ENABLED=true
LDAP_HOST=127.0.0.1
LDAP_PORT=389
LDAP_TLS_NO_VERIFY=true
LDAP_METHOD=start_tls
LDAP_BASE=ou=users,dc=yunohost,dc=org
LDAP_BIND_DN=ou=admin,dc=yunohost,dc=org
LDAP_PASSWORD=<redacted_password_of_admin>
LDAP_UID=uid
#LDAP_SEARCH_FILTER="%{uid}=%{email}"

I’m no LDAP guru, but I managed to connect to LDAP using the admin credentials through the ldapsearch CLI. So URL, port, account and password seem correct.

I don’t have logs in mastodon/live/log, nor in /var/log.
Here is what systemctl returns:

$ sudo systemctl status mastodon-web
[...]
oct. 27 12:41:51 taboulisme.com bundle[16189]: [7e22fab3-b147-4bb7-8607-f330c73503e2] method=POST path=/auth/sign_in format=html controller=Auth::SessionsController action=create status
oct. 27 12:41:51 taboulisme.com bundle[16189]: [7e22fab3-b147-4bb7-8607-f330c73503e2]
oct. 27 12:41:51 taboulisme.com bundle[16189]: [7e22fab3-b147-4bb7-8607-f330c73503e2] Net::LDAP::Error (start_tls failed: 2):
oct. 27 12:41:51 taboulisme.com bundle[16189]: [7e22fab3-b147-4bb7-8607-f330c73503e2]
oct. 27 12:41:51 taboulisme.com bundle[16189]: [7e22fab3-b147-4bb7-8607-f330c73503e2] lib/devise/ldap_authenticatable.rb:29:in `authenticate!'
oct. 27 12:41:51 taboulisme.com bundle[16189]: [7e22fab3-b147-4bb7-8607-f330c73503e2] app/controllers/concerns/localized.rb:14:in `set_locale'

I already asked the yunohost community (there), which advised me to ask here… :grin:

Can someone help me figure this out? Thanks :slight_smile:


#2

Also, I had another clue here : [Feature] LDAP Integration · Issue #67 · YunoHost-Apps/mastodon_ynh · GitHub
So, maybe related to Net::LDAP simple method not supported · Issue #6991 · tootsuite/mastodon · GitHub


#3

Hi, have you turned off the TLS verification on your LDAP?
From OpenLDAP, in ldap.conf: TLS_REQCERT allow
https://www.openldap.org/doc/admin21/tls.html


#4

Sorry for the delay, I just tried it but it’s the same :confused:
I’m somehow convinced this is related to Mastodon not supporting the plain method for the LDAP connection…
Here is what I have with plain:

févr. 13 14:33:24 taboulisme.com bundle[31988]: [127612f8-d44e-4372-a057-fff7163a3b35] method=GET path=/about format=html controller=AboutController action=show sta
févr. 13 14:33:25 taboulisme.com bundle[31988]: [04b602f5-35b4-4190-801f-9b37441b41f1] method=GET path=/api/v1/timelines/public format=html controller=Api::V1::Time
févr. 13 14:33:30 taboulisme.com bundle[31988]: [78165195-4fd9-47e9-9ace-63cb01d174b5] method=POST path=/auth/sign_in format=html controller=Auth::SessionsControlle
févr. 13 14:33:30 taboulisme.com bundle[31988]: [78165195-4fd9-47e9-9ace-63cb01d174b5]
févr. 13 14:33:30 taboulisme.com bundle[31988]: [78165195-4fd9-47e9-9ace-63cb01d174b5] Net::LDAP::Error (unsupported encryption method plain):
févr. 13 14:33:30 taboulisme.com bundle[31988]: [78165195-4fd9-47e9-9ace-63cb01d174b5]
févr. 13 14:33:30 taboulisme.com bundle[31988]: [78165195-4fd9-47e9-9ace-63cb01d174b5] lib/devise/ldap_authenticatable.rb:29:in `authenticate!'
févr. 13 14:33:30 taboulisme.com bundle[31988]: [78165195-4fd9-47e9-9ace-63cb01d174b5] app/controllers/concerns/localized.rb:14:in `set_locale'

While plain is the method used by Yunohost (my LDAP server).
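Both errors in this thread come from how the LDAP_METHOD value is turned into net-ldap's `:encryption` option: net-ldap knows only `:simple_tls` and `:start_tls`, so `:plain` must mean "no `:encryption` key at all", and "start_tls failed: 2" is the server answering the StartTLS request with LDAP result code 2 (protocolError), which slapd typically returns when it has no TLS configured. The helper below is an added example written for this post, not Mastodon's or net-ldap's code; `ldap_options_from_env` and `ldap_config_warnings` are hypothetical names, and SAMPLE_ENV is a constructed copy of the .env.production snippet from post #1.

```ruby
require 'openssl'

# net-ldap accepts exactly these two values for encryption: { method: ... }.
# Passing method: :plain is what raises "unsupported encryption method plain".
SUPPORTED_TLS_METHODS = %i[simple_tls start_tls].freeze

# Constructed from the snippet in post #1 (password is a placeholder).
SAMPLE_ENV = {
  'LDAP_ENABLED' => 'true',
  'LDAP_HOST' => '127.0.0.1',
  'LDAP_PORT' => '389',
  'LDAP_TLS_NO_VERIFY' => 'true',
  'LDAP_METHOD' => 'start_tls',
  'LDAP_BASE' => 'ou=users,dc=yunohost,dc=org',
  'LDAP_BIND_DN' => 'ou=admin,dc=yunohost,dc=org',
  'LDAP_PASSWORD' => 'REDACTED_PLACEHOLDER',
  'LDAP_UID' => 'uid'
}.freeze

# Translate LDAP_* variables into the option hash one would hand to
# Net::LDAP.new.  'plain' is handled by omitting :encryption entirely,
# which is the only way net-ldap does a cleartext connection.
def ldap_options_from_env(env)
  method = env.fetch('LDAP_METHOD', 'simple_tls').to_sym
  opts = {
    host: env.fetch('LDAP_HOST'),
    port: Integer(env.fetch('LDAP_PORT', '389')),
    base: env.fetch('LDAP_BASE'),
    auth: { method: :simple, username: env.fetch('LDAP_BIND_DN'),
            password: env.fetch('LDAP_PASSWORD') }
  }
  case method
  when :plain
    opts # cleartext; only reasonable on loopback or a Unix socket
  when *SUPPORTED_TLS_METHODS
    verify = env['LDAP_TLS_NO_VERIFY'] == 'true' ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
    opts.merge(encryption: { method: method, tls_options: { verify_mode: verify } })
  else
    raise ArgumentError, "unsupported encryption method #{method}"
  end
end

# Flag the two settings that weaken the bind: cleartext to a remote host
# (credentials cross the network unencrypted) and disabled certificate
# verification (a TLS session that any interposed server can terminate).
def ldap_config_warnings(env)
  opts = ldap_options_from_env(env)
  warnings = []
  loopback = %w[127.0.0.1 ::1 localhost].include?(opts[:host])
  warnings << 'cleartext LDAP to a non-loopback host' if !opts.key?(:encryption) && !loopback
  warnings << 'certificate verification disabled (LDAP_TLS_NO_VERIFY=true)' if opts.dig(:encryption, :tls_options, :verify_mode) == OpenSSL::SSL::VERIFY_NONE
  warnings
end
```

With the posted settings the helper selects STARTTLS with verification off; switching LDAP_METHOD to plain on 127.0.0.1 yields a cleartext option hash with no warnings, which matches what a loopback Yunohost slapd without TLS actually offers.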