LDAP Issue help needed

#1

Hello !
I'm running a new Mastodon instance and want to configure LDAP authentication. My LDAP host is a remote host and only allows simple bind over 389.

Snippet of my .env.production:
#LDAP authentication (optional)
LDAP_ENABLED=true
LDAP_HOST=remote address (can retrieve any objects over ldapsearch)
LDAP_PORT=389
LDAP_TLS_NO_VERIFY=true
LDAP_METHOD=simple_tls
LDAP_BASE=<dc=my,dc=domain>
LDAP_BIND_DN=uid=administrator,cn=users,dc=myl,dc=domain
LDAP_PASSWORD=
LDAP_UID=uid
LDAP_SEARCH_FILTER="%{uid}=%{email}"

I get this error from mastodon-web:

mastodon bundle[11805]: [fc302fc5-4db6-4d09-a1b0-a40ea82f749f] method=POST path=/auth/sign_in format=html controller=Auth::SessionsController action=create status=500 error='Net::LDAP::Error: SSL_connect SYSCALL returned=
mastodon bundle[11805]: [fc302fc5-4db6-4d09-a1b0-a40ea82f749f] Net::LDAP::Error (SSL_connect SYSCALL returned=5 errno=0 state=SSLv3/TLS write client hello):

Please help me to figure this out.
System:
Ubuntu 18.04.2
Mastodon version: 2.7.4

Thanks


#2

Looks like it has a problem connecting via SSL. Are you running SSL-enabled LDAP on port 389? Do you have pure SSL/TLS LDAP enabled on port 636 by chance? What happens if you do

openssl s_client -connect ldap.host:636  -showcerts

#3

Hi @saper,

SSL is enabled.
Result of openssl s_client:

CONNECTED(00000003)
write:errno=0

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 176 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1554711744
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
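The two diagnostics in this thread, the LDAP_* settings from #1 and the openssl s_client probe from #2 with its transcript in #3, can be combined into a small offline checker. This is an added example, not Mastodon's or the poster's code: it parses the env file, flags the settings that produce the "write client hello" error (simple_tls is LDAPS, so pointing it at a plain-LDAP port makes the server drop the TLS ClientHello), warns about LDAP_TLS_NO_VERIFY, and classifies an s_client transcript like the one above, where "SSL handshake has read 0 bytes" means the peer closed the socket before answering. The port convention, the env parser, the sample values (ldap.example.org, dc=example,dc=org), the constructed transcript and the next_probe suggestions are all assumptions of this example.

```python
"""Offline sanity checks for a Mastodon LDAP_* configuration and for the
`openssl s_client` transcript used to probe the LDAP server.
Added example, not Mastodon's own code; port convention and parsing are assumptions."""
import re

# Assumption: the three LDAP_METHOD values Mastodon's LDAP setup accepts, mapped to
# the port each conventionally uses. simple_tls is LDAPS (TLS from the first byte,
# usually 636); start_tls and plain both open a plain LDAP session, usually on 389.
CONVENTIONAL_PORT = {"plain": 389, "start_tls": 389, "simple_tls": 636}

# Constructed sample mirroring the settings posted in #1 (host and base are placeholders).
SAMPLE_ENV = """\
#LDAP authentication (optional)
LDAP_ENABLED=true
LDAP_HOST=ldap.example.org
LDAP_PORT=389
LDAP_TLS_NO_VERIFY=true
LDAP_METHOD=simple_tls
LDAP_BASE=dc=example,dc=org
LDAP_BIND_DN=uid=administrator,cn=users,dc=example,dc=org
LDAP_PASSWORD=
LDAP_UID=uid
LDAP_SEARCH_FILTER="%{uid}=%{email}"
"""

# Constructed transcript shaped like the s_client output posted in #3.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
write:errno=0
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
"""


def parse_env(text):
    """Parse KEY=value lines from a .env.production-style file: skips blank lines and
    '#' comments, splits on the first '=', and strips matching surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(env):
    """Return human-readable findings about the LDAP_* settings; empty means nothing suspicious."""
    findings = []
    method = env.get("LDAP_METHOD", "simple_tls")
    if method not in CONVENTIONAL_PORT:
        return ["unknown LDAP_METHOD %r; expected one of %s" % (method, sorted(CONVENTIONAL_PORT))]
    port = int(env.get("LDAP_PORT", "389"))
    if port != CONVENTIONAL_PORT[method]:
        if method == "simple_tls":
            hint = ("simple_tls sends a TLS ClientHello immediately; a listener that only speaks "
                    "plain LDAP on that port drops the connection, which Net::LDAP reports as "
                    "'SSL_connect SYSCALL ... write client hello'")
        else:
            hint = "%s expects a plain LDAP listener on the port you give it" % method
        findings.append("LDAP_METHOD=%s with LDAP_PORT=%d (conventional port is %d): %s"
                        % (method, port, CONVENTIONAL_PORT[method], hint))
    if method != "plain" and env.get("LDAP_TLS_NO_VERIFY", "false").lower() == "true":
        findings.append("LDAP_TLS_NO_VERIFY=true disables certificate verification, so a wrong "
                        "certificate path on the server stays hidden and the bind is open to "
                        "interception; fix the server certificate instead")
    if not env.get("LDAP_PASSWORD"):
        findings.append("LDAP_PASSWORD is empty: a simple bind with a DN and no password is an "
                        "unauthenticated bind (RFC 4513 section 5.1.2), which servers usually reject")
    return findings


def classify_s_client(output):
    """Classify an `openssl s_client -connect host:port` transcript.
    'handshake-aborted' means the peer sent nothing back (read 0 bytes), which is what a
    plain-LDAP listener does when handed a ClientHello; s_client still prints
    'Verify return code: 0 (ok)' in that case because there was no certificate to verify."""
    m = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", output)
    if not m:
        return "unknown"
    if int(m.group(1)) == 0:
        return "handshake-aborted"
    if re.search(r"Verify return code: 0 \(ok\)", output):
        return "tls-ok"
    return "tls-verify-failed"


def next_probe(env, verdict):
    """Suggest follow-up s_client commands after an aborted handshake (assumption: OpenSSL
    1.1.1 or newer, which supports `-starttls ldap`); empty string otherwise."""
    if verdict != "handshake-aborted":
        return ""
    host = env.get("LDAP_HOST", "ldap.example.org")
    return ("openssl s_client -connect %s:389 -starttls ldap  # does 389 upgrade via STARTTLS?\n"
            "openssl s_client -connect %s:636 -showcerts       # is LDAPS listening at all?"
            % (host, host))


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    for finding in check_env(cfg):
        print("-", finding)
    verdict = classify_s_client(SAMPLE_S_CLIENT)
    print("s_client verdict:", verdict)
    print(next_probe(cfg, verdict))
```

Run it against a real .env.production by replacing SAMPLE_ENV with the file's contents and SAMPLE_S_CLIENT with the saved s_client output; the verdict tells you whether the problem is on the wire (no TLS listener on that port) before you touch Mastodon's settings, which is where the fix in #5 ended up.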

#4

That does not look right to me. You have to check your LDAP server SSL configuration. Are you sure it is the full output?


#5

Thanks!

It works. I had some errors with the SSL configuration (not the right certificate path).
