access to LDAP secure connection


Sergio Blanco

Jun 22, 2021, 8:54:06 PM
to SimpleSAMLphp
I have an installation of simpleSAMLphp version 19.
I need to make a connection to an LDAP server over a secure connection on port 636, as seen below.

    'XXXX-ldap' => array(
        'ldap:LDAP',

        /* The hostname of the LDAP server. */
        'hostname' => 'ldap://389ds01.alpha.ucr.ac.cr',
        /* Whether SSL/TLS should be used when contacting the LDAP server. */
        'enable_tls' => TRUE,
        // The port used when accessing the LDAP server. The default is 389.
        'port' => 636,


However, I cannot find how to specify in the ldap module configuration the path of the certificate that is used to connect to the LDAP.

Can you help me?

Thanks

Peter Schober

Jun 23, 2021, 6:48:32 AM
to SimpleSAMLphp
* Sergio Blanco <sergi...@gmail.com> [2021-06-23 02:54]:
> However, I cannot find how to specify in the ldap module
> configuration the path of the certificate that is used to connect to
> the LDAP.

You mean you want to authenticate your SimpleSAMLphp (as LDAP client)
with a client certificate to the LDAP server?

Or did you mean your SimpleSAMLphp (as LDAP client) doesn't trust your
LDAP server (likely because the LDAP server uses a certificate from a
private CA or a self-signed certificate)?

-peter

Sergio Blanco

Jun 23, 2021, 9:45:59 AM
to SimpleSAMLphp
My SimpleSAMLphp (as an LDAP client) cannot connect to the LDAP server because it uses a self-signed certificate, so I have to indicate the certificate to use to establish communication.

Peter Schober

Jun 23, 2021, 10:08:37 AM
to SimpleSAMLphp
* Sergio Blanco <sergi...@gmail.com> [2021-06-23 15:46]:
> My SimpleSAMLphp (as an LDAP client) cannot connect to the LDAP
> server because it uses a self-signed certificate, so I have to
> indicate the certificate to use to establish communication.

This is still undocumented[1] as I pointed out in 2017 in the thread
"How do I properly configure SimpleSAMLphp to use LDAPS?" on this list
which btw also contains an explanation and points the way to figure
this out.

First of all your PHP build needs to have LDAP enabled which is not
the default[0]. I'm mentioning this here because it explains that
everything that follows is OS and platform dependent.
(Which explains why it's not easy to document this within
SimpleSAMLphp but doesn't justify not saying anything at all.)

Details depend on where the PHP LDAP extension looks for the ldap.conf
configuration file. That's where you'd specify the TLS trust
parameters for the LDAP library which in turn would also be used by the
LDAP code in SimpleSAMLphp.

Not only is the SimpleSAMLphp documentation silent on this matter, the
PHP documentation itself is also severely lacking in this regard:
https://www.php.net/manual/en/function.ldap-start-tls.php

"Warning
This function is currently not documented; only its argument list is available."

Though below that warning you may find additional user-generated
comments and hints.

-peter

[0] https://www.php.net/manual/en/ldap.installation.php
[1] https://github.com/simplesamlphp/simplesamlphp-module-ldap/blob/master/docs/ldap.md

Peter Schober

Jun 23, 2021, 10:15:05 AM
to SimpleSAMLphp
* Peter Schober <peter....@univie.ac.at> [2021-06-23 16:08]:
> Details depend on where the PHP LDAP extension looks for the ldap.conf
> configuration file. That's where you'd specify the TLS trust
> parameters for the LDAP library which in turn would also be used by the
> LDAP code in SimpleSAMLphp.

Assuming the PHP LDAP extension was built against the OpenLDAP
libraries the man page for ldap.conf shows the default locations where
that file would be looked for:
https://www.openldap.org/software/man.cgi?query=ldap.conf
(see section FILES at the end)

Note that these are the defaults from the OpenLDAP project and that OS
vendors and GNU/Linux distributions may change those!

-peter

Tim van Dijen

Jun 23, 2021, 10:37:36 AM
to SimpleSAMLphp
I can tell you from experience that using the OpenLDAP certificate store is really inconvenient when you have multiple certs from multiple CAs.
You can just add the certificate(-chain) to the OS trust store..

In my case (RHEL & CentOS), I put the cert or chain in /etc/pki/ca-trust/source/anchors (make sure to use base64 / PEM-format).
Then I run 'update-ca-trust force-enable' followed by 'update-ca-trust extract'. Finally you restart php-fpm or httpd depending on your setup.

Other OSes may work differently, and this is exactly the reason this is not documented on the SSP side.

- Tim
On Wednesday, 23 June 2021 at 16:15:05 UTC+2, Peter Schober wrote:

Peter Schober

Jun 24, 2021, 4:12:44 AM
to SimpleSAMLphp
* Tim van Dijen <tvd...@gmail.com> [2021-06-23 16:37]:
> I can tell you from experience that using the OpenLDAP certificate
> store is really inconvenient when you have multiple certs from
> multiple CAs.

What's "the OpenLDAP certificate store"? Do you mean the default paths
an OS vendor may have set where the OpenLDAP libraries look for CA
certificates?

> You can just add the certificate(-chain) to the OS trust store..

Simply finding (or pointing out, from the perspective of the
documentation) the right place to configure this would be sufficient,
IMO.
And I might prefer not to trust the private CA from the LDAP service on
the global/OS level.

> In my case (RHEL & CentOS), I put the cert or chain in
> /etc/pki/ca-trust/source/anchors (make sure to use base64 /
> PEM-format). Then I run 'update-ca-trust force-enable' followed by
> 'update-ca-trust extract'. Finally you restart php-fpm or httpd
> depending on your setup.

On RHEL & CentOS the file to configure alternative locations for the
trust store would be /etc/openldap/ldap.conf, from a quick web search.

> Other OS'es may work differently

On Debian, Ubuntu & friends it's /etc/ldap/ldap.conf.

In all cases pointing TLS_CACERT to the trust anchor your LDAP server
uses for LDAPS/LDAP+STARTTLS would suffice.
(On platforms not linking OpenLDAP against GnuTLS you could also use
TLS_CACERTDIR but that's more involved than pointing to a single file,
and again, doesn't work everywhere.)

> this is exactly the reason this is not documented on the SSP side.

To me the fact that we have to talk about this and share examples
clearly illustrates why this should be documented (if only by
reference to a usable external resource, if one exists). ;)

What could always be said (and would have helped the OP) is:

* what needs to be done (point TLS_CACERT to the trust anchor;
maybe explain or reference something that explains what the trust
anchor is/should be),

* where this needs to be done (pointing to `man ldap.conf` of the
OS/distribution; Debian's man pages are)

-peter

Tim van Dijen

Jun 24, 2021, 4:27:05 AM
to SimpleSAMLphp
>  What's "the OpenLDAP certificate store"?
I mean the TLS_CACERTDIR in /etc/openldap/ldap.conf you mentioned.


> To me the fact that we have to talk about this and share examples
> clearly illustrates why this should be documented (if only by
> reference to a usable external resource, if one exists). ;)

I really disagree, because this has nothing to do with SimpleSAMLphp..
We don't even know if people are using the PHP ext-ldap module, or something completely different.

> What could always be said (and would have helped the OP) is: [...]
That's already very specific to a specific OS/configuration.
I wouldn't go much further than to say that 'if you use ext-ldap, you should be aware that you need to configure openldap as well'..

- Tim
On Thursday, 24 June 2021 at 10:12:44 UTC+2, Peter Schober wrote:

Peter Schober

Jun 24, 2021, 7:23:34 AM
to SimpleSAMLphp
* Tim van Dijen <tvd...@gmail.com> [2021-06-24 10:27]:
> I really disagree, because this has nothing to do with
> SimpleSAMLphp.

Not having done anything with PHP and LDAP in a long time even I was
unaware (before searching) you'd have to configure this according to
the OpenLDAP libraries as used by that PHP extension.
(This could also be read as a request for SimpleSAMLphp to provide its
own code/configuration to make this much easier, btw.)

If you have to do *something* in order to access an LDAPS or
LDAP+STARTTLS server that's using a self-signed or private CA-issued
server certificate from SimpleSAMLphp (which seems like a very common
requirement when using SimpleSAMLphp as an IDP/OP[1]) why would you
prefer to *not* tell the people what it is they'd have to do?
Because it's not easy to make universal statements?

> I wouldn't go much further than to say that 'if you use ext-ldap,
> you should be aware that you need to configure openldap as well'..

That's already more than there is today (so is an improvement).
Maybe we can hash out the wording in an issue.

-peter

[1] Using the OS-provided WebPKI trust store for purely internal
non-web services (LDAP, here) where you also control all the clients
may not be the only or necessarily the best choice.

Tim van Dijen

Jun 24, 2021, 8:32:40 AM
to SimpleSAMLphp
> (This could also be read as a request for SimpleSAMLphp to provide its
> own code/configuration to make this much easier, btw.)

With our limited resources I wouldn't want to spend time on writing our own ldap-client..
There's a handful of pure PHP ldap-libraries but they don't seem very well maintained.

- Tim
On Thursday, 24 June 2021 at 13:23:34 UTC+2, Peter Schober wrote:

Sergio Blanco

Jun 24, 2021, 4:43:49 PM
to SimpleSAMLphp
Thanks. I could solve it.

The reference "How do I properly configure SimpleSAMLphp to use LDAPS?" helped me a lot.

I managed to run the tests in test, and I am now making the connection in production; however, it is giving me the following error:

Authentication error in origin 'ldap'. The reason was: 'Library - LDAP getAttributes(): Could not get first entry from DN \'uid=XXXX,cn=users,cn=accounts,dc=ucr,dc=ac,dc=cr\''

Any recommendation?

Peter Schober

Jun 25, 2021, 8:52:48 AM
to SimpleSAMLphp
* Sergio Blanco <sergi...@gmail.com> [2021-06-24 22:43]:
> Authentication error in origin 'ldap'. The reason was: 'Library - LDAP
> getAttributes(): Could not get first entry from DN \'uid=XXXX,cn=users,
> cn=accounts,dc=ucr,dc=ac,dc=cr\''

I don't understand the error message but in general you should test
your exact search parameters using ldapsearch(1) on the command line.

-peter

Tim van Dijen

Jun 25, 2021, 11:02:36 AM
to SimpleSAMLphp
Try setting in your LDAP-authsource 'debug' => false, and hopefully you get more details.
It sounds like the search query resulted in more than one result..

- Tim
On Friday, 25 June 2021 at 14:52:48 UTC+2, Peter Schober wrote:

Sergio Blanco

Jun 25, 2021, 12:03:31 PM
to SimpleSAMLphp
On the command line, ldapsearch works.
(attached screenshot: Captura de pantalla de 2021-06-25 10-01-06.png)

Sergio Blanco

Jun 25, 2021, 12:09:22 PM
to SimpleSAMLphp
These are the logs it generates.
(attached: logs.txt)

Sergio Blanco

Jun 25, 2021, 6:51:17 PM
to SimpleSAMLphp
This is the authsources.php config:

$config = array(

    // This is an authentication source which handles admin authentication.
    'admin' => array(
        // The default is to use core:AdminPassword, but it can be replaced with
        // any authentication source.
        'core:AdminPassword',
    ),

    'redUCR-ldap' => array(
        'ldap:LDAP',

        /* The hostname of the LDAP server. */
        'hostname' => 'ldaps://XXXXXX.ucr.ac.cr',

        /* Whether SSL/TLS should be used when contacting the LDAP server. */
        'enable_tls' => TRUE,
        'debug' => TRUE,

        'attributes' => NULL,
        'attributes.binary' => ['jpegPhoto', 'objectGUID', 'objectSid', 'mS-DS-ConsistencyGuid'],

        'dnpattern' => 'uid=%username%,cn=users,cn=accounts,dc=ucr,dc=ac,dc=cr',

        'search.enable' => TRUE,
        'search.base' => 'cn=users,cn=accounts,dc=ucr,dc=ac,dc=cr',

        /*
         * The scope of the search. Valid values are 'subtree', 'onelevel' and 'base',
         * the first one being the default if no value is set.
         */
        'search.scope' => 'subtree',
        'search.attributes' => array('uid', 'mail'),

        'search.username' => 'uid=XXXXXX,ou=Special Users,dc=ucr,dc=ac,dc=cr',
        'search.password' => 'XXXXXXXXXXXXXXXXXXXXXXXXX',

        'timeout' => 30,
        'debug' => true,
    ),

);
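As an added diagnostic (editor's example, not code from the thread or from the simplesamlphp-module-ldap project), the script below uses the same ext-ldap calls to check the two things discussed in this thread outside SimpleSAMLphp: that the LDAPS server certificate is accepted against the private trust anchor, and that the search configured in the authsources.php above yields exactly one entry for a username. It hands ext-ldap the trust anchor through its own option (an alternative to TLS_CACERT in ldap.conf, see Peter's posts); the CA file path and the bind password are placeholders, and the DNs and search base are taken from the config above.

```php
<?php
// Added diagnostic, not code from the thread or the simplesamlphp-module-ldap project.
// Assumes PHP >= 7.1 with ext-ldap linked against OpenLDAP. $caFile and the bind
// password are placeholders; DNs, base and attributes mirror the authsources.php above.

$uri    = 'ldaps://XXXXXX.ucr.ac.cr';
$caFile = '/etc/ssl/certs/ldap-private-ca.pem';   // placeholder: PEM trust anchor (CA cert)
$bindDn = 'uid=XXXXXX,ou=Special Users,dc=ucr,dc=ac,dc=cr';
$bindPw = getenv('LDAP_BIND_PW') ?: 'XXXXXXXX';   // placeholder secret; prefer the env var
$base   = 'cn=users,cn=accounts,dc=ucr,dc=ac,dc=cr';
$user   = $argv[1] ?? 'testuser';

// Hand ext-ldap the trust anchor directly (alternative to TLS_CACERT in ldap.conf).
// With a null connection the option is global; it must be set before ldap_connect().
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND); // keep verification on

$ds = ldap_connect($uri);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// 1. The bind is what triggers the TLS handshake for an ldaps:// URI. If the server
//    certificate is not trusted, OpenLDAP's reason ends up in the diagnostic message.
if (!@ldap_bind($ds, $bindDn, $bindPw)) {
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, 'bind failed: ' . ldap_error($ds) . ' ' . ($diag ?? '') . "\n");
    exit(1);
}
echo "TLS handshake and service bind OK\n";

// 2. Run the same search the ldap:LDAP authsource would (search.base, uid filter,
//    search.attributes), escaping the username so it cannot alter the filter.
$filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
$res = ldap_search($ds, $base, $filter, ['uid', 'mail']);
if ($res === false) {
    fwrite(STDERR, 'search failed: ' . ldap_error($ds) . "\n");
    exit(1);
}
$n = ldap_count_entries($ds, $res);
if ($n !== 1) {
    // 0 entries: ldap_first_entry() returns false on an empty result, the same
    //   condition behind the "Could not get first entry" message (check search.base
    //   and what the service account is allowed to read).
    // >1 entries: uid is not unique under search.base, so the lookup is ambiguous.
    fwrite(STDERR, "expected exactly one entry for '$user', got $n\n");
    exit(1);
}
$dn = ldap_get_dn($ds, ldap_first_entry($ds, $res));
echo "resolved DN: $dn (dnpattern expects uid=$user,$base)\n";
```

Run it as `LDAP_BIND_PW=... php ldap-check.php someuser` from the same host and PHP build that serves SimpleSAMLphp, since the trust behaviour is OS and build dependent as the thread explains.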
