Unable to force TLS


sholikhin sy

Mar 16, 2016, 11:14:16 PM
to SimpleSAMLphp
Hello All,

I'm new to simplesamlphp. This is my first simplesamlphp installation and I want it to act as an IdP server against our LDAP server. So far, everything looks fine in testing mode (I'm running this on ubuntu 14 and simplesamlphp version 1.14, no TLS during testing, successfully authenticated a user in the LDAP). But, after enabling the TLS option I got this error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/simplesamlphp/www/module.php:170 (N/A)
Caused by: SimpleSAML_Error_Exception: Library - LDAP __construct(): Unable to force TLS
Backtrace:
6 /var/simplesamlphp/lib/SimpleSAML/Auth/LDAP.php:147 (SimpleSAML_Auth_LDAP::makeException)
5 /var/simplesamlphp/lib/SimpleSAML/Auth/LDAP.php:112 (SimpleSAML_Auth_LDAP::__construct)
4 /var/simplesamlphp/modules/ldap/lib/ConfigHelper.php:188 (sspmod_ldap_ConfigHelper::login)
3 /var/simplesamlphp/modules/ldap/lib/Auth/Source/LDAP.php:51 (sspmod_ldap_Auth_Source_LDAP::login)
2 /var/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:253 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /var/simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
0 /var/simplesamlphp/www/module.php:127 (N/A)
I've done a few things to verify this issue using the ldapsearch utility (with the -ZZ and -d1 options). At first, ldapsearch failed to connect to the ldap server with the error message "can't connect to server", but after copying the certificate from ldap I managed to connect to ldap but still got the error "peer cert is untrusted or revoked". Next I edited /etc/ldap/ldap.conf and added "TLS_REQCERT allow" there. After this step ldapsearch with the -ZZ option runs just fine, but simplesamlphp is still complaining with the error "Unable to force TLS". Am I missing something here? Is there any step that I need to do in order to tell simplesamlphp to trust the certificate?
Thanks in advance for your help,
regards,
Sholikhin sy



John Danner

Mar 16, 2016, 11:32:34 PM
to simple...@googlegroups.com

Might need to create an ldaprc file for the user the web server runs as.

http://manpages.ubuntu.com/manpages/hardy/man5/ldap.conf.5.html

IIRC php doesn't pick up the system ldap.conf sometimes.

Mearl


sholikhin sy

Mar 16, 2016, 11:39:33 PM
to SimpleSAMLphp
I've looked into saml20_idp_hosted.php and realized that in this file there are "privatekey" and "certificate" options. Currently I set them to the key & certificate from the apache2 ssl where I run this simplesamlphp. Should I change them to the ones that come with the ldap server?



John Danner

Mar 16, 2016, 11:46:54 PM
to simple...@googlegroups.com

Your ldap problem is with the php ldap apis. It's not specifically a simplesamlphp issue. I don't think any changes in the ssp config will help the ldap issue you are experiencing.


sholikhin sy

Mar 17, 2016, 12:08:28 AM
to SimpleSAMLphp
On Wednesday, March 16, 2016 at 8:32:34 PM UTC-7, John Danner wrote:

> Might need to create an ldaprc file for the user the web server runs as.
>
> http://manpages.ubuntu.com/manpages/hardy/man5/ldap.conf.5.html
>
> IIRC php doesn't pick up the system ldap.conf sometimes.
>
> Mearl


Thanks for your quick reply.
I've added ldaprc (and even .ldaprc) in the home folder of user www-data, but the problem persists: "unable to force TLS".
I'm sure that that user can read those files (chown to this user).

John Danner

Mar 17, 2016, 12:13:11 AM
to simple...@googlegroups.com

Have you tried port 636 on the ldap server rather than forcing TLS on 389?

What ldap server are you using?

sholikhin sy

Mar 17, 2016, 12:17:21 AM
to SimpleSAMLphp
On Wednesday, March 16, 2016 at 9:13:11 PM UTC-7, John Danner wrote:

> Have you tried port 636 on the ldap server rather than forcing TLS on 389?
>
> What ldap server are you using?


Indeed I have modified the config (in simplesamlphp) to 636. I've verified using nmap that the ldap server listens on 2 ports: 389 and 636. My LDAP server is on centos 5.11.

John Danner

Mar 17, 2016, 12:23:29 AM
to simple...@googlegroups.com

That's all I have.

Sorry, maybe someone else will have an answer.

sholikhin sy

Mar 17, 2016, 3:50:10 AM
to SimpleSAMLphp
Finally I solved this. It turned out to be a configuration problem. I desperately tried everything:
- Edited LDAP.php and added putenv('LDAPTLS_REQCERT=never'); and it failed.
- Edited LDAP.php and added putenv('LDAPTLS_REQCERT=allow'); and it still failed.
- Started php in interactive mode (php -a) and typed the commands directly, which revealed that php is OK too.

I just realized that LDAP in the initial connection still needs port 389 and not 636 (this port will be used after successful initialization). Changing the setting back to 389 in authsources.php made everything work as expected.


Tim van Dijen

Mar 17, 2016, 4:01:47 AM
to SimpleSAMLphp

Create a directory within /etc/openldap/certs and put in a certificate file that holds the complete certificate chain for your LDAP-store.

Edit /etc/openldap/ldap.conf and change the following:

#TLS_CACERTDIR      /etc/openldap/certs <- comment this line
TLS_REQCERT     allow <- Uncomment this line
TLS_CACERT      /etc/openldap/certs/ldap/ldap-chain.crt <- Uncomment this line and fill in the right path

Save the file and run the following command:

/usr/sbin/cacertdir_rehash /etc/openldap/certs/ldap

Restart Apache:

service httpd restart

At this point you should be able to successfully run ldapsearch:

ldapsearch -x -H ldaps://<FQDN-LDAP-STORE> -D "CN=admin,DC=example,DC=org" "(objectClass=User)"

Make sure that in your authsources.php you have:

'AD-LDAP' => array(
    'ldap:LDAP',

    [...]

    // The hostname of the LDAP server.
    'hostname' => 'ldaps://<FQDN-LDAP-STORE>',

    // The port used when accessing the LDAP server.
    // The default is 389.
    'port' => 636,

    // Whether SSL/TLS should be used when contacting the LDAP server.
    'enable_tls' => TRUE,

    [...]
);


If ldapsearch works, SSP should work too when configured this way.

- Tim

sholikhin sy

Mar 17, 2016, 4:22:52 AM
to SimpleSAMLphp
Thanks for your reply. What I've done is almost identical to your steps, even the 636 part (setting the LDAP port to 636). It turned out that that was the part that needed to be corrected (in my case). It may work that way in other cases but not in my case (ubuntu 14.04, apache2, php5.5.9, simplesamlphp 1.14.1) and ldap server on centos5.11.

Peter Schober

Mar 17, 2016, 8:58:12 AM
to SimpleSAMLphp
* sholikhin sy <sholi...@gmail.com> [2016-03-17 08:50]:
> Just realized that LDAP in initial connection still need port 389
> and not 636 (this port will be used after succesfull
> initialization).

No, that doesn't even make any sense. LDAP is connection based, there
is nothing you could do on LDAP port 389 (with or without StartTLS
there) that would change one bit of what happens if you connect to the
(non-standard) LDAPS port afterwards.

So I'd say whatever you think that change did, the above is not an
adequate description of what happens, so the fix is not what you think
it is (but something else).

* sholikhin sy <sholi...@gmail.com> [2016-03-17 05:17]:
> My LDAP server is on centos 5.11

I'm shocked to see that such ancient software is still kept alive (and
for another year). 5.0 was released 9 years ago.
-peter

sholikhin sy

Mar 17, 2016, 10:45:17 PM
to SimpleSAMLphp, peter....@univie.ac.at
On Thursday, March 17, 2016 at 5:58:12 AM UTC-7, Peter Schober wrote:

> * sholikhin sy <sholi...@gmail.com> [2016-03-17 08:50]:
> > Just realized that LDAP in initial connection still need port 389
> > and not 636 (this port will be used after succesfull
> > initialization).
>
> No, that doesn't even make any sense. LDAP is connection based, there
> is nothing you could do on LDAP port 389 (with or without StartTLS
> there) that would change one bit of what happens if you connect to the
> (non-standard) LDAPS port afterwards.
>
> So I'd say whatever you think that change did, the above is not an
> adequat description of what happens, so the fix is not what you think
> it is (but something else).

All my conclusions are based on my experiments (based on my current configuration, which probably differs elsewhere). I started php in interactive mode (php -a and then set the debug level to 7) and typed the code interactively line by line, imitating all the code in suspect (connect to ldap, start tls, etc). I'm convinced that it still connects to port 389 (I even tried to connect directly to 636 and it failed during that interactive session). All my configuration changes afterward are based on this experiment. I'm also convinced that my php is capturing all settings from /etc/ldap/ldap.conf during that interactive session. That's the reason why I changed the port number back to 389 in my configuration. All are based on experiment.

> * sholikhin sy <sholi...@gmail.com> [2016-03-17 05:17]:
> > My LDAP server is on centos 5.11
>
> I'm shocked to see that such ancient software is still kept alive (and
> for another year). 5.0 was released 9 years ago.
> -peter

Too lazy to change something that has served us well for years
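Peter's point is the one that explains the thread: StartTLS upgrades a plain ldap:// connection in place, while ldaps:// on 636 is TLS from the first byte, so asking libldap to StartTLS against port 636 sends a clear-text request to a port that expects a TLS handshake and can only fail. The script below is an added diagnostic, not SimpleSAMLphp's or any poster's code: it replays the connect/options/StartTLS/bind sequence behind the "Unable to force TLS" exception as a stand-alone script (the php -a experiment from the thread), classifies an authsources-style hostname/port/enable_tls triple before opening a socket, and then probes it. The host name is a placeholder and a reachable LDAP server is assumed.

```php
<?php
// Added diagnostic, not SimpleSAMLphp code: replays the libldap call sequence
// (connect, options, StartTLS, bind) behind "Unable to force TLS" so an
// authsources.php hostname/port/enable_tls triple can be tried from the CLI.
// ldap.example.org is a placeholder; a reachable LDAP server is assumed.

// Pure check: which transport libldap ends up using for a given triple.
// StartTLS upgrades a plain ldap:// connection; an ldaps:// socket is TLS
// from the first byte, so the enable_tls flag adds nothing there.
function classifyLdapTls(string $hostname, int $port, bool $enableTls): string
{
    if (stripos($hostname, 'ldaps://') === 0) {
        return 'LDAPS';                          // Tim's config: ldaps:// + 636
    }
    if ($enableTls && $port === 636) {           // the thread's failing change
        return 'BROKEN: clear-text StartTLS request sent to the LDAPS port';
    }
    return $enableTls ? 'STARTTLS' : 'PLAINTEXT';   // PLAINTEXT: passwords in clear
}

// Live probe of one triple; returns [ok, detail].
function probeLdapTls(string $hostname, int $port, bool $enableTls): array
{
    $mode = classifyLdapTls($hostname, $port, $enableTls);
    if (strpos($mode, 'BROKEN') === 0) {
        return [false, $mode];                   // no point opening a socket
    }
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);  // global libldap trace, as in the thread
    $ds = ldap_connect($hostname, $port);        // parses the URI only, no socket yet
    if ($ds === false) {
        return [false, 'ldap_connect() rejected ' . $hostname];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // The call whose failure SSP reports as "Unable to force TLS".
    if ($mode === 'STARTTLS' && !@ldap_start_tls($ds)) {
        return [false, 'ldap_start_tls(): ' . ldap_error($ds)];
    }
    // Anonymous bind opens the socket and runs the certificate check
    // (TLS_REQCERT / TLS_CACERT from ldap.conf or the user's ldaprc).
    if (!@ldap_bind($ds)) {
        return [false, 'ldap_bind(): ' . ldap_error($ds)];
    }
    ldap_unbind($ds);
    return [true, $mode];
}

$host = 'ldap.example.org';                      // placeholder
foreach ([[$host, 389, true], [$host, 636, true], ["ldaps://$host", 636, true]] as [$h, $p, $t]) {
    [$ok, $detail] = probeLdapTls($h, $p, $t);
    printf("%-22s port=%d enable_tls=%d -> %s %s\n", $h, $p, $t, $ok ? 'OK' : 'FAIL', $detail);
}
```

Run it as the web server's user (for example with sudo -u www-data) so it reads the same ldap.conf or ldaprc that the PHP process behind SSP sees; a failure in ldap_bind() rather than ldap_start_tls() points at the certificate chain, not at the port.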
