Ldap encryption problem

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

Post Reply
hassan1
Posts: 15
Joined: Mon Feb 12, 2007 11:55 am

Ldap encryption problem

Post by hassan1 »

I am running cacti version 0.8.7b, on sles10, with ldap authentication enable which works. However when I enable TLS or SSL, I get the error messages “LDAP Search Error: Protocol error, unable to start TLS communications”


With encryption disabled ldap authentication works fine but does not work with encryption.

I am running php version 5.2.0, apache 2.2.8

Here is my cacti Ldap setting:

Server: 181.74.x.x
Port Standard: 389
Port SSL : 636
Protocol Version : 3
Encryption : TLS
Referrals : Enable
Mode : Anonymous Searching

Distinguished Name (DN) : o=aol
Search Base: o=aol
Search filter: (&(objectClass=posixAccount)(cn=<username>))
Search Distinguished Name (DN): o=aol

Unfortunately Encryption either by TLS or SSL does not work for me.
Can you help? Please.
User avatar
TheWitness
Developer
Posts: 17047
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

Do you have the Open SSL modules installed? What does your Apache error_log indicate if anything?

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
hassan1
Posts: 15
Joined: Mon Feb 12, 2007 11:55 am

Post by hassan1 »

Thanks for your response. I am running Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m PHP/5.2.0 mod_auth_tkt/2.0.0rc2. Unfortunately my apache error log does not log anything regarding cacti tls/ssl failed login.

How can I troubleshoot the problem?
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Oh my.... :-?

I barely got this to work when I implemented the code and never got it fully tested. I'm not 100% sure that the TLS/SSL works for php-ldap.

That being said, I will render as much assistance as I can on this issue, because I would like to see it working.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
bitgod
Posts: 25
Joined: Thu Mar 31, 2005 2:03 pm
Location: Texas, USA

Post by bitgod »

I've run into the same issue with Novell LDAP and Cacti 0.8.7d all patched up running on W2k3. When using the TLS option I always get:

LDAP Error: Protocol error, unable to start TLS communications

With the encryption set to NONE, it authenticates fine every time, so we know the other settings are okay. The Novell admin won't leave non-encrypted connections enabled, so I have to get either TLS or SSL working. TLS seemed to be the easier option... and we use it for other services but I'll have to get past this error.

Any ideas? What kind of information may I provide to help hammer through the problem?
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Does SSL work on the standard port?
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
bitgod
Posts: 25
Joined: Thu Mar 31, 2005 2:03 pm
Location: Texas, USA

Post by bitgod »

Got around to toying with SSL today. I'm not having any luck with SSL either, while NONE still works. Digging through forums for SSL LDAP threads now... Will update the SSL findings asap.
Phytius
Posts: 5
Joined: Tue Jul 31, 2007 2:49 am

Post by Phytius »

I got my LDAPS service today and played a while:
Cacti 0.8.7b, server SUSE Enterprise Server 9

* get public Root CA certificate and copy it to /etc/ssl/certs/
run "c_rehash"
(other distributions may use different directories and configuration files)

* check SSL using sth. like:
"openssl s_client -showcerts -connect server.test.domain:12345 -CApath /etc/ssl/certs/"
(non standard port 12345)

end of command output should look like this:

New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 123(snip)
Session-ID-ctx:
Master-Key: 123 (snip)
Key-Arg : None
Start Time: 1240844427
Timeout : 300 (sec)
Verify return code: 0 (ok)
---


* in /etc/openldap/ldap.conf add
TLS_REQCERT allow
TLS_CACERTDIR /etc/ssl/certs

* check LDAPS (or let it be):
ldapsearch -x -H "server.test.domain:12345" -b "dc=company, dc=com" -D "uid=aUser,ou=something,ou=users,dc=com" -W "(&(|(objectClass=atestperson)(objectClass=atestaccount))(uid=ncc1701))

* configure cati:
set encryption to SSL (TLS not working in my environment)
overwrite "Port Standard = 382" setting with LDAPS port (default/standard 636), "Port SSL" setting will be ignored by Cacti (see trace/tcpdump)

* restart Apache
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Phytius wrote: * configure cati:
set encryption to SSL (TLS not working in my environment)
overwrite "Port Standard = 382" setting with LDAPS port (default/standard 636), "Port SSL" setting will be ignored by Cacti (see trace/tcpdump)
Please email me proof that it's ignoring the port designation.

If so, I will fix it.

Thanks,
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Phytius
Posts: 5
Joined: Tue Jul 31, 2007 2:49 am

Post by Phytius »

Sorry, I forgot this yesterday:

In lib/ldap.php you will find

-- SNIP ---
if ($ldap_encryption == "1") {
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port;
$ldap_port = $ldap_port_ssl;
}else{
-- SNAP ---

It should be
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port_ssl;
or
$ldap_port = $ldap_port_ssl;
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port;
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Email me a patch, I will forget to come back here... :(
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Post Reply

Who is online

Users browsing this forum: No registered users and 7 guests