Ldap encryption problem
Moderators: Developers, Moderators
Ldap encryption problem
I am running cacti version 0.8.7b, on sles10, with ldap authentication enable which works. However when I enable TLS or SSL, I get the error messages “LDAP Search Error: Protocol error, unable to start TLS communications”
With encryption disabled ldap authentication works fine but does not work with encryption.
I am running php version 5.2.0, apache 2.2.8
Here is my cacti Ldap setting:
Server: 181.74.x.x
Port Standard: 389
Port SSL : 636
Protocol Version : 3
Encryption : TLS
Referrals : Enable
Mode : Anonymous Searching
Distinguished Name (DN) : o=aol
Search Base: o=aol
Search filter: (&(objectClass=posixAccount)(cn=<username>))
Search Distinguished Name (DN): o=aol
Unfortunately Encryption either by TLS or SSL does not work for me.
Can you help? Please.
With encryption disabled ldap authentication works fine but does not work with encryption.
I am running php version 5.2.0, apache 2.2.8
Here is my cacti Ldap setting:
Server: 181.74.x.x
Port Standard: 389
Port SSL : 636
Protocol Version : 3
Encryption : TLS
Referrals : Enable
Mode : Anonymous Searching
Distinguished Name (DN) : o=aol
Search Base: o=aol
Search filter: (&(objectClass=posixAccount)(cn=<username>))
Search Distinguished Name (DN): o=aol
Unfortunately Encryption either by TLS or SSL does not work for me.
Can you help? Please.
- TheWitness
- Developer
- Posts: 17047
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
Do you have the Open SSL modules installed? What does your Apache error_log indicate if anything?
TheWitness
TheWitness
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Oh my....
I barely got this to work when I implemented the code and never got it fully tested. I'm not 100% sure that the TLS/SSL works for php-ldap.
That being said, I will render as much assistance as I can on this issue, because I would like to see it working.
I barely got this to work when I implemented the code and never got it fully tested. I'm not 100% sure that the TLS/SSL works for php-ldap.
That being said, I will render as much assistance as I can on this issue, because I would like to see it working.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
I've run into the same issue with Novell LDAP and Cacti 0.8.7d all patched up running on W2k3. When using the TLS option I always get:
LDAP Error: Protocol error, unable to start TLS communications
With the encryption set to NONE, it authenticates fine every time, so we know the other settings are okay. The Novell admin won't leave non-encrypted connections enabled, so I have to get either TLS or SSL working. TLS seemed to be the easier option... and we use it for other services but I'll have to get past this error.
Any ideas? What kind of information may I provide to help hammer through the problem?
LDAP Error: Protocol error, unable to start TLS communications
With the encryption set to NONE, it authenticates fine every time, so we know the other settings are okay. The Novell admin won't leave non-encrypted connections enabled, so I have to get either TLS or SSL working. TLS seemed to be the easier option... and we use it for other services but I'll have to get past this error.
Any ideas? What kind of information may I provide to help hammer through the problem?
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Does SSL work on the standard port?
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
I got my LDAPS service today and played a while:
Cacti 0.8.7b, server SUSE Enterprise Server 9
* get public Root CA certificate and copy it to /etc/ssl/certs/
run "c_rehash"
(other distributions may use different directories and configuration files)
* check SSL using sth. like:
"openssl s_client -showcerts -connect server.test.domain:12345 -CApath /etc/ssl/certs/"
(non standard port 12345)
end of command output should look like this:
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 123(snip)
Session-ID-ctx:
Master-Key: 123 (snip)
Key-Arg : None
Start Time: 1240844427
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* in /etc/openldap/ldap.conf add
TLS_REQCERT allow
TLS_CACERTDIR /etc/ssl/certs
* check LDAPS (or let it be):
ldapsearch -x -H "server.test.domain:12345" -b "dc=company, dc=com" -D "uid=aUser,ou=something,ou=users,dc=com" -W "(&(|(objectClass=atestperson)(objectClass=atestaccount))(uid=ncc1701))
* configure cati:
set encryption to SSL (TLS not working in my environment)
overwrite "Port Standard = 382" setting with LDAPS port (default/standard 636), "Port SSL" setting will be ignored by Cacti (see trace/tcpdump)
* restart Apache
Cacti 0.8.7b, server SUSE Enterprise Server 9
* get public Root CA certificate and copy it to /etc/ssl/certs/
run "c_rehash"
(other distributions may use different directories and configuration files)
* check SSL using sth. like:
"openssl s_client -showcerts -connect server.test.domain:12345 -CApath /etc/ssl/certs/"
(non standard port 12345)
end of command output should look like this:
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 123(snip)
Session-ID-ctx:
Master-Key: 123 (snip)
Key-Arg : None
Start Time: 1240844427
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* in /etc/openldap/ldap.conf add
TLS_REQCERT allow
TLS_CACERTDIR /etc/ssl/certs
* check LDAPS (or let it be):
ldapsearch -x -H "server.test.domain:12345" -b "dc=company, dc=com" -D "uid=aUser,ou=something,ou=users,dc=com" -W "(&(|(objectClass=atestperson)(objectClass=atestaccount))(uid=ncc1701))
* configure cati:
set encryption to SSL (TLS not working in my environment)
overwrite "Port Standard = 382" setting with LDAPS port (default/standard 636), "Port SSL" setting will be ignored by Cacti (see trace/tcpdump)
* restart Apache
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Please email me proof that it's ignoring the port designation.Phytius wrote: * configure cati:
set encryption to SSL (TLS not working in my environment)
overwrite "Port Standard = 382" setting with LDAPS port (default/standard 636), "Port SSL" setting will be ignored by Cacti (see trace/tcpdump)
If so, I will fix it.
Thanks,
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Sorry, I forgot this yesterday:
In lib/ldap.php you will find
-- SNIP ---
if ($ldap_encryption == "1") {
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port;
$ldap_port = $ldap_port_ssl;
}else{
-- SNAP ---
It should be
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port_ssl;
or
$ldap_port = $ldap_port_ssl;
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port;
In lib/ldap.php you will find
-- SNIP ---
if ($ldap_encryption == "1") {
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port;
$ldap_port = $ldap_port_ssl;
}else{
-- SNAP ---
It should be
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port_ssl;
or
$ldap_port = $ldap_port_ssl;
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port;
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Email me a patch, I will forget to come back here...
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Who is online
Users browsing this forum: No registered users and 7 guests