LDAP ca-bundle ignored

I’ve just upgraded to 4.13.3 Community. We are using our own TLS CA for ldap authentication, as usual I’ve updated: .rccontrol-profile/etc/ca-bundle.crt

The rhodecode refuses to authenticate:

2018-10-22 09:27:28.350 ERROR [rhodecode.authentication.plugins.auth_ldap] Other exception
Traceback (most recent call last):
File “/opt/rhodecode/store/ipcj0gidz2w06h2aij7nygn728z5piyx-python2.7-rhodecode-enterprise-ce-4.13.3/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py”, line 464, in auth
(user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
File “/opt/rhodecode/store/ipcj0gidz2w06h2aij7nygn728z5piyx-python2.7-rhodecode-enterprise-ce-4.13.3/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py”, line 313, in authenticate_ldap
ldap_conn = self._get_ldap_conn()
File “/opt/rhodecode/store/ipcj0gidz2w06h2aij7nygn728z5piyx-python2.7-rhodecode-enterprise-ce-4.13.3/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py”, line 266, in _get_ldap_conn
File “/opt/rhodecode/store/cfkmkq6jm0h87fy7ffhf2lwxg22iv7ia-python2.7-python-ldap-3.1.0/lib/python2.7/site-packages/ldap/ldapobject.py”, line 864, in start_tls_s
return self._ldap_call(self._l.start_tls_s)
File “/opt/rhodecode/store/cfkmkq6jm0h87fy7ffhf2lwxg22iv7ia-python2.7-python-ldap-3.1.0/lib/python2.7/site-packages/ldap/ldapobject.py”, line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File “/opt/rhodecode/store/cfkmkq6jm0h87fy7ffhf2lwxg22iv7ia-python2.7-python-ldap-3.1.0/lib/python2.7/site-packages/ldap/ldapobject.py”, line 313, in _ldap_call
result = func(*args,**kwargs)
CONNECT_ERROR: {‘info’: u’error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)’, ‘desc’: u’Connect error’}

admin->settings->system info reports:

RhodeCode Certificate: /home/rhode/.rccontrol-profile/etc/ca-bundle.crt

I checked auth_ldap.py and saw that it was making reference to “/etc/openldap/cacerts”. We are running on Ubuntu 1604 server, I created ran the following as root:
mkdir /etc/openldap
ln -s /etc/ssl/certs /etc/openldap/cacerts

Rhodecode now accepts authentication requests, obviously I have the appropriate CA cert in the ssl/certs directory. I’m not entirely sure why .rccontrol-profile/etc/ca-bundle.crt is now ignored, is this a know issue?




Thanks for reporting this. It’s not a known issue. From what version you have upgraded ?

Might be that some things changed in ldap drivers that we haven’t noticed.


Previous version:

vcsserver/community 4.12.4

I noticed python-ldap has had a but of a bump:

There’s no notice about certificate behaviour change in python-ldap library.
Also based on the code::


This seems to not change between 4.12 and 4.13. This is odd…


I have the same problem since I upgraded from 4.12 to 4.13 a few months ago. Then I moved to 4.15 and 4.15.2 and the issue is still there.

I edited auth_ldap.py to disable the certificate request but that’s not a very elegant solution…

Since 4.15.X LDAP plugin has a new option to specify the Certificate directory or PEM file.

Have you tried to set this ?

It works, thanks a lot!