LDAP ca-bundle ignored

zzxtty · October 22, 2018, 10:11am

I’ve just upgraded to 4.13.3 Community. We are using our own TLS CA for ldap authentication, as usual I’ve updated: .rccontrol-profile/etc/ca-bundle.crt

The rhodecode refuses to authenticate:

2018-10-22 09:27:28.350 ERROR [rhodecode.authentication.plugins.auth_ldap] Other exception
Traceback (most recent call last):
File “/opt/rhodecode/store/ipcj0gidz2w06h2aij7nygn728z5piyx-python2.7-rhodecode-enterprise-ce-4.13.3/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py”, line 464, in auth
(user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
File “/opt/rhodecode/store/ipcj0gidz2w06h2aij7nygn728z5piyx-python2.7-rhodecode-enterprise-ce-4.13.3/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py”, line 313, in authenticate_ldap
ldap_conn = self._get_ldap_conn()
File “/opt/rhodecode/store/ipcj0gidz2w06h2aij7nygn728z5piyx-python2.7-rhodecode-enterprise-ce-4.13.3/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py”, line 266, in _get_ldap_conn
ldap_conn.start_tls_s()
File “/opt/rhodecode/store/cfkmkq6jm0h87fy7ffhf2lwxg22iv7ia-python2.7-python-ldap-3.1.0/lib/python2.7/site-packages/ldap/ldapobject.py”, line 864, in start_tls_s
return self._ldap_call(self._l.start_tls_s)
File “/opt/rhodecode/store/cfkmkq6jm0h87fy7ffhf2lwxg22iv7ia-python2.7-python-ldap-3.1.0/lib/python2.7/site-packages/ldap/ldapobject.py”, line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File “/opt/rhodecode/store/cfkmkq6jm0h87fy7ffhf2lwxg22iv7ia-python2.7-python-ldap-3.1.0/lib/python2.7/site-packages/ldap/ldapobject.py”, line 313, in _ldap_call
result = func(*args,**kwargs)
CONNECT_ERROR: {‘info’: u’error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)’, ‘desc’: u’Connect error’}

admin->settings->system info reports:

RhodeCode Certificate: /home/rhode/.rccontrol-profile/etc/ca-bundle.crt

I checked auth_ldap.py and saw that it was making reference to “/etc/openldap/cacerts”. We are running on Ubuntu 1604 server, I created ran the following as root:
mkdir /etc/openldap
ln -s /etc/ssl/certs /etc/openldap/cacerts

Rhodecode now accepts authentication requests, obviously I have the appropriate CA cert in the ssl/certs directory. I’m not entirely sure why .rccontrol-profile/etc/ca-bundle.crt is now ignored, is this a know issue?

Tnks,

C

rhodecode-support · October 22, 2018, 10:47am

Hi,

Thanks for reporting this. It’s not a known issue. From what version you have upgraded ?

Might be that some things changed in ldap drivers that we haven’t noticed.

Best,

zzxtty · October 22, 2018, 11:28am

Previous version:

vcsserver/community 4.12.4
rhodecode-control-1.18.0

I noticed python-ldap has had a but of a bump:
python2.7-python-ldap-3.1.0
python2.7-python-ldap-2.4.45

rhodecode-support · October 22, 2018, 11:46am

There’s no notice about certificate behaviour change in python-ldap library.
Also based on the code::

https://code.rhodecode.com/rhodecode-enterprise-ce/files/59b28fe5e1537b44b6be2a8c706f64a8f7af0e6f/rhodecode/authentication/plugins/auth_ldap.py#L243-247

This seems to not change between 4.12 and 4.13. This is odd…

bbasic · February 6, 2019, 4:25pm

Hi,

I have the same problem since I upgraded from 4.12 to 4.13 a few months ago. Then I moved to 4.15 and 4.15.2 and the issue is still there.

I edited auth_ldap.py to disable the certificate request but that’s not a very elegant solution…

rhodecode-support · February 7, 2019, 7:46am

Since 4.15.X LDAP plugin has a new option to specify the Certificate directory or PEM file.

Have you tried to set this ?

bbasic · February 7, 2019, 11:42am

It works, thanks a lot!