LDAPS fails to contact server (LDAP works)

Hi

I tried to switch from plaintext LDAP to LDAPS with the following config:

[LDAP]
HOST = ldaps://dc02.example.com:636/
#old
#HOST = ldap://dc02.example.com/
BASE = OU=1_All_Users,DC=example,DC=com
USER_DN = seafile_admin@example.com
PASSWORD = XXXXXX
LOGIN_ATTR = userPrincipalName

However the login fails with a very unspecific error message in the ccnet log:

[02/24/20 15:13:31] user-mgr.c(300): ldap_bind failed for user xxxx: Can't contact LDAP server.
[02/24/20 15:13:31] user-mgr.c(385): Please check USER_DN and PASSWORD settings.
[02/24/20 15:13:31] user-mgr.c(300): ldap_bind failed for user xxxx: Can't contact LDAP server.
[02/24/20 15:13:31] user-mgr.c(385): Please check USER_DN and PASSWORD settings.

SELinux is not blocking any connections (tested with permissive mode). LDAPSearch with LDAP from the same host works flawlessly:

[root@hostname conf]# /usr/bin/ldapsearch -H ldaps[url]:636 -D ldapuser -W -b "OU=1_All_Users,DC=x,DC=x" -s base
Enter LDAP Password:
#extended LDIF

#LDAPv3
#base <OU=1_All_Users,DC=x,DC=x> with scope baseObject
#filter: (objectclass=*)
#requesting: ALL

#1_All_Users, x
dn: OU=1_All_Users,DC=x,DC=x
objectClass: top
objectClass: organizationalUnit
ou: 1_All_Users
distinguishedName: OU=1_All_Users,DC=x,DC=x
instanceType: 4
whenCreated: 20160301133305.0Z
whenChanged: 20180320155404.0Z
uSNCreated: 16577
uSNChanged: 16577
name: 1_All_Users
objectGUID:: /CCpY23SIEeZ2qc4p5lGVA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC
=com
dSCorePropagationData: 20190826102818.0Z
dSCorePropagationData: 20190826102818.0Z
dSCorePropagationData: 20190826102818.0Z
dSCorePropagationData: 16010101181632.0Z

#search result
search: 2
result: 0 Success

#numResponses: 2
#numEntries: 1

The CA cert is imported into the systemwide certificate store (via /etc/pki/ca-trust/source/anchors/) and is marked as valid when I run openssl s_client -connect. OpenSSL version installed:

Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.2k
Release : 19.el7
Size : 814 k
Repo : installed
From repo : base

OS is: CentOS Linux release 7.7.1908
Seafile version: 7.0.5

I’d like to mention that my LDAP Server is MS AD on Windows Server 2016. LDAPS is necessary due to the upcoming disabling of the plain-text LDAP protocol.

I can confirm this problem. Same error in ccnet.log, ldapsearch is working, CA-Certificate is in place, openssl client connect test is working.

I’m running Seafile Server 7.0.5 on Ubuntu 18.04

Hi!

Did you move the libraries as described in the manual at the end of this page: https://download.seafile.com/published/seafile-manual/deploy/using_ldap.md?

Regards,
Daniel

Hi Daniel

According to the manual I don't have to because I'm using CentOS 7:

The current version of Seafile Linux server package is compiled on CentOS
But since different Linux distributions have different path or configuration for OpenSSL library, sometimes Seafile is unable to connect to the directory server with TLS.

I assumed I wouldn't have to move the libraries because I'm not using a different Linux distribution.

Should I move it?

Regards,
Andrin

We use seafile on Scientific Linux 7 with an openldap server. ldaps is no problem. The only difference is, that our CA certificates are stored under /etc/pki/tls/certs.

My CA certificate is included in /etc/pki/tls/certs/ca-bundle.crt. Did you have to move the libraries for it to work?

No, but we always create symbolic links to the hash of the certificate:

# cd /etc/pki/tls/certs
# openssl x509 -hash -in rootcert.pem -noout
12ab34cd
# ln -s rootcert.pem 12ab34cd.0

I followed the official Red Hat Documentation for installing the Certificate: How to install a CA certificate on Red Hat Enterprise Linux 6 - Red Hat Customer Portal

OpenSSL verifies the certificate if I manually copy it:

openssl verify /tmp/testcert.crt
/tmp/testcert.crt: OK

I don’t really think that the CA is not trusted since the log says it can’t connect.

However, I tested your symlink, which did not result in any changes (the error message stayed the same):

cd /etc/pki/tls/certs
openssl x509 -hash -in /etc/pki/ca-trust/source/anchors/ca.pem -noout
ln -s /etc/pki/ca-trust/source/anchors/ca.pem e1e66c66.0

Moving the library solves the issue:

cd seafile-server-latest/seafile/lib
mkdir disabled_libs_use_local_ones_instead
mv libnssutil3.so disabled_libs_use_local_ones_instead/
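Two checks that reproduce the thread's diagnosis, as added example code that is not from the thread or from Seafile: the OpenSSL subject-hash symlink step from the earlier reply, and a listing of libraries bundled under seafile-server-latest/seafile/lib that shadow the distribution's own copies (the libnssutil3.so case above). All paths and the certificate subject are assumptions.

```shell
#!/bin/sh
# Added diagnostic helpers, not Seafile's own code. Assumes openssl is
# installed; directories are passed as arguments so nothing is hard-coded.
set -eu

# Hash-symlink step from the thread: OpenSSL's -CApath lookup finds a CA by
# <subject_hash>.0, so a CA copied into /etc/pki/tls/certs without that link
# is invisible to any client that relies on CApath alone.
# Usage: install_ca_link <ca.pem> <certs-dir>; prints the link name created.
install_ca_link() {
    ca=$1; dir=$2
    hash=$(openssl x509 -hash -noout -in "$ca")   # same value as -subject_hash
    ln -sf "$(readlink -f "$ca")" "$dir/$hash.0"
    echo "$hash.0"
}

# Confirm a certificate is found through the hash link rather than through
# the default bundle. Prints OK or FAIL.
verify_via_capath() {
    cert=$1; dir=$2
    if openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Second cause from the thread: .so files bundled with the Seafile package
# are loaded in preference to the system ones, so ccnet ends up on a
# different NSS/OpenSSL stack than ldapsearch. Print each bundled library
# name that also exists in one of the given system lib directories.
# Usage: shadowed_libs <bundled-dir> <system-dir>...
shadowed_libs() {
    bundled=$1; shift
    for f in "$bundled"/*.so*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        for sysdir in "$@"; do
            if [ -e "$sysdir/$name" ]; then echo "$name"; break; fi
        done
    done
}
```

On a real host, run shadowed_libs against seafile-server-latest/seafile/lib and /usr/lib64 (or /usr/lib/x86_64-linux-gnu on Ubuntu); every name it prints is a candidate for the "disabled_libs" move shown above.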

Apologies for reopening this ticket.

I have found the same issue, unfortunately, the solution is not working for me.

System: CentOS 7.7

Ccnet.conf below:
[LDAP]
HOST = ldap://dc2.org/
BASE = OU=OU1,OU=OU,dc=org,dc=org;OU=OU2,dc=org,dc=org
USER_DN = adminaccount
PASSWORD = adminpassword
LOGIN_ATTR = userPrincipalName

[LDAP_SYNC]
ENABLE_GROUP_SYNC = true
GROUP_OBJECT_CLASS = group
ROLE_NAME_ATTR = title
ENABLE_USER_SYNC = true
ACTIVATE_USER_WHEN_IMPORT = true
DEACTIVE_USER_IF_NOTFOUND = true
SYNC_INTERVAL = 60
USER_OBJECT_CLASS = person
ENABLE_EXTRA_USER_INFO_SYNC = true
FIRST_NAME_ATTR = givenName
LAST_NAME_ATTR = sn
USER_NAME_REVERSE = true
UID_ATTR = sAMAccountName

Lib folder below:
ls libnspr4.so
Display all 106 possibilities? (y or n)

I am not finding libnssutil3.so file :frowning:

The LDAP accounts import into Seafile successfully, but LDAP users cannot log on; ccnet log below:
[03/12/20 00:13:36] user-mgr.c(1506): Cannot find user aaaa in LDAP.
[03/12/20 00:15:12] user-mgr.c(1506): Cannot find user aaaa in LDAP.

Seeking your help.

Appreciated.

Lester

Hi Lester

Are you sure this is the same issue? Seems you are using plaintext LDAP.
My LDAP worked, just encrypted LDAPS didn’t work.

Regards,
Andrin