Tuesday, 23 October 2018

LDAP - ldapsearch and SSL - what fun

Having set up a new Microsoft Active Directory 2012 domain controller, I was testing the LDAP connectivity using the ldapsearch command before adding WebSphere Application Server (WAS) into the mix.

I ran this command: -

ldapsearch -h windows2012.uk.ibm.com -p 636 -b dc=uk,dc=ibm,dc=com -D cn=wasbind,dc=uk,dc=ibm,dc=com -w Ch1mn3y5! cn=wasbind

which resulted in this helpful response: -

ldap_result: Can't contact LDAP server (-1)

In order to double-check the connectivity, I ran a few basic tests: -

Trying 192.168.153.130...
Connected to windows2012.uk.ibm.com.
Escape character is '^]'.


openssl s_client -connect windows2012.uk.ibm.com:636 </dev/null

...
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-SHA384

...

Given that I'm using SSL/TLS, I tested ldapsearch using a non-SSL connection just to check ….

ldapsearch -h windows2012.uk.ibm.com -p 389 -b dc=uk,dc=ibm,dc=com -D CN=wasbind,CN=Users,DC=uk,DC=ibm,DC=com -w Ch1mn3y5! cn=wasbind

# wasbind, Users, uk.ibm.com
dn: CN=wasbind,CN=Users,DC=uk,DC=ibm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: wasbind
givenName: wasbind


so the problem is SSL/TLS ….

I'd also noted that I was using the old syntax for ldapsearch in the way that I was specifying the hostname and port.

Both the -h and -p switches have been deprecated in favour of the -H switch: -

man ldapsearch

       -H ldapuri
              Specify URI(s) referring to the ldap server(s); a list of URI, separated by whitespace or commas is expected; only the protocol/host/port fields are allowed.  As an  exception,
              if  no  host/port  is  specified, but a DN is, the DN is used to look up the corresponding host(s) using the DNS SRV records, according to RFC 2782.  The DN must be a non-empty
              sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396.

       -h ldaphost
              Specify an alternate host on which the ldap server is running.  Deprecated in favor of -H.

       -p ldapport
              Specify an alternate TCP port where the ldap server is listening.  Deprecated in favor of -H.

...

So I tried the new syntax: -

ldapsearch -H ldaps://windows2012.uk.ibm.com:636 -b dc=uk,dc=ibm,dc=com -D cn=wasbind,cn=users,dc=uk,dc=ibm,dc=com -w Ch1mn3y5! cn=wasbind

which returned the same thing: -

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

so I added a bit of the old debug: -

ldapsearch -Z -H ldaps://windows2012.uk.ibm.com:636 -b dc=uk,dc=ibm,dc=com -D cn=wasbind,cn=users,dc=uk,dc=ibm,dc=com -w Ch1mn3y5! cn=wasbind

which was more insightful: -

ldap_start_tls: Can't contact LDAP server (-1)
additional info: SSLHandshake() failed: misc. bad certificate (-9825)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


This led me here: -



I tried this: -

export LDAPTLS_REQCERT=never

and then: -

ldapsearch -Z -H ldaps://windows2012.uk.ibm.com:636 -b dc=uk,dc=ibm,dc=com -D cn=wasbind,cn=users,dc=uk,dc=ibm,dc=com -w Ch1mn3y5! cn=wasbind

# wasbind, Users, uk.ibm.com
dn: CN=wasbind,CN=Users,DC=uk,DC=ibm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: wasbind
givenName: wasbind
distinguishedName: CN=wasbind,CN=Users,DC=uk,DC=ibm,DC=com


Hurrah!
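The fix above works by switching server certificate verification off, which is worth seeing side by side with the alternative. The script below is an added example, not part of the original post: it uses only the openssl command line (no LDAP server needed) to reproduce the "bad certificate" handshake failure with a throwaway self-signed server certificate, then shows what the two client settings amount to. An unverified handshake is what LDAPTLS_REQCERT=never gives you; a handshake that is aborted unless the chain verifies against a CA file is what the default TLS_REQCERT=demand does once the issuing certificate is supplied via LDAPTLS_CACERT (or TLS_CACERT in ldap.conf) with the OpenLDAP client libraries. The hostname ldap.example.test, the local port 44636 and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduces the "bad certificate"
# handshake failure with a self-signed server certificate and contrasts
# LDAPTLS_REQCERT=never (verification off) with trusting the issuer
# (LDAPTLS_CACERT / TLS_CACERT in ldap.conf). Uses openssl only.
# Constructed values: hostname ldap.example.test, local port 44636.
set -u

WORK=$(mktemp -d)
PORT=44636                       # assumption: this local port is free
SERVER_PID=

cleanup() {
  if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null; fi
  rm -rf "$WORK"
}
trap cleanup EXIT

# new_selfsigned NAME OUTPREFIX: a self-signed certificate plus key, standing in
# for a domain controller certificate whose issuer the client has never seen.
new_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# start_server: a bare TLS listener presenting the "domain controller" cert
# (-www keeps s_server off stdin so it runs cleanly in the background).
start_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/dc.crt" -key "$WORK/dc.key" \
    -www >/dev/null 2>&1 &
  SERVER_PID=$!
  n=0                              # wait until the listener answers
  while [ "$n" -lt 10 ]; do
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && return 0
    n=$((n + 1)); sleep 1
  done
  return 1
}

# tls_check MODE [CAFILE]: 0 if the handshake is accepted, 1 if it is aborted.
#   never  - LDAPTLS_REQCERT=never: any certificate is accepted, the verify
#            result is ignored (s_client's default behaviour)
#   demand - TLS_REQCERT=demand: the chain must verify against CAFILE, the
#            file LDAPTLS_CACERT points at, or the handshake is aborted
tls_check() {
  case "$1" in
    never)  openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 ;;
    demand) openssl s_client -connect "127.0.0.1:$PORT" -verify_return_error \
              -CAfile "$2" </dev/null >/dev/null 2>&1 ;;
    *)      return 2 ;;
  esac
}

# fetch_chain HOST PORT OUT: save the certificates the server presents, PEM
# encoded, so they can be inspected and, once confirmed out of band, trusted.
fetch_chain() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
  [ -s "$3" ]
}

# sha256_fingerprint FILE: the value to compare with what the AD admin quotes
# before the fetched certificate is trusted.
sha256_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

new_selfsigned ldap.example.test "$WORK/dc"        # the "domain controller"
new_selfsigned unrelated-ca      "$WORK/other"     # a CA that did not issue it
start_server || { echo "listener did not start"; exit 1; }

tls_check never && echo "REQCERT=never      : accepted, certificate unchecked"
tls_check demand "$WORK/other.crt" \
  || echo "demand, wrong CA   : aborted (the post's 'bad certificate')"
fetch_chain 127.0.0.1 "$PORT" "$WORK/fetched.pem"
echo "server fingerprint : $(sha256_fingerprint "$WORK/fetched.pem")"
tls_check demand "$WORK/fetched.pem" \
  && echo "demand, CA trusted : accepted and verified"
```

The point of the "wrong CA" case is that the -9825 failure in the post is the client doing its job: it could not build a chain from the domain controller's certificate to anything it trusts. With LDAPTLS_REQCERT=never the bind still succeeds, but the client will also bind, and send the wasbind password, to anything that answers on port 636 with any certificate at all. The persistent equivalent of the CA-file run is TLS_CACERT (and TLS_REQCERT demand) in /etc/ldap/ldap.conf or ~/.ldaprc, pointing at the CA that issued the domain controller's certificate, after its fingerprint has been checked against what the AD side quotes. As a side note on the post's diagnostic step, -Z requests StartTLS rather than extra logging; its value here was that the failure was reported with the underlying TLS error attached.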

2 comments:

Anonymous said...

Great post! I've been struggling with the same issue, and after reading & setting the environmental value, it's working fine! Just wanted to see - I believe the default of ldapsearch requires mTLS, correct?

Dave Hay said...

Hi Unknown

If, by "mTLS", you mean mutual TLS ( aka client authentication or mutual authentication ), then no, there's no automatic requirement.

I'm not familiar with a scenario where this'd be required - perhaps one where the end-user presents a client certificate, instead of user/password, to access the LDAP server but #shrug

For reference, when one installs ldapsearch on, say, Ubuntu, there are a bunch of SSL/TLS packages that are also installed: -

apt-get update && apt-get install -y ldap-utils

Hit:1 http://ppa.launchpad.net/ansible/ansible/ubuntu bionic InRelease
Hit:2 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:3 http://ppa.launchpad.net/git-core/ppa/ubuntu bionic InRelease
Hit:4 https://storage.googleapis.com/bazel-apt stable InRelease
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:6 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Get:7 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Fetched 163 kB in 2s (85.3 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libldap-2.4-2 libldap-common
Suggested packages:
libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
The following NEW packages will be installed:
ldap-utils
The following packages will be upgraded:
libldap-2.4-2 libldap-common
2 upgraded, 1 newly installed, 0 to remove and 20 not upgraded.
Need to get 294 kB of archives.
After this operation, 703 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-common all 2.4.45+dfsg-1ubuntu1.10 [15.8 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-2.4-2 amd64 2.4.45+dfsg-1ubuntu1.10 [154 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 ldap-utils amd64 2.4.45+dfsg-1ubuntu1.10 [124 kB]
Fetched 294 kB in 1s (426 kB/s)
(Reading database ... 175160 files and directories currently installed.)
Preparing to unpack .../libldap-common_2.4.45+dfsg-1ubuntu1.10_all.deb ...
Unpacking libldap-common (2.4.45+dfsg-1ubuntu1.10) over (2.4.45+dfsg-1ubuntu1.9) ...
Preparing to unpack .../libldap-2.4-2_2.4.45+dfsg-1ubuntu1.10_amd64.deb ...
Unpacking libldap-2.4-2:amd64 (2.4.45+dfsg-1ubuntu1.10) over (2.4.45+dfsg-1ubuntu1.9) ...
Selecting previously unselected package ldap-utils.
Preparing to unpack .../ldap-utils_2.4.45+dfsg-1ubuntu1.10_amd64.deb ...
Unpacking ldap-utils (2.4.45+dfsg-1ubuntu1.10) ...
Setting up libldap-common (2.4.45+dfsg-1ubuntu1.10) ...
Setting up libldap-2.4-2:amd64 (2.4.45+dfsg-1ubuntu1.10) ...
Setting up ldap-utils (2.4.45+dfsg-1ubuntu1.10) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1.4) ...
