I previously had LDAP over SSL to AD authentication working and then I
installed the update which fixed bug #9858
(Bug #9858: CVE-2015-1816 - LDAP server SSL certificate not verified - Foreman). AFAIK, I've correctly
installed our CA but I'm still having no luck doing LDAP authentication.
Any ideas? This is what I'm getting from foreman:
So apparently I wasn't doing anything wrong. My organization disabled
SSLv2/v3/TLSv1 due to security concerns and was forcing TLSv1.2. The fix
implemented by the foreman devs in lib/ssl_context_monkey_patch.rb for
ensuring certificates are valid uses the default options for openssl. When
you go and check what those options are (through
/usr/share/ruby/1.8/openssl/ssl-internal.rb), you'll notice that the
default for ssl_version is "SSLv23" for interoperability reasons. In my
situation, that breaks things. So I thought that commenting that line out
and instead adding :ssl_version => TLSv1_2 would work.
While all of this sounded like a good idea, it became clear quite quickly
that changing the system default like that wasn't the best choice. Puppet
broke immediately as it didn't recognize TLS v1.2 (or 1.1 for that matter).
I then thought I could maybe change just that line of code in the
monkey_patch to support TLSv1.1 or TLSv1.2. Nope. Foreman didn't recognize
it as a valid ssl version.
In the end, just to get LDAP auth working again, I took out the
verification by changing line 8 in lib_ssl_context_monkey_patch.rb to
simply be "params = { :verify_mode => OpenSSL::SSL::VERIFY_NONE, }".
set_params then merges the default and whatever is entered. I feel like
there was probably some way of just adding this to a foreman config file
somewhere but I'm not a ruby dev and was tired of looking.
···
On 12-6-2015 22:33, aewig wrote:
> I previously had LDAP over SSL to AD authentication working and then I
> installed the update which fixed bug #9858
> (http://projects.theforeman.org/issues/9858). AFAIK, I've correctly
> installed our CA but I'm still having no luck doing LDAP
> authentication. Any ideas? This is what I'm getting from foreman:
> //
On my CentOS6 box, I put the cert I pulled from the above command into the
/etc/pki/tls/certs/ca-bundle.crt file. I also opened #10707
(Bug #10707: Add ability to specify ca_file - Foreman) to allow me to override that
bundle so I don't need to update the system bundle in the future.
···
On Monday, June 15, 2015 at 10:03:18 AM UTC-4, aewig wrote:
>
> So apparently I wasn't doing anything wrong. My organization disabled
> SSLv2/v3/TLSv1 due to security concerns and was forcing TLSv1.2. The fix
> implemented by the foreman devs in lib/ssl_context_monkey_patch.rb for
> ensuring certificates are valid uses the default options for openssl. When
> you go and check what those options are (through
> /usr/share/ruby/1.8/openssl/ssl-internal.rb), you'll notice that the
> default for ssl_version is "SSLv23" for interoperability reasons. In my
> situation, that breaks things. So I thought that commenting that line out
> and instead adding :ssl_version => TLSv1_2 would work.
>
> While all of this sounded like a good idea, it became clear quite quickly
> that changing the system default like that wasn't the best choice. Puppet
> broke immediately as it didn't recognize TLS v1.2 (or 1.1 for that matter).
>
> I then thought I could maybe change just that line of code in the
> monkey_patch to support TLSv1.1 or TLSv1.2. Nope. Foreman didn't recognize
> it as a valid ssl version.
>
> In the end, just to get LDAP auth working again, I took out the
> verification by changing line 8 in lib_ssl_context_monkey_patch.rb to
> simply be "params = { :verify_mode => OpenSSL::SSL::VERIFY_NONE, }".
> set_params then merges the default and whatever is entered. I feel like
> there was probably some way of just adding this to a foreman config file
> somewhere but I'm not a ruby dev and was tired of looking.
>
I'm not finding where I can make this change to a running Foreman 1.8.1
instance… Can someone help?
···
On Monday, June 15, 2015 at 9:03:18 AM UTC-5, aewig wrote:
>
> In the end, just to get LDAP auth working again, I took out the
> verification by changing line 8 in lib_ssl_context_monkey_patch.rb to
> simply be "params = { :verify_mode => OpenSSL::SSL::VERIFY_NONE, }".
> set_params then merges the default and whatever is entered. I feel like
> there was probably some way of just adding this to a foreman config file
> somewhere but I'm not a ruby dev and was tired of looking.
>
My issue turned out to be a not-deep-enough Base DN that was taking forever
for any action. Our AD is very large, on the order of hundreds of
thousands of containers. What I thought was a failure of some sort turned
out to be timeouts.
···
On Monday, June 15, 2015 at 8:49:20 AM UTC-5, lawre wrote:
>
> I too am getting this error after turning on LDAPS for the first time on
> Foreman 1.8.1.
>
Again, I'm running 1.7.5 so I just edited their patch. I think you would
change line 86 of app/models/auth_sources/auth_source_ldap.rb from
{ :method => :simple_tls, :tls_options => { :verify_mode => OpenSSL::SSL::
VERIFY_PEER } }
to
{ :method => :simple_tls, :tls_options => { :verify_mode => OpenSSL::SSL::
VERIFY_NONE } }
but I'm not a ruby dev and that would be a complete hack if it did work.
You might be better off trying to find out if there's a way to set
:verify_mode from a config file somewhere. Just my two cents.
···
On Monday, June 15, 2015 at 10:46:02 AM UTC-5, lawre wrote:
>
> I'm not finding where I can make this change to a running Foreman 1.8.1
> instance... Can someone help?
>
> On Monday, June 15, 2015 at 9:03:18 AM UTC-5, aewig wrote:
>>
>> In the end, just to get LDAP auth working again, I took out the
>> verification by changing line 8 in lib_ssl_context_monkey_patch.rb to
>> simply be "params = { :verify_mode => OpenSSL::SSL::VERIFY_NONE, }".
>> set_params then merges the default and whatever is entered. I feel like
>> there was probably some way of just adding this to a foreman config file
>> somewhere but I'm not a ruby dev and was tired of looking.
>>
>
