LDAP Authentication fails

Added by Julian Gassner about 1 year ago

Hello,

I am currently experiencing problems with my Redmine LDAP authentication. When trying to log in I get a 500 internal error and the log states that the certificate is a mismatch:

Net::LDAP::Error (hostname "[LDAP-Server-IP]" does not match the server certificate)

A bit of Background from my Situation:
The company I work for uses a Redmine installation which runs within a VM and is available via DOMAIN/redmine. During an update process I have now installed Redmine locally on the server and plan to make it available via redmine.OTHER_DOMAIN. Installing Redmine with PostgreSQL went well. Migrating the database with pg_dump and pg_restore also worked. I have tested the new installation with Apache under DOMAIN/redmine and it worked (I could log in and see everything I am used to seeing, without errors in the logs). Last but not least I set up the new DHCP entry for Redmine to be available via redmine.OTHER_DOMAIN. This is where the trouble begins. When I attempt to log in now I get the above described error.
I am totally new to this so I may be overlooking something fairly obvious. I have tried to do my due diligence but had a hard time finding something. Maybe I am looking in the wrong places. I would be happy for any pointers in the right direction.

I am experiencing this on a Debian server.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.2 (stretch)
Release:        9.2
Codename:       stretch
  • Postgresql 9.6
  • Ruby 2.3.3
  • Rails 4.2.7.1
  • Redmine 3.3.1-4 (installed with apt)
  • plugins
    • redmine_agile
    • clipboard_image_paste

The web service is running on apache2 (2.4.25) and passenger 5.0.30.

Full log from login process:

Started GET "/" for XXX.XXX.XXX.XXX at 2017-12-20 09:38:11 +0100
Processing by WelcomeController#index as HTML
  Current user: anonymous
Redirected to https://redmine.DOMAIN/login?back_url=https%3A%2F%2Fredmine.DOMAIN%2F
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 6ms (ActiveRecord: 1.4ms)
Started GET "/login?back_url=https%3A%2F%2Fredmine.DOMAIN%2F" for XXX.XXX.XXX.XXX at 2017-12-20 09:38:11 +0100
Processing by AccountController#login as HTML
  Parameters: {"back_url"=>"https://redmine.DOMAIN/"}
  Current user: anonymous
  Rendered account/login.html.erb within layouts/base (31.7ms)
  Rendered plugins/clipboard_image_paste/app/views/clipboard_image_paste/_headers.html.erb (1.1ms)
  Rendered plugins/clipboard_image_paste/app/views/clipboard_image_paste/_add_form.html.erb (3.6ms)
Completed 200 OK in 50ms (Views: 47.4ms | ActiveRecord: 0.9ms)
Started POST "/login" for XXX.XXX.XXX.XXX at 2017-12-20 09:38:24 +0100
Processing by AccountController#login as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "back_url"=>"https://redmine.DOMAIN/", "username"=>"XXXXX", "password"=>"[FILTERED]", "login"=>"Anmelden »"}
  Current user: anonymous
Completed 500 Internal Server Error in 16ms (ActiveRecord: 2.2ms)

Net::LDAP::Error (hostname "[LDAP-Server-IP]" does not match the server certificate):
  app/models/auth_source_ldap.rb:190:in `get_user_dn'
  app/models/auth_source_ldap.rb:49:in `block in authenticate'
  app/models/auth_source_ldap.rb:110:in `block in with_timeout'
  app/models/auth_source_ldap.rb:109:in `with_timeout'
  app/models/auth_source_ldap.rb:48:in `authenticate'
  app/models/user.rb:317:in `check_password?'
  app/models/user.rb:223:in `try_to_login'
  app/controllers/account_controller.rb:196:in `password_authentication'
  app/controllers/account_controller.rb:191:in `authenticate_user'
  app/controllers/account_controller.rb:40:in `login'
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'


About my environment:
$ /usr/share/redmine/bin/about

sh: 1: darcs: not found
sh: 1: hg: not found
sh: 1: cvs: not found
sh: 1: bzr: not found
Environment:
  Redmine version                3.3.1.stable
  Ruby version                   2.3.3-p222 (2016-11-21) [x86_64-linux-gnu]
  Rails version                  4.2.10
  Environment                    production
  Database adapter               PostgreSQL
SCM:
  Subversion                     1.9.5
  Git                            2.11.0
  Filesystem
Redmine plugins:
  clipboard_image_paste          1.12
  redmine_agile                  1.4.5
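The message in the stack trace above is the one Ruby's OpenSSL binding raises from post_connection_check when the host the client connected to does not match any name in the server certificate: for a DNS name it looks at the certificate's DNS subjectAltName entries (or the CN when there is no SAN), for an address it looks only at IP subjectAltName entries. An auth source configured with the LDAP server's IP will therefore fail against a certificate that carries only DNS names, even when the certificate is otherwise valid. The following script is an added example, not code from this thread or from Redmine or net-ldap: it builds a throwaway self-signed certificate (constructed test data; ldap.example.com and 192.0.2.10 are placeholders) and runs the same identity check, so you can see which configured host values a given certificate would accept.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate whose subjectAltName is the given
# OpenSSL SAN string, e.g. "DNS:ldap.example.com" or
# "DNS:ldap.example.com,IP:192.0.2.10". Constructed test data only; it stands
# in for whatever certificate the real LDAP server presents.
def build_test_cert(san)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=ldap-test')
  cert.issuer = cert.subject                         # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The names a client is allowed to connect as: the SAN extension as OpenSSL
# renders it (e.g. "DNS:ldap.example.com, IP Address:192.0.2.10"), falling
# back to the subject when the certificate has no SAN at all.
def cert_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext ? ext.value : cert.subject.to_s
end

# The identity check OpenSSL's Ruby binding performs after the TLS handshake:
# a DNS name must match a DNS SAN (or the CN if there is no SAN), an IP
# address must match an IP SAN. A false result here is what becomes
# 'hostname "..." does not match the server certificate' in the Redmine log.
def host_matches_cert?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $PROGRAM_NAME
  cert = build_test_cert('DNS:ldap.example.com')
  puts "certificate names: #{cert_names(cert)}"
  %w[ldap.example.com 192.0.2.10].each do |host|
    puts "#{host.ljust(18)} -> #{host_matches_cert?(cert, host) ? 'match' : 'MISMATCH'}"
  end
end
```

The two durable fixes follow from the check: either configure the auth source's host as a DNS name that appears in the certificate's SAN, or have the certificate reissued with an IP subjectAltName if the server really must be addressed by IP. Turning certificate verification off would also silence the error, but it leaves the bind credentials exposed to anyone who can interpose on the LDAP connection.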

Replies (6)

RE: LDAP Authentication fails - Added by Mr Redmine about 1 year ago

What version of net-ldap are you running? I had the same problem with 0.16.1, but I went back to 0.12.1 and it worked again.

RE: LDAP Authentication fails - Added by Julian Gassner about 1 year ago

Mr Redmine wrote:

What version of net-ldap are you running? I had the same problem with 0.16.1, but I went back to 0.12.1 and it worked again.

Thanks for your reply!

$ dpkg -l *net-ldap returns:

||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  ruby-net-ldap  0.12.1-2     all          LDAP client library for Ruby

So I think I should already be running the right version? I have tested the installation with ruby-net-ldap 0.12.1 under the old domain name and it works. My only guess is that it has something to do with the changed domain name. But I can't quite work out what to tweak to make it work.

RE: LDAP Authentication fails - Added by Siddharth Kaul about 1 year ago

Did you figure out any working tweak?

I had somewhat similar problem.

This is what I did that worked. Maybe you can try it out and see whether this works for you as well. So the domain controller that I was working with had an outdated certificate.

So I got the list of all the domain controllers.

nslookup

Then I typed the following:

_ldap._tcp.dc._msdcs.domain_name.domain.com

I got the entire list of domain controllers in my organization. I used another one from this list, which had the proper certificate, and it worked.

This was a lucky break for me, hopefully this will be for you as well.

RE: LDAP Authentication fails - Added by Sukhorukova Jones 4 months ago

Verifying the Bind Account and Settings

1. Navigate to Users | Settings | Configure LDAP.
2. On the Settings Tab verify the following information:
Name or IP Address: This must point to the LDAP server directly. If necessary, verify that the SonicWall can resolve the server's DNS name, or simply use an IP address.
Port Number: By default this is set to 389 (LDAP) but can be set to 636 (LDAP over TLS). Use 389 when troubleshooting to establish baseline functionality.
Server Timeout: Set to 10 seconds by default. If the LDAP server is reached over a VPN, MPLS, or a routed network, consider increasing this value.
Anonymous Login / Login Name / Bind Distinguished Name: The Login Name / Distinguished Name can be any user but is case sensitive.


RE: LDAP Authentication fails - Added by Julian Gassner 4 months ago

Sorry for not replying, but I have been on leave for the better part of this year and have not been involved in this project anymore. What I was able to find out is that the installation was moved to a different (fresh) virtualized server in the same network, which apparently made the LDAP authentication work. So my best guess here is that there was some kind of configuration (maybe firewall/proxy settings) that I did not find causing the problem.
Unfortunately I do not have access to the infrastructure anymore, so I won't be able to verify.
Sorry that I can't be of more help.

RE: LDAP Authentication fails - Added by rajiv shukla 3 months ago

Please help me, I have the same problem. If anyone has found the solution, kindly help me. When trying to log in I get a 500 internal error and the log states that the certificate is a mismatch.
