LDAP Authentication fails

Added by Julian Gassner almost 2 years ago

Hello,

I am currently experiencing problems with my Redmine LDAP authentication. When trying to log in I get a 500 internal error and the log states that the certificate is a mismatch:

Net::LDAP::Error (hostname "[LDAP-Server-IP]" does not match the server certificate)

A bit of Background from my Situation:
The company I work for uses a Redmine installation which runs within a VM and is available via DOMAIN/redmine. During an update process I have now installed Redmine locally on the server and plan to make it available via redmine.OTHER_DOMAIN. Installing Redmine with PostgreSQL went well. Migrating the database with pg_dump and pg_restore also worked. I have tested the new installation with Apache under DOMAIN/redmine and it worked (I could log in and see everything I am used to seeing, without errors in the logs). Last but not least I set up the new DHCP entry for Redmine to be available via redmine.OTHER_DOMAIN. This is where the trouble begins. When I attempt to log in now I get the above described error.
I am totally new to this so I may be overlooking something fairly obvious. I have tried to do my due diligence but had a hard time finding something. Maybe I am looking in the wrong places. I would be happy for any pointers in the right direction.

I am experiencing this on a Debian server.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.2 (stretch)
Release:        9.2
Codename:       stretch
  • Postgresql 9.6
  • Ruby 2.3.3
  • Rails 4.2.7.1
  • Redmine 3.3.1-4 (installed with apt)
  • plugins
    • redmine_agile
    • clipboard_image_paste

The web service is running on apache2 (2.4.25) and passenger 5.0.30.

Full log from login process:

Started GET "/" for XXX.XXX.XXX.XXX at 2017-12-20 09:38:11 +0100
Processing by WelcomeController#index as HTML
  Current user: anonymous
Redirected to https://redmine.DOMAIN/login?back_url=https%3A%2F%2Fredmine.DOMAIN%2F
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 6ms (ActiveRecord: 1.4ms)
Started GET "/login?back_url=https%3A%2F%2Fredmine.DOMAIN%2F" for XXX.XXX.XXX.XXX at 2017-12-20 09:38:11 +0100
Processing by AccountController#login as HTML
  Parameters: {"back_url"=>"https://redmine.DOMAIN/"}
  Current user: anonymous
  Rendered account/login.html.erb within layouts/base (31.7ms)
  Rendered plugins/clipboard_image_paste/app/views/clipboard_image_paste/_headers.html.erb (1.1ms)
  Rendered plugins/clipboard_image_paste/app/views/clipboard_image_paste/_add_form.html.erb (3.6ms)
Completed 200 OK in 50ms (Views: 47.4ms | ActiveRecord: 0.9ms)
Started POST "/login" for XXX.XXX.XXX.XXX at 2017-12-20 09:38:24 +0100
Processing by AccountController#login as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "back_url"=>"https://redmine.DOMAIN/", "username"=>"XXXXX", "password"=>"[FILTERED]", "login"=>"Anmelden »"}
  Current user: anonymous
Completed 500 Internal Server Error in 16ms (ActiveRecord: 2.2ms)

Net::LDAP::Error (hostname "[LDAP-Server-IP]" does not match the server certificate):
  app/models/auth_source_ldap.rb:190:in `get_user_dn'
  app/models/auth_source_ldap.rb:49:in `block in authenticate'
  app/models/auth_source_ldap.rb:110:in `block in with_timeout'
  app/models/auth_source_ldap.rb:109:in `with_timeout'
  app/models/auth_source_ldap.rb:48:in `authenticate'
  app/models/user.rb:317:in `check_password?'
  app/models/user.rb:223:in `try_to_login'
  app/controllers/account_controller.rb:196:in `password_authentication'
  app/controllers/account_controller.rb:191:in `authenticate_user'
  app/controllers/account_controller.rb:40:in `login'
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'

About my environment:
$ /usr/share/redmine/bin/about

sh: 1: darcs: not found
sh: 1: hg: not found
sh: 1: cvs: not found
sh: 1: bzr: not found
Environment:
  Redmine version                3.3.1.stable
  Ruby version                   2.3.3-p222 (2016-11-21) [x86_64-linux-gnu]
  Rails version                  4.2.10
  Environment                    production
  Database adapter               PostgreSQL
SCM:
  Subversion                     1.9.5
  Git                            2.11.0
  Filesystem
Redmine plugins:
  clipboard_image_paste          1.12
  redmine_agile                  1.4.5

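The error in the post above comes from OpenSSL's identity check during the TLS handshake: the value in Redmine's LDAP "Host" field (here an IP address) is compared against the certificate's subjectAltName entries, and an IP passes only if the certificate carries a matching iPAddress SAN. The following Ruby script is an added example, not code from the thread or from Redmine: it builds a constructed self-signed certificate and reports which candidate Host values the check accepts, so the mismatch can be diagnosed by correcting the Host field rather than by disabling verification. All names and addresses in it are constructed.

```ruby
require 'openssl'
require 'ipaddr'

# Build a self-signed certificate with the given subjectAltName entries.
# Constructed test data: the CN and SANs below are not from the thread.
def build_cert(san_entries)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=ldap.example.test')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('subjectAltName', san_entries.join(','), false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The same identity check OpenSSL applies during the handshake (and which
# net-ldap relies on when TLS verification is enabled): +host+ must match a
# dNSName SAN, or an iPAddress SAN when +host+ is an IP literal.
def host_matches_cert?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Given the candidate Host values an admin might enter in Redmine's LDAP
# settings, return the ones this certificate would accept.
def acceptable_hosts(cert, candidates)
  candidates.select { |h| host_matches_cert?(cert, h) }
end

if __FILE__ == $PROGRAM_NAME
  # Typical directory-server certificate: DNS name only, no IP SAN, so the
  # IP address (as used in the thread) is rejected while the DNS name passes.
  cert = build_cert(['DNS:ldap.example.test'])
  puts acceptable_hosts(cert, ['ldap.example.test', '192.0.2.10']).inspect
end
```

To inspect a real server's SANs without any Ruby, `openssl s_client -connect host:636 | openssl x509 -noout -text` shows the Subject Alternative Name block the check is run against.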

RE: LDAP Authentication fails - Added by Mr Redmine almost 2 years ago

What version of net-ldap are you running? I had the same problem with 0.16.1, but I went back to 0.12.1 and it worked again.

RE: LDAP Authentication fails - Added by Julian Gassner almost 2 years ago

Mr Redmine wrote:

What version of net-ldap are you running? I had the same problem with 0.16.1, but I went back to 0.12.1 and it worked again.

Thanks for your reply!

$ dpkg -l *net-ldap returns:

||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  ruby-net-ldap  0.12.1-2     all          LDAP client library for Ruby

So I think I should already be running the right version? I have tested the installation with ruby-net-ldap 0.12.1 under the old domain name and it works. My only guess is that it has something to do with the changed domain name. But I can't quite work out what to tweak to make it work.

RE: LDAP Authentication fails - Added by Siddharth Kaul over 1 year ago

Did you figure out any working tweak?

I had a somewhat similar problem.

This is what I did that worked. Maybe you can try it out and see whether this works for you as well. So the domain controller that I was working with had an outdated certificate.

So I got the list of all the domain controllers.

nslookup

Then I typed the following:

_ldap._tcp.dc._msdcs.domain_name.domain.com

I got the entire list of domain controllers in my organization. I used some other one on this list and it had the proper certificate and it worked.

This was a lucky break for me, hopefully this will be for you as well.

RE: LDAP Authentication fails - Added by Julian Gassner 11 months ago

Sorry for not replying, but I have been on leave for the better part of this year and have not been involved in this project anymore. What I was able to find out is that the installation was moved to a different (fresh) virtualized server in the same network, which apparently made the LDAP authentication work. So my best guess here is that there was some kind of configuration (maybe firewall/proxy settings) that I did not find causing the problem.
Unfortunately I do not have access to the infrastructure anymore, so I won't be able to verify.
Sorry that I can't be of more help.

RE: LDAP Authentication fails - Added by rajiv shukla 10 months ago

Please help me, I got the same problem. If anyone found the solution, kindly help me. When trying to log in I get a 500 internal error and the log states that the certificate is a mismatch.

RE: LDAP Authentication fails - Added by la ma 7 months ago

RESOLUTION:

Authentication to the LDAP Server is done through a Binding in the form of either a Distinguished Name or anonymous login. Having an incorrect Bind is the most common reason for seeing the "Authentication Failed" Error when attempting to import Users/Groups or test Users/Groups on the SonicWall.

CAUTION: Not all LDAP Deployments support Anonymous Binding and for security reasons Distinguished Name is recommended.
NOTE: The examples in this article will be shown with Active Directory however all the steps presented will work with and be applicable to any LDAP Methodology.

Verifying the Bind Account and Settings

1. Navigate to Users | Settings | Configure LDAP.
2. On the Settings Tab verify the following information:
Name or IP Address: This must point to the LDAP Server directly. If necessary verify that the SonicWall can resolve the Server's DNS or simply use an IP Address.
Port Number: By default this is set to 389 (LDAP) but can be set to 636 (LDAP over TLS). Use 389 when troubleshooting to establish baseline functionality.
Server Timeout: Set to 10 Seconds by default. If the LDAP Server is reached over a VPN, MPLS, or a routed network then consider increasing this value.
Anonymous Login / Login Name / Bind Distinguished Name: Login Name/Distinguished Name can be any User but must be Case Sensitive.
NOTE: When using Active Directory it's usually best to assign a Bind the Domain Admin Role.
