Project

General

Profile

Actions

Defect #27071

closed

Error testing LDAPS Connection: "Unable to connect (hostname X.X.X.X does not match the server certificate)"

Added by Carlos Simó over 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
LDAP
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

I've migrated from a 2.4.2 Redmine server to a new 3.2.1.
Everything is working OK but failing to test LDAPS (LDAP + SSL) connections (LDAP connections without SSL are working OK).
I've tested with different users and different LDAP servers and always get the same result: auth_source form shows an error message: "Unable to connect (hostname X.X.X.X does not match the server certificate)".
I've not found relevant info in production.log file:

Started PATCH "/auth_sources/8" for 172.19.12.124 at 2017-09-25 12:46:16 +0200
Processing by AuthSourcesController#update as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"Fa1QoVLFef+zngYYwypUipDda1/c0Yh0mqqGmtWThvA0D2zNmqqeDLiGUwN0pwgTWfklBjrZ73G4KpDo/53qTA==", "auth_source"=>{"name"=>"OpenLdap", "host"=>"X.X.X.X", "port"=>"636", "tls"=>"1", "account"=>"uid=xxxxxxx,ou=xxxxxx,dc=xxxxx,dc=xx", "base_dn"=>"ou=xxxxxx,dc=xxxxxx,dc=xx", "filter"=>"", "timeout"=>"", "onthefly_register"=>"0", "attr_login"=>"sAMAccountName", "attr_firstname"=>"", "attr_lastname"=>"", "attr_mail"=>""}, "dummy_password"=>"[FILTERED]", "commit"=>"Save", "id"=>"8"}
  SQL (4.3ms)  UPDATE `tokens` SET `tokens`.`updated_on` = '2017-09-25 12:46:16' WHERE `tokens`.`user_id` = 1 AND `tokens`.`value` = '932b09e00f3e76cd17f3b9b92f4dfacc77b0b3c2' AND `tokens`.`action` = 'session' AND (created_on > '2017-09-24 12:46:16.911570') AND (updated_on > '2017-09-25 00:46:16.911805')
   (0.3ms)  SELECT MAX(`settings`.`updated_on`) FROM `settings`
  User Load (0.3ms)  SELECT  `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser') AND `users`.`status` = 1 AND `users`.`id` = 1 LIMIT 1
  Current user: admin (id=1)
  AuthSource Load (0.2ms)  SELECT  `auth_sources`.* FROM `auth_sources` WHERE `auth_sources`.`id` = 8 LIMIT 1
   (0.1ms)  BEGIN
  AuthSource Exists (0.3ms)  SELECT  1 AS one FROM `auth_sources` WHERE (`auth_sources`.`name` = BINARY 'OpenLdap' AND `auth_sources`.`id` != 8) LIMIT 1
  SQL (0.2ms)  UPDATE `auth_sources` SET `port` = 636, `tls` = 1 WHERE `auth_sources`.`id` = 8
   (1.2ms)  COMMIT
Redirected to https://<my_server>/auth_sources
Completed 302 Found in 15ms (ActiveRecord: 6.8ms).

I've tested from SSL connections with openssl to LDAP connection with ldapsearch, and it not seems to be anything wrong.
Using the same users credentials and the same server connections (early configured into Redmine), with ldapseach goes everything OK.

Data about my environment:

root@asscc111s:/usr/share/redmine# ruby bin/about

Environment:
  Redmine version                3.2.1.stable
  Ruby version                   2.3.1-p112 (2016-04-26) [x86_64-linux-gnu]
  Rails version                  4.2.6
  Environment                    production
  Database adapter               Mysql2
SCM:
  Git                            2.7.4
  Filesystem
Redmine plugins:
  no plugin installed

root@asscc111s:/usr/share/redmine# mysql -V
mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper

Finally, all installed over a Ubuntu Server 16.04.


Related issues

Related to Redmine - Patch #29606: Support self-signed LDAPS connectionsClosedJean-Philippe Lang

Actions
Actions #1

Updated by Toshi MARUYAMA over 6 years ago

  • Description updated (diff)
Actions #3

Updated by Boris B over 6 years ago

Same problem with Redmine 3.2.3 on Ubuntu 16.10. For info, I'm also using Rhodecode on the same server which has no problem to connect to the LDAPS.

OpenSSL s_client also works after putting the LDAP certificate in /etc/ssl/certs/ca-bundle.crt.

This is really an issue for us since we want to use the same company accounts for Git and Redmine.

Actions #4

Updated by Mischa The Evil over 6 years ago

Just my two cents on this matter: this is something that might be solved by the upgrade of the net-ldap gem to 0.16 in r16773 for #24970, which is going to be shipped with the upcoming Redmine 4.0.0 release.

Actions #5

Updated by Boris B over 6 years ago

I updated net-ldap gem to 0.16 and it did not fix the issue.

Actions #6

Updated by Holger Just over 5 years ago

  • Related to Patch #29606: Support self-signed LDAPS connections added
Actions #7

Updated by Go MAEDA over 5 years ago

  • Status changed from New to Closed
  • Priority changed from High to Normal
  • Resolution set to Fixed

You will be able to disable a certificate check in upcoming Redmine 4.0.0. See #29606 for details.

Actions

Also available in: Atom PDF