Difference between revisions of "Troubleshoooting LDAP"

From IVS Wiki
Jump to: navigation, search
(TLS 1.2 Issues)
(TLS 1.2 Issues)
Line 88: Line 88:
 
* If the search is successful, the compatibility issue is causing your problem.
 
* If the search is successful, the compatibility issue is causing your problem.
  
You will need to modify the LDAP PHP files to include the line '''putenv("LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2");'''
+
You will need to modify the LDAP PHP files to include the line: <pre>putenv("LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2");</pre>
  
 
The following files will need to be modified:
 
The following files will need to be modified:

Revision as of 14:46, 24 April 2019

Often times configuring the Valt appliance for LDAP authentication can prove challenging. Most often these issues are caused by communications problems, incorrect credentials or using the wrong distinguished name. In order to troubleshoot the issue, it's recommended you take the Valt application out of the equation.

Validate Connection

  1. Connect to the Valt server via SSH or access the terminal.
    If accessing via the terminal, you will need to exit to shell
  2. Ping the LDAP server
    EX: Ping ldap.ipivs.com
    • If the server responds you are able communicate with that server.
    • If the server does not respond, you may have a networking issue, or ICMP may be blocked. You may need to contact the customer's IT department to investigate. If ICMP is just blocked, you do not need ICMP in order to perform LDAP queries.
  3. Verify you have the correct server address and check if the server is set to accept queries via LDAP or LDAPS
  4. Check to see if the VALT server can communicate with the LDAP server on the appropriate port.
    • For LDAP: nc -zv ldapserver 389
      • This command should return "Connection to ldapserver 389 port [tcp/ldap] succeeded!"
    • For LDAPS: nc -zv ldapserver 636
      • This command should return "Connection to ldapserver 636 port [tcp/ldaps] succeeded!"
    • If the appropriate command returns a failure message, the VALT server is unable to communicate with the ldap server on the appropriate port. This could be caused by a firewall or other security appliance between the two servers or you may have the incorrect LDAP server. You should contact the customer's IT department and notify them that the Valt server is unable to connect to the provided LDAP server on the appropriate port.

Validate LDAP Query/Credentials

After verifying communication between the VALT server and the LDAP server, you can validate the credentials you were provided by attempting to connect to the LDAP server from the command line.

  1. Connect to the Valt server via SSH or access the terminal.
    If accessing via the terminal, you will need to exit to shell
  2. Enter the following:
    ldapsearch -H ldap://''ldapserver'' -x -b "''distinguishedname''" -D ''username'' -W
    Be sure to replace the ldapserver, distinguishedname, and username with the appropriate information.
    Example:
    LDAP Server: ivs2012r2dc.internal.ipivs.com
    Protocol: LDAPS
    Distinguished Name of Group: CN=IVS Users,CN=Users,DC=internal,DC=ipivs,DC=com
    Username: ivs@internal.ipivs.com
    ldapsearch -H ldaps://ivs2012r2dc.internal.ipivs.com -x -b "CN=IVS Users,CN=Users,DC=internal,DC=ipivs,DC=com" -D ivs@internal.ipivs.com -W
  3. Enter the password when prompted.
  4. The query should return a list of group members.
    • If a list of group members was returned successfully, then LDAP authentication should be working. If you are still experiencing issues it is most likely a configuration problem with the application.
      LDAPT1.png
    • If you received a message stating "No Such Object," the distinguished name of the group you entered is incorrect. The next section contains information on verifying the distinguished name or the group, or you can contact the customer's IT department.
      LDAPT3.png
    • If you received a message stating "Invalid credentials," the username or password you entered is incorrect. You will need to contact the customer's IT department.
      LDAPT2.png

Verify Distinguished Name of Groups

If you believe the distinguished name of the group is incorrect you can verify it by accessing the customer's directory using LDAP Admin and the credentials they have provided you.

  1. Download and run LDAP Admin.
    LDAPT6.png
  2. Click Connect.
    LDAPT7.png
  3. Double click on New Connection.
    LDAPT5.png
  4. Enter the host.
  5. Uncheck Anonymous Connection.
  6. Enter the username and password.
  7. Click Fetch DNs.
  8. Select the Base DN for the domain.
    EX: DC=internal,DC=ipivs,DC=com
    LDAPT8.png
  9. Click OK.
  10. You can now browse the customer's directory. Using the distinguished name you were provided, try to locate the group.
    LDAPT10.png
    • If you are able to locate the group, click on it and the DN will be displayed on the right hand side of the window.
    • If you are unable to locate the group, contact the customer's IT department.

LDAPS Security Certificate

If you are connecting over LDAPS, you may experience an issue with security certificate presented by the ldap server being untrusted by the valt appliance.

Verify the Issue

  1. Run an ldapsearch query against the LDAP directory server using ldaps and append -d1 to the end of the command.
    See the section above regarding Validate LDAP Query/Credentials for information on running an ldapsearch
  2. The query will fail, but the results should contain diagnostic details about why.
  3. Review the results of the query, if there is an issue with the certificate you will see a message stating Certificate Untrusted or something similar in the results.
  4. Enter the following:
    sudo nano /etc/ldap/ldap.conf
  5. Append the following to the end of the file:
  6. TLS_REQCERT never
  7. Rerun the ldapsearch command. It should be successful this time.

Resolution

  1. Download the security certificate from your LDAP directory server.
  2. Upload the certificate to the valt appliance.
  3. Copy the certificate file to
    /etc/ssl/certs/
    EX: sudo cp ./cert.crt /etc/ssl/certs/
  4. Enter the following:
    sudo nano /etc/ldap/ldap.conf
  5. Append the following to the end of the file, replacing the italicized text with the name of your certificate:
    TLS_CACERT /etc/ssl/certs/cert.crt
  6. Press CTRL-X.
  7. Answer Y to save.
  8. Press Enter to keep the file name the same.

TLS 1.2 Issues

There is a known compatibility issue between OpenLDAP and certain versions of Windows Server. This issue was resolved in hotfixes, however you if you are able to verify all the information is correct and you are still unable to submit an LDAP query via LDAPS, this may be the cause. The issue stems from a compatibility problem related to TLS 1.2. By disabling TLS version 1.2 you can force LDAPS to use TLS version 1.1.

To test if this is the case, run the following:

export LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2
  • Run another LDAPSearch
  • If the search is successful, the compatibility issue is causing your problem.
You will need to modify the LDAP PHP files to include the line:
putenv("LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2");

The following files will need to be modified:

/var/www/v3/src/FS/UserBundle/Util/LdapSynchronizer.php
/var/www/v3/src/FS/UserBundle/Controller/LDAPController.php
/var/www/v3/src/FS/CamBundle/Command/LdapSyncCommand.php
/var/www/v3/src/FS/UserBundle/Entity/LdapServer.php
/var/www/v3/src/FS/UserBundle/Entity/LdapSynchronize.php
/var/www/v3/src/FS/UserBundle/Entity/User.php
/var/www/v3/app/console

This list of files was from old notes and may not be 100% accurate