freman/caddy-reauth

unable to connect to Ldap

Closed this issue · 3 comments

I am trying to enable reauth for my existing application.

Error: 06/Nov/2019:13:13:53 +0000 [ERROR 500 /login] Get http://localhost:5650: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

My Caddyfile:

```
kibana-test.xxx.io:5000 {
    tls /root/config/star_tajawal_io.crt /root/config/XXXX-io-sub-domain-private-key.pem
    #basicauth / kibana-test kibana-test
    jwt {
        path /
        redirect /login
    }
    reauth {
        path /
        upstream url=http://localhost:5650
        ldap url=ldap://prod-devops-freeipa-ldap-public-xxxx.eu-west-1.elb.amazonaws.com:389,timeout=5s,username=qa.xxx,password=xxxx,base="OU=Users,OU=tajawal,DC=tajawal,DC=io"
    }
    log stdout
    errors visible
}
```

I am running it in a container.

Logs from Caddy:

```
$ sudo docker-compose up
Starting caddy_kibana_test ... done
Attaching to caddy_kibana_test
caddy_kibana_test | 2019/11/06 13:13:47 [INFO] Successfully loaded TLS assets from /root/config/star_tajawal_io.crt and /root/config/xxxx-io-sub-domain-private-key.pem
caddy_kibana_test | Activating privacy features... done.
caddy_kibana_test | JWT middleware is initiated
caddy_kibana_test |
caddy_kibana_test | Serving HTTPS on port 5000
caddy_kibana_test | https://kibana-test.XXXX.io:5000
caddy_kibana_test |
caddy_kibana_test | 2019/11/06 13:13:47 [INFO] Serving https://kibana-test.xxxx.io:5000
caddy_kibana_test | 2019/11/06 13:13:47 [INFO][cache:0xc000186f00] Started certificate maintenance routine
caddy_kibana_test | 2019/11/06 13:13:47 [NOTICE] Sending telemetry: we were too early; waiting 19h27m31.015992392s before trying again
caddy_kibana_test | 5.195.224.30 - - [06/Nov/2019:13:13:49 +0000] "GET /login HTTP/2.0" 500 172
caddy_kibana_test | 5.195.224.30 - - [06/Nov/2019:13:13:49 +0000] "GET /favicon.ico HTTP/2.0" 500 178
caddy_kibana_test | 5.19
```

Please advise, @freman.

Hi

It would appear that your upstream is HTTPS and you are requesting it as HTTP.

\x15\x03\x01\x00\x02\x02 is basically the start of HTTPS. (It's funny, I have written a transport that is capable of handling HTTP and HTTPS automatically, and I wonder why it was never done before.)

It's basically midnight here so I'm a bit tired, but if you just want LDAP you don't need upstream url=http://localhost:5650.

If you do need that for other reasons, then try upstream url=https://localhost:5650.
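As an added example (my own, not code from the issue or from caddy-reauth), here is a small Go program that classifies the leading bytes that net/http quotes in a "malformed HTTP response" error: it checks whether they form a TLS record header and, for an alert record, decodes the level and description. The samples are constructed: the six bytes quoted in the error above, the same alert extended with a protocol_version description byte (an assumption, since the log line stops before that byte), and an ordinary HTTP status line.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// TLSRecordInfo describes the leading bytes of a response that net/http
// rejected as a "malformed HTTP response".
type TLSRecordInfo struct {
	ContentType string // change_cipher_spec, alert, handshake, application_data
	Version     string // record-layer version: SSL 3.0, TLS 1.0, ...
	Length      int    // payload length from the 5-byte record header
	AlertLevel  string // "warning" or "fatal"; set only for alert records
	AlertDesc   string // alert description; "" if that byte was not captured
}

var contentTypes = map[byte]string{0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
var versions = map[byte]string{0x00: "SSL 3.0", 0x01: "TLS 1.0", 0x02: "TLS 1.1", 0x03: "TLS 1.2", 0x04: "TLS 1.3"}
var alertLevels = map[byte]string{1: "warning", 2: "fatal"}

// Subset of the RFC 5246 section 7.2 alert descriptions: the ones a server is
// likely to send when the first bytes it receives are not a TLS ClientHello.
var alertDescs = map[byte]string{
	0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
	47: "illegal_parameter", 70: "protocol_version", 80: "internal_error",
}

// LooksLikeTLS reports whether b starts with a full 5-byte TLS record header:
// a known content type, then a version whose major byte is 3 (SSL 3.0 / TLS 1.x).
func LooksLikeTLS(b []byte) bool {
	if len(b) < 5 {
		return false
	}
	_, knownType := contentTypes[b[0]]
	_, knownMinor := versions[b[2]]
	return knownType && b[1] == 0x03 && knownMinor
}

// ParseTLSRecord decodes the record header and, for an alert record, the
// level and description bytes after it. A truncated capture (the log line
// above stops after the level byte) still yields whatever is present.
func ParseTLSRecord(b []byte) (TLSRecordInfo, error) {
	if !LooksLikeTLS(b) {
		return TLSRecordInfo{}, errors.New("not a TLS record header")
	}
	info := TLSRecordInfo{
		ContentType: contentTypes[b[0]],
		Version:     versions[b[2]],
		Length:      int(b[3])<<8 | int(b[4]),
	}
	if info.ContentType == "alert" {
		if len(b) >= 6 {
			info.AlertLevel = alertLevels[b[5]]
		}
		if len(b) >= 7 {
			if info.AlertDesc = alertDescs[b[6]]; info.AlertDesc == "" {
				info.AlertDesc = fmt.Sprintf("unknown(%d)", b[6])
			}
		}
	}
	return info, nil
}

// Diagnose turns the leading bytes of an upstream response into a one-line
// verdict an operator can act on.
func Diagnose(b []byte) string {
	if bytes.HasPrefix(b, []byte("HTTP/")) {
		return "plain HTTP response"
	}
	info, err := ParseTLSRecord(b)
	if err != nil {
		return "neither HTTP nor TLS: " + err.Error()
	}
	msg := info.Version + " " + info.ContentType + " record"
	if info.AlertLevel != "" {
		desc := info.AlertDesc
		if desc == "" {
			desc = "description not captured"
		}
		msg += fmt.Sprintf(" (%s alert, %s)", info.AlertLevel, desc)
	}
	return msg + ": the upstream speaks TLS, so use an https:// upstream URL"
}

func main() {
	// Constructed samples: the six bytes quoted in the issue's error, the
	// same alert with a protocol_version description byte, and a normal
	// HTTP status line.
	for _, s := range [][]byte{
		[]byte("\x15\x03\x01\x00\x02\x02"),
		[]byte("\x15\x03\x01\x00\x02\x02\x46"),
		[]byte("HTTP/1.1 200 OK\r\n"),
	} {
		fmt.Printf("%q -> %s\n", s, Diagnose(s))
	}
}
```

Reading the six bytes this way: 0x15 is the alert content type, 0x03 0x01 is record version TLS 1.0, 0x00 0x02 is a two-byte payload, and 0x02 is a fatal level. The description byte that follows is what the log omits. Any response that begins with 0x14 to 0x17 followed by 0x03 is a TLS record rather than an HTTP status line, and the fix is the one given above: talk to the upstream over https://.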

Hello @freman,

Thanks for the quick help. I have removed the upstream; now it says invalid credentials, though I tried with many other credentials, all of which are good.

Error: +0000 [ERROR 500 /] bind with "xxx.xx": LDAP Result Code 49 "Invalid Credentials":

Just a quick question.

Is my LDAP string correct? I am doing this with FreeIPA.

ldap url=ldap://prod-devops-freeipa-ldap-public-xxx.eu-west-1.elb.amazonaws.com:389,timeout=5s,username=imran.xxx,password="imxran.xxx",base="CN=Users,CN=tajawal,DC=tajawal,DC=io",filter="(&(memberOf=CN=group,CN=accounts,DC=xxx,DC=io)(uid=%s)(objectClass=user)(sAMAccountName=%s))"

Thanks in advance.

I ran that through the config parser; it parses OK.

I have spotted one more issue: the filter is limited to only one %s parameter.

"(&(memberOf=CN=group,CN=accounts,DC=xxx,DC=io)(uid=%s)(objectClass=user)(sAMAccountName=%s))"

Although you can cheat and use %[1]s to repeatedly use that one parameter (I'm lazy, I used the default sprintf).

Should your LDAP not be using SSL/TLS? I imagine that'd be something AWS would enforce? ldaps://

But beyond that, everything after the colon (LDAP Result Code 49 "Invalid Credentials") is actually coming from LDAP, so unless one of your passwords is incorrect the module appears to be working.

If you can get your hands on the ldapsearch tool on a box that has access to the LDAP host, you can test your parameters with that much more easily and quickly. If you find a setup that works for you, let me know what it is and I'll help you with a config line for caddy-reauth.

```
ldapsearch -h prod-devops-freeipa-ldap-public-xxxx.eu-west-1.elb.amazonaws.com -D qa.xxx -w xxxx -b "OU=Users,OU=tajawal,DC=tajawal,DC=io" "(&(memberOf=CN=group,CN=accounts,DC=xxx,DC=io)(objectClass=user)(sAMAccountName=username))" "cn"
```
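As an added example (my own, not caddy-reauth's code), the following Go program builds the search filter the way the reply above describes it, through fmt.Sprintf with a single parameter, and adds the two checks a practitioner wants before a login name is interpolated into a filter: RFC 4515 escaping of the value, so that a name such as *)(uid=* cannot widen the search, and rejection of templates whose verb count does not fit one parameter, including the two-%s filter quoted above. The templates, group DN and login names are constructed placeholders, not the project's defaults.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// EscapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515 section 3): each special byte becomes a backslash and two hex
// digits, so user input cannot add or alter filter clauses.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildFilter renders a filter template that takes exactly one parameter,
// the login name, through fmt.Sprintf, matching how the reply above
// describes the module's filter. The name may appear once as %s, or several
// times as the positional verb %[1]s. The value is escaped first, and a
// template that expects a different number of parameters is rejected rather
// than rendered with fmt's %!s(MISSING) / %!(EXTRA ...) markers.
func BuildFilter(template, username string) (string, error) {
	// Probe with a harmless constant so a "%!" inside the user's own input
	// cannot be mistaken for a formatting error.
	if probe := fmt.Sprintf(template, "x"); strings.Contains(probe, "%!") {
		return "", errors.New("template must use exactly one parameter: " + probe)
	}
	out := fmt.Sprintf(template, EscapeFilterValue(username))
	if strings.Count(out, "(") != strings.Count(out, ")") {
		return "", errors.New("unbalanced parentheses in rendered filter: " + out)
	}
	return out, nil
}

func main() {
	// Constructed templates in the shape of a caddy-reauth ldap filter=...
	// value; the group DN and attribute names are placeholders.
	templates := []string{
		"(&(objectClass=person)(uid=%s))",
		"(&(memberOf=cn=group,cn=groups,cn=accounts,dc=example,dc=io)(|(uid=%[1]s)(mail=%[1]s)))",
		"(&(uid=%s)(sAMAccountName=%s))", // two verbs, one value: rejected
	}
	for _, tpl := range templates {
		for _, user := range []string{"imran.xxx", "*)(uid=*"} {
			if f, err := BuildFilter(tpl, user); err != nil {
				fmt.Println("rejected:", err)
			} else {
				fmt.Println(f)
			}
		}
	}
}
```

The second template shows the %[1]s trick from the reply above: the same login name lands in both the uid and mail clauses while the module still passes a single argument. One caveat for the FreeIPA case in this thread: sAMAccountName and objectClass=user are Active Directory attributes; default FreeIPA user entries are matched on uid, so a filter copied from an AD setup can fail to match anyone even when the bind credentials are right.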