LDAP-Proxy: using SSL/TLS

Hi,
I successfully installed privacyidea and the ldap-proxy on Ubuntu 18.04.
Cleartext is no problem, but I have to use encoded communication.

If I set
[ldap-backend]
endpoint = tls:myserverFQDN:port=636:trustRoots=/usr/local/share/ca-certificates/

I get this error:

[pi_ldapproxy.proxy#critical] Could not connect to LDAP backend
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py", line 651, in _runCallbacks
current.result = callback(current.result, *args, **kw)
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1355, in gotResult
_inlineCallbacks(r, g, deferred)
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1297, in _inlineCallbacks
result = result.throwExceptionIntoGenerator(g)
File "/usr/local/lib/python2.7/dist-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator
return g.throw(self.type, self.value, self.tb)
— —
File "/usr/local/lib/python2.7/dist-packages/pi_ldapproxy/proxy.py", line 483, in test_connection
client = yield self.connect_service_account()
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1297, in _inlineCallbacks
result = result.throwExceptionIntoGenerator(g)
File "/usr/local/lib/python2.7/dist-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator
return g.throw(self.type, self.value, self.tb)
File "/usr/local/lib/python2.7/dist-packages/pi_ldapproxy/proxy.py", line 387, in connect_service_account
yield client.bind(self.service_account_dn, self.service_account_password)
File "/usr/local/lib/python2.7/dist-packages/twisted/protocols/tls.py", line 335, in _checkHandshakeStatus
self._tlsConnection.do_handshake()
File "/usr/local/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1907, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/local/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
_raise_current_error()
File "/usr/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

but the LDAP-proxy "runs" - it accepts connections, starts a factory and comes up with the same error for the BindRequest.

I also get an error if I set

[ldap-proxy]
endpoint = ssl:port=636:privateKey=/etc/ssl/somecert.pem

Traceback (most recent call last):
File "/usr/local/bin/twistd", line 11, in <module>
sys.exit(run())
File "/usr/local/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 29, in run
app.run(runApp, ServerOptions)
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 648, in run
runApp(config)
File "/usr/local/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 25, in runApp
_SomeApplicationRunner(config).run()
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 379, in run
self.application = self.createOrGetApplication()
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 439, in createOrGetApplication
ser = plg.makeService(self.config.subOptions)
File "/usr/local/lib/python2.7/dist-packages/twisted/plugins/ldapproxy_plugin.py", line 42, in makeService
endpoint_string = serverFromString(reactor, config['ldap-proxy']['endpoint'])
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/endpoints.py", line 1522, in serverFromString
return _serverFromStringLegacy(reactor, description, _NO_DEFAULT)
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/endpoints.py", line 1435, in _serverFromStringLegacy
nameOrPlugin, args, kw = _parseServer(description, None, default)
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/endpoints.py", line 1426, in _parseServer
return (endpointType.upper(),) + parser(factory, *args[1:], **kw)
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/endpoints.py", line 1139, in _parseSSL
privateCertificate = ssl.PrivateCertificate.loadPEM(certPEM + keyPEM)
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/_sslverify.py", line 700, in loadPEM
return Class.load(data, KeyPair.load(data, crypto.FILETYPE_PEM),
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/_sslverify.py", line 843, in load
return Class(crypto.load_privatekey(format, data))
File "/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 2798, in load_privatekey
_raise_current_error()
File "/usr/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]

and the LDAP-proxy stops.

I think there are some config steps missing in the documentation…

Best regards

Problem is solved:
the ldap-backend endpoint needs the .crt file of the CA, not the directory:

[ldap-backend]
endpoint = tls:myserverFQDN:port=636:trustRoots=/usr/local/share/ca-certificates/MyCA.crt

the ldap-proxy endpoint needs the privateKey .key and the certKey .pem files:

[ldap-proxy]
endpoint = ssl:port=636:privateKey=/etc/ssl/MyprivateKey.key:certKey=/etc/ssl/MycertKey.pem

Topic can be closed…

2 Likes

Thanks for this, I’ve got my ldap-proxy successfully listening on 636 and can connect to it via SSL. However, I still can’t connect to my backend LDAP over 636 through the proxy. The certificate that you use for ldap-backend, is it the cert for just the CA that issued the cert to the backend-ldap server or does it contain both the ldap-backend server you are connecting to and the CA?

Interestingly, I got mine to work by specifying a directory for the ldap-backend. However, I don’t have a cert bundle for my server cert and CA cert, they’re individual files.

Regardless, thanks for the insight.

Hi,
This works for me; it takes the certs from the cert store…

[ldap-backend]
endpoint = tls:myLDAPbackendFQDN:port=636
test-connection = true
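Both failures in this thread were only discovered at start-up or at the first bind: the ldap-backend trustRoots path did not yield a usable CA certificate, and the ldap-proxy privateKey file was not the PEM key OpenSSL expected (the "PEM_read_bio: no start line" error). The following pre-flight checker, written for this thread as an added example and not code from the pi_ldapproxy project, parses the Twisted-style endpoint strings from the solved configuration and the last post (a tls: backend with no trustRoots, which leaves verification to the platform trust store) and reports these problems before twistd is started. It uses only the Python 3 standard library; the PEM files it creates in demo() are constructed header-only placeholders, not real key material, and it assumes, as Twisted's ssl: server parser does, that the certificate is read from the privateKey file when certKey is omitted.

```python
"""Pre-flight check for [ldap-backend] and [ldap-proxy] endpoint strings (added example)."""
import os
import tempfile

CERT_HEADER = "-----BEGIN CERTIFICATE-----"


def parse_endpoint(description):
    """Split 'type:arg:key=val:...' into (type, positional args, keyword args).

    Mirrors the colon-separated shape Twisted's clientFromString and
    serverFromString accept; a backslash escapes the next character.
    """
    parts, current, i = [], "", 0
    while i < len(description):
        ch = description[i]
        if ch == "\\" and i + 1 < len(description):
            current += description[i + 1]
            i += 2
            continue
        if ch == ":":
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    kind, rest = parts[0], parts[1:]
    positional = [p for p in rest if "=" not in p]
    keywords = dict(p.split("=", 1) for p in rest if "=" in p)
    return kind, positional, keywords


def pem_blocks(path):
    """Return the set of PEM block types ('CERTIFICATE', 'RSA PRIVATE KEY', ...) found in a file."""
    with open(path, "r", errors="replace") as fh:
        lines = [ln.strip() for ln in fh]
    return {ln[11:-5] for ln in lines if ln.startswith("-----BEGIN ") and ln.endswith("-----")}


def check_backend_endpoint(description):
    """Problems with the [ldap-backend] endpoint string; an empty list means OK."""
    kind, positional, kw = parse_endpoint(description)
    problems = []
    if kind not in ("tcp", "tls"):
        problems.append("backend endpoint type must be tcp or tls, got %r" % kind)
    if not positional:
        problems.append("backend endpoint names no host")
    roots = kw.get("trustRoots")  # absent: platform trust store is used, as in the last post
    if kind == "tls" and roots is not None:
        if os.path.isfile(roots):
            if "CERTIFICATE" not in pem_blocks(roots):
                problems.append("trustRoots=%s contains no PEM certificate" % roots)
        elif os.path.isdir(roots):
            found = [f for f in sorted(os.listdir(roots))
                     if os.path.isfile(os.path.join(roots, f))
                     and "CERTIFICATE" in pem_blocks(os.path.join(roots, f))]
            if not found:
                problems.append("trustRoots=%s is a directory without PEM certificate files; "
                                "point it at the CA's .crt file" % roots)
        else:
            problems.append("trustRoots=%s does not exist" % roots)
    return problems


def check_proxy_endpoint(description):
    """Problems with the [ldap-proxy] endpoint string; an empty list means OK."""
    kind, _positional, kw = parse_endpoint(description)
    problems = []
    if kind not in ("tcp", "ssl"):
        problems.append("proxy endpoint type must be tcp or ssl, got %r" % kind)
    if kind != "ssl":
        return problems
    key_path = kw.get("privateKey")
    if key_path is None:
        return problems + ["ssl endpoint needs privateKey="]
    # Assumption: like Twisted's ssl: parser, the certificate comes from the
    # privateKey file when certKey is not given.
    cert_path = kw.get("certKey", key_path)
    for label, path, want in (("privateKey", key_path, "PRIVATE KEY"),
                              ("certKey", cert_path, "CERTIFICATE")):
        if not os.path.isfile(path):
            problems.append("%s=%s is not a file" % (label, path))
        elif not any(want in block for block in pem_blocks(path)):
            problems.append("%s=%s has no '%s' PEM block (OpenSSL: no start line)"
                            % (label, path, want))
    return problems


def demo():
    """Recreate the thread's failing and working configurations with constructed files."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "ca-certificates"))
    os.mkdir(os.path.join(root, "empty"))

    def write(name, body):  # constructed placeholder PEM files, not real key material
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        return path

    ca = write("ca-certificates/MyCA.crt", CERT_HEADER + "\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    key = write("MyprivateKey.key", "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    cert = write("MycertKey.pem", CERT_HEADER + "\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    der = write("somecert.der", "not a PEM file at all\n")
    return {
        "backend_file": check_backend_endpoint("tls:myserverFQDN:port=636:trustRoots=" + ca),
        "backend_dir": check_backend_endpoint("tls:myserverFQDN:port=636:trustRoots=" + os.path.dirname(ca)),
        "backend_empty_dir": check_backend_endpoint("tls:myserverFQDN:port=636:trustRoots=" + os.path.join(root, "empty")),
        "backend_platform_store": check_backend_endpoint("tls:myLDAPbackendFQDN:port=636"),
        "proxy_ok": check_proxy_endpoint("ssl:port=636:privateKey=%s:certKey=%s" % (key, cert)),
        "proxy_cert_as_key": check_proxy_endpoint("ssl:port=636:privateKey=" + cert),
        "proxy_not_pem": check_proxy_endpoint("ssl:port=636:privateKey=" + der),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Run it once against the real paths from proxy.ini before starting twistd; an empty list for both sections means the files at least have the PEM blocks the two tracebacks above were missing, while a correct chain and hostname match are still only confirmed by the proxy's own test-connection = true.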