LDAPS Error with user Resolver - Active Directory

Dear All,

When trying to use ldaps://server, I get the error below (PI is running on Ubuntu 20):

LDAPSocketOpenError((socket ssl wrapping error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1123),))

The same LDAPS is working on Ubuntu 18 (another test server where PI is installed).

Any clue, please?

Thanks

Any more information?

Thanks for your quick reply.
I have two environments; neither is in production.

First environment:

Ubuntu 18.04 (PI 3.5 + FreeRADIUS are both installed and running perfectly fine).
In this setup, I am using AD as the user resolver with the config below:
ldaps://ldapserver (my AD server hostname)
and when I click on "Test LDAP Resolver", it works perfectly fine.

Second environment:

This environment is exactly the same as the one above except for the OS; this is Ubuntu 20.04, and all other PI-related setup is the same as in environment 1.
When clicking "Test LDAP Resolver", I get this message:
LDAPSocketOpenError((socket ssl wrapping error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1123),))

Unfortunately there are no error logs in /var/log/privacyidea.

Please let me know if you need any more info.

You are getting an error with your ldap resolver. So what might be good information to look at?

Hint: It is not the FreeRADIUS configuration.

I am really cornelinux,
You must have some clue; I tried every possible way to find it but failed, and only then came to this wonderful group.

Every single setting and configuration is the same as on Ubuntu 18.04; the only difference is that it is Ubuntu 20.04 :slight_smile:

The certificate I am using is a wildcard, and the same certificate is on the other, working server; not sure what I am missing.

Please do suggest if you have some clue to get closer to this problem.

Thank you

Hi Cornelinux,

I see this log on the AD server:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Any help? What TLS setting needs to be changed in Ubuntu 20.04, as the same is working in Ubuntu 18.04?

Thanks

Dear All,

Any help on this, please?

I have tried enabling TLS 1.2 on the AD server, including PI Apache, but no luck.

Your help would be greatly appreciated.

Here you have it. It must be something with your TLS settings.
But I do not know these.

Note: On 20.04 you have other versions of python and other ldap modules on privacyIDEA.

Hi Cornelinux,

Thank you so much. I followed the steps to install PI 3.5 for Ubuntu 20.04 from here, and it's working:
https://privacyidea.readthedocs.io/en/latest/installation/ubuntu.html

Note: I managed to get this LDAPS working, but this method is not recommended in production, and I had to bring TLS security down from 1.2 to 1.0 in the openssl.cnf file.

openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

Any suggestions, please?
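Added example (not from this thread and not privacyIDEA code): a standard-library Python probe that performs the LDAPS handshake with an explicit per-connection policy (TLS 1.2+, OpenSSL SECLEVEL=2), so an operator can tell whether the failure is the protocol version or the cipher suites (the "alert 40" in the SChannel event above) without lowering MinProtocol/SECLEVEL in the system-wide openssl.cnf. The hostname "ldapserver", the HINTS table and the LibreSSL fallback are assumptions made for this example.

```python
import socket
import ssl

LDAPS_PORT = 636

# Map OpenSSL handshake failure reasons to a likely cause and the safer fix.
# Constructed for this example; the keys are OpenSSL's own reason strings.
HINTS = {
    "UNSUPPORTED_PROTOCOL": "the client rejects every TLS version the server "
                            "offers; enable TLS 1.2 on the server, do not lower MinProtocol",
    "SSLV3_ALERT_HANDSHAKE_FAILURE": "alert 40: no cipher suite in common (the "
                                     "SChannel event); enable TLS 1.2 suites on the server "
                                     "rather than dropping the client to SECLEVEL=1",
    "CERTIFICATE_VERIFY_FAILED": "the server certificate chain is not trusted here",
}

def make_context(min_version=ssl.TLSVersion.TLSv1_2, seclevel=2):
    """Per-connection TLS policy (TLS 1.2+, OpenSSL security level 2) that
    leaves the system-wide openssl.cnf untouched."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    try:
        ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    except ssl.SSLError:
        pass  # LibreSSL builds do not understand @SECLEVEL; keep the defaults
    return ctx

def probe_ldaps(host, port=LDAPS_PORT, ctx=None, timeout=5.0):
    """Attempt a TLS handshake on the LDAPS port and report what happened."""
    ctx = ctx or make_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:  # must come before OSError: SSLError is a subclass
        return {"ok": False, "stage": "tls", "reason": exc.reason or str(exc)}
    except OSError as exc:
        return {"ok": False, "stage": "tcp", "reason": str(exc)}

def diagnose(result):
    """Turn a probe result into a one-line hint for the operator."""
    if result["ok"]:
        return f"handshake ok: {result['protocol']} with {result['cipher']}"
    if result["stage"] == "tcp":
        return f"no TCP connection: {result['reason']}"
    return HINTS.get(result["reason"], f"TLS failure: {result['reason']}")

if __name__ == "__main__":
    import sys
    print(diagnose(probe_ldaps(sys.argv[1] if len(sys.argv) > 1 else "ldapserver")))
```

Run it against the AD host from the Ubuntu 20.04 box; a "tls" result with the alert 40 hint confirms the cipher-suite mismatch from the Windows event log rather than a privacyIDEA problem.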