
v2.6.1 fails with "LDAP connection failure: automatic start_tls befored bind not successful" #656

Closed
mictsi opened this issue Oct 27, 2020 · 8 comments · Fixed by #663

Comments

@mictsi

mictsi commented Oct 27, 2020

Description
Tried to upgrade from 2.6 to 2.6.1 and the new version fails to connect to ldap.

Steps to reproduce
Run version 2.6.1 of user-sync with 2.6 config

Configuration is in the correct .yml files and the configuration is tested and works fine with 2.6.

Expected behavior
That user-sync connects to LDAP and gets group information and users

Logs
DEBUG ldap - Connecting to: ldaps://fqdn - Authentication Method: SIMPLE using username: username@domain
CRITICAL main - LDAP connection failure: automatic start_tls befored bind not successful
INFO main - ========== End Run (User Sync version: 2.6.1) (Total time: 0:00:00)

Environment

  • UST version: 2.6.1
  • OS type and version: ubuntu 18.04 LTS
@mgoette

mgoette commented Nov 10, 2020

I can confirm that. Switching back to 2.6 solves the issue.

@Luci2015
Collaborator

It must be an updated ldap3 library packaged in 2.6.1 compared to 2.6.0, as there are no code differences between these versions.
Can you please check if your host value in the connector-ldap file is set to the ldaps:// protocol?
If that is the case, can you retry connecting with 2.6.1 using the ldap:// protocol for host and keep TLS enabled -> this way the TLS connection should happen before the bind and the entire traffic will be encrypted.
Please confirm.

@mgoette

mgoette commented Nov 18, 2020

Thanks, Luci. Your solution works. Interestingly, the LDAPS server with the "require_tls_cert: True" setting worked even though it would be using LDAPS over TLS...
Issue is resolved I guess

@mictsi
Author

mictsi commented Nov 23, 2020

Hi, @mgoette ,

I tried 2.6.1 with require_tls_cert: True and changed the url to ldap://, and I am getting the following error.

Logs

2020-11-23 11:30:43 57497 DEBUG ldap - Connecting to: ldap://myldapserver - Authentication Method: SIMPLE using username: myusername
2020-11-23 11:30:43 57497 CRITICAL main - LDAP connection failure: socket connection error while opening: [Errno 111] Connection refused
2020-11-23 11:30:43 57497 INFO main - ========== End Run (User Sync version: 2.6.1) (Total time: 0:00:00)

@mgoette

mgoette commented Nov 23, 2020

Seems to be a firewall issue to me. Make sure tcp/389 is open and your LDAP server offers LDAP and not just LDAPS.

@mictsi
Author

mictsi commented Nov 23, 2020

@mgoette, LDAPS should go through port 636, not 389, and yes, 389 is not open as we do not offer LDAP over 389 (unencrypted traffic) in our environment.

@mgoette

mgoette commented Nov 24, 2020

That's exactly the point.
https://is.gd/tk2eAo

@bhunut-adobe
Collaborator

Looks like there is a change in LDAP3 version 2.8 causing this issue.
cannatag/ldap3#855

@adorton-adobe adorton-adobe added this to the v2.6.2 milestone Dec 4, 2020
adorton-adobe added a commit that referenced this issue Dec 4, 2020
Bug fix: Prevent start_tls before Bind on LDAPS Connection
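The distinction the thread turns on, as an added Python example (not code from user-sync or ldap3): an ldaps:// host is TLS from the first byte on 636, so requesting StartTLS on it is a contradiction, while an ldap:// host on 389 is where StartTLS before the bind belongs. The function names, the port defaults and the mapping of `require_tls_cert` onto certificate validation are my assumptions.

```python
from urllib.parse import urlparse

# Constructed helper: derive ldap3 settings from the connector-ldap "host" value.
LDAP_PORT = 389    # plain LDAP, upgraded in-band with StartTLS
LDAPS_PORT = 636   # LDAP over TLS from the first byte (implicit TLS)


def plan_connection(host, require_tls_cert=True):
    """Return the ldap3 Server/Connection settings implied by `host`.

    ldaps://  -> use_ssl=True on 636; StartTLS must NOT be requested, because the
                 socket is already TLS (ldap3 2.8 reports that as 'automatic
                 start_tls before bind not successful').
    ldap://   -> plain socket on 389; StartTLS is requested before the bind so the
                 SIMPLE-bind credentials never cross the wire unencrypted.
    """
    url = urlparse(host if "://" in host else "ldap://" + host)
    if url.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme in host: {host!r}")
    implicit_tls = url.scheme == "ldaps"
    return {
        "host": url.hostname,
        "port": url.port or (LDAPS_PORT if implicit_tls else LDAP_PORT),
        "use_ssl": implicit_tls,
        "start_tls_before_bind": not implicit_tls,   # only on a plain socket
        "validate_cert": require_tls_cert,
    }


def connect(host, user, password, require_tls_cert=True):
    """Open and bind an ldap3 Connection according to plan_connection()."""
    import ssl
    from ldap3 import (AUTO_BIND_NO_TLS, AUTO_BIND_TLS_BEFORE_BIND,
                       Connection, Server, Tls)
    plan = plan_connection(host, require_tls_cert)
    tls = Tls(validate=ssl.CERT_REQUIRED if plan["validate_cert"] else ssl.CERT_NONE)
    server = Server(plan["host"], port=plan["port"], use_ssl=plan["use_ssl"], tls=tls)
    # AUTO_BIND_TLS_BEFORE_BIND is what triggers start_tls(); never use it on ldaps://.
    auto_bind = AUTO_BIND_TLS_BEFORE_BIND if plan["start_tls_before_bind"] else AUTO_BIND_NO_TLS
    return Connection(server, user=user, password=password, auto_bind=auto_bind)
```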