Connecting to Active Directory via LDAP without encryption

[1sk0ne]

Hello, please tell me if it is possible to bypass an LDAP connection without encryption, since I do not have LDAP configured on my domain controllers due to the fact that all traffic is on the internal network.

As a result, if I get an error with the following data:

apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: ActiveDirectoryIdentityProvider
metadata:
  name: pinniped-active-directory
  namespace: pinniped-supervisor
spec:
  host: dc-1.base.local:389
  tls:
    certificateAuthorityData: <self-signed-controller-domain-certificate>

Logs:

{"level":"info","timestamp":"2024-12-27T08:46:10.757059Z","caller":"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go:143$upstreamwatchers.TestConnection","message":"testing LDAP connection using TLS failed, so trying again with StartTLS","error":"error dialing host \"dc1.base.local:389\": LDAP Result Code 200 \"Network Error\": read tcp 10.140.44.152:41140->10.33.12.13:389: read: connection reset by peer","host":"dc1.base.local:389"}
{"level":"info","timestamp":"2024-12-27T08:46:10.770079Z","caller":"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go:154$upstreamwatchers.TestConnection","message":"testing LDAP connection using StartTLS also failed","error":"error dialing host \"dc1.base.local:389\": LDAP Result Code 200 \"Network Error\": read tcp 10.140.44.15:41140->10.33.12.1:389: read: connection reset by peer","host":"dc1.base.local:389"}

I would also like to know if it is possible to use a connection specifying base.local:389
So, if a particular domain controller fails, is it possible to connect to the next one?

[cfryanr]

Hi, thanks for your questions.

It is not possible to use LDAP without TLS. As you saw in the logs, your server can support either LDAPS or StartTLS, but it must support one of those. It would not be secure to use LDAP without TLS, since it involves sending the user's password to the LDAP server over the network.

You should be able to use whatever DNS tricks you want to use, as long as the TLS certificate can be validated using the DNS name.

[cfryanr]

I noticed in your example you said <self-signed-controller-domain-certificate>. It's fine for the cert or the CA to be self-signed. That's not a problem, as long as the TLS connection can be validated.