[SOLVED] LdapS authentication issue

Questions about WAPT Server / Requests and help related to the WAPT server
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Locked
Houg
Messages: 7
Registration: July 2, 2020 - 9:59 AM

July 2, 2020 - 10:18

Hello everyone.
For the switch to wapt enterprise, I am currently configuring our new server (on debian).
All that's left for me is console authentication with LdapS.
And that's where I'm stuck… I followed the instructions exactly…

Authentication with local session: OK
LDAP authentication (non-S): OK (the connection request is clearly visible in the AD server)
LDAP authentication: not working => however, there is no connection request in the AD server.
However, on AD, the certificate is correctly installed with a known authority.
Just to be sure, I added this authority to the WAPT server. No changes…:

Code: Select all

sudo cp TERENACA.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
A telnet connection on port 636 (ldapS) from my wapt server to my AD server is functional.
(By the way, this reminds me that the documentation states that the default LdapS port is 646, whereas it's actually 636) :D )

Here is my waptserver.ini (anonymized):
[options]
waptwua_folder = /var/www/waptwua
server_uuid = XXXXXXXXXXX
clients_signing_key = XXXXXXXXXXX
clients_signing_certificate = XXXXXXXXXXX
wapt_password = XXXXXXXXXXX
allow_unauthenticated_connect = False
secret_key = XXXXXXXXXXX
use_kerberos = True
wapt_huey_db = /opt/wapt/db/waptservertasks.sqlite

wapt_admin_group_dn=CN=group,CN=Users,DC=mydomain,DC=fr
ldap_auth_server=myserver.mydomain.fr
ldap_auth_base_dn=OU=mygroup,DC=mydomain,DC=fr
ldap_auth_ssl_enabled=True


Here is the result of /opt/wapt/runwaptserver.sh -ldebug during identification:
2020-07-02 10:08:45,001 [waptserver ] DEBUG (3174) accepted ('127.0.0.1', 59294)
2020-07-02 10:08:45,002 [root ] DEBUG Using monserver.mondomaine.fr as authentication ldap server
2020-07-02 10:08:45,003 [root ] DEBUG Using OU=mongroup,DC=mondomaine,DC=fr as base DN
2020-07-02 10:08:45,003 [root ] DEBUG using dc monserver.mondomaine.fr for authentication, with base DN OU=mongroup,DC=mondomaine,DC=fr and bind username monlogin@mondomaine.fr
2020-07-02 10:08:45,003 [root ] DEBUG Using ldaps for authentication
2020-07-02 10:08:45,012 [waptserver ] INFO ip.de.mon.AD,127.0.0.1 - - [02/Jul/2020 10:08:45] "POST /api/v3/login HTTP/1.0" 401 324 0.009679
2020-07-02 10:08:47,625 [waptserver ] INFO wsgi exiting
2020-07-02 10:08:47,625 [waptserver ] INFO (3174) wsgi exited, is_accepting=True
2020-07-02 10:08:47,625 [waptserver ] INFO Waptserver stopped
Well... I'm not exactly an expert on logs, but in this case, I don't see...
The console won't connect

Thanks in advance !!
High
User avatar
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM
Contact :
Contact Sfonteneau

July 2, 2020 - 5:10 PM

You can do a test like this:

Code: Select all

apt install ldap-utils
ldapsearch -x -H ldap://srvads.mydomain.lan -Z -D sfonteneau@mydomain.lan -b dc=mydomain,dc=lan -W
This allows you to perform a test without going through wapt

After the order

Code: Select all

sudo update-ca-certificates
Your certificate should be located in /etc/ssl/certs
High
Houg
Messages: 7
Registration: July 2, 2020 - 9:59 AM

July 3, 2020 - 8:32 AM

Good morning,

As described in the post, the LDAP connection is working... I tested different ldapsearch parameters before posting on the forum (I forgot to mention that)
So this line is functional (a slight variation to clearly show the indicated port):
ldapsearch -x -h srvads.mydomain.lan -Z -D sfonteneau@mydomain.lan -p 389 -b dc=mydomain,dc=lan -W
Enter LDAP Password:
[...]
# search result
search: 3
result: 4 Size limit exceeded
[...]

But, if I specify port 636, it is no longer the same.
ldapsearch -x -h srvads.mydomain.lan -Z -D sfonteneau@mydomain.lan -p 636 -b dc=mydomain,dc=lan -W
ldap_start_tls: Can't contact LDAP server (-1)
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I should point out that LdapS is functional on AD => telnet on port 636 is functional + the ldp.exe tool from Microsoft (via another server) also works.

Regarding the certificate, yes, it is indeed available in /etc/ssl/certs. Furthermore, it's a public certificate authority, which is therefore already present by default.



EDIT: Problem solved, or rather bypassed => I specified a different AD and it works....
High
Locked

Return to "WAPT Server"


  • To go further with WAPT