Login failed: The LDAP server is unreachable

mohammad_amro · March 9, 2020, 5:00am

I have the following problem with ldap when I tried to use secure ldap with ‘verify_cert’: True.
“Login failed: The LDAP server is unreachable”
Is there any work around for this problem?

Thanks,

ThiefMaster · March 9, 2020, 3:10pm

Point cert_file to a file containing the root CA that signed the certificate used by your LDAP server. If it’s a publicly recognized CA, then it should work out of the box (assuming the certifi python package is installed):

github.com

indico/flask-multipass/blob/9d5ad2a420ee3e19be9cdf473e43b2b8c170da86/flask_multipass/providers/ldap/providers.py#L48






class LDAPProviderMixin(object):
    @property
    def ldap_settings(self):
        return self.settings['ldap']


    def set_defaults(self):
        self.ldap_settings.setdefault('timeout', 30)
        self.ldap_settings.setdefault('verify_cert', True)
        self.ldap_settings.setdefault('cert_file', certifi.where() if certifi else None)
        self.ldap_settings.setdefault('starttls', False)
        self.ldap_settings.setdefault('page_size', 1000)
        self.ldap_settings.setdefault('uid', 'uid')
        self.ldap_settings.setdefault('user_filter', '(objectClass=person)')
        if not self.ldap_settings['cert_file'] and self.ldap_settings['verify_cert']:
            warn("You should install certifi or provide a certificate file in order to verify the LDAP certificate.")
        # Convert LDAP settings to text in case someone gave us bytes
        self.settings['ldap'] = to_unicode(self.settings['ldap'])

mohammad_amro · March 11, 2020, 4:16pm

Thank you for your replies. I tried this configuration and received the following error:

Something went wrong

ValueError: option error
Report Error

I used the below configuration.

'cert_file': '/opt/indico/custom/cert',
'timeout': 30,
'verify_cert': True,
'starttls': False,
'page_size': 1500,

ThiefMaster · March 11, 2020, 4:20pm

please show the traceback from indico.log. also, can you post the contents of /opt/indico/custom/cert?

mohammad_amro · March 11, 2020, 4:54pm

Sure, please see the contents of /opt/indico/custom/cert

-rw-r–r-- 1 indico www-data 2296 Feb 19 08:38 Base-64-srvinfdc-2.cer
-rw-r–r-- 1 indico www-data 2260 Mar 11 19:03 DER-srvinfdc-2-1.pem
-rw-r–r-- 1 indico www-data 1629 Feb 19 08:35 DER-srvinfdc-2.cer
-rw-r–r-- 1 indico www-data 1629 Feb 19 08:35 DER-srvinfdc-2.crt
-rw-r–r-- 1 indico www-data 2260 Mar 11 19:02 DER-srvinfdc-2.pem
I used the following command to convert the .cer and .crt to .pem file

openssl x509 -inform der -in /opt/indico/custom/cert/DER-srvinfdc-2.crt -out /opt/indico/custom/cert/DER-srvinfdc-2.pem

indico.log (4.7 KB)

ThiefMaster · March 11, 2020, 4:59pm

You have to point this config option to an actual file (in pem format) that contains the root CA certificate, not some folder containing all kinds of files.

Also, the file you attached looks like a logfile from uwsgi and not the usual indico.log one from /opt/indico/log/indico.log…

PS: You cannot put an obfuscated email address in your config (except for PUBLIC_SUPPORT_EMAIL). As the log shows, sending emails with a sender of events(at)kfupm.edu.sa fails…

mohammad_amro · March 11, 2020, 5:31pm

Thanks, I fixed all mentioned the issues, but still, I have the same error with ldap authentication.

indico.log (30.0 KB)

ThiefMaster · March 11, 2020, 5:33pm

Can you attach the file cert_file points to?

mohammad_amro · March 12, 2020, 8:32am

DER-srvinfdc-2.zip (1.7 KB)

ThiefMaster · March 12, 2020, 8:35am

ok the file looks valid… in that case i don’t know why it fails

mohammad_amro · March 12, 2020, 10:19am

Thanks for your support. It works now!. The problem was in ‘cert_file’: option it should be like this ‘/opt/indico/custom/cert/DER-srvinfdc-2.crt’.
But when I changed the ‘starttls’: True, I received the following error.

Something went wrong

CONNECT_ERROR: {‘info’: u’(unknown error code)‘, ‘desc’: u’Connect error’}

ThiefMaster · March 12, 2020, 10:22am

does it use starttls? if not, you may want ldaps://... in the uri to use a standard tls connection

mohammad_amro · March 15, 2020, 10:39am

Thanks, this problem is due to firewall configuration. I will use the standard tls connection.