Security

LDAP Auth with TLS

stl
New Member

I'm attempting to authenticate users in an OpenLDAP 2.4 directory which requires TLS, and the TLS portion appears to be failing. The LDAP server is using a wildcard certificate of *.wiredrive.com from GoDaddy, on a server with the hostname of la.wiredrive.com. This is being used successfully for PAM based authentication of ssh and auth basic for other services so I do know it does play. Appended is the Splunk logging output for LDAP cranked to the debug level. You can see that the initial anonymous bind works so DNS is functioning, however when it attempts the actual tree search which requires TLS it fails with a 'confidentiality required' error leading me to believe it's not actually utilizing the cert.

08-29-2011 13:56:14.548 -0700 DEBUG ScopedLDAPConnection - Initializing with LDAP URL 'ldap://la.wiredrive.com:389'
08-29-2011 13:56:14.548 -0700 DEBUG ScopedLDAPConnection - Attempting anonymous bind
08-29-2011 13:56:14.550 -0700 DEBUG ScopedLDAPConnection - Bind successful
08-29-2011 13:56:14.550 -0700 DEBUG ScopedLDAPConnection - Attempting to read entry for dn: 'ou=people,dc=la,dc=wiredrive,dc=com'
08-29-2011 13:56:14.550 -0700 DEBUG ScopedLDAPConnection - No constraints, returning empty filter
08-29-2011 13:56:14.551 -0700 ERROR ScopedLDAPConnection - Read for DN 'ou=people,dc=la,dc=wiredrive,dc=com' gave error: Confidentiality required
08-29-2011 13:56:14.551 -0700 DEBUG ScopedLDAPConnection - Attempting to load entries...
08-29-2011 13:56:14.551 -0700 ERROR ScopedLDAPConnection - Could not read invalid entry at DN ou=people,dc=la,dc=wiredrive,dc=com
08-29-2011 13:56:14.559 -0700 DEBUG ScopedLDAPConnection - Successfully performed unbind

Here is the modified ldap.conf file in Splunk's etc/openldap/ directory. I've also attempted to set REQCERT to demand with no luck.

ssl start_tls
TLS_REQCERT never
TLS_CACERT $SPLUNK_HOME/etc/openldap/certs/godaddy.pem
TLS_CACERTDIR $SPLUNK_HOME/etc/openldap/cert

Here is my check of the CA certificate, which as mentioned is the same that I am using successfully for PAM.

# openssl verify godaddy.pem 
godaddy.pem: OK

schplunk_meiste
Engager

Has anybody figured this out? The official documentation I've read doesn't seem to address cases where TLS 1.2 is the only option for a Splunk LDAP client to communicate with an OpenLDAP server.


anark
New Member

Did you find a way to do this? I am also trying to connect to an LDAP server using StartTLS and have not had any luck yet.


phatfingers
Explorer

I notice on the first line of your log, it's connecting to "ldap://la.wiredrive.com:389".

  • Using "ldap" and not "ldaps"
  • Using "389" and not "636"

Work through the steps under "Set up LDAP via Splunk Web" on this page:
Setup User Authentication with LDAP

It addresses those specific problems.


stl
New Member

The LDAP server is configured to use TLS which runs on the default port of 389, not the SSL port of 636.

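The log in the original post and the ldap://389 versus ldaps://636 exchange above both come down to one protocol detail: with StartTLS the client opens a plaintext LDAP session on port 389 and must send the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) before any operation the server protects; with ldaps the TLS handshake happens before any LDAP PDU on port 636. A server that enforces TLS will still accept a plaintext anonymous bind but answers the later search with LDAP resultCode 13, which RFC 4511 names confidentialityRequired and which is exactly the "Confidentiality required" string in the log. The following example is added here and is not code from the thread, from Splunk or from OpenLDAP. It encodes the StartTLS request, decodes LDAPResult-shaped replies, and classifies them; the two server replies it decodes offline are constructed samples, and `starttls_connect` is a network-dependent helper that assumes a reachable host and a CA file you supply. Unlike `TLS_REQCERT never` in the posted ldap.conf, which disables certificate verification entirely, the helper uses Python's default context, so the chain must validate against the CA file and the wildcard certificate must match the hostname.

```python
"""Minimal LDAP StartTLS encoder/decoder (RFC 4511 framing), standard library only."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
RESULT_SUCCESS = 0
RESULT_CONFIDENTIALITY_REQUIRED = 13   # RFC 4511 resultCode "confidentialityRequired"

# Protocol-op tags: APPLICATION class, constructed (0x60) | op number
OP_SEARCH_RESULT_DONE = 0x65           # [APPLICATION 5]
OP_EXTENDED_RESPONSE = 0x78            # [APPLICATION 24]
OP_EXTENDED_REQUEST = 0x77             # [APPLICATION 23]


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value, tag=0x02):
    """Two's-complement INTEGER (tag 0x02) or ENUMERATED (tag 0x0A)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(size, "big", signed=True))


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] = StartTLS OID } }."""
    ext_req = tlv(OP_EXTENDED_REQUEST, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, ber_int(msg_id) + ext_req)


def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(msg):
    """Decode an LDAPMessage whose protocolOp starts with an LDAPResult.
    Returns (message_id, op_tag, result_code, diagnostic_message)."""
    tag, seq, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(seq)                       # messageID INTEGER
    op_tag, op, _ = read_tlv(seq, pos)                # protocolOp
    _, rc, pos = read_tlv(op)                         # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)              # matchedDN (ignored)
    _, diag, _ = read_tlv(op, pos)                    # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True), op_tag,
            int.from_bytes(rc, "big", signed=True), diag.decode("utf-8", "replace"))


def build_ldap_result(msg_id, op_tag, result_code, diag=b"", extra=b""):
    """Server-side encoder, used only to construct offline sample replies."""
    body = ber_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diag) + extra
    return tlv(0x30, ber_int(msg_id) + tlv(op_tag, body))


def diagnose(msg):
    """Map a decoded reply to the action a client should take."""
    _, op_tag, rc, diag = parse_ldap_result(msg)
    if rc == RESULT_CONFIDENTIALITY_REQUIRED:
        return "plaintext operation refused: send StartTLS before searching"
    if op_tag == OP_EXTENDED_RESPONSE and rc == RESULT_SUCCESS:
        return "StartTLS accepted: wrap the socket in TLS now"
    return f"resultCode {rc}: {diag}"


# Constructed sample: a TLS-enforcing server answering a plaintext search (messageID 2).
SAMPLE_SEARCH_REFUSED = build_ldap_result(
    2, OP_SEARCH_RESULT_DONE, RESULT_CONFIDENTIALITY_REQUIRED, b"confidentiality required")
# Constructed sample: successful StartTLS ExtendedResponse carrying responseName [10].
SAMPLE_STARTTLS_OK = build_ldap_result(
    1, OP_EXTENDED_RESPONSE, RESULT_SUCCESS, b"", tlv(0x8A, STARTTLS_OID))


def starttls_connect(host, port=389, cafile=None, timeout=5):
    """Network-dependent: plaintext connect, StartTLS, then a verified TLS wrap.
    Assumes the server answers the ExtendedRequest in a single recv (fine for a probe)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request(1))
    _, op_tag, rc, diag = parse_ldap_result(sock.recv(4096))
    if op_tag != OP_EXTENDED_RESPONSE or rc != RESULT_SUCCESS:
        sock.close()
        raise RuntimeError(f"StartTLS refused: resultCode={rc} {diag!r}")
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print(diagnose(SAMPLE_SEARCH_REFUSED))
    print(diagnose(SAMPLE_STARTTLS_OK))
```

Run as-is it only exercises the constructed samples; pointing `starttls_connect("la.wiredrive.com", cafile="godaddy.pem")` at the real server would show whether the StartTLS ExtendedRequest itself is accepted on 389 and whether the GoDaddy chain and wildcard name verify, which separates a server-side TLS policy problem from a client that never issues StartTLS at all.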