LDAP with SSL

If the Glados server does not trust the certificate chain of a secure LDAP server the test login form issues an error Can't contact LDAP server or similar.

In order to connect to an LDAP server via SSL, the system running Glados has to trust the secure LDAP server certificate. You may have to include the CA certificate of your LDAP/AD server. First you need to export the CA certificate of your LDAP server in the crt format.

On Debian you can do the following. Copy the CA certificate Domain-CA.crt to /usr/local/share/ca-certificates/

Then run the program that updates the certificate store of your server:

update-ca-certificates -v

To test whether the certificate is trusted, use:

echo | openssl s_client -showcerts -connect hostname.domain.local:636

where hostname.domain.local denotes the FQDN of the LDAP server and 636 is the LDAPS port number. You should observe an output like the following if the certificate was trusted:

CONNECTED(00000003)
depth=1 DC = local, DC = domain, CN = Domain-CA
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:DC = local, DC = domain, CN = Domain-CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=

issuer=DC = local, DC = domain, CN = Domain-CA

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2057 bytes and written 487 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4525000086F0C2A132B4B44AF39E8AE64AD18F8D1B5ABC64B575B19B50E93045
    Session-ID-ctx:
    Master-Key: 31E243F284265AE6AC15C9BFF8FAFA8FB5F3F9E0BE8E6989B0D1BC5EFA165DE4BC0F89A61E6416BA1BAE4F866C6018F5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1632386882
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

If the certificate was not trusted instead it may look like this:

CONNECTED(00000003)
depth=0 CN = hostname.domain.local
verify error:num=20:unable to get local issuer certificate
verify return:1
[...]
SSL handshake has read 2115 bytes and written 487 bytes
Verification error: unable to verify the first certificate
[...]
SSL-Session:
[...]
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
[...]
    Verify return code: 21 (unable to verify the first certificate)
[...]

As soon as the verification using the openssl command is successful you can authenticate via LDAP using SSL. For this, choose ldaps as Connection Method and 636 as LDAP Port or prefix your LDAP URI with ldaps://.