Cacti (home)ForumsRepositoryDocumentation
Cacti: offical forums and support
It is currently Mon Sep 22, 2014 3:14 pm

All times are UTC - 5 hours




Post new topic Reply to topic  [ 11 posts ] 
Author Message
 Post subject: Ldap encryption problem
PostPosted: Mon Oct 13, 2008 6:44 am 
Offline

Joined: Mon Feb 12, 2007 11:55 am
Posts: 15
I am running cacti version 0.8.7b, on sles10, with ldap authentication enable which works. However when I enable TLS or SSL, I get the error messages “LDAP Search Error: Protocol error, unable to start TLS communications”


With encryption disabled ldap authentication works fine but does not work with encryption.

I am running php version 5.2.0, apache 2.2.8

Here is my cacti Ldap setting:

Server: 181.74.x.x
Port Standard: 389
Port SSL : 636
Protocol Version : 3
Encryption : TLS
Referrals : Enable
Mode : Anonymous Searching

Distinguished Name (DN) : o=aol
Search Base: o=aol
Search filter: (&(objectClass=posixAccount)(cn=<username>))
Search Distinguished Name (DN): o=aol

Unfortunately Encryption either by TLS or SSL does not work for me.
Can you help? Please.


Top
 Profile  
 
 Post subject:
PostPosted: Tue Oct 21, 2008 9:25 pm 
Offline
Developer
User avatar

Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Do you have the Open SSL modules installed? What does your Apache error_log indicate if anything?

TheWitness

_________________
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of MacTrack, Boost, CLog, SpikeKill, Platform RTM, DSStats, maintainer of Spine, lot's of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
Gandalfs Official Debugging Help
Central Plugin Repository
Central Templates Repository


Top
 Profile  
 
 Post subject:
PostPosted: Wed Oct 29, 2008 11:17 am 
Offline

Joined: Mon Feb 12, 2007 11:55 am
Posts: 15
Thanks for your response. I am running Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m PHP/5.2.0 mod_auth_tkt/2.0.0rc2. Unfortunately my apache error log does not log anything regarding cacti tls/ssl failed login.

How can I troubleshoot the problem?


Top
 Profile  
 
 Post subject:
PostPosted: Wed Oct 29, 2008 11:52 am 
Offline
Developer/Forum Admin
User avatar

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Oh my.... :-?

I barely got this to work when I implemented the code and never got it fully tested. I'm not 100% sure that the TLS/SSL works for php-ldap.

That being said, I will render as much assistance as I can on this issue, because I would like to see it working.

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 way to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


Top
 Profile  
 
 Post subject:
PostPosted: Thu Apr 23, 2009 4:36 pm 
Offline

Joined: Thu Mar 31, 2005 2:03 pm
Posts: 25
Location: Texas, USA
I've run into the same issue with Novell LDAP and Cacti 0.8.7d all patched up running on W2k3. When using the TLS option I always get:

LDAP Error: Protocol error, unable to start TLS communications

With the encryption set to NONE, it authenticates fine every time, so we know the other settings are okay. The Novell admin won't leave non-encrypted connections enabled, so I have to get either TLS or SSL working. TLS seemed to be the easier option... and we use it for other services but I'll have to get past this error.

Any ideas? What kind of information may I provide to help hammer through the problem?


Top
 Profile  
 
 Post subject:
PostPosted: Fri Apr 24, 2009 8:15 am 
Offline
Developer/Forum Admin
User avatar

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Does SSL work on the standard port?

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 way to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


Top
 Profile  
 
 Post subject:
PostPosted: Fri Apr 24, 2009 1:36 pm 
Offline

Joined: Thu Mar 31, 2005 2:03 pm
Posts: 25
Location: Texas, USA
Got around to toying with SSL today. I'm not having any luck with SSL either, while NONE still works. Digging through forums for SSL LDAP threads now... Will update the SSL findings asap.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Apr 27, 2009 10:41 am 
Offline

Joined: Tue Jul 31, 2007 2:49 am
Posts: 5
I got my LDAPS service today and played a while:
Cacti 0.8.7b, server SUSE Enterprise Server 9

* get public Root CA certificate and copy it to /etc/ssl/certs/
run "c_rehash"
(other distributions may use different directories and configuration files)

* check SSL using sth. like:
"openssl s_client -showcerts -connect server.test.domain:12345 -CApath /etc/ssl/certs/"
(non standard port 12345)

end of command output should look like this:

New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 123(snip)
Session-ID-ctx:
Master-Key: 123 (snip)
Key-Arg : None
Start Time: 1240844427
Timeout : 300 (sec)
Verify return code: 0 (ok)
---


* in /etc/openldap/ldap.conf add
TLS_REQCERT allow
TLS_CACERTDIR /etc/ssl/certs

* check LDAPS (or let it be):
ldapsearch -x -H "server.test.domain:12345" -b "dc=company, dc=com" -D "uid=aUser,ou=something,ou=users,dc=com" -W "(&(|(objectClass=atestperson)(objectClass=atestaccount))(uid=ncc1701))

* configure cati:
set encryption to SSL (TLS not working in my environment)
overwrite "Port Standard = 382" setting with LDAPS port (default/standard 636), "Port SSL" setting will be ignored by Cacti (see trace/tcpdump)

* restart Apache


Top
 Profile  
 
 Post subject:
PostPosted: Mon Apr 27, 2009 11:32 am 
Offline
Developer/Forum Admin
User avatar

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Phytius wrote:
* configure cati:
set encryption to SSL (TLS not working in my environment)
overwrite "Port Standard = 382" setting with LDAPS port (default/standard 636), "Port SSL" setting will be ignored by Cacti (see trace/tcpdump)


Please email me proof that it's ignoring the port designation.

If so, I will fix it.

Thanks,

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 way to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


Top
 Profile  
 
 Post subject:
PostPosted: Tue Apr 28, 2009 10:00 am 
Offline

Joined: Tue Jul 31, 2007 2:49 am
Posts: 5
Sorry, I forgot this yesterday:

In lib/ldap.php you will find

-- SNIP ---
if ($ldap_encryption == "1") {
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port;
$ldap_port = $ldap_port_ssl;
}else{
-- SNAP ---

It should be
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port_ssl;
or
$ldap_port = $ldap_port_ssl;
$ldap_host = "ldaps://" . $ldap_host . ":" . $ldap_port;


Top
 Profile  
 
 Post subject:
PostPosted: Tue Apr 28, 2009 10:54 am 
Offline
Developer/Forum Admin
User avatar

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Email me a patch, I will forget to come back here... :(

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 way to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 11 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  

Protected by Anti-Spam ACP Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group