ldap configuration issue forcing TLS

We have a test environment using your vertica-vmsrvr-7.0.1-0.64 image and are trying to get LDAP to authenticate a user.  My issue is that i continually get "FATAL 3846:  LDAP authentication failed".  I have used the unix binary ldapsearch to Successfully connect to the LDAP Microsoft AD server and been able to connect fine.  I then took the parameters used in the ldapsearch to build the ClientAuthentication in vertica.conf.  It appears from the logs that it wants to connect to the ldap server using TLS?  We also added the ldap.conf and the environment variable LDAPCONF even though we are not using ldaps, tls or ssl but it mentioned in the documents that this is a requirement for setting up ldap.  
Below is the ClientAuthentication record, output from the vertica log, ldapsearch command ,the ldapsearch output and ldap.conf.

ClientAuthentication = host all 0.0.0.0/0 ldap "ldap://150.142.96.30/search;basedn=DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US;binddn=CN=steve.brown,OU=DMTRUsers,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US;bindpasswd=rosoft99ff;searchattribute=sAMAccountName"

here is the log output:
2014-08-27 07:47:05.346 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/2705: Connection received: host=192.168.72.1 port=51863 (connCnt 1)
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/4540: Received SSL negotiation startup packet
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/4691: Sending SSL negotiation response 'N'
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/3443: Found matching ClientAuthentication entry: host all 0.0.0.0/0  ldap ldap://192.168.1.24/search;basedn=DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US;binddn=CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US;bindpasswd=password1;searchattribute=sAMAccountName
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/4686: sendAuthRequest: user=sb2345 database=dbadmin host=192.168.72.1 authType=3
2014-08-27 07:47:05.352 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/2917: Could not start LDAP TLS session: error code -11: Connect error
2014-08-27 07:47:05.352 Init Session:0x210e7260-a000000000590c [Txn] <INFO> Begin Txn: a000000000590c 'check_login_history'
2014-08-27 07:47:05.353 Init Session:0x210e7260-a000000000590c [Txn] <INFO> Rollback Txn: a000000000590c 'check_login_history'
2014-08-27 07:47:05.354 Init Session:0x210e7260 <FATAL> @v_apple_node0001: {SessionRun} 28000/3846: LDAP authentication failed for user "sb2345"
        LOCATION:  auth_failed, /scratch_a/release/vbuild/vertica/Basics/ClientAuthentication.cpp:776

ldapsearch:
ldapsearch -h 192.168.1.24 -p 389 -x -D "CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US" -W -b "DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US"  -s sub "sAMAccountName=sb2345"

ldapsearch output:
[dbadmin@vertica v_apple_node0001_catalog]$ ldapsearch -h 192.168.1.24 -p 389 -x -D "CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean,DC=State,DC=ME,DC=US" -W -b "DC=llbean11,DC=lcom,DC=llbean,DC=State,DC=ME,DC=US"  -s sub "sAMAccountName=sb2345"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=llbean11,DC=lcom,DC=llbean,DC=State,DC=ME,DC=US> with scope subtree
# filter: sAMAccountName=sb2345
# requesting: ALL
#

# steve.brown, DMTR Users, DMTR, llbean11.lcom.bean.State.ME.US
dn: CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean,D
 C=State,DC=ME,DC=US
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: steve.brown
sn: Brown
c: US
l: AlbaME
st: ME
description: OMM
postalCode: 12201
physicalDeliveryOfficeName: One Metro

givenName: Steven
initials: W
distinguishedName: CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=H
 COM,DC=llbean,DC=State,DC=ME,DC=US
instanceType: 4
whenCreated: 20100113225107.0Z
whenChanged: 20140825012451.0Z
displayName: Steven W Brown
uSNCreated: 14963
mail: steve.brown@bean.me.gov
middleName: W
mAPIRecipient: TRUE
MEsits-sourceAnchor: vKrXlrw/j0i5vHH9LAI5yQ==
msExchRecipientTypeDetails: 128
msExchPoliciesExcluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchPoliciesIncluded: {23668AD4-4FA1-4EE8-B2BB-F94640E8FBA0},{26491CFC-9E50-
 4857-861B-0CB8DF22B5D7}
extensionAttribute15: CmnExcludeFromDirSync
msExchRemoteRecipientType: 3
mailNickname: sb2345
targetAddress: sb2345@notes.bean.state.me.us

# search reference
ref: ldap://DomainDnsZones.llbean11.lcom.bean.State.ME.US/DC=DomainDnsZones,D
 C=llbean11,DC=lcom,DC=llbean,DC=State,DC=ME,DC=US

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1


LDAPCONF
/home/dbadmin/ldap.conf

[dbadmin@vertica v_apple_node0001_catalog]$ cat /home/dbadmin/ldap.conf
TLS_REQCERT never
TLS_CACERT = /home/dbadmin/CA-cert-bundle.crt



Comments

  • Hello Steve,

    If you are setting up LDAP in Vertica 7.0, there is an additional configuration file which needs to be created and updated.

    In Vertica 7.0, we introduced some new security features which in turn introduced some new configuration files. Please review the below documentation page, it will walk you through setting up an additional config file, ldap.conf, in which we will state that we will never want starttls connections: 

    https://my.vertica.com/docs/7.0.x/HTML/index.htm#Authoring/InstallationGuide/InstallingVertica/UsingSecureLDAPAuthenticationinHPVertica7.0.htm 

    The only entry we need to add to the file is: 

    TLS_REQCERT allow

    Thanks,
    Rory
  • Setting the 'TLS_REQCERT allow' in the ldap.conf fixed some of the problem, and i was able to connect when the basedn is set to the group i am in.  When i try and make the basedn more generic and force it higher up the tree, i get FATAL 3846:  LDAP authentication failed.  Is there something i need to specify in the basedn to search subtrees?

    *** worked when searched group i belong***
    ClientAuthentication = host all 0.0.0.0/0 ldap "ldap://192.168.1.24/search;basedn=OU=DMTR Users,OU=DMTR,DC=llbean1,DC=LCOM,DC=Llbean,DC=State,DC=ME,DC=US;binddn=llbean1\sb2345;bindpasswd=password1;searchattribute=sAMAccountName"                

    *** did not work using a more generic basedn***  
    ClientAuthentication = host all 0.0.0.0/0 ldap "ldap://192.168.1.24/search;basedn=DC=llbean1,DC=LCOM,DC=Llbean,DC=State,DC=ME,DC=US;binddn=llbean1\sb2345;bindpasswd=password1;searchattribute=sAMAccountName"
                    
    fails with
    2014-08-27 13:38:28.996 Init Session:0xea84020 <LOG> @v_apple_node0001: 00000/5559: Could not search LDAP for filter "(sAMAccountName=sb2345)" on server "ldap://192.168.1.24": error code 1 Operations error

    example of our LDAP tree

    OU=DMTR,DC=llbean1,DC=LCOM,DC=Llbean,DC=State,DC=ME,DC=US
    OU=URLR,DC=llbean1,DC=LCOM,DC=Llbean,DC=State,DC=ME,DC=US

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file