LDAP Configuration

Good morning,

@sshah after retrieving the certificate from our LDAP server and creating the respective truststore and keystores, can those files simply be copied to /etc/trasa/certs?

We assume additional SSL configuration is required because of this error

Hi, can you check what was written in the log file? Though I can confirm it's a TLS error, we need to check at what stage of the LDAP connection this error occurs.

Currently, TRASA tries to connect to LDAP port 636 by default. TLS verification for LDAPs is not strict and TRASA will accept any private self-signed certificate. You do not need to copy LDAP certs to /etc/trasa/certs as this will be ignored for LDAP.

Good afternoon,

the message is this one:

time="2021-05-18T14:23:38+01:00" level=error msg="LDAP Result Code 200 \"Network Error\": tls: failed to parse certificate from server: x509: RSA key missing NULL parameters" func=github.com/seknox/trasa/server/api/providers/uidp.UpdateIdp file="uidp/hUIDP.go:110"

So from what I understood, it should be enough just to join the server to our own AD/LDAP domain? I realized I missed that step, and after checking our lab environment configuration docs I can proceed with it if that would work.

That error seems to have occurred during the initial LDAP Bind TLS. Can you confirm that you can connect to the LDAP server with https://linux.die.net/man/1/ldapsearch? If it works with this tool, then it should work with TRASA as well.

Note that only LDAP over TLS listening on port 636 is supported.
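For readers who hit the same log line: "x509: RSA key missing NULL parameters" comes from Go's crypto/x509 parser, which rejects an RSA SubjectPublicKeyInfo whose AlgorithmIdentifier omits the NULL parameters that RFC 3279 requires. The failure happens while the server's certificate is being parsed during the TLS handshake, before any trust decision is made, so relaxed certificate verification does not help and the server certificate has to be re-issued by a tool that encodes the parameters. The Go program below is an added diagnostic, not TRASA's code and not from the TRASA project: it reads the SubjectPublicKeyInfo out of a DER certificate with encoding/asn1 (which is lenient) and reports whether the NULL parameters are present, and it reproduces the defect offline with a constructed SPKI. The certificate it generates, the name ldap.example.test and all function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// rsaEncryption (RFC 3279 section 2.3.1): its parameters MUST be NULL; crypto/x509 enforces that.
var oidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}

// Leading TBSCertificate fields up to subjectPublicKeyInfo. encoding/asn1 tolerates
// trailing bytes inside a SEQUENCE, so the uniqueIDs and extensions need no modelling.
type tbsHead struct {
	Version                   int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber              *big.Int
	SignatureAlgorithm        pkix.AlgorithmIdentifier
	Issuer, Validity, Subject asn1.RawValue
	PublicKey                 asn1.RawValue // SubjectPublicKeyInfo, deliberately kept raw
}

type certificate struct {
	TBSCertificate     asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

type subjectPublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

type SPKIReport struct{ IsRSA, HasNullParams bool } // what the checker reports about the server key

// CheckSPKI uses encoding/asn1, not crypto/x509, so it can inspect the very key that x509 rejects.
func CheckSPKI(der []byte) (SPKIReport, error) {
	var info subjectPublicKeyInfo
	if _, err := asn1.Unmarshal(der, &info); err != nil {
		return SPKIReport{}, err
	}
	return SPKIReport{
		IsRSA:         info.Algorithm.Algorithm.Equal(oidRSAEncryption),
		HasNullParams: bytes.Equal(info.Algorithm.Parameters.FullBytes, asn1.NullBytes),
	}, nil
}

// CheckCertificateDER pulls the SubjectPublicKeyInfo out of a DER certificate (the Bytes of a
// PEM CERTIFICATE block) without x509.ParseCertificate, which would stop with the logged error.
func CheckCertificateDER(der []byte) (SPKIReport, error) {
	var cert certificate
	if _, err := asn1.Unmarshal(der, &cert); err != nil {
		return SPKIReport{}, fmt.Errorf("certificate: %w", err)
	}
	var tbs tbsHead
	if _, err := asn1.Unmarshal(cert.TBSCertificate.FullBytes, &tbs); err != nil {
		return SPKIReport{}, fmt.Errorf("tbsCertificate: %w", err)
	}
	return CheckSPKI(tbs.PublicKey.FullBytes)
}

// rsaSPKIWithoutNull builds the malformed SubjectPublicKeyInfo (no NULL parameters) that reproduces
// the server-side defect offline; constructed data, with x509.MarshalPKIXPublicKey as the well-formed twin.
func rsaSPKIWithoutNull(pub *rsa.PublicKey) ([]byte, error) {
	pkcs1 := x509.MarshalPKCS1PublicKey(pub)
	return asn1.Marshal(subjectPublicKeyInfo{
		Algorithm: pkix.AlgorithmIdentifier{Algorithm: oidRSAEncryption}, // Parameters omitted
		PublicKey: asn1.BitString{Bytes: pkcs1, BitLength: len(pkcs1) * 8},
	})
}

// selfSignedCert makes a well-formed RSA certificate (constructed data, not a real LDAP server's).
func selfSignedCert() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ldap.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

func main() {
	key, der, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	good, _ := CheckCertificateDER(der)
	bad, _ := rsaSPKIWithoutNull(&key.PublicKey)
	badReport, _ := CheckSPKI(bad)
	_, parseErr := x509.ParsePKIXPublicKey(bad) // reproduces the error TRASA logged
	fmt.Printf("well-formed cert: %+v\nSPKI without NULL: %+v\ncrypto/x509: %v\n", good, badReport, parseErr)
}
```

To check a real server, capture its certificate with `openssl s_client -connect host:636 -showcerts </dev/null`, decode the PEM block with encoding/pem and pass block.Bytes to CheckCertificateDER. A report of IsRSA true and HasNullParams false is the condition behind the log line; the certificate (usually the issuing software on the AD side) is what needs fixing, not TRASA's configuration.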

After performing a successful telnet to the LDAP server on port 636, I tried a general search without binding, and then binding as admin.

These were the results:

Without admin binding

# ldapsearch -x -b "search_base" -H ldap://ldap_host
# extended LDIF
#
# LDAPv3
# base <dc=search_base> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication

# numResponses: 1

With admin binding

# ldapsearch -x -b "search_base" -H ldap://ldap_host -D "bind_dn" -W
Enter LDAP Password:
ldap_bind: Strong(er) authentication required (8)
	additional info: BindSimple: Transport encryption required.

Not sure how you tested LDAPs on port 636 with telnet. Also, the command above is clearly not using ldaps:// but ldap://!

Good morning ,

My bad, I assumed that a successful telnet on port 636 would be a sign that it would work, but apparently not, as the ldapsearch command with ldaps:// now gives this output:

Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Good morning @sshah

Had to give priority to other tasks, but now it seems we're back on this.
And after a brief meeting with the client, the service is AD instead of LDAP… we were requested to use the AD feature in TRASA but with SSL. Can TRASA support AD reconciled with SSL?

TRASA does support AD - https://www.trasa.io/docs/providers/users/ldap/ldap

Yes, but is there additional configuration for SSL authentication? It’s a client request.

As long as LDAPs is configured properly in AD, there are no additional configurations required on TRASA.

Good morning,

I see, and when that is assured, there won't be any issue if we use some sort of SSL configuration beyond it, like HAProxy for example?

This is just an extra feature the client has asked if it was possible to implement in parallel with TRASA access.

I have that implementation set up, and TRASA connects without issue.