AD and no LDAP over SSL.

Rudi Swennen

May 14, 2014
Hello,

I configured my proxmox server to authenticate users to our AD server.
I explicitly specified to use port 636 and SSL.
I also configured the user on the proxmox server, so he could log in.

But when I look in the firewall before the AD the only packets that are leaving the server have destination port 389 and not 636.
The tcpdump -i eth0 'port 636' confirms this behavior. No packets are leaving on port 636 only on port 389.

Anyone an idea?

Kind regards,

Rudi
 

It gets even stranger ...

When I configure a test proxmox server to connect to our AD on port 389 but explicitly request *with SSL*, no encryption occurs :-(
When I log in on the proxmox server and at the same time analyse the packets of the server (ssh root@xx.xx.xx.xx tcpdump -nli eth0 host ad.server.be -s0 -w - | wireshark -nki - ) I can see the passwords in clear text.

So even if I request SSL, proxmox decides to use plain LDAP.
Is this normal?
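A defender-side check for the situation described in these two posts, added here as an example (it is not from the thread or from Proxmox): it builds the URI the backend should be using from the configured server/port/secure flag, flags the inconsistent combination from the second post (SSL requested on port 389), and counts destination ports in constructed `tcpdump -n` output so that LDAP traffic that bypassed the expected port shows up. The server name and capture lines are constructed sample values.

```python
import re
from collections import Counter

# tcpdump -n prints "IP src.port > dst.port: ..."; capture the destination port.
_DST_PORT = re.compile(r"\bIP6? \S+ > \S+?\.(\d+):")

def config_mismatch(port, secure):
    """Return a warning when the port and the SSL flag disagree, else None."""
    if secure and int(port) == 389:
        return "secure=True with port 389: LDAPS normally uses 636"
    if not secure and int(port) == 636:
        return "secure=False with port 636: plain LDAP normally uses 389"
    return None

def expected_ldap_uri(server, port=None, secure=False):
    """Build the URI the auth backend should connect to (scheme + host + port),
    defaulting the port from the scheme when the config leaves it unset."""
    scheme = "ldaps" if secure else "ldap"
    if port is None:
        port = 636 if secure else 389
    return f"{scheme}://{server}:{int(port)}"

def audit_capture(lines, expected_port):
    """Count destination ports seen in tcpdump output towards the AD server and
    report LDAP traffic (389/636) that did not go to the expected port."""
    counts = Counter()
    for line in lines:
        m = _DST_PORT.search(line)
        if m:
            counts[int(m.group(1))] += 1
    unexpected = {p: n for p, n in counts.items()
                  if p in (389, 636) and p != expected_port}
    return {"ports": dict(counts), "unexpected": unexpected, "ok": not unexpected}

# Constructed sample: client 192.0.2.10 binding to AD 192.0.2.20 on plain 389
# while the config asked for LDAPS (expected port 636).
SAMPLE_CAPTURE = [
    "14:02:11.101 IP 192.0.2.10.40112 > 192.0.2.20.389: Flags [S], seq 1, length 0",
    "14:02:11.102 IP 192.0.2.20.389 > 192.0.2.10.40112: Flags [S.], seq 2, ack 2, length 0",
    "14:02:11.103 IP 192.0.2.10.40112 > 192.0.2.20.389: Flags [P.], length 78",
]

if __name__ == "__main__":
    print(expected_ldap_uri("ad.example.test", None, secure=True))
    print(config_mismatch(389, True))
    print(audit_capture(SAMPLE_CAPTURE, 636))
```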
 
Is this normal?

No, you found a bug. The following patch should solve the problem:

Code:
diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index eb502f7..35396b9 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -80,7 +80,7 @@ my $authenticate_user_ad = sub {
     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
     my $conn_string = "$scheme://${server}:$port";
     
-    my $ldap = Net::LDAP->new($server) || die "$@\n";
+    my $ldap = Net::LDAP->new($conn_string) || die "$@\n";
 
     $username = "$username\@$config->{domain}" 
        if $username !~ m/@/ && $config->{domain};
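Review bot: `$conn_string` is built as `"$scheme://${server}:$port"` with no guard on `$port`, so a config that leaves the port unset produces a URI ending in a bare colon (`ldaps://server:`); either default `$port` from the scheme before building the string (636 for ldaps, 389 for ldap) or only append `:$port` when it is set. Separately, the new `Net::LDAP->new($conn_string)` call still passes no certificate-verification options (Net::LDAP's `verify` and `cafile` parameters), so with ldaps the bind is encrypted but whether the AD server's certificate is actually checked depends on the module's defaults; passing them explicitly would make the secure mode verifiable.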
 

Just to confirm on how to apply this patch (or any other patch):

1. copy the patch code above into a file (patch1.diff).
2. type the command as root:
patch -p1 -i patch1.diff /etc/pve/Auth/AD.pm

Am I correct?

Serge

 
