[SOLVED] Active Directory authentication does not verify certificates

Petr

Configured AD authentication with SSL option.
When a user logs in, PVE opens an LDAP SSL connection to the DC and authentication succeeds in spite of the absence of the Domain Root CA or DC server certificates on the Proxmox hosts.
I cannot find an option responsible for certificate checks in the configuration files, GUI or documentation.
How can I force Proxmox to check the certificate on AD user authentication?
 
Why do you think that the problem in the aforementioned topic is related to certificates? I updated to the latest version and still log in to AD successfully. Please check your configuration and make sure you choose the right Realm in the authentication dialog.

According to the sources, the PVE::Auth::AD module uses Net::LDAP for the LDAP connection. I'm not sure whether Net::LDAP properly implements certificate verification using the ldaps:// scheme or not, but I'm sure that PVE::Auth::AD does not enable the 'verify' parameter.
It is a security flaw to use LDAP authentication without a server certificate check, and it can compromise not only Proxmox, by the way.
 
The problem is I can't debug properly without any output.
After auth errors I see error messages in syslog "...pve01 pvedaemon[23645]: authentication failure;..." with understandable or googlable output.

But what I like about Proxmox is its good, clean code, which can be debugged by a nonprogrammer like me without any special tools or knowledge. For instance, you can add the line "use PVE::SafeSyslog;" in the file "/usr/share/perl5/PVE/Auth/AD.pm" and output any data to syslog with a function like `syslog('err', "hello syslog");`. Just restart pvedaemon after the changes.
Of course, not on a production cluster. I install a nested Proxmox for debugging purposes.

EDIT:
Concerning my problem, I registered a bug report:
Bug 1470 - Implement server certificate verification before Active Directory LDAP authentication
 
Fixed in commit 23e0cf85fd504f60222e4cc30f7081d601809c95, libpve-access-control version 5.0-6.
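
The thread turns on Net::LDAP's 'verify' option, so here is an added example (not code from PVE::Auth::AD, the fix commit, or any poster) of an LDAPS connection that refuses a domain controller whose certificate cannot be validated. The host name, CA file path and environment variable names are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Assumed values for illustration; replace with your own DC and CA bundle.
my $dc_host = 'dc1.example.test';
my $ca_file = '/etc/ssl/certs/example-domain-root-ca.pem';

# Open an LDAPS connection that fails unless the server certificate
# validates against the given CA file.
sub connect_verified {
    my ($host, $cafile) = @_;

    # Fail early: a missing trust anchor should never fall back to "no check".
    die "CA file '$cafile' is not readable\n" unless -r $cafile;

    my $ldap = Net::LDAP->new(
        $host,
        scheme  => 'ldaps',
        port    => 636,
        verify  => 'require',   # reject certificates that cannot be verified
        cafile  => $cafile,     # trust anchor: the domain root CA
        timeout => 10,
    ) or die "LDAPS connection to $host failed: $@\n";

    return $ldap;
}

my $ldap = connect_verified($dc_host, $ca_file);

# Credentials are sent only after the TLS session has been verified.
# AD_USER / AD_PASS are hypothetical environment variables for this example.
my $user = $ENV{AD_USER} // die "AD_USER is not set\n";
my $pass = $ENV{AD_PASS} // die "AD_PASS is not set\n";

my $msg = $ldap->bind($user, password => $pass);
die 'Bind failed: ' . $msg->error . "\n" if $msg->code;

print "Bound to $dc_host over verified LDAPS\n";
$ldap->unbind;
```

Running it against a DC whose issuing CA is not in the CA file should end at the "LDAPS connection ... failed" message, before any password leaves the host.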
 
