AD and no LDAP over SSL.

Rudi Swennen

Member
May 14, 2014
Heverlee, Belgium
Hello,

I configured my proxmox server to authenticate users to our AD server.
I explicitly specified to use port 636 and SSL.
I also configured the user on the proxmox server. So he could log in.

But when I look in the firewall before the AD the only packets that are leaving the server have destination port 389 and not 636.
The tcpdump -i eth0 'port 636' confirms this behavior. No packets are leaving on port 636 only on port 389.

Anyone an idea?

Kind regards,

Rudi
 

It gets even stranger ...

When I configure a test proxmox server with the possibility to connect to our AD on port 389 but explicitly request *with SSL*, no encryption occurs :-(
When I log in on the proxmox server and at the same time analyse the packets of the server (ssh root@xx.xx.xx.xx tcpdump -nli eth0 host ad.server.be -s0 -w - | wireshark -nki - ) I can see the passwords in clear text.

So even if I request SSL, proxmox decides to use plain LDAP.
Is this normal?
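The check described in the post above (watching the PVE-to-AD traffic and spotting a bind in the clear) can be automated. The following is an added example, not code from the thread or from Proxmox: it takes (destination port, payload) pairs as a capture tool would hand them over, recognises a TLS handshake versus a plain LDAPv3 BindRequest by parsing the BER structure, and reports simple binds that carry the password unencrypted. The sample payloads are constructed inline, not captured traffic.

```python
# Added example: flag LDAP simple binds sent without TLS (the symptom in the thread).

def _tlv(tag, value):
    """Encode one BER TLV with a short-form length (enough for the constructed samples)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def _read_tlv(buf, pos):
    """Decode one BER TLV at pos (short and long definite lengths). Returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(msg_id, name, password):
    """Constructed sample only: an LDAPv3 simple BindRequest per RFC 4511 syntax."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))

def classify_ldap_payload(dst_port, payload):
    """Describe the first client message: TLS handshake, cleartext simple bind, or other."""
    if payload[:2] == b"\x16\x03":         # TLS record type handshake, major version 3
        return {"port": dst_port, "kind": "tls", "cleartext_bind": False}
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:                        # LDAPMessage is a SEQUENCE
        return {"port": dst_port, "kind": "unknown", "cleartext_bind": False}
    _, _msgid, pos = _read_tlv(msg, 0)     # messageID INTEGER
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:                     # BindRequest = [APPLICATION 0] constructed
        return {"port": dst_port, "kind": "ldap-other", "cleartext_bind": False}
    _, _version, pos = _read_tlv(op, 0)    # version INTEGER
    _, name, pos = _read_tlv(op, pos)      # name LDAPDN (OCTET STRING)
    auth_tag, _secret, _ = _read_tlv(op, pos)   # authentication CHOICE; password is never returned
    return {"port": dst_port, "kind": "ldap-bind",
            "cleartext_bind": auth_tag == 0x80,    # [0] simple: password as plain OCTET STRING
            "bind_dn": name.decode("utf-8", "replace")}

def audit(packets):
    """packets: iterable of (dst_port, payload). Returns the findings for cleartext binds."""
    return [f for f in (classify_ldap_payload(p, d) for p, d in packets) if f["cleartext_bind"]]

# Constructed samples: a plain bind as seen on 389 and the start of a TLS ClientHello on 636.
SAMPLE_CLEARTEXT = build_simple_bind(1, "rudi@ad.example", "s3cret")
SAMPLE_TLS = bytes.fromhex("160301004a01000046030355")
```

Feed it the client-to-server payloads of a capture such as the tcpdump in the post; an empty result from `audit()` while the login succeeds means the bind really went over TLS.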
 
Is this normal?

No, you found a bug. The following patch should solve the problem:

Code:
diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index eb502f7..35396b9 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -80,7 +80,7 @@ my $authenticate_user_ad = sub {
     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
     my $conn_string = "$scheme://${server}:$port";
     
-    my $ldap = Net::LDAP->new($server) || die "$@\n";
+    my $ldap = Net::LDAP->new($conn_string) || die "$@\n";
 
     $username = "$username\@$config->{domain}" 
        if $username !~ m/@/ && $config->{domain};
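Review bot: the `+` line now passes `$conn_string` instead of the bare `$server`, so the `ldaps` scheme and `$port` built two lines earlier are finally honoured, but `Net::LDAP->new($conn_string)` is still called with no `verify`, `cafile` or `capath` option, so the TLS session is not checked against a trusted CA and any server presenting a certificate on 636 would be accepted; consider `Net::LDAP->new($conn_string, verify => 'require', cafile => $config->{cafile})` or an equivalent configurable setting. It would also help to state in the change description that the old call ignored both the scheme and the port, which is exactly why the reporter saw plain binds on 389 with SSL ticked; the same `tcpdump -nli eth0 host ad.server.be` from the thread, now showing traffic only on 636 and no readable bind, is the confirmation to ask for.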
 

Just to confirm on how to apply this patch (or any other patch):

1. copy the patch code above into a file (patch1.diff).
2. type the command as root:
patch -p1 -i patch1.diff /etc/pve/Auth/AD.pm

Am I correct?

Serge