Issue when FAB is integrated with LDAP and AUTH_LDAP_USE_TLS = True #740

Closed
musunuru opened this issue Apr 25, 2018 · 6 comments

Comments

@musunuru

Is there any property to set the cert file location?

@rushtokunal

I have been waiting for RBAC for such a long time, thanks for this functionality 👍
I'm facing one issue though: I need to communicate with my LDAP server on secure port 636 and also specify the cert. Is there any way I can do it? Appreciate any help.

AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldaps://myldapserver.com:636"
AUTH_LDAP_USE_TLS = True

@alexandrezia
Contributor

This does not directly answer your question, but it is related anyway.
In the default configuration of OpenLDAP, port 636 is SSL, not TLS.

So for SSL on port 636 use:

AUTH_LDAP_USE_TLS = False

For TLS on port 389 use:

AUTH_LDAP_USE_TLS = True

Also, Flask App Builder will ignore the certificate check if you set the following, so you can use your own self-signed certificate:

AUTH_LDAP_ALLOW_SELF_SIGNED = True

However, if you really want/need to check the server certificate over TLS, you can:

  • Put the CA that signed your server certificate or server certificate itself in /etc/openldap/cacerts
  • Run c_rehash /etc/openldap/cacerts to generate certificate hash links

You'll end up with something like this:

# ll /etc/openldap/cacerts
total 8.2k
drwxr-xr-x  2 root root  104 May 10 19:45 ./
drwxr-xr-x. 4 root root   48 May 10 19:45 ../
lrwxrwxrwx  1 root root   18 May 10 19:45 2e5ac55d.0 -> dst-root-ca-x3.pem
lrwxrwxrwx  1 root root   32 May 10 19:45 4f06f81d.0 -> lets-encrypt-x3-cross-signed.pem
-rw-r--r--  1 root root 1.2k Mar 14 21:45 dst-root-ca-x3.pem
-rw-r--r--  1 root root 1.7k Nov 14  2016 lets-encrypt-x3-cross-signed.pem

Then set this in /etc/ldap.conf:

ssl start_tls
tls_checkpeer demand
tls_cacertdir /etc/openldap/cacerts

Restart Flask App builder application.

Certificate check should work as expected.

If it still doesn't work, check whether your
lib/python2.7/site-packages/_ldap.so
is linked against OpenLDAP:

# ldd lib/python2.7/site-packages/_ldap.so | egrep "(ldap|ber)"
  libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2 (0x00007fa8454b2000)
  liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fa8452a3000)

You can also remove and re-install python-ldap and see if it works.

@musunuru
Author

Go to the Superset installation path /security/manager.py.
Add the line "con.set_option(ldap.OPT_X_TLS_CACERTFILE,"")"
below the "con = ldap.initialize(self.auth_ldap_server)" line.
Then LDAP will work with the SSL cert.

@rushtokunal

Thank you so much, I am able to hit LDAP now.

@dpgaspar
Owner

dpgaspar commented May 17, 2018

Hi,

Did @alexandrezia's answer help? Is this still a problem?

LDAP with TLS is not an easy test I can do (yet not impossible, of course). @alexandrezia's answer looks feasible to me, by setting the LDAP trusted CA certificates at the OS level. However, it would probably be nice if we could configure this on FAB by setting:

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE)

and creating a new config key named: AUTH_LDAP_TLS_CACERTFILE

Please reply if this is still a problem, and if you can give me a hand on testing a solution.

Thanks!
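Putting the two pieces of advice in this thread together (alexandrezia's distinction between ldaps:// on 636 and StartTLS on 389, and the AUTH_LDAP_TLS_CACERTFILE key proposed above), here is an added example that is not Flask-AppBuilder's own code. It turns FAB-style config keys into the python-ldap calls they imply and rejects the combination from the original report, an ldaps:// URI with AUTH_LDAP_USE_TLS = True, which asks the server for StartTLS on a socket that is already encrypted. AUTH_LDAP_TLS_CACERTFILE, build_tls_plan, apply_tls_plan and FakeLdapModule are this example's own (hypothetical) names; the ldap.OPT_X_TLS_* constants, initialize, set_option and start_tls_s are python-ldap's real API. The mapping of AUTH_LDAP_ALLOW_SELF_SIGNED onto OPT_X_TLS_ALLOW is an assumption about what FAB does.

```python
"""Map Flask-AppBuilder-style LDAP settings onto python-ldap TLS calls.

Added example for this thread, not Flask-AppBuilder's own code. Hypothetical
names: AUTH_LDAP_TLS_CACERTFILE (the key proposed in the thread),
build_tls_plan, apply_tls_plan, FakeLdapModule. The ldap.OPT_X_TLS_*
constants, initialize(), set_option() and start_tls_s() are python-ldap's.
"""
from urllib.parse import urlsplit


def build_tls_plan(config):
    """Derive a transport plan from a FAB-style config dict; raise on contradictions."""
    uri = config["AUTH_LDAP_SERVER"]
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("AUTH_LDAP_SERVER must start with ldap:// or ldaps://")

    use_start_tls = bool(config.get("AUTH_LDAP_USE_TLS", False))
    allow_self_signed = bool(config.get("AUTH_LDAP_ALLOW_SELF_SIGNED", False))
    cacertfile = config.get("AUTH_LDAP_TLS_CACERTFILE")  # hypothetical key

    # The combination from the original report: ldaps:// negotiates TLS as the
    # socket opens, so a StartTLS request on top of it is refused by the
    # server ("TLS already started"). Catch it before touching the network.
    if scheme == "ldaps" and use_start_tls:
        raise ValueError(
            "ldaps:// with AUTH_LDAP_USE_TLS=True: keep ldaps:// and set "
            "AUTH_LDAP_USE_TLS=False, or use ldap://host:389 with AUTH_LDAP_USE_TLS=True"
        )

    options = []
    if allow_self_signed:
        # Assumed FAB behaviour: OPT_X_TLS_ALLOW accepts *any* certificate,
        # not only self-signed ones, so peer verification is effectively off.
        options.append(("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_ALLOW"))
    else:
        # Demand a certificate that chains to a trusted CA.
        options.append(("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_DEMAND"))
    if cacertfile:
        # Per-connection CA bundle, the in-app alternative to tls_cacertdir in /etc/ldap.conf.
        options.append(("OPT_X_TLS_CACERTFILE", cacertfile))

    return {
        "uri": uri,
        "encrypted": scheme == "ldaps" or use_start_tls,  # False means the bind password goes in clear
        "start_tls": use_start_tls,
        "options": options,  # (python-ldap option name, value or python-ldap constant name)
    }


def apply_tls_plan(plan, ldap_module):
    """Open the connection and apply the plan through the python-ldap API surface."""
    con = ldap_module.initialize(plan["uri"])
    for name, value in plan["options"]:
        if isinstance(value, str) and value.startswith("OPT_X_TLS_"):
            value = getattr(ldap_module, value)  # symbolic name -> module constant
        con.set_option(getattr(ldap_module, name), value)
    if plan["options"]:
        # python-ldap: per-connection TLS options only take effect once a new
        # TLS context is requested, and that call must come after the options.
        con.set_option(ldap_module.OPT_X_TLS_NEWCTX, 0)
    if plan["start_tls"]:
        con.start_tls_s()  # upgrade the plaintext ldap:// socket in place
    return con


class _FakeConnection:
    """Records the calls a real LDAPObject would receive."""

    def __init__(self, uri):
        self.uri = uri
        self.calls = []

    def set_option(self, option, value):
        self.calls.append(("set_option", option, value))

    def start_tls_s(self):
        self.calls.append(("start_tls_s",))


class FakeLdapModule:
    """Offline stand-in for the ldap module; constant values are placeholders, not python-ldap's."""
    OPT_X_TLS_REQUIRE_CERT = "REQUIRE_CERT"
    OPT_X_TLS_ALLOW = "ALLOW"
    OPT_X_TLS_DEMAND = "DEMAND"
    OPT_X_TLS_CACERTFILE = "CACERTFILE"
    OPT_X_TLS_NEWCTX = "NEWCTX"

    @staticmethod
    def initialize(uri):
        return _FakeConnection(uri)


if __name__ == "__main__":
    # Constructed config mirroring the report, corrected to USE_TLS=False for ldaps://.
    cfg = {
        "AUTH_LDAP_SERVER": "ldaps://myldapserver.com:636",
        "AUTH_LDAP_USE_TLS": False,
        "AUTH_LDAP_TLS_CACERTFILE": "/etc/openldap/cacerts/dst-root-ca-x3.pem",
    }
    con = apply_tls_plan(build_tls_plan(cfg), FakeLdapModule)
    for call in con.calls:
        print(call)
```

Pass the real `ldap` module instead of FakeLdapModule to use it for real; with the fake, the demo only records which options would be set and in what order. Note that "encrypted": False (ldap:// with AUTH_LDAP_USE_TLS = False) is a valid plan but sends the bind credentials in clear, so a deployment should refuse it rather than merely log it.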

@stale

stale bot commented Jan 14, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jan 14, 2019
@stale stale bot closed this as completed Jan 16, 2019