
LDAPS authentication


#1

Hello, how can I use ldaps for authentication? ldap + ssl/tls?

Thanks in advance.


#2

Hi @proks,

Thanks for your posting! Have you already set up the basic LDAP integration?

http://docs.gurock.com/testrail-integration/auth-ldap

TestRail and the authentication module also support LDAPS and you can change the authentication script for this (custom/auth/auth.php in your TestRail installation directory). You would need to change the protocol to ldaps:// and also change the port accordingly:

define('AUTH_HOST', 'ldaps://ldap.example.com'); // Note the added "s"
define('AUTH_PORT', 636);                          // LDAPS default port

Now, to make the actual LDAPS certificate work you would need to register the certificate / CA on your TestRail server. PHP’s LDAP library usually uses the standard LDAP lib/client on your system. So you would need to register the SSL certificate on the machine TestRail is installed on, like this:

/etc/ldap/ldap.conf:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=example,dc=com
URI ldaps://ldap.example.com:3269

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERT /etc/ssl/certs/example-ca.crt
TLS_REQCERT demand

I hope this helps!

Cheers,
Tobias


#3

Thank you.
It works with "tls_reqcert allow" in ldap.conf for self-signed certs.
However, the basic problem is that gnutls and all dependent packages like ldap-utils and php5-ldap on Ubuntu 14.04.4 do not support the MD5 signature algorithm. The problem was solved by installing the same packages (other versions) from Ubuntu 15.10 (Wily).


#4

Great to hear that you got it working :)

Cheers,
Tobias


#5

Hi @tgurock

I have the same question but I am using Windows (so I have installed the Active Directory script). I have enabled the PHP extension and installed the script with the protocol set to ldaps:// in AUTH_HOST and the port to 636, but I am getting the following error:

External auth: Bind: Can’t contact LDAP server

I have confirmed that my root CA is installed on the server.

If I revert to LDAP then it works correctly, however, this is against our security policy. Do I need to be using the specific LDAP script rather than the AD script?


#6

Hi Ben,

Thanks for your posting. Please make sure that your LDAP/AD server actually supports SSL connections on port 636. You can also try to add the 636 port to the LDAP/AD address as follows:

ldaps://<server>:636/

I hope this helps!

Cheers,
Tobias


#7

Hi @tgurock

Thanks for the info. Yes our AD server supports SSL over 636 as we use it for other purposes. I have managed to use the info on http://stackoverflow.com/questions/14815142/php-ldap-bind-on-secure-remote-server-windows-fail to discover that when I configure the C:\openldap\sysconf\ldap.conf file to “TLS_REQCERT never” I am able to authenticate successfully using the LDAPS configuration, however, when I change this to:
TLS_CACERT C:\openldap\sysconf\cacert.pem (with the .pem file containing the hash of my root cert) I get the “External auth: Bind: Can’t contact LDAP server” error again.

Am I missing another step? Is there an LDAPS PHP extension that needs to be installed?


#8

Hi Ben,

Thanks for your reply. If the connection works with certificate validation disabled, then it's very likely a certificate issue, or the client cannot validate the certificate for some reason. It looks like LDAP/LDAPS is working in general, and I would recommend trying to get the certificate validation working outside of TestRail first; this should make it easier to troubleshoot this issue.

Cheers,
Tobias
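The recommendation above (check certificate validation outside TestRail) and the earlier posts that got LDAPS working with "TLS_REQCERT allow"/"never" both come down to what the client ldap.conf says. The following is an added example for this thread, not code from TestRail, Gurock or OpenLDAP: a small audit of an OpenLDAP client ldap.conf that reports the settings which make "Can't contact LDAP server" disappear only because verification was switched off, and that catches the TLS_CACERT/TLS_REQCERT directives run together on one line as in the config quoted earlier. The directive list and the default of TLS_REQCERT demand come from ldap.conf(5); the three sample configs are constructed for the example.

```python
"""Audit an OpenLDAP client ldap.conf for settings that weaken LDAPS.

Added helper for this thread, not part of TestRail or OpenLDAP. It reads the
same file the posts above edit (/etc/ldap/ldap.conf on Linux,
C:\\openldap\\sysconf\\ldap.conf on Windows).
"""

# Directives that matter for transport security; anything else passes through.
KNOWN_DIRECTIVES = {
    "BASE", "URI", "HOST", "PORT", "TLS_CACERT", "TLS_CACERTDIR",
    "TLS_REQCERT", "TLS_CRLCHECK", "SIZELIMIT", "TIMELIMIT", "DEREF",
}

# TLS_REQCERT values that let a bind proceed without verifying the server
# certificate (ldap.conf(5)); the default when the directive is absent is "demand".
UNVERIFIED_REQCERT = {"never", "allow"}


def parse_ldap_conf(text):
    """Return (lineno, DIRECTIVE, argument) for each non-comment line.

    libldap takes everything after the directive name as that directive's
    argument, so two directives written on one line become one bad argument.
    The parser keeps that behaviour on purpose so the audit can flag it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, name, arg))
    return entries


def audit_ldap_conf(text):
    """Return a list of (lineno, message) findings; an empty list means hardened."""
    findings = []
    seen = {}
    for lineno, name, arg in parse_ldap_conf(text):
        seen[name] = arg
        tokens = arg.split()
        # A directive keyword inside the argument means two directives were
        # joined on one line, so the CA path is wrong and TLS_REQCERT is never set.
        joined = [t for t in tokens[1:] if t.upper() in KNOWN_DIRECTIVES]
        if joined:
            findings.append((lineno, f"{name}: argument also contains {joined[0]}; "
                                     "each directive needs its own line"))
        if name == "URI":
            for uri in tokens:
                scheme = uri.split("://", 1)[0].lower()
                if scheme == "ldap":
                    findings.append((lineno, f"URI {uri} is plaintext LDAP; the bind "
                                             "password crosses the network in the clear "
                                             "unless the client negotiates StartTLS"))
        if name == "TLS_REQCERT":
            value = tokens[0].lower() if tokens else ""
            if value in UNVERIFIED_REQCERT:
                findings.append((lineno, f"TLS_REQCERT {value}: server certificate is not "
                                         "verified, so LDAPS no longer proves which server "
                                         "received the credentials"))
            elif value == "try":
                findings.append((lineno, "TLS_REQCERT try: a server that presents no "
                                         "certificate is still accepted"))
    # ldaps:// with strict checking but no trust anchor: libldap cannot build a
    # chain, which is what surfaces as "Can't contact LDAP server".
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in seen.get("URI", "").split())
    has_anchor = "TLS_CACERT" in seen or "TLS_CACERTDIR" in seen
    if uses_ldaps and not has_anchor:
        findings.append((0, "ldaps:// URI but no TLS_CACERT/TLS_CACERTDIR: with the default "
                            "TLS_REQCERT demand no chain can be built and the bind fails"))
    return findings


# Constructed samples: the config as quoted in the thread (two directives on one
# line), the "fix" that only disables verification, and a corrected file.
AS_POSTED = """\
BASE dc=example,dc=com
URI ldaps://ldap.example.com:3269
TLS_CACERT /etc/ssl/certs/example-ca.crt TLS_REQCERT demand
"""

VERIFICATION_DISABLED = """\
BASE dc=example,dc=com
URI ldap://ldap.example.com ldaps://ldap.example.com:636
TLS_REQCERT allow
"""

HARDENED = """\
BASE dc=example,dc=com
URI ldaps://ldap.example.com:636
TLS_CACERT /etc/ssl/certs/example-ca.crt
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED),
                        ("verification disabled", VERIFICATION_DISABLED),
                        ("hardened", HARDENED)):
        print(f"== {label}")
        for lineno, msg in audit_ldap_conf(conf) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Run it against the real file with `audit_ldap_conf(open("/etc/ldap/ldap.conf").read())` before touching auth.php: a clean report plus a working `ldapsearch -H ldaps://...` is the "validation working outside of TestRail" the post asks for, and an "allow"/"never" finding explains why a bind that suddenly works is not actually protected.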


#9

Hi Tobias,

I am facing issues in changing the ldap configuration from LDAP to LDAPS.
I have done the changes as per your instructions in the auth.ldap and /etc/ldap/ldap.conf.

However, I am still getting the error “External auth: Bind: Can’t contact LDAP server (failed to retrieve user object)”.

Are there any other changes that need to be done? The TestRail server is running on Ubuntu.

Please help.

Thanks,
Sridhar.


#10

Hey Sridhar,

Thank you for the post. When you have the script setup for just LDAP you have no issues contacting the LDAP server? It sounds like, from the error you are getting, that TestRail is unable to contact the LDAP server at all. DNS issue perhaps?


#11

Hi,

Thanks for your response. After multiple attempts, I have resolved the issue "Can't contact LDAP server". It appears the issue was related to the SSL certificate.

But now I am facing a different issue, as below:
"External auth: Bind: Invalid credentials (failed to retrieve user object)"

Please let me know your suggestions.

Thanks,
Sridhar.


#12

Hi Sridhar,

Thanks for your reply! This error just indicates that there isn’t an LDAP user matching the username you entered under the AUTH_DN that you have configured in your auth.php script. This could mean either the username was entered incorrectly or that the wrong AUTH_DN was configured in your auth.php script. Please note that when authenticating via LDAP you would need to use your LDAP username/password as opposed to your email address. If you’re still unsure, please send a screenshot of the login page after receiving the error as well as a copy of your auth.php script via email directly to contact@gurock.com so that we can review this and troubleshoot the issue.

Hope this helps!

Regards,
Marco


#13

Hi Marco,
Thanks for your help. I have fixed the issue. The issue was related to the invalid AUTH_DN and password.
Now LDAP authentication works fine.

Regards,
Sridhar.


#14

Hi Sridhar,

Thanks for the update, glad you were able to get this working! Just let us know in case there’s anything else we can assist with.

Regards,
Marco