
OpenLDAP Fails to Authenticate Over Encrypted Port

Introduction

OpenLDAP clients and servers can use the Transport Layer Security (TLS) framework to provide integrity and confidentiality protection and to support LDAP authentication with the SASL EXTERNAL mechanism. When LDAP authentication runs over an unencrypted port, clients may be able to authenticate; however, that may not be the right setting under your security policies.

Problem

When LDAP authentication occurs over an unencrypted port, no TLS handshake takes place, so certificate validation problems never surface and the bind succeeds. Over the encrypted port, the OpenLDAP client library by default demands that the server's certificate be verified, which causes the bind to fail if the certificate is self-signed or issued by an untrusted CA.

Symptoms

When authentication fails over the encrypted port but succeeds over the unencrypted port, the client may log errors such as:

7: AUTH: Bind failed <------- This is where the connection breaks
7: AUTH: LDAP ERROR: -1: Can't contact LDAP server

Resolution

To modify the client TLS settings, update the LDAP client configuration. Open the LDAP configuration file in a text editor:

sudo vi /etc/openldap/ldap.conf

Locate the TLS_REQCERT directive and modify its value based on your security requirements.

To bypass certificate validation completely (not recommended for secure environments):

TLS_REQCERT never

To allow authentication with an untrusted certificate without disabling validation completely:

TLS_REQCERT allow

Save the file and exit the editor. Restart any services dependent on LDAP authentication, or reboot the system if necessary.

Root Cause

This issue arises because the OpenLDAP client library, by default, demands certificate verification (TLS_REQCERT demand). If the server's certificate is self-signed or untrusted, authentication fails unless this setting is adjusted.

Notes

The default OpenLDAP behavior (TLS_REQCERT demand) is intended for secure environments. Changing this setting can reduce security.

If modifying TLS_REQCERT, ensure other security measures are in place to prevent unauthorized access.
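The following is an added example, not part of the original article, that reads a client ldap.conf, reports the effective TLS_REQCERT level and flags the weak values (never, allow) described above. The sample configuration files are constructed, and the parsing rules (directive/value lines, '#' comments, case-insensitive names, last occurrence wins) are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example for this article (not from the original page): audit the
# TLS_REQCERT setting in an OpenLDAP client ldap.conf and report whether it
# weakens server certificate checking. Assumed (not stated on the page):
# ldap.conf(5) "DIRECTIVE value" lines with '#' comments, case-insensitive
# directive names, and the last occurrence of a directive taking effect.

# Print the effective value of DIRECTIVE ($2) in FILE ($1); nothing if unset.
ldap_conf_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == want { val = $2 }
        END { if (val != "") print val }' "$1"
}

# Effective TLS_REQCERT level, lowercased; "demand" is libldap's default.
tls_reqcert_level() {
    v=$(ldap_conf_value "$1" TLS_REQCERT)
    printf '%s\n' "${v:-demand}" | tr '[:upper:]' '[:lower:]'
}

# Verdict for one file:
#   weak      never/allow: an untrusted or forged server cert is accepted
#   ok        verification required and a CA file/dir is configured
#   system-ca verification required, no explicit CA: a private CA's cert
#             is trusted only if it is in the system store, otherwise the
#             bind fails exactly as the Symptoms section shows
tls_reqcert_verdict() {
    case "$(tls_reqcert_level "$1")" in
        never|allow) echo weak ;;
        *) if [ -n "$(ldap_conf_value "$1" TLS_CACERT)" ] ||
              [ -n "$(ldap_conf_value "$1" TLS_CACERTDIR)" ]
           then echo ok; else echo system-ca; fi ;;
    esac
}

# Constructed sample files so the audit runs without touching the system.
WORKDIR=$(mktemp -d)
printf 'URI ldaps://ldap.example.com\n# TLS_REQCERT never\nTLS_REQCERT allow\n' \
    > "$WORKDIR/weak.conf"
printf 'URI ldaps://ldap.example.com\nTLS_CACERT /etc/openldap/certs/ca.pem\nTLS_REQCERT demand\n' \
    > "$WORKDIR/ok.conf"
printf 'URI ldaps://ldap.example.com\n' > "$WORKDIR/default.conf"

for f in weak ok default; do
    printf '%-13s TLS_REQCERT=%-7s verdict=%s\n' "$f.conf" \
        "$(tls_reqcert_level "$WORKDIR/$f.conf")" "$(tls_reqcert_verdict "$WORKDIR/$f.conf")"
done
```

Run it against /etc/openldap/ldap.conf (and any per-user .ldaprc) to see which level a host is actually using before and after changing the directive.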
