LDAPS Connection Issue - Unable to open socket

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

LDAPS Connection Issue - Unable to open socket

Mat Hanson

Hi everyone,

 

I am just starting out with pgAdmin and trying to configure an LDAPS connection to Active Directory, however, I am receiving the error message below.

 

 

This installation is on a CentOS 8 server with firewalld and SELinux currently disabled. Here are the relevant LDAP settings from /usr/lib/python3.6/site-packages/pgadmin4-web/config_local.py file -

 

AUTHENTICATION_SOURCES = ['ldap']

LDAP_AUTO_CREATE_USER = True

LDAP_CONNECTION_TIMEOUT = 10

LDAP_SERVER_URI = 'ldaps://ad:636'

LDAP_BASE_DN = '(&(objectClass=user)(memberof=CN=pgAdmin,OU=Security Groups,OU=Domain Groups,DC=[REDACTED],DC=[REDACTED]))'

LDAP_USERNAME_ATTRIBUTE = 'sAMAccountName'

LDAP_SEARCH_BASE_DN = '<Search-Base-DN>'

LDAP_SEARCH_FILTER = '(objectclass=user)'

LDAP_SEARCH_SCOPE = 'SUBTREE'

LDAP_USE_STARTTLS = True

LDAP_CA_CERT_FILE = '/etc/pki/tls/certs/chain.cer'

LDAP_CERT_FILE = '/etc/pki/tls/certs/[REDACTED].crt'

LDAP_KEY_FILE = '/etc/pki/tls/private/[REDACTED].key'

 

I have verified the chain CA cert against my local server cert and it is showing as ok.

 

I also was able to connect to the server using openssl s_client as shown below –

 

openssl s_client -connect ad:636 -CAfile /etc/pki/tls/certs/chain.cer

 

CONNECTED(00000003)

Can't use SSL_get_servername

depth=2 CN = ROOT-CA

verify return:1

depth=1 DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

verify return:1

depth=0

verify return:1

---

Certificate chain

0 s:

   i:DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

1 s:DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

   i:CN = ROOT-CA

---

Server certificate

-----BEGIN CERTIFICATE-----

[REDACTED]

-----END CERTIFICATE-----

subject=

 

issuer=DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

 

---

No client certificate CA names sent

Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512

Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512

Peer signing digest: SHA256

Peer signature type: RSA

Server Temp Key: ECDH, P-384, 384 bits

---

SSL handshake has read 3355 bytes and written 469 bytes

Verification: OK

---

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

    Session-ID: [REDACTED]

    Session-ID-ctx:

    Master-Key: [REDACTED]

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1591252114

    Timeout   : 7200 (sec)

    Verify return code: 0 (ok)

    Extended master secret: yes

 

I am also able to connect and bind with the relevant account using ldp.exe from my Windows machine, so it looks like the server is able to connect to this port on the AD server fine. At this point I really don’t know what this issue is pointing to and can not find any documentation on the issue. What am I missing here?!

 

Kind regards

 

Mat Hanson
Network Security Engineer


Chrysos Corporation Limited
Waite Road, Urrbrae SA 5064 Australia 
Locked Bag 2, Glen Osmond SA 5064 Australia
M +61 411 22 5753 E [hidden email]
www.chrysos.com.au

 

This e-mail message is intended only for the addressee(s) and contains information which may be confidential. If you are not the intended recipient please advise the sender by return email at [hidden email]. Delete this message and any attachments from your system and do not use or disclose the contents.