12-27-2018 10:20 AM
I’m trying to set up Duo as an LDAP authentication proxy for my OpenLDAP infrastructure but having trouble with the SSL setup. I’ve installed my InCommon CA file (CA for my upstream OpenLDAP servers) on the duo authproxy server but getting this error when I attempt to bind as a user via ldapsearch:

ldapsearch -h duoauthproxy.my.com -D "uid=my_user,ou=peeps,dc=my,dc=dom,dc=com" -W

additional info: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

Can anyone tell what I have wrong? The ldapsearch command above succeeds when I connect it to one of my OpenLDAP servers (ldap.my.dom.com). Here’s my authproxy.cfg:

[ad_client]
host=ldap.my.dom.com
transport=starttls
ssl_ca_certs_file=/etc/ssl/certs/InCommonServerCA.pem
timeout=60
search_dn=ou=peeps,dc=my,dc=dom,dc=com
# openldap does not use sAMAccountName
username_attribute=uid
service_account_username=my_account
service_account_password=..redacted..
[ldap_server_auto]
client=ad_client
ikey=..redacted..
skey=..redacted..
api_host=..redacted..
failmode=safe
Update: I added a [main] section and debug entries to the config. Here is the output. Looks like Duo is having trouble verifying the upstream LDAP cert. Do I need to add the intermediate bundle or anything?

2018-12-27T12:53:05-0600 [-] Duo Security Authentication Proxy 2.11.0 - Init Complete
2018-12-27T12:53:20-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fb431054e50>
2018-12-27T12:53:20-0600 [_ADServiceClientProtocol (TLSMemoryBIOProtocol),client] "Certificate verification failed: errno 20 depth=0 subject [('C', 'US'), ('postalCode', 'xxxx06'), ('ST', 'xx'), ('L', 'xxxxxxx'), ('street', 'xxxx xxxxxxxxx xxxx Street'), ('O', 'xxxxxxxxxxxx'), ('OU', 'xxxxxxx'), ('CN', 'ldap.my.dom.com')]"
2018-12-27T12:53:20-0600 [twisted.internet.defer#critical]
Traceback (most recent call last):
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 501, in errback
self._startRunCallbacks(fail)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 568, in _startRunCallbacks
self._runCallbacks()
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 654, in _runCallbacks
current.result = callback(current.result, *args, **kw)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1475, in gotResult
_inlineCallbacks(r, g, status)
--- <exception caught here> ---
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 654, in _runCallbacks
current.result = callback(current.result, *args, **kw)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/ldap/ldapserver.py", line 88, in _cbLDAPError
reason.trap(ldaperrors.LDAPException)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 441, in trap
raise self
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1416, in _inlineCallbacks
result = result.throwExceptionIntoGenerator(g)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 491, in throwExceptionIntoGenerator
return g.throw(self.type, self.value, self.tb)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/ldap/proxy.py", line 125, in handleUnknown
handle_msg=True
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1416, in _inlineCallbacks
result = result.throwExceptionIntoGenerator(g)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 491, in throwExceptionIntoGenerator
return g.throw(self.type, self.value, self.tb)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/ldap/client.py", line 334, in send
super(ADClientProtocol, self).send(op, controls=controls, handler=handler, handle_msg=handle_msg)
File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/tls.py", line 235, in _checkHandshakeStatus
self._tlsConnection.do_handshake()
File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1806, in do_handshake
File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1546, in _raise_ssl_error
File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
2018-12-27T12:53:20-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fb431054e50>
2018-12-27T12:53:20-0600 [DuoAutoLdapServer (TLSMemoryBIOProtocol),0,192.168.136.202] Received extraneous LDAP PDU while resolving a BindRequest: LDAPMessage(id=2L, value=LDAPUnbindRequest())

Update 2: looks like I needed to create a chained cert. Must have missed that in the docs.
01-02-2019 05:12 AM
Glad to see you were able to resolve your issues.
04-12-2021 10:49 AM
Guys, I got the same issue. Nothing to worry about.
To chain your file, follow the steps below.
Follow this guide; it should work:
https://help.duo.com/s/article/2222?language=en_US