LDAP 504 failed to connect #812
Comments
Tailing the opscode-erchef* logs gives me more info:
which seems to come from https://github.com/chef/chef-server/blob/bb28b489960c8fae6ac061bf2dab5800142b22a3/src/oc_erchef/apps/oc_chef_wm/src/oc_chef_wm_authn_ldap.erl |
Did more digging: with tls_enabled set to false and ssl_enabled set to true, the chef server's client hello only offers TLS cipher suites. This might be the real root cause, since foxpass claims to only support SSL.

Important: the packet trace shows chef-server closes the connection with a TLSv1.2 Record Layer: Encrypted Alert. This is likely the close_notify alert to end the session, meaning chef is successfully reaching LDAP but is either not successfully binding or is executing the search incorrectly.

Following is the client hello showing the chef server only offers TLS despite disabling it in the settings:
|
For comparison, here is a successful TCP trace for ldapsearch:
There are four more packets sent and, obviously, more encrypted LDAP packets are sent back and forth. |
Same here! |
@gfoligna did you ever get a resolution? |
I'm a bit surprised that this issue isn't being addressed at all... I too am experiencing this. |
Instead of ssl/tls_enabled, does it behave when you set:
|
Same issue here. @marcparadise, that did not work for me. |
@marcparadise I'm still researching why the current code looks like it does, but here is what I've found so far:
Now, my research here indicates that you should be at least getting SSLv3 offered; however, I'll need to look more carefully at the data @cpoole offered to figure out whether you are and if not, why not. |
Hey everyone, we gave up and just went with hosted chef and manually creating accounts. I have since torn down the proof-of-concept server. I'm sure I can stand this up quickly again and make some more trial connections if need be. I can probably get log entries from foxpass as well... but the fact that this is a 504 makes me suspicious that the requests are not reaching foxpass's application servers. |
@cpoole Thanks for the offer but I wouldn't go out of your way, it is easy enough for us to set up a test locally. Any users currently hitting problems with LDAP should also feel free to let us know what they are seeing. |
Sounds good. My specific use case was with the hosted LDAP provider foxpass (great service, btw). Their founder might have some insight as well... paging @aren |
Happy to help debug. aren@foxpass.com. |
I finally got my test instance back up so as not to impact production. What information can I provide to help move this along? Our setup is LDAP secure (636) with self-signed certs:

```ruby
# UPDATE
ldap['base_dn'] = 'ASK_LDAP_ADMIN'
# Only used for chef manage
ldap['system_adjective'] = 'NOT_REALLY_USED'
# Default is false but adding it anyways
ldap['tls_enabled'] = 'false'
```
|
@cpoole Sorry for the late reply on this. We will try to pull this example into our tests see if the same issue still exists with the latest chef-server. If so we can try to schedule to fix soon on the roadmap. |
Following the guide to install chef-server standalone on Ubuntu 14.04: https://docs.chef.io/install_server.html
When configuring the chef-server.rb:
If I execute ldapsearch from the same box that chef-server is running on, everything works properly. However, when I attempt to log in to chef, the following appears in the logs.
These errors show up in the chef logs milliseconds after clicking login through the management console, so a 504 seems like an improper error code.
I have spoken with foxpass and there is no inbound connection to their LDAP service; something in chef server is failing to connect to LDAP and is throwing the error.
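The report above contrasts a working ldapsearch with a chef-server login that fails against an ldaps (636) endpoint with a self-signed cert, and the later comments argue from packet traces about which protocol versions the client hello offers. The following is an added example, not code from chef-server, foxpass, or any participant in this thread: a stand-alone Python probe that opens TLS to the LDAP port, reports the protocol version and cipher the client context actually negotiated (what a ClientHello offers is decided by the client's TLS library, which is what the traces in this thread were examining), then sends a minimal RFC 4511 simple BindRequest and decodes the BindResponse resultCode, so "the port is reachable" can be told apart from "the bind fails". The hostname, bind DN and password in the usage line are placeholders, and the BER encoding helpers are the example's own hand-rolled code rather than a library.

```python
"""Stand-alone LDAPS bind probe (added example; placeholder host/DN/password)."""
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    length = max(1, (n.bit_length() + 8) // 8)
    return ber_tlv(0x02, n.to_bytes(length, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = (
        ber_int(3)                              # LDAP protocol version 3
        + ber_tlv(0x04, bind_dn.encode())       # name: LDAPDN (OCTET STRING)
        + ber_tlv(0x80, password.encode())      # authentication: simple [0] OCTET STRING
    )
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, bind))


def ber_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                            # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] LDAPResult }."""
    tag, msg, _ = ber_read(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = ber_read(msg, 0)
    tag, op, _ = ber_read(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = ber_read(op, 0)              # resultCode: ENUMERATED (0x0a)
    _, matched, pos = ber_read(op, pos)         # matchedDN
    _, diag, _ = ber_read(op, pos)              # diagnosticMessage
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(code, "big"),   # 0 = success, 49 = invalidCredentials
        "matched_dn": matched.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
    }


def ldaps_bind_check(host: str, port: int = 636, bind_dn: str = "",
                     password: str = "", verify: bool = True,
                     timeout: float = 5.0) -> dict:
    """Open TLS to host:port, report what was negotiated, then attempt a simple bind."""
    ctx = ssl.create_default_context()          # this context decides what the ClientHello offers
    if not verify:
        # Self-signed LDAP cert: skip verification for diagnosis only, never in production.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result = {"tls_version": tls.version(), "cipher": tls.cipher()[0]}
            tls.sendall(bind_request(1, bind_dn, password))
            # A BindResponse is a few dozen bytes, so a single recv is enough here.
            result.update(parse_bind_response(tls.recv(4096)))
            return result


if __name__ == "__main__":
    import sys
    # Usage (placeholders): python ldaps_probe.py ldap.example.com 'cn=admin,dc=example,dc=com' secret
    probe_host, probe_dn, probe_pw = sys.argv[1], sys.argv[2], sys.argv[3]
    print(ldaps_bind_check(probe_host, bind_dn=probe_dn, password=probe_pw, verify=False))
```

The useful comparison is to run this from the chef-server box against the same host and port the chef-server.rb ldap settings point at: if the TLS handshake completes and result_code is 0, the endpoint and credentials are fine and the problem is on the chef side; a result_code of 49 means the server was reached but rejected the bind; a handshake failure means the two TLS stacks could not agree. Note that the client context, not any application setting, decides which protocol versions are offered, and modern OpenSSL builds do not offer SSLv3 at all.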