Posted to issues@nifi.apache.org by alopresto <gi...@git.apache.org> on 2016/12/02 05:49:28 UTC
[GitHub] nifi issue #1275: NIFI-2325 - Add support for LDAPS
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/1275
I set up a Docker container running OpenLDAP with certificates I generated using the NiFI TLS toolkit. If I configure `TLS_VERIFY_CLIENT=never` on OpenLDAP and `<property name="TLS - Client Auth">NONE</property>` in `login-identity-providers.xml`, the LDAP login provider works fine.
![Successful user authentication via LDAPS](https://cloud.githubusercontent.com/assets/798465/20823670/2c913e58-b80b-11e6-8353-a98746c5dfb6.png)
However, if I switch to `TLS_VERIFY_CLIENT=demand` and `<property name="TLS - Client Auth">REQUIRED</property>`, I get an "Unable to validate the supplied credentials" error on login and the `logs/nifi-bootstrap.log` fills with TLS negotiation output including the lines below:
```
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** CertificateVerify
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut Signature Algorithm SHA256withRSA
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 264
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut verify_data: { 12, 201, 103, 33, 205, 116, 165, 164, 117, 65, 44, 206 }
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,956 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut verify_data: { 67, 162, 103, 118, 253, 199, 182, 215, 157, 89, 207, 22 }
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Cached client session: [Session-346, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, setSoTimeout(0) called
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 112
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, received EOFException: ignored
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeInternal(false)
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, SEND TLSv1.2 ALERT: warning, description = close_notify
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, WRITE: TLSv1.2 Alert, length = 80
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeSocket(false)
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called close()
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeInternal(true)
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 250
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 7
```
I want to continue investigating this tomorrow because I can produce odd results even using the `ldapsearch` tool locally (OpenLDAP configured with client verify `never`):
```
### Trying on port 389 (no TLS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 4s @ 21:41:04 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 389 -v
ldap_initialize( ldap://localhost:389 )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example
# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9NWsyemxnYmc3dk1wR2RqVERRQkJCVVlIQ0tQYm04aUo=
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
### Trying on port 636 (LDAPS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 23s @ 21:41:28 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 636 -v
ldap_initialize( ldap://localhost:636 )
ldap_result: Can't contact LDAP server (-1)
### Trying to force TLS (-Z is actually for START_TLS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 6s @ 21:42:54 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 636 -v -Z
ldap_initialize( ldap://localhost:636 )
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
### Verifying that a successful TLS session is negotiated on port 636
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 3s @ 21:42:57 $ openssl s_client -connect localhost:636 -debug -state -CAfile cacert.crt -cert ldaps.pem -key ldaps.key
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7f87c1dc3a00 [0x7f87c2811600] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 09 b3 3c a2 de ..../...+....<..
...
---
SSL handshake has read 2195 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4B35F1...5641E8
Session-ID-ctx:
Master-Key: DBCB82...996654
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480657473
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Q
DONE
write to 0x7f87c1dc3a00 [0x7f87c281b203] (31 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a 0b 43 b5-33 0f 65 b2 0a 9d 80 e5 ......C.3.e.....
0010 - ef e5 54 12 a9 e5 a9 da-1f d5 87 31 5f 5c d7 ..T........1_\.
SSL3 alert write:warning:close notify
### Verifying that a TLS session is not negotiated over port 389
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 102s @ 21:44:40 $ openssl s_client -connect localhost:389 -debug -state -CAfile cacert.crt -cert ldaps.pem -key ldaps.key
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7f9808700450 [0x7f9809001c00] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 98 11 20 40 b6 ..../...+.... @.
...
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480657486
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
```
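The two configurations contrasted in the comment above (OpenLDAP `TLS_VERIFY_CLIENT=never` with NiFi `TLS - Client Auth` NONE versus `demand` with REQUIRED) come down to one TLS server setting: whether the server requests and verifies a client certificate during the handshake. The Go program below is an added example, not code from the NiFi project, this PR or OpenLDAP: it generates a CA, a server certificate and two client certificates in memory, starts one loopback TLS server per policy, and probes each with no certificate, a self-signed certificate that merely copies the trusted CA's name, and a certificate the CA really issued. Every name in it (`test-ca`, `ldap.example.org`, `nifi-client`) is an assumption for illustration, and the client pins TLS 1.2 as in the NiFi log so a refused certificate fails the handshake itself rather than the first read.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCert issues a cert for cn (names are assumptions for the demo); a nil parent makes it self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // SAN the client checks for the loopback server
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}, key
}
// startServer listens on loopback with the given client-auth policy (tls.NoClientCert plays OpenLDAP's
// TLS_VERIFY_CLIENT=never, tls.RequireAndVerifyClientCert plays demand) and returns host:port.
func startServer(cert tls.Certificate, clientCAs *x509.CertPool, auth tls.ClientAuthType) string {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: auth, ClientCAs: clientCAs, MinVersion: tls.VersionTLS12}))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.(*tls.Conn).Handshake() // verifies the client per the policy; a refused client just gets the alert
			c.Close()
		}
	}()
	return ln.Addr().String()
}
// probe connects as the client (NiFi's role) with TLS 1.2 pinned, as in the NiFi log; returns "accepted" or the error text.
func probe(addr string, roots *x509.CertPool, clientCert *tls.Certificate) string {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err.Error()
	}
	conn.Close()
	return "accepted"
}
// runDemo probes a "never" and a "demand" server with no cert, a forged cert and an issued cert; keys are "mode/client".
func runDemo() map[string]string {
	ca, caKey := newCert("test-ca", true, nil, nil)
	serverCert, _ := newCert("ldap.example.org", false, ca.Leaf, caKey)
	issued, _ := newCert("nifi-client", false, ca.Leaf, caKey)
	forged, _ := newCert("test-ca", false, nil, nil) // same subject name as the CA, unrelated key: must be refused
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	servers := map[string]string{
		"never":  startServer(serverCert, pool, tls.NoClientCert),
		"demand": startServer(serverCert, pool, tls.RequireAndVerifyClientCert),
	}
	clients := map[string]*tls.Certificate{"no-cert": nil, "forged-cert": &forged, "issued-cert": &issued}
	results := map[string]string{}
	for mode, addr := range servers {
		for name, cert := range clients {
			results[mode+"/"+name] = probe(addr, pool, cert)
		}
	}
	return results
}
func main() {
	for k, v := range runDemo() {
		fmt.Printf("%-19s %s\n", k, v)
	}
}
```

Running it shows the "never" server accepting all three clients and the "demand" server accepting only the CA-issued certificate; the forged one is refused because trust comes from the CA's signature, not from the name in the certificate. On the `ldapsearch` side of the transcript, note that `-h`/`-p` build an `ldap://` URI (the transcript's own `ldap_initialize( ldap://localhost:636 )` line), so the port-636 probe and the `-Z` (StartTLS) probe both speak plain LDAP to a listener that expects a TLS ClientHello; the `ldapsearch` equivalent of the `openssl s_client` check is `-H ldaps://localhost:636` with `LDAPTLS_CACERT` pointing at the CA file, plus `LDAPTLS_CERT` and `LDAPTLS_KEY` when the server is set to `demand`.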