2021-10-12

redmine ldap user login fails “500 execution expired”

Author: 关文津

Environment:
Redmine runs on FreeBSD inside a jail.
Log in to the jail console and try to find the cause.
Steps taken:
Use ldapsearch to query the directory and check whether the LDAP server is reachable.
[email protected]:~ # ldapsearch -H ldaps://xx.com -D uid=xx,ou=xx,dc=xx,dc=xx,dc=com -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[email protected]:~ #

Check the LDAP client version.
[email protected]:~ # ldapsearch -V
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.59 (Aug 26 2021 01:31:53) $
[email protected]:/wrkdirs/usr/ports/net/openldap24-sasl-client/work/openldap-2.4.59/clients/tools
(LDAP library: OpenLDAP 20459)

Check the LDAP client configuration file.
[email protected]:~ # cat /usr/local/etc/openldap/ldap.conf | grep -vE '^$|^#'
The CA certificate and the TLS options are missing.
Modified ldap.conf:
[email protected]:~ # cat /usr/local/etc/openldap/ldap.conf | grep -vE '^$|^#'
TLS_CACERT /usr/local/share/certs/ca-root-nss.crt
TLS_REQCERT demand
ssl start_tls

Try again with debug level 99 for more detail. The trace shows the cause: the Let's Encrypt chain ends at the DST Root CA X3 certificate, which expired on Sep 30 2021.
[email protected]:~ # ldapsearch -d 99 -H ldaps://xx.com -D uid=xx,ou=xx,dc=xx,dc=xx,dc=com -W
TLS certificate verification: depth: 3, err: 10, subject: /O=Digital Signature Trust Co./CN=DST Root CA X3, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
TLS certificate verification: Error, certificate has expired
TLS trace: SSL3 alert write:fatal:certificate expired
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Workaround: change the Redmine LDAP authentication settings to port 636 with LDAPS and certificate verification disabled.

Testing the LDAP connection from Redmine now succeeds.

Updated on Oct 13
On the OpenLDAP server:
Download the intermediate certificate signed by ISRG Root X1 from https://letsencrypt.org/certs/lets-encrypt-r3.pem
cd /etc/ssl/certs/ && wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
Create ca.crt with the following command:
cat lets-encrypt-r3.pem /etc/ssl/certs/DST_Root_CA_X3.crt > /path/to/openldapserver/ssl/folder/ca.crt
Confirm that the slapd.conf setting is correct:
[email protected]:~# grep ca.crt /etc/openldap/slapd.conf
TLSCACertificateFile /path/to/ca.crt

Restart the OpenLDAP server:
[email protected]:~# /etc/init.d/ldap restart
Verify the LDAPS certificate with openssl: status OK.

Change the Redmine LDAP configuration on port 636 back to LDAPS with certificate verification and test: OK.
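To show why the ldapsearch trace above fails and why the server-side chain fix works, here is an added Go example (not from the original post) that rebuilds both certificate chains offline with constructed Ed25519 keys and runs them through Go's X.509 chain verifier in place of OpenSSL: one check uses the 2021 chain (R3 cross-signed by the expired DST Root CA X3, with only that root in the client bundle), the other the corrected chain (R3 under ISRG Root X1). The certificate names, the hostname ldap.example.invalid and the validity periods are assumptions; Scenario returns the verification error for each chain.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func newKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
// issue creates a cert for cn holding key, signed by parent/parentKey (self-signed when parent is nil);
// reusing one key for two certs models the real R3, which two different roots certify.
func issue(cn string, isCA bool, notAfter time.Time, key, parentKey ed25519.PrivateKey, parent *x509.Certificate) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"ldap.example.invalid"},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifyChain validates leaf as an LDAPS client does: the intermediate the server sends plus the
// root from the client's CA bundle (TLS_CACERT). A nil result means the TLS handshake would succeed.
func VerifyChain(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "ldap.example.invalid", Roots: roots, Intermediates: inters})
	return err
}

// Scenario: DST Root CA X3 expired, R3 signed by it and by ISRG Root X1, leaf issued by R3; returns both chains' errors.
func Scenario() (oldChain, fixedChain error) {
	dstKey, isrgKey, r3Key, now := newKey(), newKey(), newKey(), time.Now()
	dst := issue("DST Root CA X3", true, now.Add(-time.Hour), dstKey, nil, nil) // expired an hour ago
	isrg := issue("ISRG Root X1", true, now.Add(8760*time.Hour), isrgKey, nil, nil)
	r3cross := issue("R3", true, now.Add(720*time.Hour), r3Key, dstKey, dst) // what the server sent in 2021
	r3 := issue("R3", true, now.Add(720*time.Hour), r3Key, isrgKey, isrg)    // what it sends after the fix
	leaf := issue("ldap.example.invalid", false, now.Add(720*time.Hour), newKey(), r3Key, r3)
	return VerifyChain(leaf, r3cross, dst), VerifyChain(leaf, r3, isrg)
}
```

Each VerifyChain call deliberately trusts a single root; a client bundle that contains both roots may still find the ISRG Root X1 path, depending on how its TLS library builds chains, which is why the same server chain failed on some clients and not others.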

Enjoy!