2021-10-12

redmine ldap user login fails “500 execution expired”

Author: 关文津

Env:
Redmine runs on FreeBSD inside a jail.
Log in to the jail console and try to find out the reason.
Try to do:
Use ldapsearch to query data and verify the LDAP server status.
root@redmine:~ # ldapsearch -H ldaps://xx.com -D uid=xx,ou=xx,dc=xx,dc=xx,dc=com -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
root@redmine:~ #

Check the LDAP client version.
root@redmine:~ # ldapsearch -V
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.59 (Aug 26 2021 01:31:53) $
root@114amd64-quarterly-job-06:/wrkdirs/usr/ports/net/openldap24-sasl-client/work/openldap-2.4.59/clients/tools
(LDAP library: OpenLDAP 20459)

Check the LDAP configuration file.
root@redmine:~ # cat /usr/local/etc/openldap/ldap.conf | grep -vE '^$|^#'
The CA certificate and some SSL-related options are missing.
Modified ldap.conf:
root@redmine:~ # cat /usr/local/etc/openldap/ldap.conf | grep -vE '^$|^#'
TLS_CACERT /usr/local/share/certs/ca-root-nss.crt
TLS_REQCERT demand
ssl start_tls

Try again with debug level 99 to get more detail: the Let's Encrypt CA certificate (DST Root CA X3) has expired on Sep 30 2021.
root@redmine:~ # ldapsearch -d 99 -H ldaps://xx.com -D uid=xx,ou=xx,dc=xx,dc=xx,dc=com -W
TLS certificate verification: depth: 3, err: 10, subject: /O=Digital Signature Trust Co./CN=DST Root CA X3, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
TLS certificate verification: Error, certificate has expired
TLS trace: SSL3 alert write:fatal:certificate expired
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Change the Redmine LDAP config to port 636, LDAPS (no SSL certificate check).

Test the LDAP connection: successful.
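A small diagnostic for the failure above, added here as an example (not part of the original post): it audits an ldap.conf for settings that skip verification (the "no SSL check" workaround), reports which certificate in a chain has expired, and performs a fully verified handshake against an LDAPS port so the same "err: 10" (certificate has expired) can be reproduced from Python. SAMPLE_CHAIN and the host/path arguments are constructed assumptions; the probe is only run by the reader, against their own server.

```python
import socket
import ssl
import time

# Constructed sample keyed like ssl.getpeercert() output: the expired DST Root CA X3
# beside ISRG Root X1 (notAfter values as published by Let's Encrypt, subjects shortened)
SAMPLE_CHAIN = [
    {"subject": "CN=DST Root CA X3", "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": "CN=ISRG Root X1", "notAfter": "Jun  4 11:04:38 2035 GMT"},
]
OCT_12_2021 = 1633996800  # epoch seconds for 2021-10-12 00:00 UTC, the post's date

def parse_ldap_conf(text):
    """Map KEY -> value for the non-comment lines of an OpenLDAP ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(conf):
    """Flag client settings that skip, or cannot perform, server verification."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not enforced")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: chain cannot be verified")
    return findings

def expired_certs(chain, now=None):
    """Return subjects of the certificates whose notAfter is at or before now."""
    now = time.time() if now is None else now
    return [c["subject"] for c in chain if ssl.cert_time_to_seconds(c["notAfter"]) <= now]

def probe_ldaps(host, port=636, cafile=None, timeout=5):
    """Full-verification handshake (like TLS_REQCERT demand); returns (ok, verify_code, message)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, 0, tls.version()
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_code, e.verify_message  # verify_code 10 == certificate has expired
    except OSError as e:
        return False, -1, str(e)
```

After the server-side fix, probe_ldaps("ldap.example.com", cafile="/usr/local/share/certs/ca-root-nss.crt") returning ok=True is the same check as the successful ldapsearch with TLS_REQCERT demand.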

Updated on Oct 13
!!! On the OpenLDAP server:
Download the intermediate certificate (Let's Encrypt R3, signed by ISRG Root X1) from https://letsencrypt.org/certs/lets-encrypt-r3.pem
cd /etc/ssl/certs/ && wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
Create ca.crt using the command below:
cat lets-encrypt-r3.pem /etc/ssl/certs/DST_Root_CA_X3.crt > /path/to/openldapserver/ssl/folder/ca.crt
Confirm the slapd.conf settings are correct:
root@Home:~# grep ca.crt /etc/openldap/slapd.conf
TLSCACertificateFile /path/to/ca.crt

Restart the OpenLDAP server.
root@Home:~# /etc/init.d/ldap restart
Verify the LDAPS certificate with openssl: status OK.

Change the Redmine LDAP config (port 636) back to LDAPS with certificate verification and test: OK.

Enjoy!