MS AD and switching from LDAP to LDAPS

by Rick Sparrow -
Number of replies: 3

Hi there. Related to a similar post, Microsoft is pushing out Windows updates in March that will cause us grief if we don't change our LDAP setup to LDAPS. Our Moodle 3.7x is currently on LDAP and working OK. This is running on Ubuntu 18. We have an existing Windows AD certificate server and LDAPS server. I've been able to move some of our other web services over to LDAPS OK, so I know our LDAPS server is working, but am getting tripped up with doing the same with Moodle/Ubuntu. I've been following the steps on https://docs.moodle.org/38/en/LDAP_authentication#Using_LDAPS_.28LDAP_over_SSL.29 . Those instructions are for RHEL and I thought I found the Ubuntu equivalents... Perhaps not? Here's what I've done. I've been trying all these steps on a test server first.

1) On my Windows CA server, went to certificates.mmc and exported the same cert I used for my other web services. This is in DER encoded binary X.509 (.CER) format. I copied this (ldaps.cer) over to /etc/ssl/certs.

2) The above doc says you need to convert DER X509 into PEM. I tried the following:

openssl x509 -in ldaps.cer -inform DER -out ldaps.pem -outform PEM

But I get an error:

unable to load certificate

140535988134336:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:

140535988134336:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509

Searching that error, I read elsewhere that (possibly) all I need to do here is change the extension .cer to .pem, so I tried that.

Ran c_rehash OK. Updated my hosts file to include the LDAPS server as suggested in the above link.

Ran the step to verify the cert is installed correctly:

openssl verify -verbose -CApath /etc/ssl/certs /etc/ssl/certs/ldaps.pem

/etc/ssl/certs/ldaps.pem: OK

Tried connecting to my LDAPS server over SSL.

openssl s_client -connect <ldaps server DNS name>:636       (some info removed below)

CONNECTED(00000005)
depth=1 DC = ca, DC = school, CN = (cert name)
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:DC = ca, DC = school, CN = (cert name)
---
Server certificate
-----BEGIN CERTIFICATE-----
..... snip
-----END CERTIFICATE-----
subject=
issuer=DC = ca, DC = school, CN = (cert name)
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2060 bytes and written 520 bytes
Verification: OK
---
New, TLSv1.2, Cipher is (string of hex)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : (string of hex)
    Session-ID: (long string of hex)
    Session-ID-ctx:
    Master-Key: (long string of hex)
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1582824804
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
read:errno=104

I wasn't sure what response to expect from the above command. I did see the read:errno=104. On the other hand, I also note it shows Verification: OK.

The next step was to edit the OpenLDAP config. Again, the above Moodle link points to /etc/openldap/ldap.conf. I believe the Ubuntu equivalent is /etc/ldap/slapd. Edited ldap.conf to show the following:

TLS_CACERT /etc/ssl/certs/ldaps.pem

Restarted. Logged into my test Moodle server, went to Site Admin > Plugins > Authentication > LDAP Server. Changed the host URL from ldap://<ldap ip>:389 to ldaps://<ldaps ip>:636. Changed Use TLS from No to Yes.

Once I saved the settings and logged out, I could not login with any LDAP'd account. Only local accounts worked. I get the following:

LDAP-module cannot connect to any servers: Server: 'ldaps://ldaps ip:636', Connection: 'Resource id #13', STARTTLS failed.

Switch back to LDAP and everything's fine again. But I'm back to square one. Not sure what I'm getting wrong here. Does the cert still need to be converted from DER to PEM? If so, would anyone have the right syntax, as I tried a couple of variations and none of them worked.

I'm sure there's others out there facing the same scenario, so any help would be greatly appreciated!

Thanks,

Rick
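An added example, not code from the thread or from Moodle: the "wrong tag" error in step 2 is what OpenSSL reports when `-inform DER` is run on a file whose first byte is not the ASN.1 SEQUENCE tag (0x30), which is the case for a "Base-64 encoded X.509" export that already begins with `-----BEGIN CERTIFICATE-----`; that is why simply renaming .cer to .pem worked. This standard-library Python script sniffs the real encoding of an exported certificate before converting, so the conversion can never be run against the wrong format. The function names are my own.

```python
import base64
import re
import ssl

# Base64 body of a PEM certificate (what Windows calls "Base-64 encoded X.509").
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def der_length(data: bytes) -> int:
    """Total length (tag + length bytes + content) of the outer ASN.1 SEQUENCE.
    A first byte other than 0x30 is the condition OpenSSL reports as 'wrong tag'."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("wrong tag: not a DER SEQUENCE (already PEM/Base64?)")
    first = data[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify the raw file bytes as 'PEM' or 'DER'; anything else raises."""
    if PEM_RE.search(data):
        return "PEM"
    if der_length(data) != len(data):
        raise ValueError("DER SEQUENCE length does not match file size (truncated?)")
    return "DER"


def to_pem(data: bytes) -> "tuple[str, str]":
    """Return (detected format, PEM text) for a DER- or PEM-encoded certificate file."""
    fmt = detect_format(data)
    if fmt == "PEM":
        der = base64.b64decode(PEM_RE.search(data).group(1))
        if der_length(der) != len(der):
            raise ValueError("PEM body does not decode to a single DER certificate")
    else:
        der = data
    return fmt, ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    import sys  # usage: python to_pem.py ldaps.cer > ldaps.pem
    fmt, pem = to_pem(open(sys.argv[1], "rb").read())
    sys.stderr.write(f"{sys.argv[1]}: detected {fmt}\n")
    sys.stdout.write(pem)
```

The emitted PEM is what OpenLDAP's TLS_CACERT expects; note that the file given there should be the issuing CA's certificate (the "i:" subject in the s_client output), since that is what the client verifies the server's chain against.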


In reply to Rick Sparrow

Re: MS AD and switching from LDAP to LDAPS

by Rick Sparrow -
If it helps, I can verify the original cert I exported is readable plain text, with the --begin certificate-- headers etc and no garbled characters.
In reply to Rick Sparrow

Re: MS AD and switching from LDAP to LDAPS

by Rick Sparrow -
I think this is working now. I had to edit my /etc/ldap/ldap.conf to include the following:
TLS_REQCERT never

Then, in Moodle > Site Admin > Plugins > Authentication > LDAP server, I switched "Use TLS" back to No.
Restarted services.
I'm able to sign in with some test LDAP accounts, and the host URL remains ldaps://ip of my ldaps:636.

Rick
In reply to Rick Sparrow

Re: MS AD and switching from LDAP to LDAPS

by Mak Darko -
Hello, I have the same problem. "TLS_REQCERT never" works, but I would like to use the certificate with "TLS_REQCERT demand".

With verification I also get:
Verify return code: 0 (ok)
Extended master secret: yes
---
read:errno=104

I have this in my ldap.conf:
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_CACERTDIR /etc/ssl/certs

But when I try to login I still get:
LDAP-module cannot connect to any servers: Server: 'ldaps://server:3269', Connection: 'Resource id #14', Bind result: ''

Any idea how to get this to work? And is there any downfall with using "TLS_REQCERT never"? It's a shame since I have a working (so it seems) .pem file.