Is it Possible to Configure the Ciphers for LDAPS? #2280
Replies: 5 comments 9 replies
-
For what it's worth, ldapsearch on the host OS (EL8.8) seems to work fine with similar parameters given to Quay. Now obviously that's different, because Quay appears to use python-ldap.
-
Quay does use quay/conf/init/nginx_conf_create.py Line 75 in 2a67255
-
Here are the startup logs from Podman for the Quay container with
-
As mentioned, you already received an error response after SSL has been established...
I haven't checked with openldap in particular which authentication restrictions it provides or which ACLs you have in place...
Do you have client certificate verification enabled?
Do you have simple authentication enabled? (AFAIK we do not support any other mechanism like SASL/...)
Ivan Bazulic ***@***.***> wrote on Tue., 3 Oct 2023, 22:41:
… I was just reading through the latest Golang code and the AES256-GCM-SHA384 should be supported: https://cs.opensource.google/go/go/+/refs/tags/go1.21.1:src/crypto/tls/cipher_suites.go;l=46
According to the Dockerfile, the Go image used during build is registry.access.redhat.com/ubi8/go-toolset:latest, which has Go 1.19.10. And that version also contains the same cipher, so it should be supported from our side: https://cs.opensource.google/go/go/+/refs/tags/go1.19.10:src/crypto/tls/cipher_suites.go;l=46
That is, if the cipher is actually the culprit here. I just did some research and it appears that the error 13 that was reported by the config-tool actually talks about how a bind is achieved against the LDAP tree and not ciphers. So we were looking in the wrong direction. Can you show us your LDAP configuration that you're using (with redacted info)?
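The point made twice above (the reply's "error response after SSL has been established" and Ivan's note that error 13 is about the bind, not ciphers) shown in code, as an added example that is not part of the thread or of Quay's config-tool: it decodes a BindResponse with Go's standard encoding/asn1 and keeps a TLS-layer failure apart from an LDAP-layer result. The sample bytes, the function names and the three-entry result-code map are constructed for this example.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// BindResponse per RFC 4511 section 4.2.2, minus the optional serverSaslCreds a simple bind never carries.
type BindResponse struct {
	ResultCode        asn1.Enumerated
	MatchedDN         []byte
	DiagnosticMessage []byte
}

// LDAPMessage is the envelope; a BindResponse is tagged [APPLICATION 1].
type LDAPMessage struct {
	MessageID int
	Bind      BindResponse `asn1:"application,tag:1"`
}

var resultCodeNames = map[int]string{0: "success", 13: "confidentialityRequired", 49: "invalidCredentials"} // RFC 4511

// sampleBindResponse: constructed (not captured) BER for "Result Code 13", messageID 1, empty matchedDN.
var sampleBindResponse = append(
	[]byte{0x30, 0x2d, 0x02, 0x01, 0x01, 0x61, 0x28, 0x0a, 0x01, 0x0d, 0x04, 0x00, 0x04, 0x21},
	[]byte("stronger confidentiality required")...)

// ParseBindResponse decodes one LDAPMessage carrying a BindResponse.
func ParseBindResponse(raw []byte) (*BindResponse, error) {
	var m LDAPMessage
	if _, err := asn1.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("not a BindResponse: %w", err)
	}
	return &m.Bind, nil
}

// ClassifyBindFailure keeps the layers apart: a TLS handshake error (cipher or
// protocol mismatch) never yields an LDAP result code; code 13 arrives in a
// BindResponse over a TLS session that was already established.
func ClassifyBindFailure(handshakeErr error, bindResponse []byte) string {
	if handshakeErr != nil {
		return "tls: " + handshakeErr.Error()
	}
	r, err := ParseBindResponse(bindResponse)
	if err != nil {
		return "protocol: " + err.Error()
	}
	name := resultCodeNames[int(r.ResultCode)] // empty for codes not in the map
	return fmt.Sprintf("ldap: result %d (%s): %s", int(r.ResultCode), name, r.DiagnosticMessage)
}
```

Against a real capture, a cipher or protocol mismatch surfaces as a handshake error before any BindResponse is on the wire, which is why changing SSL_CIPHERS cannot turn a result code 13 into a success.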
-
Alright, I went over everything you all posted here.
Confirmed the URI always had ldaps://, and also tried adding an explicit 636 port number as well as a test, no success.
I just tried turning off validation with So it's definitely something specific to the Golang config tool. Here are my LDAP-related Quay config entries:
Passwords, domains, hostnames replaced or redacted.
-
Hi all,
I'm currently struggling with setting up LDAPS for Quay.
The LDAP server is OpenLDAP 2.4.44 on EL7.
I've tried playing with SSL_PROTOCOLS and SSL_CIPHERS, but I still get
Could not authenticate LDAP server. Error: LDAP Result Code 13 "Confidentiality Required": stronger confidentiality required
when trying to connect to our LDAP server via LDAPS. It's not obvious if SSL_PROTOCOLS and SSL_CIPHERS have an effect on LDAPS, as opposed to just the web server.