Skip to main content

Console LDAP authentication is broken after upgrading to Puppet Enterprise 2018.1 and later

Selvakumar Subburaj
  • Updated

You are using a wildcard certificate for your LDAP server. After you upgrade to PE 2018.1 or later from any version prior to 2018.1, you are not able to log into the console, and LDAP authentication fails.

Error messages and logs

You get the following error message in /var/log/puppetlabs/console-services/console-services.log:

Hostname verification failed because the expected hostname 'ldap.abc.com’' was not found in peer certificate 'subject='CN=*.abc.com

In PE 2018.1, hostname and wildcard configuration options were added to the RBAC directory services to validate that the certificate and the hostname for the connecting client match. By default,ssl_hostname_validation is set to true and ssl_wildcard_validation is set to false.

LDAP SSL authentication fails using these settings if the certificate installed doesn't match LDAP server FQDN (for example when you have a wildcard certificate).

Version and installation information

PE version: 2018.1 and later versions

Installation type: monolithic

Solution

  1. On the primary server (called the master in older versions of PE), export your directory services (DS) configuration to a file named ds.txt:

    curl -X GET --cert $(puppet config print hostcert) --key $(puppet config print hostprivkey) --cacert $(puppet config print localcacert) https://$(hostname -f):4433/rbac-api/v1/ds > ds.txt

  2. Edit ds.txt and update ssl_hostname_validation* and/or ssl_wildcard_validation to true or false as necessary.

    If the SSL certificate uses a wildcard certificate, set both to true. If the SSL certificate CN is different from the LDAP server FQDN, set both to false.

    Note: Setting both to false has security implications. Read more about it in our documentation.

  3. Test the changed settings:

    curl -i -X PUT -H "Content-Type: application/json" --cert $(puppet config print hostcert) --key $(puppet config print hostprivkey) --cacert $(puppet config print localcacert) https://$(hostname -f):4433/rbac-api/v1/ds/test -d @ds.txt

    If the new settings are successful, this will return HTTP 200.

  4. If the test was successful, apply the new settings. Run:

    curl -i -X PUT -H "Content-Type: application/json" --cert $(puppet config print hostcert) --key $(puppet config print hostprivkey) --cacert $(puppet config print localcacert) https://$(hostname -f):4433/rbac-api/v1/ds -d @ds.txt

Did this solve your problem?
6 out of 9 found this helpful

How can we improve this article?

0 comments

Please sign in to leave a comment.

Related articles