Hi Tom, quite late answer, but maybe it still helps:
I had the very same problem using Reviewboard 6.0.2 and used the workaround as shown by you, also finding it working but ugly. I finally managed to solve it by:

1. cp <special-certificate> /usr/local/share/ca-certificates/<special-certificate>
2. /usr/sbin/update-ca-certificates
3. apt-get install libldap-common

By doing so, the <special-certificate> is added to the system-wide cert store (/etc/ssl/certs/ca-certificates.crt in my case) and the LDAP client is automatically configured (by /etc/ldap/ldap.conf) to look into the system-wide cert store. Afterwards, LDAP login worked again for me without changing anything inside RB's ldap.py.

Although RB might support selection of SSL certs in the future, I found that solution very convenient, because it is a step towards storing the certificate in one single place, instead of having to maintain it at several places all over the OS and different applications ...

This issue is also tracked at https://hellosplat.com/s/beanbag/tickets/5023/ in order to get it fixed inside the reviewboard docker images.

Best regards,
-Florian

On Friday, June 23, 2023 at 11:37:18 AM UTC+2 Tom Schäfer wrote:

> Hi Christian,
>
> the ports to the LDAP(s) server are open, no more restrictions and we are
> forced to use the 636 ports from IT. We use a self-signed certificate and on
> other systems we had to import the CA certificate (for example in our
> Jenkins server). So I figured out how I can do this in ReviewBoard and the
> trick seems to be that the settings in /etc/ldap/ are ignored but
> python-ldap settings are used instead.
>
> If I add the certificate to the file
> /venv/lib/python3.8/site-packages/reviewboard/accounts/backends/ldap.py
> it works.
>
> It was the following lines after line 342 or after the ldap.initialize
> ldapo.set_option(ldap.OPT_X_TLS_CACERTFILE, '/site/Root_CA.crt')
> ldapo.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
>
> Then the python-ldap recognises the ca cert file and ldap is working.
> Not very intuitive but good enough for us now ;)
>
> Greetings,
> Tom
>
> Christian Hammond wrote on Thursday, June 22, 2023 at 01:48:24 UTC+2:
>
>> Hi Tom,
>>
>> What LDAP server software are you using?
>>
>> While I’d expect a different error code here, to check, do you use
>> self-signed SSL certs (or an in-house CA)? Is the cert still valid (not
>> expired)?
>>
>> Are there any ACLs on the LDAP server that restrict what IPs can connect
>> to it?
>>
>> Christian
>>
>>
>> On Wed, Jun 21, 2023 at 01:15 'Tom Schäfer' via Review Board Community <
>> revie...@googlegroups.com> wrote:
>>
>>> Hi there,
>>>
>>> I have the same issue now and I'm wondering if there is any solution to
>>> this.
>>> Installed Reviewboard 6.0 beta1 and tried to set up LDAP authentication with
>>> LDAPS.
>>>
>>> *OS* : Ubuntu 22.04.2
>>> *ReviewBoard Version* : 6.0 beta1
>>>
>>> LDAP Config:
>>>
>>> LDAP Server: ldaps://ldaps.mycompany.com:636
>>> *Use TLS for authentication*: Checked
>>> Review Board LDAP Bind Account: CN=my-user,OU=All Service Accounts,DC=my,DC=company
>>> Review Board LDAP Bind Password: xxxxxxxx
>>> LDAP Base DN: OU=All Users,DC=my,DC=company
>>> Username Attribute: sAMAccountName
>>> Full Name Attribute: displayName
>>> E-Mail LDAP Attribute: mail
>>>
>>> tail -f /var/www/reviewboard/logs/reviewboard.log
>>>
>>> WARNING - - reviewboard.accounts.backends.ldap - Error authenticating
>>> with LDAP: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [],
>>> 'info': '(unknown error code)'}
>>>
>>> The ldap server is pingable and telnet on port 636 of ldap server is
>>> also working.
>>>
>>> Could someone help please?
>>>
>>> Christian Hammond wrote on Wednesday, September 8, 2021 at 23:22:00 UTC+2:
>>>
>>>> Hi,
>>>>
>>>> The error from python-ldap isn't always useful. However, this usually
>>>> means that it either can't communicate over the configured port, or there's
>>>> some other issue preventing communication.
>>>> This *could* be SSL-related, but that should usually result in a different error.
>>>>
>>>> From the Review Board server, are you able to run:
>>>>
>>>> telnet ldaps.mycompany.com 636
>>>>
>>>> Does that connect and ask you for input, or does it give an error
>>>> message?
>>>>
>>>> Christian
>>>>
>>>> On Wed, Sep 8, 2021 at 6:41 AM Deviprasad Tummidi <
>>>> tummidid...@gmail.com> wrote:
>>>>
>>>>> Hi Community Members,
>>>>>
>>>>> I have installed Reviewboard 4.0.4 version and am trying to set up LDAP
>>>>> authentication but am unable to progress.
>>>>>
>>>>> *OS* : CentOS 8
>>>>> *ReviewBoard Version* : 4.0.4
>>>>>
>>>>> LDAP Config:
>>>>>
>>>>> LDAP Server: ldaps://ldaps.mycompany.com:636
>>>>> *Use TLS for authentication*: Checked
>>>>> Review Board LDAP Bind Account: my_existing_ldap_user
>>>>> Review Board LDAP Bind Password: xxxxxxxx
>>>>> LDAP Base DN: dc=olympus,dc=mycompany,dc=com
>>>>> Username Attribute: sAMAccountName
>>>>> Full Name Attribute: displayName
>>>>> E-Mail LDAP Attribute: mail
>>>>>
>>>>> tail -f /var/www/reviewboard/logs/reviewboard.log
>>>>>
>>>>> 2021-09-08 07:08:48,374 - WARNING - -
>>>>> reviewboard.accounts.backends.ldap - Error authenticating with LDAP:
>>>>> {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []}
>>>>>
>>>>> The ldap server is pingable from my CentOS and vice versa.
>>>>>
>>>>> Also the Reviewboard documentation
>>>>> <https://www.reviewboard.org/docs/manual/dev/admin/configuration/authentication-settings/#ldap-authentication-settings>
>>>>> is not really helpful.
>>>>>
>>>>> Can anyone kindly help me please?
>>>>>
>>>>>
>>>>> --
>>>>> Supercharge your Review Board with Power Pack:
>>>>> https://www.reviewboard.org/powerpack/
>>>>> Want us to host Review Board for you? Check out RBCommons:
>>>>> https://rbcommons.com/
>>>>> Happy user? Let us know!
>>>>> https://www.reviewboard.org/users/
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Review Board Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to reviewboard...@googlegroups.com.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/reviewboard/39f2300e-c45e-4d70-9235-31e0de343d1fn%40googlegroups.com
>>>>
>>>> --
>>>> Christian Hammond
>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>> Makers of Review Board <https://www.reviewboard.org/>
>>
>> --
>> Christian Hammond
>> President/CEO of Beanbag
>> Makers of Review Board
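
Added example (not part of the thread and not Review Board code): in the messages above telnet to port 636 succeeded while python-ldap still logged "Can't contact LDAP server", so this stdlib-only probe separates the TCP step from the TLS trust step and validates against the bundle named by TLS_CACERT in /etc/ldap/ldap.conf. The function names and status strings are hypothetical, and Python's ssl module stands in for libldap's own TLS stack, which is an assumption about equivalent behaviour.

```python
import socket
import ssl


def ldap_conf_cacert(path="/etc/ldap/ldap.conf"):
    """Return the file named by the first TLS_CACERT line, or None if unset."""
    try:
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                parts = line.split(None, 1)
                # Option names are case-insensitive; commented-out lines never
                # match because their first token starts with '#'.
                if len(parts) == 2 and parts[0].upper() == "TLS_CACERT":
                    return parts[1].strip()
    except FileNotFoundError:
        pass
    return None


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (stage, detail); stage is 'tcp-failed', 'cert-verify-failed',
    'tls-handshake-failed' or 'ok'. cafile=None means Python's default store."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp-failed", str(exc))  # the case telnet would also reveal
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
        except ssl.SSLCertVerificationError as exc:
            # Unknown CA, expired cert or hostname mismatch: telnet cannot see this.
            return ("cert-verify-failed", exc.verify_message)
        except OSError as exc:
            return ("tls-handshake-failed", str(exc))


if __name__ == "__main__":
    # Hostname is the placeholder used in the thread; replace it with your server.
    bundle = ldap_conf_cacert()
    print("TLS_CACERT from ldap.conf:", bundle)
    print(probe_ldaps("ldaps.mycompany.com", 636, cafile=bundle))
```

A result of `cert-verify-failed` points at the trust store rather than the network; rerunning after the certificate has been added to the system-wide bundle shows whether the server's chain now validates.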