This seems to be a recurring issue - but even though I’ve found quite a few posts about it I can’t seem to find one that can help me get my Active Directory integration working.
I have one domain controller and I’ve procured the public certs for both the server and the CA that signed it. I try to add them together with the rest of the settings to get AD auth working, and I keep the rest as vanilla as possible, but all I get is errors.
I’ve started a shell in the rancher container:
$ kubectl -n cattle-system get pods
NAME READY STATUS RESTARTS AGE
rancher-79864b46bd-ch792 1/1 Running 0 20h
rancher-webhook-7476c74c6c-9b4ww 1/1 Running 0 20h
$ kubectl -n cattle-system exec -it pods/rancher-79864b46bd-ch792 -- /bin/bash
rancher-79864b46bd-ch792:/var/lib/rancher #
and installed ldapsearch in it directly:
rancher-79864b46bd-ch792:/ # zypper install openldap2-client
Refreshing service 'container-suseconnect-zypp'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...
The following NEW package is going to be installed:
openldap2-client
The following package is not supported by its vendor:
openldap2-client
1 new package to install.
Overall download size: 147.7 KiB. Already cached: 0 B. After the operation, additional
569.3 KiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: openldap2-client-2.4.46-150200.14.17.1.x86_64 (SLE_BCI) (1/1), 147.7 KiB
Retrieving: openldap2-client-2.4.46-150200.14.17.1.x86_64.rpm ......................[done]
Checking for file conflicts: .......................................................[done]
(1/1) Installing: openldap2-client-2.4.46-150200.14.17.1.x86_64 ....................[done]
it gives errors much like the web UI does:
rancher-79864b46bd-ch792:/ # ldapsearch -x -Z -H ldap://MYDC01.corp.local:389 -D 'CN=svc ldapsearch,OU=Users,DC=corp,DC=local' -w 'secret string' -b DC=corp,DC=local
ldap_start_tls: Connect error (-11)
additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
ldap_result: Can't contact LDAP server (-1)
I also tried the same thing from another non-container system running ubuntu:
$ ldapsearch -Z -x -H 'ldap://MYDC01.corp.local:389/' -D "CN=svc ldapsearch,OU=Users,DC=corp,DC=local" -w 'secret string'
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
Very familiar error message - but I can make it go away by adding my public server/CA certs to /etc/ssl/certs/ca-certificates.crt:
$ ldapsearch -Z -x -H 'ldap://MYDC01.corp.local:389/' -D "CN=svc ldapsearch,OU=Users,DC=corp,DC=local" -w 'secret string' samaccountname=myuser samaccountname cn userprincipalname
# extended LDIF
#
# LDAPv3
# base <dc=corp,dc=local> (default) with scope subtree
# filter: samaccountname=myuser
# requesting: samaccountname cn userprincipalname
#
# My User, corp.local
dn: CN=My User,DC=corp,DC=local
cn: My User
sAMAccountName: myuser
userPrincipalName: myuser@corp.local
# search reference
ref: ldap://DomainDnsZones.corp.local/DC=DomainDnsZones,DC=corp,DC=local
# search reference
ref: ldap://ForestDnsZones.corp.local/DC=ForestDnsZones,DC=corp,DC=local
# search reference
ref: ldap://corp.local/CN=Configuration,DC=corp,DC=local
# search result
search: 3
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
So my interpretation is that the certs I paste in the web UI don’t get trusted properly.
How can I get this working?
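To separate "the CA file is wrong" from "the client is not using the CA file", the following added example (not from the original post, and not Rancher's code) issues the LDAP StartTLS extended operation by hand and then lets Python's ssl module verify the server chain against an explicit CA bundle; the host and CA path are assumed values, and the response parser assumes a single-byte message ID.

```python
import socket
import ssl

# OID of the LDAP StartTLS extended operation (RFC 4511 / RFC 4513).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n):
    """Short-form BER length; all messages built here are well under 128 bytes."""
    assert n < 128
    return bytes([n])


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    request_name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] requestName
    extended_req = b"\x77" + _ber_len(len(request_name)) + request_name  # [APPLICATION 23]
    msg_id = b"\x02\x01" + bytes([message_id])                            # INTEGER messageID
    body = msg_id + extended_req
    return b"\x30" + _ber_len(len(body)) + body                           # SEQUENCE


def parse_result_code(response):
    """Return the LDAPResult resultCode from an ExtendedResponse [APPLICATION 24].
    Assumed layout: 30 len 02 01 <id> 78 len 0a 01 <code> ... (single-byte id)."""
    if (len(response) < 10 or response[0] != 0x30 or response[5] != 0x78
            or response[7] != 0x0A or response[8] != 0x01):
        raise ValueError("not an LDAP ExtendedResponse")
    return response[9]


def starttls_connect(host, port=389, ca_bundle=None, timeout=5):
    """Connect in clear text, upgrade with StartTLS and verify the server chain
    against ca_bundle (system store if None). Returns the negotiated TLS version;
    raises ssl.SSLCertVerificationError on an untrusted issuer, which is the same
    failure ldapsearch reports as 'unable to get local issuer certificate'."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verification + hostname check on
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request())
    code = parse_result_code(sock.recv(4096))
    if code != 0:
        sock.close()
        raise RuntimeError("server refused StartTLS, resultCode=%d" % code)
    tls = ctx.wrap_socket(sock, server_hostname=host)   # handshake happens here
    version = tls.version()
    tls.close()
    return version


if __name__ == "__main__":
    # Assumed host and CA bundle path; replace with your DC and exported CA chain.
    print(starttls_connect("MYDC01.corp.local", ca_bundle="/tmp/corp-ca.pem"))
```

The ldapsearch equivalent of the explicit-CA call is `LDAPTLS_CACERT=/tmp/corp-ca.pem ldapsearch -ZZ -x -H ldap://MYDC01.corp.local:389 ...` (`-ZZ` makes a failed StartTLS fatal rather than falling back to clear text); if that succeeds while the Rancher UI still fails, the bundle is fine and the UI-side trust configuration is what to inspect.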