Unable to set up Active Directory auth in Rancher

This seems to be a recurring issue, but even though I’ve found quite a few posts about it, I can’t seem to find one that helps me get my Active Directory integration working.

I have one domain controller and I’ve procured the public certs for both the server and the CA that signed it. I try to add them together with the rest of the settings to get AD auth working, and the rest I keep as vanilla as possible, but all I get is errors.

I’ve started a shell in the rancher container:

$ kubectl -n cattle-system get pods
NAME                               READY   STATUS    RESTARTS   AGE
rancher-79864b46bd-ch792           1/1     Running   0          20h
rancher-webhook-7476c74c6c-9b4ww   1/1     Running   0          20h
$ kubectl -n cattle-system exec -it pods/rancher-79864b46bd-ch792 -- /bin/bash
rancher-79864b46bd-ch792:/var/lib/rancher # 

and installed ldapsearch in it directly:

rancher-79864b46bd-ch792:/ # zypper install openldap2-client
Refreshing service 'container-suseconnect-zypp'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  openldap2-client

The following package is not supported by its vendor:
  openldap2-client

1 new package to install.
Overall download size: 147.7 KiB. Already cached: 0 B. After the operation, additional
569.3 KiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: openldap2-client-2.4.46-150200.14.17.1.x86_64 (SLE_BCI)   (1/1), 147.7 KiB    
Retrieving: openldap2-client-2.4.46-150200.14.17.1.x86_64.rpm ......................[done]

Checking for file conflicts: .......................................................[done]
(1/1) Installing: openldap2-client-2.4.46-150200.14.17.1.x86_64 ....................[done]

It gives errors much like the web UI does:

rancher-79864b46bd-ch792:/ # ldapsearch -x -Z -H ldap://MYDC01.corp.local:389 -D 'CN=svc ldapsearch,OU=Users,DC=corp,DC=local' -w 'secret string' -b DC=corp,DC=local
ldap_start_tls: Connect error (-11)
	additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
ldap_result: Can't contact LDAP server (-1)

I also tried the same thing from another, non-container system running Ubuntu:

$ ldapsearch -Z -x -H 'ldap://MYDC01.corp.local:389/' -D "CN=svc ldapsearch,OU=Users,DC=corp,DC=local" -w 'secret string'
ldap_start_tls: Connect error (-11)
	additional info: (unknown error code)

Very familiar error message, but I can make it go away by adding my public server/CA certs to /etc/ssl/certs/ca-certificates.crt:

$ ldapsearch -Z -x -H 'ldap://MYDC01.corp.local:389/' -D "CN=svc ldapsearch,OU=Users,DC=corp,DC=local" -w 'secret string' samaccountname=myuser samaccountname cn userprincipalname

# extended LDIF
#
# LDAPv3
# base <dc=corp,dc=local> (default) with scope subtree
# filter: samaccountname=myuser
# requesting: samaccountname cn userprincipalname
#

# My User, corp.local
dn: CN=My User,DC=corp,DC=local
cn: My User
sAMAccountName: myuser
userPrincipalName: myuser@corp.local

# search reference
ref: ldap://DomainDnsZones.corp.local/DC=DomainDnsZones,DC=corp,DC=local

# search reference
ref: ldap://ForestDnsZones.corp.local/DC=ForestDnsZones,DC=corp,DC=local

# search reference
ref: ldap://corp.local/CN=Configuration,DC=corp,DC=local

# search result
search: 3
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

So my interpretation is that the certs I paste in the web UI don’t get trusted properly.

How can I get this working?

As my reputation on this forum is still limiting what I can put in a post, I had to remove some screenshots.

Certs like so:

Settings like so:

Was able to activate the provider!!

If you read very, very carefully here, you’ll find the answer: Configure Active Directory (AD) | Rancher

I’d made the following mixture of errors:

  1. Certificate had both server and CA - only the CA was required
  2. Service Account Distinguished Name should only be the sAMAccountName, not the distinguishedName
  3. Default Login Domain should be the NetBIOS name, i.e. CORP, not corp.local
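A pre-flight check for the trust problem described in the question and for item 1 of the fix, as an added example that is not from the original post or from Rancher: it performs the same LDAP StartTLS exchange on port 389 that ldapsearch -Z does, but validates the DC's certificate against only the CA file you intend to paste, so an "unable to get local issuer certificate" failure shows up before you touch the UI. The host name and the CA file name are placeholders; the two constructed response byte strings mirror what a DC sends back.

```python
import socket
import ssl

# RFC 4511 StartTLS extended operation OID
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def build_starttls_request(msg_id: int = 1) -> bytes:
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName } }.
    Short-form lengths suffice: the complete message is 31 bytes."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # requestName [0] LDAPOID
    ext_req = b"\x77" + bytes([len(name)]) + name                 # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext_req                # INTEGER messageID first
    return b"\x30" + bytes([len(body)]) + body                    # outer SEQUENCE


def parse_result_code(resp: bytes) -> int:
    """Return resultCode from an ExtendedResponse [APPLICATION 24] (tag 0x78).
    Assumes short-form lengths, which holds for the small StartTLS reply."""
    if resp[0] != 0x30 or resp[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    idx = 4 + resp[3]                                 # skip SEQUENCE header + messageID
    if resp[idx] != 0x78 or resp[idx + 2] != 0x0A:    # ENUMERATED resultCode comes first
        raise ValueError("not an ExtendedResponse")
    code_len = resp[idx + 3]
    return int.from_bytes(resp[idx + 4:idx + 4 + code_len], "big")


def check_starttls_trust(host: str, cafile: str, port: int = 389) -> dict:
    """Plain LDAP on 389 -> StartTLS -> TLS handshake that trusts ONLY cafile.
    That is the position the Rancher UI is in: it has the pasted CA, not the
    host's /etc/ssl bundle that made ldapsearch -Z succeed on the Ubuntu box."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check;
    with socket.create_connection((host, port), timeout=10) as raw:  # system bundle NOT loaded
        raw.sendall(build_starttls_request())
        code = parse_result_code(raw.recv(4096))      # reply is tiny, arrives in one read
        if code != 0:                                 # DC refused StartTLS
            return {"ok": False, "stage": "starttls", "result_code": code}
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLCertVerificationError as exc:
            # e.g. "unable to get local issuer certificate": cafile is not the issuer
            return {"ok": False, "stage": "verify", "error": exc.verify_message}
        with tls:
            cert = tls.getpeercert()
    return {"ok": True, "subject": cert["subject"], "issuer": cert["issuer"]}


if __name__ == "__main__":  # placeholders: your DC's FQDN and the CA-only PEM file
    print(check_starttls_trust("MYDC01.corp.local", "ad-root-ca.pem"))
```

If the check fails at the "verify" stage with the CA file but succeeds when you point cafile at the full server+CA bundle, the pasted file is the server cert, not its issuer.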