LDAP login error code 200 "Network Error"

I am installing OOD on RHEL 7.9 via RPM. I installed ondemand-dex and added LDAP support. When I try to log in to the OOD portal, I get the following error:

Internal Server Error
Login error: failed to connect: LDAP Result Code 200 "Network Error": dial tcp 12.12.12.100:636: connect: connection refused

The httpd24 log error:
[auth_openidc:warn] [pid 130945] [client 12.12.12.100:34956] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_j8I-PIKIV2gDYZLFJgVWUd-N77g) has expired (original_url=http://12.12.12.100/pun/sys/dashboard)
[auth_openidc:warn] [pid 3776] oidc_check_config_openid_openidc: the URL scheme (http) of the configured OIDCProviderMetadataURL SHOULD be "https" for security reasons!
[auth_openidc:warn] [pid 3776] oidc_check_config_openid_openidc: the URL scheme (http) of the configured OIDCRedirectURI SHOULD be "https" for security reasons (moreover: some Providers may reject non-HTTPS URLs)

Here is the dex portion of my ood_portal.yml:

---
# The server name used for name-based Virtual Host
# Example:
#     servername: 'www.example.com'
# Default: null (don't use name-based Virtual Host)
servername: 12.12.12.100

# ...
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: 12.12.12.100:636
        insecureSkipVerify: false
        bindDN: cn=Manager,dc=local,dc=cn
        bindPW: admin069
        userSearch:
          baseDN: ou=People,dc=local,dc=cn
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=People,dc=local,dc=cn
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn

Here is the ldapsearch output:

[root@mu01 config]# ldapsearch -x -h 12.12.12.100 -b 'dc=local,dc=cn'
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local.cn
dn: dc=local,dc=cn
dc: local
objectClass: top
objectClass: domain

# Manager, local.cn
dn: cn=Manager,dc=local,dc=cn
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

# People, local.cn
dn: ou=People,dc=local,dc=cn
objectClass: organizationalUnit
ou: People

# Group, local.cn
dn: ou=Group,dc=local,dc=cn
objectClass: organizationalUnit
ou: Group

# chem, Group, local.cn
dn: cn=chem,ou=Group,dc=local,dc=cn
objectClass: posixGroup
objectClass: top
cn: chem
gidNumber: 1000

# wuy, People, local.cn
dn: uid=wuy,ou=People,dc=local,dc=cn
uid: wuy
cn: wuy
sn: wuy
mail: wuy@local.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/wuy

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

The machine hostname is mu01, and the IP is 12.12.12.100. I also turned off the firewalld service and disabled SELinux.

I’m not sure how to resolve this issue. Any assistance would be greatly appreciated.

Is 636 the right port?

What does this return?

ldapsearch -x -H 12.12.12.100:636 -b 'dc=local,dc=cn'

Thanks for your reply! I did not configure SSL, so the LDAP port is 389. I changed "host: 12.12.12.100:636" to "host: 12.12.12.100:389" in /etc/ood/config/ood_portal.yml.
Then I executed the following commands:

/opt/ood/ood-portal-generator/sbin/update_ood_portal
systemctl restart httpd24-httpd.service httpd24-htcacheclean.service
systemctl restart ondemand-dex.service

I get the following error:
Internal Server Error
Login error: failed to connect: LDAP Result Code 200 "Network Error": EOF

The httpd24 log error:
[auth_openidc:warn] [pid 3785] [client 12.12.12.100:41540] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_E6bk3Fa7rPWLJVfuHWbu-UJ-iTY) has expired (original_url=http://12.12.12.100/pun/sys/dashboard)

[root@mu01 config]# ldapsearch -x -H 12.12.12.100:636 -b 'dc=local,dc=cn'
Could not parse LDAP URI(s)=12.12.12.100:636 (3)
[root@mu01 config]# ldapsearch -x -H 12.12.12.100:389 -b 'dc=local,dc=cn'
Could not parse LDAP URI(s)=12.12.12.100:389 (3)
[root@mu01 config]# ldapsearch -x -H 12.12.12.100 -b 'dc=local,dc=cn'
Could not parse LDAP URI(s)=12.12.12.100 (3)

Does SSL have to be configured?

Hi. I got this from a site. Please let me know if it helps or not.
You will need to modify it according to your configuration. Got this from https://forum.zentyal.org/index.php?topic=15240.0

ldapsearch -H ldap://athena.computing.lan:390 -x -D "cn=zentyal,dc=computing,dc=lan" -W -b "dc=computing,dc=lan"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=computing,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# computing.lan
dn: dc=computing,dc=lan

Must the port be 390? I get the right result with port 389.

[root@mu01 config]# ldapsearch -H ldap://12.12.12.100:389 -x -b 'dc=local,dc=cn'
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local.cn
dn: dc=local,dc=cn
dc: local
objectClass: top
objectClass: domain

# Manager, local.cn
dn: cn=Manager,dc=local,dc=cn
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

# People, local.cn
dn: ou=People,dc=local,dc=cn
objectClass: organizationalUnit
ou: People

# Group, local.cn
dn: ou=Group,dc=local,dc=cn
objectClass: organizationalUnit
ou: Group

# chem, Group, local.cn
dn: cn=chem,ou=Group,dc=local,dc=cn
objectClass: posixGroup
objectClass: top
cn: chem
gidNumber: 1000

# wuy, People, local.cn
dn: uid=wuy,ou=People,dc=local,dc=cn
uid: wuy
cn: wuy
sn: wuy
mail: wuy@local.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/wuy

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
[root@mu01 config]# ldapsearch -H ldap://12.12.12.100:389 -x -D "cn=Manager,dc=local,dc=cn" -W -b "dc=local,dc=cn"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local.cn
dn: dc=local,dc=cn
dc: local
objectClass: top
objectClass: domain

# Manager, local.cn
dn: cn=Manager,dc=local,dc=cn
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

# People, local.cn
dn: ou=People,dc=local,dc=cn
objectClass: organizationalUnit
ou: People

# Group, local.cn
dn: ou=Group,dc=local,dc=cn
objectClass: organizationalUnit
ou: Group

# chem, Group, local.cn
dn: cn=chem,ou=Group,dc=local,dc=cn
objectClass: posixGroup
objectClass: top
cn: chem
userPassword:: e2NyeXB0fXg=
gidNumber: 1000

# wuy, People, local.cn
dn: uid=wuy,ou=People,dc=local,dc=cn
uid: wuy
cn: wuy
sn: wuy
mail: wuy@local.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJHljaW9RVThOJFZkMTdVUnBFL1hGWTFDLnc5S1BBeS8=
shadowLastChange: 19026
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/wuy

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

I searched a website: https://docs.sensu.io/sensu-go/latest/operations/control-access/ldap-auth/

failed to connect: LDAP Result Code 200 "Network Error"

The LDAP provider couldn’t establish a TCP connection to the LDAP server. Verify the host and port attributes. If you are not using LDAP over TLS/SSL, make sure to set the value of the security attribute to insecure for plaintext communication.

I changed "dex: → connectors: → config: → insecureSkipVerify: false" to "dex: → connectors: → config: → insecureSkipVerify: true" in /etc/ood/config/ood_portal.yml.
I restarted the httpd24-httpd and ondemand-dex services, but I get the same error.
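Two of the error strings in this thread come from the TCP layer rather than from LDAP itself: "connection refused" means nothing accepted the connection on that port, and "EOF" means the peer accepted the connection and then closed it after receiving bytes it did not expect (typically a TLS client talking to a plaintext port, or a plaintext client talking to a TLS-only port). The probe below is an added example, not code from this thread or from the OnDemand or Dex projects: it sends one anonymous LDAP BindRequest in plaintext, separately attempts a TLS handshake, and classifies what the port did. The fake server and port numbers are constructed for the demonstration; pointing `probe_ldap_port` and `probe_tls` at your own directory host shows which of the two transports a port actually speaks, so the Dex connector can be configured to match it.

```python
import socket
import ssl
import threading

# Minimal BER encoding (RFC 4511 LDAP over ASN.1 BER): enough for one anonymous BindRequest.
def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def build_anon_bind(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind_request = _tlv(0x60,                  # [APPLICATION 0] BindRequest
                        _tlv(0x02, b"\x03") +   # version INTEGER 3
                        _tlv(0x04, b"") +       # name LDAPDN "" (anonymous)
                        _tlv(0x80, b""))        # authentication simple [0] ""
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)

def parse_bind_result_code(data: bytes):
    """resultCode of an LDAP BindResponse, or None if the bytes are not a BindResponse."""
    try:
        if data[0] != 0x30:
            return None
        i = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)    # skip SEQUENCE header
        if data[i] != 0x02:
            return None
        i += 2 + data[i + 1]                                  # skip messageID
        if data[i] != 0x61:                                   # [APPLICATION 1] BindResponse
            return None
        i += 2 if data[i + 1] < 0x80 else 2 + (data[i + 1] & 0x7F)
        if data[i] != 0x0A:                                   # resultCode ENUMERATED
            return None
        return int.from_bytes(data[i + 2:i + 2 + data[i + 1]], "big")
    except IndexError:
        return None

def probe_ldap_port(host: str, port: int, timeout: float = 3.0) -> str:
    """What a plaintext LDAP client sees at host:port: 'refused' (nothing listening, the
    thread's first error), 'unreachable', 'ldap' (a plaintext server answered the bind, any
    resultCode), 'eof' (accepted, then closed on our bytes; a TLS-only listener does this to
    plaintext and a plaintext listener does it to a TLS ClientHello, the thread's second
    error), 'silent' (never answered) or 'unknown' (answered with non-LDAP bytes)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(build_anon_bind())
            data = sock.recv(4096)
        except socket.timeout:
            return "silent"
        except ConnectionResetError:
            return "eof"
        if not data:
            return "eof"
        return "ldap" if parse_bind_result_code(data) is not None else "unknown"

def probe_tls(host: str, port: int, timeout: float = 3.0) -> str:
    """Does host:port complete a TLS handshake (what Dex attempts for an LDAPS host)?
    Verification is disabled on purpose: this is a transport probe, not a trust check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + (tls.version() or "unknown")
    except (ssl.SSLError, ConnectionResetError):
        return "not-tls"          # a plaintext listener rejected the ClientHello
    except OSError:
        return "unreachable"

# Constructed BindResponse(success) and a test double standing in for a directory server.
BIND_OK = _tlv(0x30, _tlv(0x02, b"\x01") +
               _tlv(0x61, _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")))

class FakeLdapServer(threading.Thread):
    """'answer' replies like plaintext OpenLDAP on 389; 'drop' closes on the first bytes
    like a TLS-only listener handed plaintext. Serves exactly one connection."""
    def __init__(self, mode: str):
        super().__init__(daemon=True)
        self.mode = mode
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        with conn:
            conn.recv(4096)
            if self.mode == "answer":
                conn.sendall(BIND_OK)
        self.listener.close()

def unused_port() -> int:
    """A loopback port with nothing listening, to reproduce 'connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    for mode in ("answer", "drop"):
        srv = FakeLdapServer(mode)
        srv.start()
        print(f"{mode:6s} listener -> {probe_ldap_port('127.0.0.1', srv.port)}")
    print(f"closed port     -> {probe_ldap_port('127.0.0.1', unused_port())}")
```

Against a real server, "ldap" on 389 plus "not-tls" on the same port means the connector must be told that port is plaintext, while "refused" on 636 means no LDAPS listener exists yet, which is the state the first post shows.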

You should use the port that is correct for you. If you are getting results from port 389, then you need to use port 389.

After you made the changes to ood_portal.yml, did you run the following command?

sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal

If not, then you need to do this first, before restarting httpd and dex.

Hope that helps.

thanks,
-gerald

Thanks for your reply. Yes, I'm sure that I executed the following commands:

/opt/ood/ood-portal-generator/sbin/update_ood_portal
systemctl restart httpd24-httpd.service httpd24-htcacheclean.service
systemctl restart ondemand-dex.service

But I get the same login error.

In order to use Open OnDemand, I stopped the ondemand-dex service and used only basic LDAP auth.

[root@mu01 ~]# cat /etc/ood/config/ood_portal.yml
---
# The server name used for name-based Virtual Host
# Example:
#     servername: 'www.example.com'
# Default: null (don't use name-based Virtual Host)
servername: 12.12.12.100

# List of Apache authentication directives
# NB: Be sure the appropriate Apache module is installed for this
# Default: (see below, uses OIDC auth with Dex)
auth:
  - 'AuthType Basic'
  - 'AuthName "private"'
  - 'AuthBasicProvider ldap'
  - 'AuthLDAPURL "ldap://12.12.12.100/ou=People,dc=local,dc=cn?uid"'
  - 'AuthLDAPGroupAttribute memberUid'
  - 'AuthLDAPGroupAttributeIsDN off'
  - 'RequestHeader unset Authorization'
  - 'Require ldap-group cn=chem,ou=Group,dc=local,dc=cn'
  - 'Require valid-user'

Then I executed the following commands:

/opt/ood/ood-portal-generator/sbin/update_ood_portal
systemctl restart httpd24-httpd.service

However, I get the error: "failed to map user (wuy)".
Oh :sweat_smile:, the user guide is not friendly to newbies.

Regarding the documentation. I agree. We are actively working to make our documentation better.

Please see my ood_portal.yml config for LDAP. This is working fine for me. I’m running on Rocky8 O/S.

You will need to adjust it according to your specific settings. Also, do you have direct access to LDAP, or is there a different LDAP administrator?

dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldapmaster.gbsw.net:636
        insecureSkipVerify: true
        bindDN: cn=admin,dc=ldapmaster,dc=gbsw,dc=net
        bindPW: admin
        userSearch:
          baseDN: ou=People,dc=ldapmaster,dc=gbsw,dc=net
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=Groups,dc=ldapmaster,dc=gbsw,dc=net
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: develop
          nameAttr: cn

Thanks very much! I will configure OpenLDAP with SSL, and try again.
I can log in to the cluster as root. The administrator password of LDAP is admin069.

[root@mu01 ~]# cat /etc/ood/config/ood_portal.yml
---
# The server name used for name-based Virtual Host
# Example:
#     servername: 'www.example.com'
# Default: null (don't use name-based Virtual Host)
servername: 12.12.12.100

# List of Apache authentication directives
# NB: Be sure the appropriate Apache module is installed for this
# Default: (see below, uses OIDC auth with Dex)
auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

# ...
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: 12.12.12.100
        insecureSkipVerify: true
        bindDN: cn=Manager,dc=local,dc=cn
        bindPW: admin069
        userSearch:
          baseDN: ou=People,dc=local,dc=cn
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=Group,dc=local,dc=cn
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
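The three `config:` blocks posted in this thread differ only in the `host` port and `insecureSkipVerify`, yet each makes Dex dial the directory differently. The checker below is an added example, not code from the thread or from the OnDemand or Dex projects. It takes the connector's `config:` mapping as a Python dict (what `yaml.safe_load` yields for that part of ood_portal.yml) and reports how the connector will dial and which settings weaken the connection. It assumes the Dex LDAP connector fields `insecureNoSSL`, `startTLS`, `insecureSkipVerify` and `rootCA`/`rootCAData`, and Dex's rule of appending `:636` (or `:389` when `insecureNoSSL` is true) to a host given without a port; confirm both against the Dex version your ondemand-dex package ships. The sample configs are constructed from the thread with the bind password replaced by a placeholder.

```python
import ipaddress

# Constructed inputs mirroring the thread's three "config:" blocks (bindPW replaced).
THREAD_CONFIGS = {
    "first (636, verify on)": {
        "host": "12.12.12.100:636", "insecureSkipVerify": False,
        "bindDN": "cn=Manager,dc=local,dc=cn", "bindPW": "PLACEHOLDER"},
    "second (389, verify off)": {
        "host": "12.12.12.100:389", "insecureSkipVerify": True,
        "bindDN": "cn=Manager,dc=local,dc=cn", "bindPW": "PLACEHOLDER"},
    "final (no port, verify off)": {
        "host": "12.12.12.100", "insecureSkipVerify": True,
        "bindDN": "cn=Manager,dc=local,dc=cn", "bindPW": "PLACEHOLDER"},
}

def effective_transport(cfg: dict) -> dict:
    """How the Dex LDAP connector will dial for this config (assumed Dex behaviour, see lead-in):
    insecureNoSSL -> plaintext; startTLS -> plaintext then STARTTLS; otherwise LDAPS.
    A host without a port gets 389 only when insecureNoSSL is set, else 636."""
    host = str(cfg.get("host", ""))
    if ":" in host:
        hostname, port_text = host.rsplit(":", 1)
        port = int(port_text)
    else:
        hostname, port = host, (389 if cfg.get("insecureNoSSL") else 636)
    if cfg.get("insecureNoSSL"):
        mode = "plaintext"
    elif cfg.get("startTLS"):
        mode = "starttls"
    else:
        mode = "ldaps"
    return {"host": hostname, "port": port, "mode": mode}

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_connector(cfg: dict) -> list:
    """Findings a reviewer would raise about the connector, most severe first."""
    t = effective_transport(cfg)
    findings = []
    if t["mode"] == "plaintext":
        findings.append("plaintext LDAP: the bindDN password and every user's password "
                        "cross the network unencrypted")
        if t["port"] == 636:
            findings.append("insecureNoSSL with port 636: plaintext sent to a port that "
                            "normally expects TLS; expect a closed connection")
    else:
        if t["mode"] == "ldaps" and t["port"] == 389:
            findings.append("TLS dial to port 389: a plaintext listener drops the ClientHello "
                            "and Dex reports 'Network Error: EOF'")
        if cfg.get("insecureSkipVerify"):
            findings.append("insecureSkipVerify: the server certificate is not checked, so any "
                            "host that can answer at this address can pose as the directory "
                            "and collect the bind and user passwords")
        else:
            if not (cfg.get("rootCA") or cfg.get("rootCAData")):
                findings.append("no rootCA/rootCAData: the server certificate must chain to "
                                "the system trust store")
            if _is_ip(t["host"]):
                findings.append("host is an IP address: the certificate needs a matching IP "
                                "SAN, or use the directory's DNS name")
    if cfg.get("bindPW"):
        findings.append("bindPW is stored in cleartext in ood_portal.yml: keep the file "
                        "readable by root only")
    return findings

if __name__ == "__main__":
    for label, cfg in THREAD_CONFIGS.items():
        t = effective_transport(cfg)
        print(f"{label}: {t['mode']} to {t['host']}:{t['port']}")
        for f in lint_connector(cfg):
            print("  -", f)
```

Run on the thread's configs, the second block is the one that reproduces the "EOF" error (a TLS dial to 389), and the final block dials LDAPS on 636, which is consistent with the plan to put OpenLDAP behind SSL; `insecureSkipVerify: true` is flagged in both because it turns the TLS connection into one that is encrypted but not authenticated.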