LDAP login error code 200 "Network Error"

Get Help
1

I am installing OOD on RHEL 7.9 via RPM. Install ondemand-dex and add ldap support. When I try to login to the OOD portal, I get the following error:

Internal Server Error
Login error: failed to connect: LDAP Result Code 200 “Network Error”: dial tcp 12.12.12.100:636: connect: connection refused

The httpd24 log error:
[auth_openidc:warn] [pid 130945] [client 12.12.12.100:34956] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_j8I-PIKIV2gDYZLFJgVWUd-N77g) has expired (original_url=http://12.12.12.100/pun/sys/dashboard)
[auth_openidc:warn] [pid 3776] oidc_check_config_openid_openidc: the URL scheme (http) of the configured OIDCProviderMetadataURL SHOULD be “https” for security reasons!
[auth_openidc:warn] [pid 3776] oidc_check_config_openid_openidc: the URL scheme (http) of the configured OIDCRedirectURI SHOULD be “https” for security reasons (moreover: some Providers may reject non-HTTPS URLs)

Here is the dex portion of my ood_portal.yml:

---
# The server name used for name-based Virtual Host
# Example:
#     servername: 'www.example.com'
# Default: null (don't use name-based Virtual Host)
servername: 12.12.12.100

# ...
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: 12.12.12.100:636
        insecureSkipVerify: false
        bindDN: cn=Manager,dc=local,dc=cn
        bindPW: admin069
        userSearch:
          baseDN: ou=People,dc=local,dc=cn
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=People,dc=local,dc=cn
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn

Here is the ldapsearch translation:

[root@mu01 config]# ldapsearch -x -h 12.12.12.100 -b 'dc=local,dc=cn'
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local.cn
dn: dc=local,dc=cn
dc: local
objectClass: top
objectClass: domain

# Manager, local.cn
dn: cn=Manager,dc=local,dc=cn
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

# People, local.cn
dn: ou=People,dc=local,dc=cn
objectClass: organizationalUnit
ou: People

# Group, local.cn
dn: ou=Group,dc=local,dc=cn
objectClass: organizationalUnit
ou: Group

# chem, Group, local.cn
dn: cn=chem,ou=Group,dc=local,dc=cn
objectClass: posixGroup
objectClass: top
cn: chem
gidNumber: 1000

# wuy, People, local.cn
dn: uid=wuy,ou=People,dc=local,dc=cn
uid: wuy
cn: wuy
sn: wuy
mail: wuy@local.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/wuy

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

The machine hostname is mu01, and the IP is 12.12.12.100. I also turn off the service of firewalld and disabled selinux.

I’m not sure how to resolve this issue. Any assistance would be greatly appreciated.

2

Is 636 the right port?

What does this return?

ldapsearch -x -H 12.12.12.100:636 -b 'dc=local,dc=cn'
3

Thanks for your reply! I do not configure SSL, so the ldap port is 389. “host: 12.12.12.100:636” is modified to “host: 12.12.12.100:389” in /etc/ood/config/ood_portal.yml.
Execute the following command:

/opt/ood/ood-portal-generator/sbin/update_ood_portal
systemctl restart httpd24-httpd.service httpd24-htcacheclean.service
systemctl restart ondemand-dex.service

I get the following error:
Internal Server Error
Login error: failed to connect: LDAP Result Code 200 “Network Error”: EOF

The httpd24 log error:
[auth_openidc:warn] [pid 3785] [client 12.12.12.100:41540] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_E6bk3Fa7rPWLJVfuHWbu-UJ-iTY) has expired (original_url=http://12.12.12.100/pun/sys/dashboard)

[root@mu01 config]# ldapsearch -x -H 12.12.12.100:636 -b 'dc=local,dc=cn'
Could not parse LDAP URI(s)=12.12.12.100:636 (3)
[root@mu01 config]# ldapsearch -x -H 12.12.12.100:389 -b 'dc=local,dc=cn'
Could not parse LDAP URI(s)=12.12.12.100:389 (3)
[root@mu01 config]# ldapsearch -x -H 12.12.12.100 -b 'dc=local,dc=cn'
Could not parse LDAP URI(s)=12.12.12.100 (3)

Does SSL have to be configured?

4

Hi. I got this from a site. Please let me know if it helps or not.
You will need to modify according your configuration. Got this from https://forum.zentyal.org/index.php?topic=15240.0

ldapsearch -H ldap://athena.computing.lan:390 -x -D “cn=zentyal,dc=computing,dc=lan” -W -b “dc=computing,dc=lan”
Enter LDAP Password:

  • extended LDIF
  • LDAPv3
  • base <dc=computing,dc=lan> with scope subtree
  • filter: (objectclass=*)
  • requesting: ALL
  • computing.lan
  • dn: dc=computing,dc=lan
5

The port must be 390? I can get the right return with 389 port.

[root@mu01 config]# ldapsearch -H ldap://12.12.12.100:389 -x -b 'dc=local,dc=cn'
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local.cn
dn: dc=local,dc=cn
dc: local
objectClass: top
objectClass: domain

# Manager, local.cn
dn: cn=Manager,dc=local,dc=cn
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

# People, local.cn
dn: ou=People,dc=local,dc=cn
objectClass: organizationalUnit
ou: People

# Group, local.cn
dn: ou=Group,dc=local,dc=cn
objectClass: organizationalUnit
ou: Group

# chem, Group, local.cn
dn: cn=chem,ou=Group,dc=local,dc=cn
objectClass: posixGroup
objectClass: top
cn: chem
gidNumber: 1000

# wuy, People, local.cn
dn: uid=wuy,ou=People,dc=local,dc=cn
uid: wuy
cn: wuy
sn: wuy
mail: wuy@local.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/wuy

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

[root@mu01 config]# ldapsearch -H ldap://12.12.12.100:389 -x -D "cn=Manager,dc=local,dc=cn" -W -b "dc=local,dc=cn"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local.cn
dn: dc=local,dc=cn
dc: local
objectClass: top
objectClass: domain

# Manager, local.cn
dn: cn=Manager,dc=local,dc=cn
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

# People, local.cn
dn: ou=People,dc=local,dc=cn
objectClass: organizationalUnit
ou: People

# Group, local.cn
dn: ou=Group,dc=local,dc=cn
objectClass: organizationalUnit
ou: Group

# chem, Group, local.cn
dn: cn=chem,ou=Group,dc=local,dc=cn
objectClass: posixGroup
objectClass: top
cn: chem
userPassword:: e2NyeXB0fXg=
gidNumber: 1000

# wuy, People, local.cn
dn: uid=wuy,ou=People,dc=local,dc=cn
uid: wuy
cn: wuy
sn: wuy
mail: wuy@local.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJHljaW9RVThOJFZkMTdVUnBFL1hGWTFDLnc5S1BBeS8=
shadowLastChange: 19026
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/wuy

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

I search a website: https://docs.sensu.io/sensu-go/latest/operations/control-access/ldap-auth/

failed to connect: LDAP Result Code 200 "Network Error"

The LDAP provider couldn’t establish a TCP connection to the LDAP server. Verify the host and port attributes. If you are not using LDAP over TLS/SSL, make sure to set the value of the security attribute to insecure for plaintext communication.

I change “dex: → connectors: → config: → insecureSkipVerify: false” to “dex: → connectors: → config: → insecureSkipVerify: true” in /etc/ood/config/ood_portal.yml.
Restart service of httpd24-httpd and ondemand-dex, but get the same error.

6

you should use the port that is correct for you. If you are getting results from port 389, then you need to use port 389.

7

After you made the changes to ood_portal.yml, did you run the following command?

sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal

If not, then you need to do this first, prior to restart httpd and dex.

Hope that helps.

thanks,
-gerald

8

Thanks for your reply. Yes, I’m sure that I executed the following command:

/opt/ood/ood-portal-generator/sbin/update_ood_portal
systemctl restart httpd24-httpd.service httpd24-htcacheclean.service
systemctl restart ondemand-dex.service

But I get the same login error.

In order to use open ondemand, I stop the service of ondemand-dex, and use only basic ldap auth.

[root@mu01 ~]# cat /etc/ood/config/ood_portal.yml
---
# The server name used for name-based Virtual Host
# Example:
#     servername: 'www.example.com'
# Default: null (don't use name-based Virtual Host)
servername: 12.12.12.100

# List of Apache authentication directives
# NB: Be sure the appropriate Apache module is installed for this
# Default: (see below, uses OIDC auth with Dex)
auth:
  - 'AuthType Basic'
  - 'AuthName "private"'
  - 'AuthBasicProvider ldap'
  - 'AuthLDAPURL "ldap://12.12.12.100/ou=People,dc=local,dc=cn?uid"'
  - 'AuthLDAPGroupAttribute memberUid'
  - 'AuthLDAPGroupAttributeIsDN off'
  - 'RequestHeader unset Authorization'
  - 'Require ldap-group cn=chem,ou=Group,dc=local,dc=cn'
  - 'Require valid-user'

Then, excute the following command:

/opt/ood/ood-portal-generator/sbin/update_ood_portal
systemctl restart httpd24-httpd.service

However, I get the error: “failed to map user (wuy)"
Oh :sweat_smile:, the userguide is not friendly to newbie.

9

Regarding the documentation. I agree. We are actively working to make our documentation better.

Please see my ood_portal.yml config for LDAP. This is working fine for me. I’m running on Rocky8 O/S.

You will need to adjust according to your specific settings. Also. Do you have direct access to LDAP, or is there a different LDAP Administrator?

dex:
connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: ldapmaster.gbsw.net:636
insecureSkipVerify: true
bindDN: cn=admin,dc=ldapmaster,dc=gbsw,dc=net
bindPW: admin
userSearch:
baseDN: ou=People,dc=ldapmaster,dc=gbsw,dc=net
filter: “(objectClass=posixAccount)”
username: uid
idAttr: uid
emailAttr: mail
nameAttr: gecos
preferredUsernameAttr: uid
groupSearch:
baseDN: ou=Groups,dc=ldapmaster,dc=gbsw,dc=net
filter: “(objectClass=posixGroup)”
userMatchers:
- userAttr: DN
groupAttr: develop
nameAttr: cn

10

Thanks very much! I will configure OpenLDAP with SSL, and try again.
I can log in to the cluster as root. The administrator password of LDAP is admin069.

[root@mu01 ~]# cat /etc/ood/config/ood_portal.yml
---
# The server name used for name-based Virtual Host
# Example:
#     servername: 'www.example.com'
# Default: null (don't use name-based Virtual Host)
servername: 12.12.12.100

# List of Apache authentication directives
# NB: Be sure the appropriate Apache module is installed for this
# Default: (see below, uses OIDC auth with Dex)
auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

# ...
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: 12.12.12.100
        insecureSkipVerify: true
        bindDN: cn=Manager,dc=local,dc=cn
        bindPW: admin069
        userSearch:
          baseDN: ou=People,dc=local,dc=cn
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=Group,dc=local,dc=cn
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
11

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.