After Update to 1.22.0 LDAP Login is not working anymore #31228
Comments
Are you using a self-signed certificate, and which LDAP server are you using?

Could be a TLS cipher issue. Check if your LDAP server supports TLS 1.2 or higher with tools like https://github.com/drwetter/testssl.sh. golang since v1.22 requires TLS 1.2 or higher by default.

Same here. Self-signed certificate with "skip TLS verification" selected. Used testssl.sh to check protocols:
OS is Debian 12 bookworm. Gitea running using the amd64 binary.

Same here. I'm using an OpenLDAP proxy. TLS 1.2 is supported:

Actually it's likely not TLS-version related, as per https://tip.golang.org/doc/go1.22#minor_library_changes:
So the TLS client has not changed its requirement in Go 1.22/Gitea 1.22, only the server has.

I've captured the LDAP traffic between Gitea and our LDAP server with tcpdump and analysed it with Wireshark. Our LDAP server only supports
Why this happened requires further analysis. Compare the following TLS Client Hello output between Gitea v1.22.0 and v1.21.11:

The situation seems clear to me: https://tip.golang.org/doc/go1.22#minor_library_changes
Exporting the required env var

@adamoutler

I'm sorry, but I'm using a Docker container setup and I'd need to adjust code to do this. I assume it will be fixed soon enough.

Ok, I'm closing and pinning this since it's working as intended. People affected should look into upgrading their LDAP server to support modern ciphers, and if that's not possible you can work around it, preferably with

Working OpenLDAP/slapd config:
To enable ECDHE ciphers:

Just upgraded and hit this. I don't understand why this isn't listed as a breaking change, because it literally fails all logins? No fallback as far as I can see (or remember). Currently running a downloaded binary, not Docker. Have tried adding this to /etc/gitea/app.ini:
Still fails. Tried to add it to the systemd unit file (are the quotes required?), e.g.:
Still fails. Then tried to run gitea from the CLI to try and modify LDAP in any way, shape or form, but I get the dreaded:
So can't go back, can't go forwards, and can't update my LDAP server for another couple of months as it hinges on other software too. Ironically, Gitea is on a server that COULD run a newer version of LDAP, but I don't want to do that as it breaks all my backend authentication, and I can't modify the LDAP settings in any event. Completely and utterly stuck and no idea what to do :-( Any advice on this appreciated, at least to get it running for now.

Well, after a huge amount of wrangling I got it to work. First, I could not get this to work and would very much like to know how to get it to work on a binary-only install?
Next, and this should be better documented, is how to actively modify Gitea settings via the CLI. I stumbled over this while looking for something else and modified it for my own use. On a *buntu box it required this to get around the
I had to read the code here to find the different security protocols, as that isn't documented either: unencrypted | starttls | ldaps. Change your command/directory to suit. Found those here: admin_auth_ldap_test.go. Would be nice to be able to: a) query existing settings
Next was to check what ciphers were loaded.
Next was to check the existing non-RSA cipher suites (yes, messy, but it works for me). I expected to be out of luck:
Hmmm. A chance? Next, on the LDAP server, I added these additional cipher suites to /etc/openldap/slapd.conf to test: ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384
Apparently to use ECDH you need TLSECName as well. So:
Restart the LDAP server and test. Oh.
I was concerned that the TLS_ECDHE still had RSA, but I went to the login page and it worked immediately! So the answer is: it will still work, but it needs the correct setup. Hope that helps someone.

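The closing comment above (the Go 1.22 change plus the env-var workaround) and the slapd walkthrough that follows it describe one mechanism: Go 1.22 dropped the static-RSA key exchange cipher suites (TLS_RSA_WITH_*) from the client's default list, so a server that offers nothing but those suites has no overlap with Gitea's ClientHello and the server answers with a handshake_failure alert. The env var the maintainer refers to is, per the linked Go 1.22 release notes, GODEBUG=tlsrsakex=1. The Go program below is an added example written for this page, not Gitea's or go-ldap's code: it reproduces the mismatch in-process over net.Pipe with a constructed self-signed RSA certificate and a hypothetical host name, using explicit cipher-suite lists so the outcome does not depend on the GODEBUG setting of whatever Go version runs it. It then shows the two ways out: enabling an ECDHE suite on the server (what the TLSCipherSuite/TLSECName change does) or re-adding RSA key exchange on the client (what tlsrsakex=1 does).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical host name for the constructed test certificate.
const serverName = "ldap.example.test"

// ECDHESuites is a representative subset of the ECDHE-only TLS 1.2 list a Go 1.22+
// client offers by default. Listing it explicitly keeps the example independent of GODEBUG.
var ECDHESuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// RSAKexOnly models an LDAP server that still offers only static RSA key exchange:
// no forward secrecy, and no overlap with ECDHESuites.
var RSAKexOnly = []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384}

// RSAKexPlusECDHE models the same server after an ECDHE suite was enabled, which is
// what the slapd TLSCipherSuite/TLSECName change in the thread achieves.
var RSAKexPlusECDHE = append([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, RSAKexOnly...)

// ECDHEThenRSAKex models a client that also offers static RSA key exchange, as GODEBUG=tlsrsakex=1 restores.
var ECDHEThenRSAKex = append(append([]uint16{}, ECDHESuites...), RSAKexOnly...)

// selfSignedRSACert builds a throwaway self-signed RSA certificate for serverName.
// Static RSA key exchange needs an RSA key; an ECDSA cert could not reproduce the bug.
func selfSignedRSACert() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake runs a TLS 1.2 handshake over an in-memory pipe between a client offering
// clientSuites and a server offering serverSuites. It returns the negotiated suite name or
// the client-side error; on a suite mismatch that is the "remote error: tls: handshake failure" Gitea logs.
func Handshake(serverSuites, clientSuites []uint16) (string, error) {
	cert, pool, err := selfSignedRSACert()
	if err != nil {
		return "", err
	}
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	server := tls.Server(serverConn, &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // TLS 1.3 ignores CipherSuites, so pin 1.2
		CipherSuites: serverSuites,
	})
	serverDone := make(chan error, 1)
	go func() { serverDone <- server.Handshake() }()
	client := tls.Client(clientConn, &tls.Config{
		RootCAs:      pool, // trust the self-signed cert instead of skipping verification
		ServerName:   serverName,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: clientSuites,
	})
	err = client.Handshake()
	<-serverDone
	if err != nil {
		return "", err
	}
	return tls.CipherSuiteName(client.ConnectionState().CipherSuite), nil
}

func main() {
	name, err := Handshake(RSAKexOnly, ECDHESuites) // reproduces the reported failure
	fmt.Printf("negotiated=%q err=%v\n", name, err)
}
```

Handshake(RSAKexOnly, ECDHESuites) fails with the handshake_failure alert, Handshake(RSAKexPlusECDHE, ECDHESuites) negotiates TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and Handshake(RSAKexOnly, ECDHEThenRSAKex) falls back to TLS_RSA_WITH_AES_128_GCM_SHA256. Of the two fixes, prefer the server-side one: static RSA key exchange gives no forward secrecy, so GODEBUG=tlsrsakex=1 is a stopgap until the LDAP server advertises ECDHE suites, which testssl.sh against port 636 will confirm.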
Description
Hi,
I've upgraded to 1.22.0 and after the update LDAP login is no longer possible.
I see tls handshake failures in the logfile:
2024/06/03 11:18:01 ...dap/source_search.go:424:SearchEntries() [E] LDAP Connect error, our.ldap.server:LDAP Result Code 200 "Network Error": remote error: tls: handshake failure
2024/06/03 11:18:01 .../ldap/source_sync.go:55:Sync() [E] SyncExternalUsers LDAP source failure [ourldapserver], skipped
Gitea Version
1.22.0
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
2.39.3
Operating System
RHEL 8.9
How are you running Gitea?
running gitea from downloads: gitea-1.22.0-linux-amd64
Database
PostgreSQL