Connecting to Active Directory via LDAP without encryption #2168

1sk0ne · 2024-12-27T10:51:34Z

1sk0ne
Dec 27, 2024

Hello, please tell me if it is possible to bypass an LDAP connection without encryption, since I do not have LDAP configured on my domain controllers due to the fact that all traffic is on the internal network.

As a result, if I get an error with the following data:

apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: ActiveDirectoryIdentityProvider
metadata:
  name: pinniped-active-directory
  namespace: pinniped-supervisor
spec:
  host: dc-1.base.local:389
  tls:
    certificateAuthorityData: <self-signed-controller-domain-certificate>

Logs:

{"level":"info","timestamp":"2024-12-27T08:46:10.757059Z","caller":"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go:143$upstreamwatchers.TestConnection","message":"testing LDAP connection using TLS failed, so trying again with StartTLS","error":"error dialing host \"dc1.base.local:389\": LDAP Result Code 200 \"Network Error\": read tcp 10.140.44.152:41140->10.33.12.13:389: read: connection reset by peer","host":"dc1.base.local:389"}
{"level":"info","timestamp":"2024-12-27T08:46:10.770079Z","caller":"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go:154$upstreamwatchers.TestConnection","message":"testing LDAP connection using StartTLS also failed","error":"error dialing host \"dc1.base.local:389\": LDAP Result Code 200 \"Network Error\": read tcp 10.140.44.15:41140->10.33.12.1:389: read: connection reset by peer","host":"dc1.base.local:389"}

I would also like to know if it is possible to use a connection specifying base.local:389
So, if a particular domain controller fails, is it possible to connect to the next one?

Answered by cfryanr

Jan 2, 2025

Hi, thanks for your questions.

It is not possible to use LDAP without TLS. As you saw in the logs, your server can support either LDAPS or StartTLS, but it must support one of those. It would not be secure to use LDAP without TLS, since it involves sending the user's password to the LDAP server over the network.

You should be able to use whatever DNS tricks you want to use, as long as the TLS certificate can be validated using the DNS name.

View full answer

cfryanr · 2025-01-02T16:52:30Z

cfryanr
Jan 2, 2025
Maintainer

Hi, thanks for your questions.

It is not possible to use LDAP without TLS. As you saw in the logs, your server can support either LDAPS or StartTLS, but it must support one of those. It would not be secure to use LDAP without TLS, since it involves sending the user's password to the LDAP server over the network.

You should be able to use whatever DNS tricks you want to use, as long as the TLS certificate can be validated using the DNS name.

1 reply

cfryanr Jan 2, 2025
Maintainer

I noticed in your example you said <self-signed-controller-domain-certificate>. It's fine for the cert or the CA to be self-signed. That's not a problem, as long as the TLS connection can be validated.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Connecting to Active Directory via LDAP without encryption #2168

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Connecting to Active Directory via LDAP without encryption #2168

1sk0ne Dec 27, 2024

Replies: 1 comment · 1 reply

cfryanr Jan 2, 2025 Maintainer

cfryanr Jan 2, 2025 Maintainer

1sk0ne
Dec 27, 2024

Replies: 1 comment 1 reply

cfryanr
Jan 2, 2025
Maintainer

cfryanr Jan 2, 2025
Maintainer