LDAP SSL Error with a Synology

I seem to be having the same issue as @zibeug, setting up LDAP auth to a Synology Directory Server (Samba AD) that is utilizing a LetsEncrypt certificate. Assumed it was protocol to start my own thread here.
These are my settings (with domain and other info redacted):

```properties
#-# LDAP Settings
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.server=ldaps://auth.redacteddomain.com
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.bind_DN=binder@auth.redacteddomain.com
xwiki.authentication.ldap.bind_pass=#########
xwiki.authentication.ldap.base_DN=OU=Users,dc=auth,dc=redacteddomain,dc=com
```
In the original thread, @Beat_Burgener requested two commands be run:
```shell
openssl s_client -host synology.domain.com -port 636 -prexit -showcerts
openssl s_client -connect synology.domain.com:389 -starttls ldap -prexit -showcerts
```
The first command returned:
```text
CONNECTED(00000005)
depth=0 CN = *.redacteddomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.redacteddomain.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.redacteddomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=*.redacteddomain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
### Redacted ###
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.redacteddomain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 1985 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ####
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : #####
    Session-ID: ####
    Session-ID-ctx:
    Master-Key: #####
    Start Time: 1576014785
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
```
The second command kept giving me errors about bad arguments; somehow I thought this would be a relevant replacement (I could be totally wrong):

```shell
curl ldaps://auth.redacteddomain.com
```
This returned:
```text
curl: (58) LDAP local: ERROR setting PEM CA cert: Can’t contact LDAP server
```

So, based on all I’ve read, the Synology Directory Server is not passing along the full cert chain. I’m separately reaching out on the Synology support forums trying to figure out how to make it serve the certs properly. But, in the meantime, is there something I can do on the XWiki end to force things to work? XWiki is running in a Docker container on a Mac mini.
And… if anyone knows how to fix the Synology I’ll take that feedback as well!
Thanks!
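A small checker for the diagnosis in this post, added here as an example and not part of the original thread: it parses the `Certificate chain` section of an `openssl s_client -showcerts` transcript (the constructed sample below is the relevant part of the output quoted above, with the PEM body shortened) and reports whether the served certificates link up and which CA the client would have to trust already. When the chain is linked but the anchor it needs is an intermediate rather than a root, the server is omitting the intermediate, which is what verify return code 21 means.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the chain section of the post's output on port 636
# (PEM body shortened; only the s:/i: lines matter for this check).
SAMPLE_OUTPUT = """\
---
Certificate chain
 0 s:/CN=*.redacteddomain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIC...redacted...
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
"""

# One "N s:<subject>" line followed by an "i:<issuer>" line per served cert.
CHAIN_ENTRY = re.compile(r"^\s*\d+\s+s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(output: str) -> List[Tuple[str, str]]:
    """(subject, issuer) for each certificate the server sent, leaf first."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in CHAIN_ENTRY.finditer(output)]

def verify_return_code(output: str) -> Optional[int]:
    """Numeric code from the final 'Verify return code:' line, if present."""
    m = re.search(r"^\s*Verify return code: (\d+)", output, re.MULTILINE)
    return int(m.group(1)) if m else None

def check_chain(chain: List[Tuple[str, str]]) -> dict:
    """Walk the served chain leaf-first.  'linked': every issuer is the subject
    of the next served cert.  'root_included': the last cert is self-signed.
    'client_must_trust': the CA the client's trust store needs.  A linked chain
    whose anchor is an intermediate (here Let's Encrypt Authority X3, not a
    root) means the server omitted the intermediate: verify error 21."""
    if not chain:
        return {"linked": False, "root_included": False,
                "client_must_trust": None, "served": 0}
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return {"linked": False, "root_included": False,
                    "client_must_trust": issuer, "served": len(chain)}
    last_subject, last_issuer = chain[-1]
    return {"linked": True, "root_included": last_subject == last_issuer,
            "client_must_trust": last_issuer, "served": len(chain)}
```

Pipe a real transcript into `parse_chain` to check a server after changing its certificate bundle; if the server cannot be fixed, the CA named in `client_must_trust` is the one that would have to be imported into the JVM trust store the XWiki container uses.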