SG FLX does auto-detect TLS

SG FLX needs tls entries to be defined in an LDAP IDP to use it, as shown in LDAPConnectionManager.java. But the JVM can be correctly configured, and there are no settings to change if the needed certificates are present in the default key store. The use of the ldaps scheme in the LDAP URL should be enough. I needed to configure my IDP as in the following fragment to make it work:

```yaml
idp:
  hosts:
    - "ldaps://XXXX:636"
    - "ldaps://XXXX:636"
    - "ldaps://XXXX:636"
  bind_dn: "XXXX"
  password: "XXXX"
  tls:
    enabled_protocols:
      - "TLSv1.2"
      - "TLSv1.3"
    trust_all: false
```

Without the tls entry, it was using ldap, not ldaps.

Have you tried to use the example of LDAPS configuration from the documentation below?

The example won't use ldaps. They work if your LDAP server is listening on both port 636 and port 389. In my setup, I requested port 636, which obviously failed, so that's why I saw that I was using ldap, not ldaps.

As soon as I added the two tls settings, it was working perfectly.
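Added example (not Search Guard's own code): a small lint over a parsed IDP fragment that flags the pitfall described in this thread, ldaps:// hosts with no `tls` block, plus a plain ldap:// scheme and `trust_all: true`. It assumes the YAML has already been loaded into a dict (for example with yaml.safe_load) and uses constructed placeholder hosts.

```python
"""Lint a Search Guard FLX LDAP IDP fragment for plain-text connection pitfalls.
Example code added to this thread, not part of Search Guard. The input is the
dict that yaml.safe_load() would return for the `idp:` section."""
from urllib.parse import urlsplit

# Constructed sample: the working config from the thread with placeholder hosts.
SAMPLE_IDP = {
    "hosts": ["ldaps://ldap1.example.invalid:636", "ldaps://ldap2.example.invalid:636"],
    "bind_dn": "cn=bind,dc=example,dc=invalid",
    "password": "PLACEHOLDER",
    "tls": {"enabled_protocols": ["TLSv1.2", "TLSv1.3"], "trust_all": False},
}

MODERN_TLS = ("TLSv1.2", "TLSv1.3")


def lint_ldap_idp(idp: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    tls = idp.get("tls")
    ldaps_hosts = []
    for host in idp.get("hosts", []):
        scheme = urlsplit(host).scheme.lower()
        if scheme == "ldaps":
            ldaps_hosts.append(host)
        elif scheme == "ldap":
            findings.append(f"{host}: plain ldap:// scheme, bind credentials travel in clear text")
        else:
            findings.append(f"{host}: unrecognised URL scheme {scheme!r}")
    # The behaviour reported in this thread: ldaps:// URLs alone do not enable TLS.
    if ldaps_hosts and tls is None:
        findings.append("ldaps:// hosts but no `tls` block: connection falls back to plain LDAP (issue #258)")
    if isinstance(tls, dict):
        if tls.get("trust_all"):
            findings.append("tls.trust_all is true: the server certificate is not verified")
        legacy = [p for p in tls.get("enabled_protocols", []) if p not in MODERN_TLS]
        if legacy:
            findings.append(f"tls.enabled_protocols allows legacy protocol(s): {legacy}")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_idp(SAMPLE_IDP) or ["no findings"]:
        print(finding)
```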


Good point. I have filed an issue in the search-guard / Search Guard Suite Enterprise GitLab: "LDAP auth module: Plain text connections are used if `tls` setting is not specified" (#258).