Multiple servers in hosts LDAP configuration fails
Summary
When multiple hosts are configured for an LDAP server, the connection can fail with a Hostname mismatch error.
Steps to reproduce
Self-compiled source install example (`gitlab.yml`):

```yaml
production: &base
  ldap:
    enabled: true
    servers:
      main:
        label: 'GitLab AD'
        hosts: [['openldap1.example.com', 389], ['openldap2.example.com', 389]]
        uid: 'username'
        base: 'dc=example,dc=com'
        encryption: 'simple_tls'
```
Create two OpenLDAP servers, each with a certificate issued for its own hostname only. (No SANs; this part is important.)
What is the current bug behavior?
An error is thrown when connecting.
What is the expected correct behavior?
One hostname is selected, and that same hostname is given to the server via SNI.
Relevant logs and/or screenshots
LDAP: ... Server: ldapmain
Exception: Unable to connect to any given server:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=10.10.10.5:389 state=error: certificate verify failed (Hostname mismatch) (openldap1.example.com:389)
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=10.10.10.15:389 state=error: certificate verify failed (Hostname mismatch) (openldap2.example.com:389)
Reported by customer (ZD internal: https://gitlab.zendesk.com/agent/tickets/422293)
Output of checks
GitLab info
This occurs starting from GitLab version 16.1
This does not occur on GitLab version 16.0
The net-ldap gem was updated from version 0.17.1 to 0.18.0 in GitLab version 16.1.
Possible fixes
The cause was likely this pull request where SNI capability was introduced.
We'll need to update our documentation to warn of this behaviour.
PR to fix the issue on the side of the Gem: https://github.com/ruby-ldap/ruby-net-ldap/pull/417
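To make the failure mode concrete, the following is an added example (not code from GitLab or the net-ldap gem): it builds two constructed CN-only certificates matching the reproduction setup and runs Ruby's own TLS identity check against them, showing that a certificate only passes when the client verifies against that server's own hostname. The host names are the ones from the configuration above; the certificates are generated locally.

```ruby
require 'openssl'

# Constructed example: a self-signed certificate whose only identity is its CN,
# with no Subject Alternative Names, as in the reproduction steps above.
def build_cn_only_cert(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The identity check Ruby's TLS client performs when verify_hostname is on:
# the name the client expects must match a SAN (or, absent SANs, the CN)
# of the certificate the server actually presented.
def identity_ok?(cert, expected_name)
  OpenSSL::SSL.verify_certificate_identity(cert, expected_name)
end

# For each configured LDAP host, record whether its certificate passes the
# identity check when the client verifies against `expected_name`. Verifying
# every server against one fixed name fails for every other server, which is
# what surfaces as "certificate verify failed (Hostname mismatch)".
def identity_matrix(certs_by_host, expected_name)
  certs_by_host.transform_values { |cert| identity_ok?(cert, expected_name) }
end

HOSTS = ['openldap1.example.com', 'openldap2.example.com'].freeze
CERTS = HOSTS.to_h { |h| [h, build_cn_only_cert(h)] }.freeze # constructed

if $PROGRAM_NAME == __FILE__
  HOSTS.each do |h|
    puts "verify against #{h}: #{identity_matrix(CERTS, h)}"
  end
end
```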
Workarounds
- Specify only a single `host:` and `port:`
- Add Subject Alternative Names to both servers. For example, openldap1.example.com has SANs for both openldap1.example.com and openldap2.example.com. Does not work, see below: #416226 (comment 1446030885)
- Patch the problematic Gem: #416226 (comment 1446525698)