Environment
- Yugabyte Platform - All versions
Issue
When attempting to connect to the YSQL database, LDAP authentication fails:
[yugabyte@<HOSTNAME>]$ ysqlsh -U <USER>
Password for user <USER>:
ysqlsh: FATAL: LDAP authentication failed for user "<USER>"
FATAL: LDAP authentication failed for user "<USER>"
And you see the following error in the Postgres logs:
...
XXXX-XX-XX XX:XX:XX.XXX UTC [XXXX] LOG: 00000: could not start LDAP TLS session: Protocol error
XXXX-XX-XX XX:XX:XX.XXX UTC [XXXX] DETAIL: LDAP diagnostics: ExtendedRequest for StartTLS (X.X.X.X.X.X.X.X) is detected but the server is not set to support it.
...
This is indicative of an LDAP misconfiguration: the HBA entry requests StartTLS, but the LDAP server is not set up to support it.
Resolution
Overview
If a StartTLS request is detected but the LDAP server does not support it, the StartTLS-related options should be removed from the LDAP configuration in favor of the LDAPS options.
Steps
1. On Platform, in the target universe, click Actions > Edit Flags to locate the gflags.
2. In the CSV value string for the ysql_hba_conf_csv TServer flag, locate the value ldaptls=1 and remove it (to prevent StartTLS authentication requests).
3. If not already present in the string, add the value ldapscheme=ldaps (for LDAPS authentication).
4. Perform a rolling restart.
5. Retest the connection to the database.
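The following is an added example, not part of the original article or of the Yugabyte product, showing what steps 2 and 3 do to the ysql_hba_conf_csv value. The flag holds one pg_hba-style line per CSV field, with double quotes inside a field doubled. The sample value, the hostname ldap.example.com and the DN suffix are constructed; the helper functions (hba_entries, starttls_entries, rewrite_hba_csv) are hypothetical names for this illustration. The script reports which entries still request StartTLS and produces the corrected value to paste back into Edit Flags.

```python
import csv
import io
import re

# Constructed sample value of the ysql_hba_conf_csv TServer flag. Each CSV
# field is one pg_hba-style line; double quotes inside a field are doubled.
# The first entry still carries ldaptls=1, which is what makes the server send
# the StartTLS ExtendedRequest seen in the article's log excerpt.
SAMPLE_HBA_CSV = (
    '"host all all 0.0.0.0/0 ldap ldapserver=ldap.example.com '
    'ldapprefix=""uid="" ldapsuffix="", ou=DBA, dc=example, dc=com"" ldaptls=1",'
    '"host all all 0.0.0.0/0 md5"'
)

# ldaptls=1 is never the first token of a valid entry, so require leading space.
STARTTLS_OPTION = re.compile(r"\s+ldaptls=1(?=\s|$)")
SCHEME_OPTION = re.compile(r"(?:^|\s)ldapscheme=")


def hba_entries(value):
    """Split the flag value into its HBA lines (one CSV field each)."""
    return next(csv.reader(io.StringIO(value)))


def auth_method(entry):
    """Return the auth-method token of a pg_hba line.

    'local' lines have no address column, so the method sits one token earlier.
    The method always precedes any quoted option values, so plain whitespace
    splitting is safe for locating it.
    """
    tokens = entry.split()
    if not tokens:
        return ""
    idx = 3 if tokens[0] == "local" else 4
    return tokens[idx] if len(tokens) > idx else ""


def starttls_entries(value):
    """Entries that use the ldap method and still request StartTLS."""
    return [e for e in hba_entries(value)
            if auth_method(e) == "ldap" and STARTTLS_OPTION.search(e)]


def rewrite_hba_csv(value):
    """Apply the article's fix: drop ldaptls=1, add ldapscheme=ldaps if absent.

    Non-LDAP entries are passed through untouched; the result is re-encoded
    with the same CSV quoting rules the flag expects.
    """
    fixed = []
    for entry in hba_entries(value):
        if auth_method(entry) == "ldap":
            entry = STARTTLS_OPTION.sub("", entry)
            if not SCHEME_OPTION.search(entry):
                entry += " ldapscheme=ldaps"
        fixed.append(entry)
    out = io.StringIO()
    csv.writer(out, lineterminator="").writerow(fixed)
    return out.getvalue()


if __name__ == "__main__":
    print("before:          ", SAMPLE_HBA_CSV)
    print("StartTLS entries:", starttls_entries(SAMPLE_HBA_CSV))
    print("after:           ", rewrite_hba_csv(SAMPLE_HBA_CSV))
```

Run it once against the current flag value to confirm which entries are requesting StartTLS before editing, and once more against the corrected value to confirm that starttls_entries returns nothing. If an entry also sets ldapport explicitly, that port must be the LDAP server's LDAPS listener (636 by default), since ldapscheme=ldaps does not override an explicit port.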