Issues with LDAP and guard get installer #193

Closed
mapolone opened this issue Nov 7, 2018 · 7 comments

mapolone commented Nov 7, 2018

Hello,
I'm trying to set up Guard 0.2.1 in order to use it with an internal LDAP server. I've of course followed the official guide.

I think I hit a couple of issues when using guard get installer:

  • The default path for server and CA certificates is set to /etc/guard/pki even if variable GUARD_DATA_DIR is unset (following this logic, the path should be set to user's home folder).

  • Also, the following options are set by default:
    --tls-cert-file="/etc/guard/pki/tls.crt"
    --tls-private-key-file="/etc/guard/pki/tls.key"

Instead, server certificates are named server.crt and server.key respectively (using of course guard init ca). If I try to change the options above, I get this error even when the file exists:

server.go:141] open /etc/guard/pki/server.crt: no such file or directory

Am I missing something?

Thank you!

@nightfury1204
Contributor

If --pki-dir and GUARD_DATA_DIR are not set, then guard will use $HOME/.guard as the default directory.
Did you set the --pki-dir flag? Also check your $HOME directory.

@mapolone
Author

mapolone commented Nov 8, 2018

When I run guard init for CA and certificates generation without GUARD_DATA_DIR and --pki-dir, certificates are saved in $HOME/.guard as expected.

When I run guard get installer instead, without --pki-dir, the default path for certificates in the .yaml file is set to /etc/guard/pki. Is this the right behaviour?

@nightfury1204
Contributor

guard get installer generates yaml for kubernetes. We keep certs files in /etc/guard/pki directory of the pod.

  volumeMounts:
        - mountPath: /etc/guard/pki
          name: guard-pki

So, it is the right behaviour.

@mapolone
Author

Thanks, I was missing this one. Just one last thing: how can I disable secure connection towards my LDAP server? In guard logs I'm getting the following error.

http: TLS handshake error from 192.168.0.5:45912: remote error: tls: bad certificate

Is ldap.is-secure-ldap=false option enough to disable SSL/TLS?

@nightfury1204
Contributor

To skip tls verification with LDAP use --ldap.skip-tls-verification=true or use --ldap.ca-cert-file=<path_to_the_ca_cert_file> to send ca cert to verify LDAP server.

--ldap.is-secure-ldap is to specify whether your LDAP is secure or not (ldap or ldaps).
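
As an added example (not part of this thread and not Guard's code), the Go program below compares trusting a supplied CA certificate with skipping verification, using Go's standard TLS client against a constructed local test server that stands in for an LDAPS endpoint. Mapping `--ldap.ca-cert-file` to `RootCAs` and `--ldap.skip-tls-verification` to `InsecureSkipVerify` is an assumption, and `ldap.example.internal` is a constructed name.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http/httptest"
)

// Handshake dials addr with cfg and reports how server-certificate verification ended.
func Handshake(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case errors.As(err, &unknownCA):
		return "rejected: unknown authority"
	case errors.As(err, &badName):
		return "rejected: hostname mismatch"
	case err != nil:
		return "failed: " + err.Error()
	}
	conn.Close()
	return "accepted"
}

// Compare starts a constructed local TLS server (standing in for an LDAPS endpoint)
// and connects to it with four client configurations.
func Compare() map[string]string {
	srv := httptest.NewTLSServer(nil) // built-in test certificate, valid for 127.0.0.1
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	ca := x509.NewCertPool()
	ca.AddCert(srv.Certificate()) // the role a CA cert file plays (assumed mapping)
	return map[string]string{
		"no CA configured":    Handshake(addr, &tls.Config{RootCAs: x509.NewCertPool()}),
		"CA file supplied":    Handshake(addr, &tls.Config{RootCAs: ca}),
		"CA file, wrong name": Handshake(addr, &tls.Config{RootCAs: ca, ServerName: "ldap.example.internal"}),
		"skip verification":   Handshake(addr, &tls.Config{InsecureSkipVerify: true}),
	}
}

func main() {
	for name, result := range Compare() {
		fmt.Printf("%-20s %s\n", name, result)
	}
}
```

With a CA supplied, the client still checks the server name, while skipping verification accepts any certificate. For each rejected handshake the test server typically logs `remote error: tls: bad certificate` to stderr, which is what a Go server prints when the connecting client refuses its certificate.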

@mapolone
Author

Thanks, but I'm still not able to run it.
In kubespray I got this error a few seconds before setup finishes:

http: TLS handshake error from 192.168.0.5:45568: EOF

where 192.168.0.5 is my master node, and

TLS handshake error from 192.168.0.5:53010: remote error: tls: bad certificate

while trying to get a token for user.

The troubleshooting guide doesn't help either. I'll try again on a clean cluster, if you have any clue about this it would help a lot, otherwise feel free to keep this issue closed. Thanks for your help.

@nightfury1204
Contributor

nightfury1204 commented Nov 14, 2018

@mapolone you could join our #guard Slack channel at https://appscode.slack.com and ask your question there.
