Support

How Can I Set the trusted_ca For My LDAP Server Over SSL?

Follow

This feature is only available for Shiny Server Pro.

The easiest way to confirm an SSL connection is to use the openssl tool to connect to your LDAP server. If you do not already have the SSL certificates for your server, you can download them using this tool. If you run

openssl s_client -connect <LDAP server address>:<port> -showcerts

you should get significant output. (The default LDAPS port is 636.)

If you review this output, in particular the last few lines, you should see a "result". If there is a problem, it may say something likeVerify return code: 19 (self signed certificate in certificate chain), which indicates that there is an issue with trusting the SSL connection between you and your LDAPS server. If you see an error like the one above, you need to instruct your client to trust a particular Certificate Authority (CA) that the openssl tool does not trust by default. Once you retrieve the CA certificate for your organization (which should also be the last certificate returned by the command above if you are actually connected to the right server), you can tellopenssl to trust that CA by using a command in the format of

openssl s_client -connect <server-address>:<port> -CAfile <file.pem>

Assuming that the certificate matches the CA you provide, and that everything is in the right format, you should get a line of output from openssl that says,Verify return code: 0 (ok). Once you see that, you know you have your CA certificate in the right format.

There is one important check that the openssl tools does not perform that you should do before trying to use the certificate in Shiny Server Pro. You will need to confirm that the hostname you are using matches the SSL certificate. You can do that manually, or use curl by running curl --cacert <file.pem> ldaps://<server-address>:<port>/. If you see some LDAP output,perhaps starting with DN:, and no errors, then things are working properly and you have the right hostname.

Once you have the CA certificate working in the above tests, then you are ready to apply it to Shiny Server Pro. The CA certificate should be in PEM format and only include one certificate per file. You can add these file references using the trusted_ca setting in your Shiny Server Pro configuration as follows:

auth_ldap ... {
  trusted_ca /etc/ssl/ca1.pem /etc/ssl/ca2.pem;
}

This example setting includes two CA certificates that Shiny Server Pro should trust. Shiny Server Pro should now be able to connect to your LDAPS server successfully when you attempt to authenticate users.

Comments