stork-hook-ldap: StartTLS is used with ldaps
Describe the bug
When using ldaps to connect to an ldap server, starttls is used. This results in the error ldap: already encrypted.
To Reproduce
Steps to reproduce the behavior:
- Install Stork server v1.18.0 and ldap hook v1.18.0 and run with the following ldap configs: '...'
STORK_SERVER_HOOK_LDAP_URL="ldaps://freeipa.internal.net:636"
STORK_SERVER_HOOK_LDAP_ROOT="cn=users,cn=accounts,dc=internal,dc=net"
STORK_SERVER_HOOK_LDAP_BIND_USERDN="uid=stork,cn=sysaccounts,cn=etc,dc=internal,dc=net"
STORK_SERVER_HOOK_LDAP_BIND_PASSWORD="mypassword"
STORK_SERVER_HOOK_LDAP_SKIP_SERVER_TLS_VERIFICATION=true
# The mandatory group that must be assigned to user to access Stork, empty for allow all users
STORK_SERVER_HOOK_LDAP_GROUP_ALLOW="cn=stork,cn=groups,cn=accounts,dc=internal,dc=net"
STORK_SERVER_HOOK_LDAP_MAP_GROUPS=false
STORK_SERVER_HOOK_LDAP_DEBUG=true
- Attempt to login to the GUI using LDAP
- Login attempt fails and the server logs contain:
" error="cannot authenticate a user: error occurred in the Authenticate callout: cannot start TLS: LDAP Result Code 200 \"Network Error\": ldap: already encrypted" identifier="user" method="ldap"
Expected behavior
Stork connects to the ldap server using ldaps and queries ldap for the user logging in.
Environment:
- Stork: v1.18.0
- OS: Debian 12
- Stork: stork-hook-ldap v1.18.0
Additional Information
When using ldap on port 389 to connect to the freeipa server the server responds as expected (request is rejected as tls is required).
I've taken a look through the hook's source code and I'm fairly sure I've found the source of the issue - starttls is only being used for ldaps URIs when it should only be used for ldap URIs. This requires a very minor change. However, I've not been able to test this as when I've built the hook from v1.18.0 of the source I get a plugin version error when attempting to load it with Stork:
Unexpected error: plugin.Open("/usr/lib/stork-server/hooks/stork-server-ldap"): plugin was built with a different version of package isc.org/stork/hooks/server/authenticationcallouts
If someone could point me in the right direction as to what my go.mod file should look like I'm happy to test the change and open an MR.
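The scheme check discussed in this report, as an added example that is not the hook's code and not part of the original report: StartTLS is issued only for ldap:// URLs, while ldaps:// is treated as TLS from the first byte. `fakeConn` and `connect` are hypothetical names, and the connection is a constructed stand-in that only tracks its TLS state, so nothing is dialled.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// fakeConn is a constructed stand-in for an LDAP client connection (assumption).
type fakeConn struct{ isTLS bool }

// startTLS upgrades a plaintext session and refuses one that is already encrypted.
func (c *fakeConn) startTLS() error {
	if c.isTLS {
		return errors.New("ldap: already encrypted")
	}
	c.isTLS = true
	return nil
}

// connect simulates opening rawURL and reports the address used and whether the
// session ended up encrypted. Unknown schemes are rejected rather than guessed.
func connect(rawURL string) (addr string, encrypted bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false, err
	}
	defaultPort := map[string]string{"ldap": "389", "ldaps": "636"}[u.Scheme]
	if defaultPort == "" || u.Hostname() == "" {
		return "", false, fmt.Errorf("unsupported LDAP URL %q", rawURL)
	}
	port := u.Port()
	if port == "" {
		port = defaultPort
	}
	conn := &fakeConn{isTLS: u.Scheme == "ldaps"} // implicit TLS on ldaps
	if u.Scheme == "ldap" { // upgrade only the plaintext scheme
		if err := conn.startTLS(); err != nil {
			return "", false, fmt.Errorf("cannot start TLS: %w", err)
		}
	}
	return net.JoinHostPort(u.Hostname(), port), conn.isTLS, nil
}

func main() {
	fmt.Println(connect("ldaps://freeipa.internal.net:636"))
	fmt.Println(connect("ldap://freeipa.internal.net"))
}
```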